Monday, March 18, 2013

Suspicious payload similar to shellcode detected in ahunion.org/Pic/huzhu/20127410241.gif

======== Payload investigation statistics ========

Suspicious payload offset: 0

Emulation attribute name                Value
=======================================================
WRITES_TO_PROCESS_STACK_MEMORY          24
BUFFER_INSIDE_WRITES_COUNT              0
REFERENCES_TO_PROCESS_INTERNALS         0
BUFFER_OUTSIDE_WRITES_COUNT             0
FAR_JUMPS_COUNT                         0
FULLY_INITIALIZED_INSTRUCTIONS          91
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES      0
PROC_CALLS_INSIDE_INV_BUFFER            0
BUFFER_OUTSIDE_READS_COUNT              0
UNDEFINED_DIRECT_CALLS                  0
JUMPS_INSIDE_INV_BUFFER                 0
CORRECTLY_PARSED_INSTRUCTIONS           100
MEMORY_MODIFYING_MATH_INSTRUCTIONS      0
BUFFER_INSIDE_READS_COUNT               0
SYSTEM_CALLS_COUNT                      0
UNRECOGNIZED_CALL_TARGETS               0
REFERENCES_TO_PROCESS_IMPORTS           0
CORRECT_PROCEDURES_CALLS                0
EIP_RETRIEVAL_INSTRUCTIONS              0
JUMPS_TO_PROCESS_INTERNALS              0
EXECUTED_ARITHMETIC_INSTRUCTIONS        36
CALLS_TARGETED_IMPORTS_SECTION          0
UNRECOGNIZED_JUMP_TARGETS               0
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS     100
REFERENCES_TO_PROCESS_EXPORTS           0
EXECUTES_BITS_OPERATING_INSTRUCTIONS    0
IMMEDIATE_OPERANDS_INSTRUCTIONS         0
INDIRECT_BUFFER_REFERENCES              28
MAX_WRITTEN_MEMORY_BLOCK                0
CORRECTLY_EXECUTED_INSTRUCTIONS         100
READS_FROM_PROCESS_STACK_MEMORY         13
CALLS_TARGETED_EXPORTS_SECTION          0
=======================================================

More about the Quttera investigation engine here.


======== Detection disassembly ========

INC EDI (0x00000000)   
DEC EBX (0x00000000)   
PUSH EAX (0x00000000)  
INC EDI (0x00000001)   
DEC EBX (0xFFFFFFFF)   
PUSH EAX (0x00000000)  
INC EDI (0x00000002)   
DEC ESP (0x09C24527)   
PUSH EAX (0x00000000)  
INC EDI (0x00000003)   
DEC ESP (0x09C24522)   
PUSH EAX (0x00000000)  
INC EDI (0x00000004)   
DEC ESP (0x09C2451D)   
PUSH EAX (0x00000000)  
INC EDI (0x00000005)   
DEC ESP (0x09C24518)   
PUSH EAX (0x00000000)  
INC EDI (0x00000006)   
DEC ESP (0x09C24513)   
PUSH EAX (0x00000000)  
INC EDI (0x00000007)   
DEC EBP (0x00000000)   
PUSH ECX (0x00000000)  
DEC EAX (0x00000000)   
DEC ESI (0x00000000)   
PUSH EDX (0x00000000)  
DEC EAX (0xFFFFFFFF)   
DEC EDI (0x00000008)   
PUSH EBX (0xFFFFFFFE)  
DEC EAX (0xFFFFFFFE)   
DEC EDI (0x00000007)   
PUSH ESP (0x09C24502)  
DEC EAX (0xFFFFFFFD)   
DEC EDI (0x00000006)   
PUSH ESP (0x09C244FE)  
DEC EAX (0xFFFFFFFC)   
DEC EDI (0x00000005)   
PUSH ESP (0x09C244FA)  
DEC EAX (0xFFFFFFFB)   
DEC EDI (0x00000004)   
PUSH ESP (0x09C244F6)  
DEC EAX (0xFFFFFFFA)   
DEC EDI (0x00000003)   
PUSH ESP (0x09C244F2)  
DEC EAX (0xFFFFFFF9)   
PUSH EAX (0xFFFFFFF8)  
PUSH EBP (0xFFFFFFFF)  
DEC EAX (0xFFFFFFF8)   
PUSH EAX (0xFFFFFFF7)  
PUSH EBP (0xFFFFFFFF)  
DEC EAX (0xFFFFFFF7)   
PUSH EAX (0xFFFFFFF6)  
PUSH EBP (0xFFFFFFFF)  
DEC EAX (0xFFFFFFF6)   
PUSH EAX (0xFFFFFFF5)  
PUSH EBP (0xFFFFFFFF)  
DEC EAX (0xFFFFFFF5)   
PUSH EAX (0xFFFFFFF4)  
PUSH EBP (0xFFFFFFFF)  
DEC EAX (0xFFFFFFF4)   
PUSH EAX (0xFFFFFFF3)  
PUSH EBP (0xFFFFFFFF)  
DEC ECX (0x00000000)   
PUSH EAX (0xFFFFFFF3)  
PUSH EBP (0xFFFFFFFF)  
DEC EDX (0x00000000)   
PUSH ECX (0xFFFFFFFF)  
PUSH ESI (0xFFFFFFFF)  
DEC EBX (0xFFFFFFFE)   
PUSH EBX (0xFFFFFFFD)  
PUSH EDI (0x00000002)  
DEC EBP (0xFFFFFFFF)   
PUSH ESP (0x09C244A6)  
POP EAX (0xFFFFFFF3)   
DEC ESI (0xFFFFFFFF)   
PUSH EBP (0xFFFFFFFE)  
POP ECX (0xFFFFFFFF)   
DEC EDI (0x00000002)   
PUSH EBP (0xFFFFFFFE)  
POP ECX (0xFFFFFFFE)   
DEC EDI (0x00000001)   
PUSH ESI (0xFFFFFFFE)  
POP EDX (0xFFFFFFFF)   
PUSH EAX (0x09C244A6)  
PUSH EDI (0x00000000)  
POP EBX (0xFFFFFFFD)   
PUSH EAX (0x09C244A6)  
POP EAX (0x09C244A6)   
POP ESP (0x09C244A2)   
PUSH ECX (0xFFFFFFFE)  
POP ECX (0xFFFFFFFE)   
POP EBP (0xFFFFFFFE)   
PUSH EDX (0xFFFFFFFE)  
POP ECX (0xFFFFFFFE)   
POP EBP (0x00000002)   
PUSH EBX (0x00000000)  
POP EDX (0xFFFFFFFE)   
POP ESI (0xFFFFFFFE)   
PUSH EBP (0xFFFFFFFD)  
