======== Payload investigation statistics ======== Suspicios payload offset: 0 Emulation attribute name Value ======================================================= WRITES_TO_PROCESS_STACK_MEMORY 11 ------------------------------------------------------- BUFFER_INSIDE_WRITES_COUNT 0 ------------------------------------------------------- REFERENCES_TO_PROCESS_INTERNALS 0 ------------------------------------------------------- BUFFER_OUTSIDE_WRITES_COUNT 0 ------------------------------------------------------- FAR_JUMPS_COUNT 0 ------------------------------------------------------- FULLY_INITIALIZED_INSTRUCTIONS 94 ------------------------------------------------------- PROVIDED_ABSOLUTE_MEMORY_ADDRESSES 0 ------------------------------------------------------- PROC_CALLS_INSIDE_INV_BUFFER 0 ------------------------------------------------------- BUFFER_OUTSIDE_READS_COUNT 3 ------------------------------------------------------- UNDEFINED_DIRECT_CALLS 0 ------------------------------------------------------- JUMPS_INSIDE_INV_BUFFER 0 ------------------------------------------------------- CORRECTLY_PARSED_INSTRUCTIONS 100 ------------------------------------------------------- MEMORY_MODIFYING_MATH_INSTRUCTIONS 0 ------------------------------------------------------- BUFFER_INSIDE_READS_COUNT 0 ------------------------------------------------------- SYSTEM_CALLS_COUNT 0 ------------------------------------------------------- UNRECOGNIZED_CALL_TARGETS 0 ------------------------------------------------------- REFERENCES_TO_PROCESS_IMPORTS 0 ------------------------------------------------------- CORRECT_PROCEDURES_CALLS 0 ------------------------------------------------------- EIP_RETRIEVAL_INSTRUCTIONS 0 ------------------------------------------------------- JUMPS_TO_PROCESS_INTERNALS 0 ------------------------------------------------------- EXECUTED_ARITHMETIC_INSTRUCTIONS 39 ------------------------------------------------------- CALLS_TARGETED_IMPORTS_SECTION 0 ------------------------------------------------------- UNRECOGNIZED_JUMP_TARGETS 0 ------------------------------------------------------- CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS 64 ------------------------------------------------------- REFERENCES_TO_PROCESS_EXPORTS 0 ------------------------------------------------------- EXECUTES_BITS_OPERATING_INSTRUCTIONS 0 ------------------------------------------------------- IMMEDIATE_OPERANDS_INSTRUCTIONS 0 ------------------------------------------------------- INDIRECT_BUFFER_REFERENCES 15 ------------------------------------------------------- MAX_WRITTEN_MEMORY_BLOCK 0 ------------------------------------------------------- CORRECTLY_EXECUTED_INSTRUCTIONS 91 ------------------------------------------------------- READS_FROM_PROCESS_STACK_MEMORY 13 ------------------------------------------------------- CALLS_TARGETED_EXPORTS_SECTION 0 ------------------------------------------------------- More about quttera investigation engine here
======== Detection disassembly ======== ADD DL (0x00),0x4B CMP DS:[ESI + 0x4EAA774A] (0x4EAA774A),0x51379573 ;random read instruction BOUND EAX (0x00000000),DS:[EDX + 0x55] (0x000000A0),[0x000000A4] (0x000000A4) ;random read instruction POP EAX (0x00000000) INC EBP (0x00000000) PUSH EAX (0x00000000) INC ESI (0x00000000) INC ESI (0x00000001) PUSH EAX (0x00000000) AAS DEC EAX (0x0000FFFA) PUSH ECX (0x00000000) CMP EAX (0x0000FFF9),0x493D5347 PUSH ESP (0x08C0B523) INC EAX (0x0000FFF9) DEC ECX (0x00000000) PUSH EBP (0x00000001) INC ECX (0xFFFFFFFF) DEC EDX (0x0000004B) PUSH ESI (0x00000002) INC ESP (0x08C0B517) DEC EBX (0x00000000) PUSH EDI (0x00000000) INC EBP (0x00000001) DEC ESP (0x08C0B514) PUSH EDI (0x00000000) INC EBX (0xFFFFFFFF) DEC ESP (0x08C0B50F) PUSH EDI (0x00000000) INC EBX (0x00000000) DEC ESP (0x08C0B50A) POP EAX (0x0000FFFA) INC ESI (0x00000002) DEC ESI (0x00000003) POP EDX (0x0000004A) DEC EAX (0x00000000) DEC EDI (0x00000000) POP EBX (0x00000001) DEC ECX (0x00000000) DEC EBP (0x00000002) POP ECX (0xFFFFFFFF) INC EDI (0xFFFFFFFF) DEC EDX (0x00000000) PUSH ESI (0x00000002) INC ESP (0x08C0B515) DEC EDX (0xFFFFFFFF) PUSH ESI (0x00000002) INC ESP (0x08C0B512) DEC EBP (0x00000001) POP ECX (0x00000000) INC EDI (0x00000000) PUSH ECX (0x00000000) POP EBP (0x00000000) DEC EBX (0x00000000) DEC ESI (0x00000002) POP EDX (0xFFFFFFFE) DEC EAX (0xFFFFFFFF) PUSH EAX (0xFFFFFFFE) POP ESP (0x08C0B517) DEC EDX (0x00000000) PUSH EAX (0xFFFFFFFE) POP ESP (0xFFFFFFFE) DEC EDX (0xFFFFFFFF) DEC ESI (0x00000001) POP EDX (0xFFFFFFFE) DEC EAX (0xFFFFFFFE) DEC ESI (0x00000000) POP EDX (0x00000000) DEC EAX (0xFFFFFFFD) DEC EBP (0x00000000) POP ECX (0x00000000) INC EDI (0x00000001) DEC EAX (0xFFFFFFFC) PUSH ESP (0x00000000) INC EDX (0x00000000) INC ECX (0x00000000) DEC EBP (0xFFFFFFFF) CMP EDI (0x00000002),[0x473B3749] (0x473B3749) ;random read instruction XOR EAX (0xFFFFFFFB),0x3D35473B DEC ECX (0x00000001) AAA INC EDX (0x00000001) DEC ESI (0xFFFFFFFF) CMP AL (0xC0),0x46 PUSH EDX (0x00000002) INC EAX (0xC2CAB8C0) DEC EAX (0xC2CAB8C1) PUSH ESP (0x00000000) INC EDX (0x00000002) DEC ECX (0x00000000) PUSH EBP (0xFFFFFFFE) INC EBX (0xFFFFFFFF) INC ESI (0xFFFFFFFE) PUSH EDX (0x00000003) INC EAX (0xC2CAB8C0) INC EDI (0x00000002) PUSH EBX (0x00000000) INC ECX (0xFFFFFFFF) DEC ECX (0x00000000) PUSH EBP (0xFFFFFFFE)
No comments:
Post a Comment