Monday, March 18, 2013

Suspicious payload similar to a shellcode decoder detected in cats.org.cn/upload/lawer/1326334406.bmp

======== Payload investigation statistics ========
Suspicious payload offset: 0

Emulation attribute name                  Value
=======================================================
WRITES_TO_PROCESS_STACK_MEMORY            11
BUFFER_INSIDE_WRITES_COUNT                0
REFERENCES_TO_PROCESS_INTERNALS           0
BUFFER_OUTSIDE_WRITES_COUNT               0
FAR_JUMPS_COUNT                           0
FULLY_INITIALIZED_INSTRUCTIONS            94
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES        0
PROC_CALLS_INSIDE_INV_BUFFER              0
BUFFER_OUTSIDE_READS_COUNT                3
UNDEFINED_DIRECT_CALLS                    0
JUMPS_INSIDE_INV_BUFFER                   0
CORRECTLY_PARSED_INSTRUCTIONS             100
MEMORY_MODIFYING_MATH_INSTRUCTIONS        0
BUFFER_INSIDE_READS_COUNT                 0
SYSTEM_CALLS_COUNT                        0
UNRECOGNIZED_CALL_TARGETS                 0
REFERENCES_TO_PROCESS_IMPORTS             0
CORRECT_PROCEDURES_CALLS                  0
EIP_RETRIEVAL_INSTRUCTIONS                0
JUMPS_TO_PROCESS_INTERNALS                0
EXECUTED_ARITHMETIC_INSTRUCTIONS          39
CALLS_TARGETED_IMPORTS_SECTION            0
UNRECOGNIZED_JUMP_TARGETS                 0
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS       64
REFERENCES_TO_PROCESS_EXPORTS             0
EXECUTES_BITS_OPERATING_INSTRUCTIONS      0
IMMEDIATE_OPERANDS_INSTRUCTIONS           0
INDIRECT_BUFFER_REFERENCES                15
MAX_WRITTEN_MEMORY_BLOCK                  0
CORRECTLY_EXECUTED_INSTRUCTIONS           91
READS_FROM_PROCESS_STACK_MEMORY           13
CALLS_TARGETED_EXPORTS_SECTION            0
-------------------------------------------------------

How to read these numbers: a working shellcode decoder stub has to locate itself (EIP retrieval), write the decoded bytes back into its own buffer, and then jump into them; here EIP_RETRIEVAL_INSTRUCTIONS, BUFFER_INSIDE_WRITES_COUNT, MAX_WRITTEN_MEMORY_BLOCK, JUMPS_INSIDE_INV_BUFFER, SYSTEM_CALLS_COUNT and REFERENCES_TO_PROCESS_IMPORTS are all 0, and the emulated activity is almost entirely 64 consecutive single-byte INC/DEC/PUSH/POP instructions (opcodes 0x40–0x5F, i.e. the ASCII characters '@' through '_') plus the AAA/AAS/CMP/XOR forms that printable bytes also decode to. That profile is consistent with printable text being disassembled as code rather than with an executing decoder, so treat this as a heuristic hit to confirm against the raw bytes of the file (including whether the ".bmp" actually starts with a BMP header) before acting on it.

More about quttera investigation engine here


 ======== Detection disassembly ======== 

ADD DL (0x00),0x4B                                                              
CMP DS:[ESI + 0x4EAA774A] (0x4EAA774A),0x51379573                              ;random read instruction
BOUND EAX (0x00000000),DS:[EDX + 0x55] (0x000000A0),[0x000000A4] (0x000000A4)  ;random read instruction
POP EAX (0x00000000)                                                            
INC EBP (0x00000000)                                                            
PUSH EAX (0x00000000)                                                           
INC ESI (0x00000000)                                                            
INC ESI (0x00000001)                                                            
PUSH EAX (0x00000000)                                                           
AAS                                                                             
DEC EAX (0x0000FFFA)                                                            
PUSH ECX (0x00000000)                                                           
CMP EAX (0x0000FFF9),0x493D5347                                                 
PUSH ESP (0x08C0B523)                                                           
INC EAX (0x0000FFF9)                                                            
DEC ECX (0x00000000)                                                            
PUSH EBP (0x00000001)                                                           
INC ECX (0xFFFFFFFF)                                                            
DEC EDX (0x0000004B)                                                            
PUSH ESI (0x00000002)                                                           
INC ESP (0x08C0B517)                                                            
DEC EBX (0x00000000)                                                            
PUSH EDI (0x00000000)                                                           
INC EBP (0x00000001)                                                            
DEC ESP (0x08C0B514)                                                            
PUSH EDI (0x00000000)                                                           
INC EBX (0xFFFFFFFF)                                                            
DEC ESP (0x08C0B50F)                                                            
PUSH EDI (0x00000000)                                                           
INC EBX (0x00000000)                                                            
DEC ESP (0x08C0B50A)                                                            
POP EAX (0x0000FFFA)                                                            
INC ESI (0x00000002)                                                            
DEC ESI (0x00000003)                                                            
POP EDX (0x0000004A)                                                            
DEC EAX (0x00000000)                                                            
DEC EDI (0x00000000)                                                            
POP EBX (0x00000001)                                                            
DEC ECX (0x00000000)                                                            
DEC EBP (0x00000002)                                                            
POP ECX (0xFFFFFFFF)                                                            
INC EDI (0xFFFFFFFF)                                                            
DEC EDX (0x00000000)                                                            
PUSH ESI (0x00000002)                                                           
INC ESP (0x08C0B515)                                                            
DEC EDX (0xFFFFFFFF)                                                            
PUSH ESI (0x00000002)                                                           
INC ESP (0x08C0B512)                                                            
DEC EBP (0x00000001)                                                            
POP ECX (0x00000000)                                                            
INC EDI (0x00000000)                                                            
PUSH ECX (0x00000000)                                                           
POP EBP (0x00000000)                                                            
DEC EBX (0x00000000)                                                            
DEC ESI (0x00000002)                                                            
POP EDX (0xFFFFFFFE)                                                            
DEC EAX (0xFFFFFFFF)                                                            
PUSH EAX (0xFFFFFFFE)                                                           
POP ESP (0x08C0B517)                                                            
DEC EDX (0x00000000)                                                            
PUSH EAX (0xFFFFFFFE)                                                           
POP ESP (0xFFFFFFFE)                                                            
DEC EDX (0xFFFFFFFF)                                                            
DEC ESI (0x00000001)                                                            
POP EDX (0xFFFFFFFE)                                                            
DEC EAX (0xFFFFFFFE)                                                            
DEC ESI (0x00000000)                                                            
POP EDX (0x00000000)                                                            
DEC EAX (0xFFFFFFFD)                                                            
DEC EBP (0x00000000)                                                            
POP ECX (0x00000000)                                                            
INC EDI (0x00000001)                                                            
DEC EAX (0xFFFFFFFC)                                                            
PUSH ESP (0x00000000)                                                           
INC EDX (0x00000000)                                                            
INC ECX (0x00000000)                                                            
DEC EBP (0xFFFFFFFF)                                                            
CMP EDI (0x00000002),[0x473B3749] (0x473B3749)                                 ;random read instruction
XOR EAX (0xFFFFFFFB),0x3D35473B                                                 
DEC ECX (0x00000001)                                                            
AAA                                                                             
INC EDX (0x00000001)                                                            
DEC ESI (0xFFFFFFFF)                                                            
CMP AL (0xC0),0x46                                                              
PUSH EDX (0x00000002)                                                           
INC EAX (0xC2CAB8C0)                                                            
DEC EAX (0xC2CAB8C1)                                                            
PUSH ESP (0x00000000)                                                           
INC EDX (0x00000002)                                                            
DEC ECX (0x00000000)                                                            
PUSH EBP (0xFFFFFFFE)                                                           
INC EBX (0xFFFFFFFF)                                                            
INC ESI (0xFFFFFFFE)                                                            
PUSH EDX (0x00000003)                                                           
INC EAX (0xC2CAB8C0)                                                            
INC EDI (0x00000002)                                                            
PUSH EBX (0x00000000)                                                           
INC ECX (0xFFFFFFFF)                                                            
DEC ECX (0x00000000)                                                            
PUSH EBP (0xFFFFFFFE)