======== Payload investigation statistics ========
Suspicious payload offset: 3060936
Emulation attribute name Value
=======================================================
WRITES_TO_PROCESS_STACK_MEMORY 0
-------------------------------------------------------
BUFFER_INSIDE_WRITES_COUNT 0
-------------------------------------------------------
REFERENCES_TO_PROCESS_INTERNALS 2
-------------------------------------------------------
BUFFER_OUTSIDE_WRITES_COUNT 6
-------------------------------------------------------
FAR_JUMPS_COUNT 0
-------------------------------------------------------
FULLY_INITIALIZED_INSTRUCTIONS 84
-------------------------------------------------------
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES 0
-------------------------------------------------------
PROC_CALLS_INSIDE_INV_BUFFER 0
-------------------------------------------------------
BUFFER_OUTSIDE_READS_COUNT 1
-------------------------------------------------------
UNDEFINED_DIRECT_CALLS 3
-------------------------------------------------------
JUMPS_INSIDE_INV_BUFFER 3
-------------------------------------------------------
CORRECTLY_PARSED_INSTRUCTIONS 100
-------------------------------------------------------
MEMORY_MODIFYING_MATH_INSTRUCTIONS 0
-------------------------------------------------------
BUFFER_INSIDE_READS_COUNT 0
-------------------------------------------------------
SYSTEM_CALLS_COUNT 0
-------------------------------------------------------
UNRECOGNIZED_CALL_TARGETS 1
-------------------------------------------------------
REFERENCES_TO_PROCESS_IMPORTS 0
-------------------------------------------------------
CORRECT_PROCEDURES_CALLS 0
-------------------------------------------------------
EIP_RETRIEVAL_INSTRUCTIONS 0
-------------------------------------------------------
JUMPS_TO_PROCESS_INTERNALS 0
-------------------------------------------------------
EXECUTED_ARITHMETIC_INSTRUCTIONS 3
-------------------------------------------------------
CALLS_TARGETED_IMPORTS_SECTION 0
-------------------------------------------------------
UNRECOGNIZED_JUMP_TARGETS 0
-------------------------------------------------------
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS 6
-------------------------------------------------------
REFERENCES_TO_PROCESS_EXPORTS 0
-------------------------------------------------------
EXECUTES_BITS_OPERATING_INSTRUCTIONS 0
-------------------------------------------------------
IMMEDIATE_OPERANDS_INSTRUCTIONS 0
-------------------------------------------------------
INDIRECT_BUFFER_REFERENCES 7
-------------------------------------------------------
MAX_WRITTEN_MEMORY_BLOCK 0
-------------------------------------------------------
CORRECTLY_EXECUTED_INSTRUCTIONS 71
-------------------------------------------------------
READS_FROM_PROCESS_STACK_MEMORY 4
-------------------------------------------------------
CALLS_TARGETED_EXPORTS_SECTION 0
-------------------------------------------------------
More about the Quttera investigation engine here
======== Detection disassembly ======== INC EDI (0x00000000) ADC AL (0x00),0xB1 IN EAX (0x000000B1),DX (0x0000) POP EBX (0x00000000) DAA IN AL (0xB1),DX (0x0000) STD XCHG EBX (0x00000000),EAX (0x000000B1) MOVSB ES:[DI] (0x00000001),BYTE DS:[SI] (0x00000000) ;random write instruction MOV DL (0x00),0xDA RCR DS:[ESI - 0x46] (0xFFFFFFBA),CL (0x00) ;random write instruction INT 0x77 STD STI IN EAX (0x00000000),DX (0x00DA) MOV DL (0xDA),0xE2 XOR EAX (0x00000000),0xBCCBE5AC MOV CL (0x00),0x35 JO 0x1E ;random read instruction DAS MOV DL (0xE2),0xD8 TEST AL (0xA6),0x7E STOSD AAM 0x0A CLI PUSH EBP (0x00000000) SUB DS:[EBP + 0x34] (0x00000034),BH (0x00) ;random write instruction ADC EAX (0xBCCBE5A6),0xBEADAB6A CALL [0x96954A89] (0x96954A89) INC EDI (0x00000001) ADC AL (0x10),0xB1 IN EAX (0x7B7991C1),DX (0x00D8) POP EBX (0x000000B1) DAA IN AL (0xC1),DX (0x00D8) STD XCHG EBX (0xBFFDAE44),EAX (0x7B7991C1) MOVSB ES:[DI] (0x00000002),BYTE DS:[SI] (0x00000000) ;random write instruction MOV DL (0xD8),0xDA RCR DS:[ESI - 0x46] (0xFFFFFFBA),CL (0x35) ;random write instruction INT 0x77 STD STI IN EAX (0xBFFDAE44),DX (0x00DA) MOV DL (0xDA),0xE2 XOR EAX (0xBFFDAE44),0xBCCBE5AC MOV CL (0x35),0x35 JO 0x1E ;random read instruction DAS MOV DL (0xE2),0xD8 TEST AL (0xE2),0x7E STOSD AAM 0x0A CLI PUSH EBP (0x00000000) SUB DS:[EBP + 0x34] (0x00000034),BH (0x91) ;random write instruction ADC EAX (0x03364BE2),0xBEADAB6A CALL [0x969549F8] (0x969549F8) Address 0x969549F8 references monitored buffer INC EDI (0x00000002) ADC AL (0x4C),0xB1 IN EAX (0xC1E3F7FD),DX (0x00D8) POP EBX (0x7B7991C1) DAA IN AL (0xFD),DX (0x00D8) STD XCHG EBX (0xBFFDAE76),EAX (0xC1E3F7FD) MOVSB ES:[DI] (0x00000003),BYTE DS:[SI] (0x00000000) ;random write instruction MOV DL (0xD8),0xDA RCR DS:[ESI - 0x46] (0xFFFFFFBA),CL (0x35) ;random write instruction INT 0x77 STD STI IN EAX (0xBFFDAE76),DX (0x00DA) MOV DL (0xDA),0xE2 XOR EAX (0xBFFDAE76),0xBCCBE5AC MOV CL (0x35),0x35 JO 0x1E ;random read instruction DAS MOV DL (0xE2),0xD8 TEST 
AL (0xD4),0x7E STOSD AAM 0x0A CLI PUSH EBP (0x00000000) SUB DS:[EBP + 0x34] (0x00000034),BH (0xF7) ;random write instruction ADC EAX (0x03364BD4),0xBEADAB6A CALL [0x96954901] (0x96954901) Address 0x96954901 references monitored buffer INC EDI (0x00000003) ADC AL (0x3E),0xB1 IN EAX (0xC1E3F7EF),DX (0x00D8) POP EBX (0xC1E3F7FD) DAA IN AL (0xEF),DX (0x00D8) STD XCHG EBX (0xBFFDAEA8),EAX (0xC1E3F7EF) MOVSB ES:[DI] (0x00000004),BYTE DS:[SI] (0x00000000) ;random write instruction MOV DL (0xD8),0xDA RCR DS:[ESI - 0x46] (0xFFFFFFBA),CL (0x35) ;random write instruction INT 0x77 STD