Monday, March 18, 2013

Suspicious payload detected into myweb.stedwards.edu/zcarpen/Picture.bmp

Quttera investigation engine statistics of the detected payload/shellcode

Offset of the detected payload: 0

Payload emulation counters:

WRITES_TO_PROCESS_STACK_MEMORY12
BUFFER_INSIDE_WRITES_COUNT0
REFERENCES_TO_PROCESS_INTERNALS0
BUFFER_OUTSIDE_WRITES_COUNT2
FAR_JUMPS_COUNT0
FULLY_INITIALIZED_INSTRUCTIONS91
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES0
PROC_CALLS_INSIDE_INV_BUFFER0
BUFFER_OUTSIDE_READS_COUNT11
UNDEFINED_DIRECT_CALLS0
JUMPS_INSIDE_INV_BUFFER8
CORRECTLY_PARSED_INSTRUCTIONS100
MEMORY_MODIFYING_MATH_INSTRUCTIONS0
BUFFER_INSIDE_READS_COUNT0
SYSTEM_CALLS_COUNT0
UNRECOGNIZED_CALL_TARGETS0
REFERENCES_TO_PROCESS_IMPORTS0
CORRECT_PROCEDURES_CALLS0
EIP_RETRIEVAL_INSTRUCTIONS0
JUMPS_TO_PROCESS_INTERNALS0
EXECUTED_ARITHMETIC_INSTRUCTIONS50
CALLS_TARGETED_IMPORTS_SECTION0
UNRECOGNIZED_JUMP_TARGETS0
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS12
REFERENCES_TO_PROCESS_EXPORTS0
EXECUTES_BITS_OPERATING_INSTRUCTIONS0
IMMEDIATE_OPERANDS_INSTRUCTIONS0
INDIRECT_BUFFER_REFERENCES15
MAX_WRITTEN_MEMORY_BLOCK0
CORRECTLY_EXECUTED_INSTRUCTIONS91
READS_FROM_PROCESS_STACK_MEMORY9
CALLS_TARGETED_EXPORTS_SECTION0


Detection disassembly:

PUSH 0x7546325A
POPAD
PUSH EDI (0x7546325A)
XOR DS:[EBP + 0x59] (0x00000059),DH (0x00) ;random write instruction
XOR BH (0x00),DS:[EAX] (0x00000000)
JNZ 0x61 ;random read instruction
INC ECX (0x00000000)
INC ECX (0x00000001)
INC ESI (0x00000000)
POP EDX (0x00000000)
INC ECX (0x00000002)
INC ECX (0x00000003)
PUSH ECX (0x00000004)
INC ECX (0x00000004)
INC ECX (0x00000005)
INC ECX (0x00000006)
INC EDX (0x7546325A)
XOR AL (0x00),0x4E
PUSH ECX (0x00000007)
PUSH EDI (0x7546325A)
JS 0x30 ;random read instruction
POP EDX (0x7546325B)
POP EAX (0x0000004E)
DEC EDX (0x7546325A)
JNZ 0x59 ;random read instruction
POP EAX (0x00000007)
POP EAX (0x00000004)
JNO 0x68 ;random read instruction
PUSH EDX (0x75463259)
DEC CX (0x0007)
PUSH ESI (0x00000001)
DEC ESI (0x00000001)
INC EBX (0x00006800)
INC ECX (0x00000007)
OUTS DX (0x3259),DWORD DS:[ESI] (0x00000000)
INC ECX (0x00000008)
INC ESP (0x093539E7)
POP EDX (0x75463259)
INC EDI (0x7546325A)
PUSH ECX (0x00000009)
INC EBX (0x00006801)
INC ECX (0x00000009)
CMP DS:[BX + 0x41] (0x00006843),DL (0x00) ;random read instruction
PUSH 0x6D564834
INS ES:[EDI] (0x0000325B),DX (0x0000) ;random write instruction
JP 0x61 ;random read instruction
INC ECX (0x0000000A)
INC ECX (0x0000000B)
INC ECX (0x0000000C)
INC ECX (0x0000000D)
INC ECX (0x0000000E)
INC ECX (0x0000000F)
PUSH 0x6B
INC ECX (0x00000010)
INC EDX (0x59000000)
INC ECX (0x00000011)
INC ECX (0x00000012)
INC ECX (0x00000013)
INC ECX (0x00000014)
DEC EAX (0x00000000)
JNBE 0x63 ;random read instruction
BOUND EAX (0xFFFFFFFF),DS:[ECX + 0x41] (0x00000056),[0x0000005A] (0x0000005A) ;random read instruction
INC ECX (0x00000015)
INC ECX (0x00000016)
INC ECX (0x00000017)
INC ECX (0x00000018)
INC ESP (0x093539E0)
INC ECX (0x00000019)
POP ECX (0x0000001A)
IMUL EAX (0xFFFFFFFF),DS:[ECX + 0x42] (0x34000042),0x41
INC ECX (0x34000000)
INC ECX (0x34000001)
INC ECX (0x34000002)
DEC EAX (0x00000000)
JNBE 0x6F ;random read instruction
INC EBX (0x00006802)
INC ECX (0x34000003)
DEC ESI (0x00000000)
IMUL EBX (0x00006803),DS:[EDX + 0x41] (0x59000042),0x49
DEC ESP (0x093539E5)
INC ESP (0x093539E4)
XOR DL (0x01),DS:[ECX + 0x57] (0x3400005B) ;random read instruction
INC ECX (0x34000004)
INS ES:[EDI] (0x0000325B),DX (0x0001) ;random write instruction
POP ECX (0x34000005)
PUSH EAX (0xFFFFFFFF)
INC ESP (0x093539E5)
JS 0x59 ;random read instruction
INC EBX (0x00000000)
DEC EAX (0xFFFFFFFF)
CMP DS:[BP + 0x62] (0x00000062),EAX (0xFFFFFFFE) ;random read instruction
INS ES:[EDI] (0x0000325B),DX (0x0001) ;random write instruction
INC ESI (0xFFFFFFFF)
IMUL ESP (0x093539E6),DS:[EDX + 0x47] (0x59000048),0x57615756
PUSH ESI (0x00000000)
XOR EDX (0x59000001),DS:[EBP + 0x33] (0x00000033) ;random read instruction
PUSH EDX (0x0D4E3950)
PUSH 0x6E564764
POP EDX (0x0D4E3950)
INC EDI (0x7546325B)