Monday, March 18, 2013

Suspicious shellcode-decoder payload detected in http://cyborggaming.com/imgs/rat9_left.png (a PNG image; note that compressed image data can be decoded as plausible-looking x86 instructions, so this heuristic hit should be confirmed by inspecting the bytes at the reported offset before the file is treated as malicious).

Quttera investigation engine statistics of the detected payload

Offset of the detected payload: 67932

Payload emulation counters:

WRITES_TO_PROCESS_STACK_MEMORY: 0
BUFFER_INSIDE_WRITES_COUNT: 0
REFERENCES_TO_PROCESS_INTERNALS: 2
BUFFER_OUTSIDE_WRITES_COUNT: 7
FAR_JUMPS_COUNT: 0
FULLY_INITIALIZED_INSTRUCTIONS: 73
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES: 6
PROC_CALLS_INSIDE_INV_BUFFER: 0
BUFFER_OUTSIDE_READS_COUNT: 3
UNDEFINED_DIRECT_CALLS: 0
JUMPS_INSIDE_INV_BUFFER: 0
CORRECTLY_PARSED_INSTRUCTIONS: 100
MEMORY_MODIFYING_MATH_INSTRUCTIONS: 0
BUFFER_INSIDE_READS_COUNT: 0
SYSTEM_CALLS_COUNT: 0
UNRECOGNIZED_CALL_TARGETS: 3
REFERENCES_TO_PROCESS_IMPORTS: 0
CORRECT_PROCEDURES_CALLS: 0
EIP_RETRIEVAL_INSTRUCTIONS: 0
JUMPS_TO_PROCESS_INTERNALS: 0
EXECUTED_ARITHMETIC_INSTRUCTIONS: 17
CALLS_TARGETED_IMPORTS_SECTION: 0
UNRECOGNIZED_JUMP_TARGETS: 0
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS: 4
REFERENCES_TO_PROCESS_EXPORTS: 0
EXECUTES_BITS_OPERATING_INSTRUCTIONS: 0
IMMEDIATE_OPERANDS_INSTRUCTIONS: 0
INDIRECT_BUFFER_REFERENCES: 1
MAX_WRITTEN_MEMORY_BLOCK: 0
CORRECTLY_EXECUTED_INSTRUCTIONS: 76
READS_FROM_PROCESS_STACK_MEMORY: 4
CALLS_TARGETED_EXPORTS_SECTION: 0

Reading the counters: the trace makes no system calls, resolves no process imports or exports, and contains no EIP-retrieval instruction (the usual call/pop or FPU-state trick real shellcode uses to locate itself). The only hits are writes to non-buffer memory and three calls to unrecognised targets. On their own these numbers do not establish a working payload; they describe a byte sequence that decodes cleanly as x86 and happens to touch memory.

Read more about the Quttera investigation engine here.

Detection disassembly (emulator trace; the value in parentheses after each operand is the register or memory content at the time the instruction was executed):

Caveats for anyone reading the trace below: the same run of instructions, from the FSUB through the far CALL to d546:e85cd384, is replayed several times with only small register changes, and the far CALL target is never resolved (matching the three unrecognised call targets counted above). The sequence also contains OUT, INS and CLI, which are privileged on x86 and would fault immediately in a user-mode process, plus an INTO that is meaningless outside an overflow-checking context. Real shellcode does not survive those instructions; this pattern is more consistent with compressed image data being interpreted as code. Treat the detection as a lead to verify by hand, not as proof that the PNG carries an exploit.

FSUB DS:[EDI + 0x61] (0x00000061)
ADC BL (0x00),CL (0x00)
INC ESP (0x09A1752F)
POP ESI (0x00000000)
SUB DS:[EAX - 0x9BC1031] (0xF643EFCF),ESI (0x00000000) ;random write instruction
LODSD
DEC EDX (0x00000000)
OUT DX (0xFFFF),AL (0xDC)
XCHG EDX (0xFFFFFFFF),EAX (0x676167DC)
OR EAX (0xFFFFFFFF),0xF4D87CCA
MOVSD ES:[EDI] (0x00000000),DWORD DS:[ESI] (0x00000004) ;random read instruction
DEC ECX (0x00000000)
ADC DH (0x67),DH (0x67)
SUB FS:[EBX + 0x69] (0x09A4A8B9),BH (0x00)
ADC BL (0x00),DS:[EDX - 0x64] (0x6761CE78) ;random read instruction
INS ES:[EDI] (0x00000000),DX (0xCEDC)
MOV ECX (0xFFFFFFFF),0xC9C52BF1
SBB DS:[EBP - 0x74] (0xFFFFFF8C),DH (0xCE) ;random write instruction
XLAT
SBB [0x5AAF83E9] (0x5AAF83E9),EDI (0x00000000) ;random write instruction
PUSH EDI (0x00000000)
CLI
OUT 0xC6,AL (0xFF)
SUB EBX (0x00000000),DS:[ECX + 0x4A] (0xC9C52C3B) ;random read instruction
MOV BH (0x00),0x1D
CMC
INTO
CALL d546:e85cd384 (0xFD5ED384)
FSUB DS:[EDI + 0x61] (0x00000061)
ADC BL (0x00),CL (0xF1)
INC ESP (0x09A17530)
POP ESI (0x00000004)
SUB DS:[EAX - 0x9BC1031] (0xF643EFCE),ESI (0x00000000) ;random write instruction
LODSD
DEC EDX (0x6761CEDC)
OUT DX (0xCEDB),AL (0xDC)
XCHG EDX (0x6761CEDB),EAX (0x676167DC)
OR EAX (0x6761CEDB),0xF4D87CCA
MOVSD ES:[EDI] (0x00000000),DWORD DS:[ESI] (0x00000004) ;random read instruction
DEC ECX (0xC9C52BF1)
ADC DH (0x67),DH (0x67)
SUB FS:[EBX + 0x69] (0x09A4C6AA),BH (0x1D)
ADC BL (0xF1),DS:[EDX - 0x64] (0x6761CE78) ;random read instruction
INS ES:[EDI] (0x00000000),DX (0xCEDC)
MOV ECX (0xC9C52BF0),0xC9C52BF1
SBB DS:[EBP - 0x74] (0xFFFFFF8C),DH (0xCE) ;random write instruction
XLAT
SBB [0x5AAF83E9] (0x5AAF83E9),EDI (0x00000000) ;random write instruction
PUSH EDI (0x00000000)
CLI
OUT 0xC6,AL (0xDB)
SUB EBX (0x00001DF1),DS:[ECX + 0x4A] (0xC9C52C3B) ;random read instruction
MOV BH (0x1D),0x1D
CMC
INTO
CALL d546:e85cd384 (0xFD5ED384)
FSUB DS:[EDI + 0x61] (0x00000061)
ADC BL (0xF1),CL (0xF1)
INC ESP (0x09A17531)
POP ESI (0x00000004)
SUB DS:[EAX - 0x9BC1031] (0xEE3DEEAA),ESI (0x00000000) ;random write instruction
LODSD
DEC EDX (0x6761CEDC)
OUT DX (0xCEDB),AL (0xDC)
XCHG EDX (0x6761CEDB),EAX (0x676167DC)
OR EAX (0x6761CEDB),0xF4D87CCA
MOVSD ES:[EDI] (0x00000000),DWORD DS:[ESI] (0x00000004) ;random read instruction
DEC ECX (0xC9C52BF1)
ADC DH (0x67),DH (0x67)
SUB FS:[EBX + 0x69] (0x09A4C69B),BH (0x1D) ; Address 0x09A4C69B is process internal [suspicious memory write instruction]
ADC BL (0xE2),DS:[EDX - 0x64] (0x6761CE78) ;random read instruction
INS ES:[EDI] (0x00000000),DX (0xCEDC)
MOV ECX (0xC9C52BF0),0xC9C52BF1
SBB DS:[EBP - 0x74] (0xFFFFFF8C),DH (0xCE) ;random write instruction
XLAT
SBB [0x5AAF83E9] (0x5AAF83E9),EDI (0x00000000) ;random write instruction
PUSH EDI (0x00000000)
CLI
OUT 0xC6,AL (0xDB)
SUB EBX (0x00001DE2),DS:[ECX + 0x4A] (0xC9C52C3B) ;random read instruction
MOV BH (0x1D),0x1D
CMC
INTO
CALL d546:e85cd384 (0xFD5ED384)
FSUB DS:[EDI + 0x61] (0x00000061)
ADC BL (0xE2),CL (0xF1)
INC ESP (0x09A17532)
POP ESI (0x00000004)
SUB DS:[EAX - 0x9BC1031] (0xEE3DEEAA),ESI (0x00000000) ;random write instruction
LODSD
DEC EDX (0x6761CEDC)
OUT DX (0xCEDB),AL (0xDC)
XCHG EDX (0x6761CEDB),EAX (0x676167DC)
OR EAX (0x6761CEDB),0xF4D87CCA
MOVSD ES:[EDI] (0x00000000),DWORD DS:[ESI] (0x00000004) ;random read instruction
DEC ECX (0xC9C52BF1)
ADC DH (0x67),DH (0x67)
SUB FS:[EBX + 0x69] (0x09A4C68C),BH (0x1D) ; Address 0x09A4C68C is process internal [suspicious memory write instruction]
ADC BL (0xD3),DS:[EDX - 0x64] (0x6761CE78) ;random read instruction
INS ES:[EDI] (0x00000000),DX (0xCEDC)