======== Payload investigation statistics ========
Suspicious payload offset: 121878
Emulation attribute name                          Value
=======================================================
WRITES_TO_PROCESS_STACK_MEMORY                    38
-------------------------------------------------------
BUFFER_INSIDE_WRITES_COUNT                        0
-------------------------------------------------------
REFERENCES_TO_PROCESS_INTERNALS                   0
-------------------------------------------------------
BUFFER_OUTSIDE_WRITES_COUNT                       4
-------------------------------------------------------
FAR_JUMPS_COUNT                                   0
-------------------------------------------------------
FULLY_INITIALIZED_INSTRUCTIONS                    100
-------------------------------------------------------
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES                0
-------------------------------------------------------
PROC_CALLS_INSIDE_INV_BUFFER                      0
-------------------------------------------------------
BUFFER_OUTSIDE_READS_COUNT                        2
-------------------------------------------------------
UNDEFINED_DIRECT_CALLS                            0
-------------------------------------------------------
JUMPS_INSIDE_INV_BUFFER                           0
-------------------------------------------------------
CORRECTLY_PARSED_INSTRUCTIONS                     100
-------------------------------------------------------
MEMORY_MODIFYING_MATH_INSTRUCTIONS                0
-------------------------------------------------------
BUFFER_INSIDE_READS_COUNT                         0
-------------------------------------------------------
SYSTEM_CALLS_COUNT                                0
-------------------------------------------------------
UNRECOGNIZED_CALL_TARGETS                         0
-------------------------------------------------------
REFERENCES_TO_PROCESS_IMPORTS                     0
-------------------------------------------------------
CORRECT_PROCEDURES_CALLS                          0
-------------------------------------------------------
EIP_RETRIEVAL_INSTRUCTIONS                        0
-------------------------------------------------------
JUMPS_TO_PROCESS_INTERNALS                        0
-------------------------------------------------------
EXECUTED_ARITHMETIC_INSTRUCTIONS                  25
-------------------------------------------------------
CALLS_TARGETED_IMPORTS_SECTION                    0
-------------------------------------------------------
UNRECOGNIZED_JUMP_TARGETS                         0
-------------------------------------------------------
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS               78
-------------------------------------------------------
REFERENCES_TO_PROCESS_EXPORTS                     0
-------------------------------------------------------
EXECUTES_BITS_OPERATING_INSTRUCTIONS              0
-------------------------------------------------------
IMMEDIATE_OPERANDS_INSTRUCTIONS                   0
-------------------------------------------------------
INDIRECT_BUFFER_REFERENCES                        31
-------------------------------------------------------
MAX_WRITTEN_MEMORY_BLOCK                          0
-------------------------------------------------------
CORRECTLY_EXECUTED_INSTRUCTIONS                   99
-------------------------------------------------------
READS_FROM_PROCESS_STACK_MEMORY                   9
-------------------------------------------------------
CALLS_TARGETED_EXPORTS_SECTION                    0
-------------------------------------------------------
More about the Quttera investigation engine here.
======== Detection disassembly ======== DEC ESI (0x00000000) PUSH ESI (0xFFFFFFFF) POP EBX (0x00000000) DEC EDI (0x00000000) PUSH EDI (0xFFFFFFFF) POP EBX (0xFFFFFFFF) DEC ESI (0xFFFFFFFF) PUSH ESI (0xFFFFFFFE) POP EDX (0x00000000) DEC ESP (0x0889C52F) PUSH ESP (0x0889C52E) POP ECX (0x00000000) DEC ESP (0x0889C52E) PUSH EDX (0xFFFFFFFE) PUSH ESI (0xFFFFFFFE) DEC ESP (0x0889C525) PUSH EDX (0xFFFFFFFE) PUSH ESP (0x0889C520) DEC ESP (0x0889C51C) PUSH EDX (0xFFFFFFFE) PUSH ESP (0x0889C517) DEC ESP (0x0889C513) PUSH EDX (0xFFFFFFFE) PUSH EBX (0xFFFFFFFF) DEC EBP (0x00000000) PUSH EBX (0xFFFFFFFF) PUSH ESP (0x0889C506) DEC ESP (0x0889C502) PUSH EDX (0xFFFFFFFE) PUSH ESP (0x0889C4FD) DEC ESP (0x0889C4F9) PUSH EDX (0xFFFFFFFE) PUSH EBX (0xFFFFFFFF) DEC EBX (0xFFFFFFFF) PUSH ECX (0x0889C52E) PUSH EDX (0xFFFFFFFE) DEC EBX (0xFFFFFFFE) PUSH ECX (0x0889C52E) PUSH EDX (0xFFFFFFFE) DEC EBX (0xFFFFFFFD) PUSH ECX (0x0889C52E) PUSH EDX (0xFFFFFFFE) DEC ESP (0x0889C4D8) PUSH EDX (0xFFFFFFFE) PUSH EBX (0xFFFFFFFC) DEC EBX (0xFFFFFFFC) PUSH ECX (0x0889C52E) PUSH EBX (0xFFFFFFFB) DEC ESP (0x0889C4C7) PUSH EDX (0xFFFFFFFE) PUSH ESI (0xFFFFFFFE) DEC EBX (0xFFFFFFFB) PUSH ECX (0x0889C52E) PUSH ESP (0x0889C4BA) DEC EBX (0xFFFFFFFA) PUSH ECX (0x0889C52E) PUSH EBP (0xFFFFFFFF) DEC EDX (0xFFFFFFFE) PUSH ECX (0x0889C52E) PUSH EBP (0xFFFFFFFF) DEC ESP (0x0889C4A6) PUSH EDX (0xFFFFFFFD) PUSH ESI (0xFFFFFFFE) DEC ESP (0x0889C49D) PUSH EDX (0xFFFFFFFD) PUSH ESI (0xFFFFFFFE) DEC EBP (0xFFFFFFFF) PUSH EBX (0xFFFFFFF9) PUSH EDI (0xFFFFFFFF) DEC ESI (0xFFFFFFFE) PUSH ESP (0x0889C48C) POP EAX (0x00000000) DEC EBP (0xFFFFFFFE) PUSH EBX (0xFFFFFFF9) PUSH EDI (0xFFFFFFFF) DEC ECX (0x0889C52E) DEC ESI (0xFFFFFFFD) PUSH EBX (0xFFFFFFF9) XOR DH (0xFF),[0x1C14113B] (0x1C14113B) ;random read instruction OR AL (0x8C),0x10 SBB DS:[EDX] (0xFFFFFFFD),CL (0x2D) ;random write instruction [suspicious memory write instruction] HINT_NOP DS:[EAX] (0x0889C49C) OR EAX (0x0889C49C),0x130D1F14 SBB EAX 
(0x1B8DDF9C),0x1021150E SBB [EBX*0x1 + EDI] (0xFFFFFFF8),ESP (0x0889C480) ;random write instruction SUB DH (0xFF),DS:[ECX] (0x0889C52D) DAS AAA SUB EAX (0x0B6CCB8E),0x342C3A34 CMP DS:[EBX] (0xFFFFFFF9),EBP (0xFFFFFFFD) ;random read instruction XOR EDI (0xFFFFFFFF),DS:[ECX] (0x0889C52D) SUB DS:[EAX] (0xD740915A),ESI (0xFFFFFFFC) ;random write instruction AAA DAA XOR EAX (0xD7409260),0x25342D26 SUB AL (0x46),0x33 AND EAX (0xF274BF13),0x2A24332C XOR AH (0x33),DS:[ECX] (0x0889C52D) SUB DS:[EAX] (0x22243300),DH (0xFF) ;random write instruction [suspicious memory write instruction] AND DS:[ECX] (0x0889C52D),EBP (0xFFFFFFFD)