Monday, March 18, 2013

Suspicious payload behavior similar to shellcode decoder detected into ectrustprc.org.cn/download/4cafea75dfca5.doc

======== Payload investigation statistics ========
Suspicios payload offset: 121878 Emulation attribute name Value ======================================================= WRITES_TO_PROCESS_STACK_MEMORY 38 ------------------------------------------------------- BUFFER_INSIDE_WRITES_COUNT 0 ------------------------------------------------------- REFERENCES_TO_PROCESS_INTERNALS 0 ------------------------------------------------------- BUFFER_OUTSIDE_WRITES_COUNT 4 ------------------------------------------------------- FAR_JUMPS_COUNT 0 ------------------------------------------------------- FULLY_INITIALIZED_INSTRUCTIONS 100 ------------------------------------------------------- PROVIDED_ABSOLUTE_MEMORY_ADDRESSES 0 ------------------------------------------------------- PROC_CALLS_INSIDE_INV_BUFFER 0 ------------------------------------------------------- BUFFER_OUTSIDE_READS_COUNT 2 ------------------------------------------------------- UNDEFINED_DIRECT_CALLS 0 ------------------------------------------------------- JUMPS_INSIDE_INV_BUFFER 0 ------------------------------------------------------- CORRECTLY_PARSED_INSTRUCTIONS 100 ------------------------------------------------------- MEMORY_MODIFYING_MATH_INSTRUCTIONS 0 ------------------------------------------------------- BUFFER_INSIDE_READS_COUNT 0 ------------------------------------------------------- SYSTEM_CALLS_COUNT 0 ------------------------------------------------------- UNRECOGNIZED_CALL_TARGETS 0 ------------------------------------------------------- REFERENCES_TO_PROCESS_IMPORTS 0 ------------------------------------------------------- CORRECT_PROCEDURES_CALLS 0 ------------------------------------------------------- EIP_RETRIEVAL_INSTRUCTIONS 0 ------------------------------------------------------- JUMPS_TO_PROCESS_INTERNALS 0 ------------------------------------------------------- EXECUTED_ARITHMETIC_INSTRUCTIONS 25 ------------------------------------------------------- CALLS_TARGETED_IMPORTS_SECTION 0 ------------------------------------------------------- UNRECOGNIZED_JUMP_TARGETS 0 ------------------------------------------------------- CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS 78 ------------------------------------------------------- REFERENCES_TO_PROCESS_EXPORTS 0 ------------------------------------------------------- EXECUTES_BITS_OPERATING_INSTRUCTIONS 0 ------------------------------------------------------- IMMEDIATE_OPERANDS_INSTRUCTIONS 0 ------------------------------------------------------- INDIRECT_BUFFER_REFERENCES 31 ------------------------------------------------------- MAX_WRITTEN_MEMORY_BLOCK 0 ------------------------------------------------------- CORRECTLY_EXECUTED_INSTRUCTIONS 99 ------------------------------------------------------- READS_FROM_PROCESS_STACK_MEMORY 9 ------------------------------------------------------- CALLS_TARGETED_EXPORTS_SECTION 0 ------------------------------------------------------- More about quttera investigation engine here


 ======== Detection disassembly ======== 

DEC ESI (0x00000000)                                
PUSH ESI (0xFFFFFFFF)                               
POP EBX (0x00000000)                                
DEC EDI (0x00000000)                                
PUSH EDI (0xFFFFFFFF)                               
POP EBX (0xFFFFFFFF)                                
DEC ESI (0xFFFFFFFF)                                
PUSH ESI (0xFFFFFFFE)                               
POP EDX (0x00000000)                                
DEC ESP (0x0889C52F)                                
PUSH ESP (0x0889C52E)                               
POP ECX (0x00000000)                                
DEC ESP (0x0889C52E)                                
PUSH EDX (0xFFFFFFFE)                               
PUSH ESI (0xFFFFFFFE)                               
DEC ESP (0x0889C525)                                
PUSH EDX (0xFFFFFFFE)                               
PUSH ESP (0x0889C520)                               
DEC ESP (0x0889C51C)                                
PUSH EDX (0xFFFFFFFE)                               
PUSH ESP (0x0889C517)                               
DEC ESP (0x0889C513)                                
PUSH EDX (0xFFFFFFFE)                               
PUSH EBX (0xFFFFFFFF)                               
DEC EBP (0x00000000)                                
PUSH EBX (0xFFFFFFFF)                               
PUSH ESP (0x0889C506)                               
DEC ESP (0x0889C502)                                
PUSH EDX (0xFFFFFFFE)                               
PUSH ESP (0x0889C4FD)                               
DEC ESP (0x0889C4F9)                                
PUSH EDX (0xFFFFFFFE)                               
PUSH EBX (0xFFFFFFFF)                               
DEC EBX (0xFFFFFFFF)                                
PUSH ECX (0x0889C52E)                               
PUSH EDX (0xFFFFFFFE)                               
DEC EBX (0xFFFFFFFE)                                
PUSH ECX (0x0889C52E)                               
PUSH EDX (0xFFFFFFFE)                               
DEC EBX (0xFFFFFFFD)                                
PUSH ECX (0x0889C52E)                               
PUSH EDX (0xFFFFFFFE)                               
DEC ESP (0x0889C4D8)                                
PUSH EDX (0xFFFFFFFE)                               
PUSH EBX (0xFFFFFFFC)                               
DEC EBX (0xFFFFFFFC)                                
PUSH ECX (0x0889C52E)                               
PUSH EBX (0xFFFFFFFB)                               
DEC ESP (0x0889C4C7)                                
PUSH EDX (0xFFFFFFFE)                               
PUSH ESI (0xFFFFFFFE)                               
DEC EBX (0xFFFFFFFB)                                
PUSH ECX (0x0889C52E)                               
PUSH ESP (0x0889C4BA)                               
DEC EBX (0xFFFFFFFA)                                
PUSH ECX (0x0889C52E)                               
PUSH EBP (0xFFFFFFFF)                               
DEC EDX (0xFFFFFFFE)                                
PUSH ECX (0x0889C52E)                               
PUSH EBP (0xFFFFFFFF)                               
DEC ESP (0x0889C4A6)                                
PUSH EDX (0xFFFFFFFD)                               
PUSH ESI (0xFFFFFFFE)                               
DEC ESP (0x0889C49D)                                
PUSH EDX (0xFFFFFFFD)                               
PUSH ESI (0xFFFFFFFE)                               
DEC EBP (0xFFFFFFFF)                                
PUSH EBX (0xFFFFFFF9)                               
PUSH EDI (0xFFFFFFFF)                               
DEC ESI (0xFFFFFFFE)                                
PUSH ESP (0x0889C48C)                               
POP EAX (0x00000000)                                
DEC EBP (0xFFFFFFFE)                                
PUSH EBX (0xFFFFFFF9)                               
PUSH EDI (0xFFFFFFFF)                               
DEC ECX (0x0889C52E)                                
DEC ESI (0xFFFFFFFD)                                
PUSH EBX (0xFFFFFFF9)                               
XOR DH (0xFF),[0x1C14113B] (0x1C14113B)            ;random read instruction
OR AL (0x8C),0x10                                   
SBB DS:[EDX] (0xFFFFFFFD),CL (0x2D)                ;random write instruction [suspicious memory write instruction]
HINT_NOP DS:[EAX] (0x0889C49C)                      
OR EAX (0x0889C49C),0x130D1F14                      
SBB EAX (0x1B8DDF9C),0x1021150E                     
SBB [EBX*0x1 + EDI] (0xFFFFFFF8),ESP (0x0889C480)  ;random write instruction
SUB DH (0xFF),DS:[ECX] (0x0889C52D)                 
DAS                                                 
AAA                                                 
SUB EAX (0x0B6CCB8E),0x342C3A34                     
CMP DS:[EBX] (0xFFFFFFF9),EBP (0xFFFFFFFD)         ;random read instruction
XOR EDI (0xFFFFFFFF),DS:[ECX] (0x0889C52D)          
SUB DS:[EAX] (0xD740915A),ESI (0xFFFFFFFC)         ;random write instruction
AAA                                                 
DAA                                                 
XOR EAX (0xD7409260),0x25342D26                     
SUB AL (0x46),0x33                                  
AND EAX (0xF274BF13),0x2A24332C                     
XOR AH (0x33),DS:[ECX] (0x0889C52D)                 
SUB DS:[EAX] (0x22243300),DH (0xFF)                ;random write instruction [suspicious memory write instruction]
AND DS:[ECX] (0x0889C52D),EBP (0xFFFFFFFD)