GIF file containing suspicious CPU instructions
Background
Quttera's Online Website Malware Scanner detected a suspicious image file. The heuristic layer of the scanner flagged this .gif file as malicious because it contains meaningful CPU instructions resembling a known shellcode decoder. The Malicious Content Detection System (PDF file), developed by Quttera, is the core technology used by all of its products and services, and this heuristic layer is one part of that multi-layered investigation system.
Website Malware Scanner report summary
Website malware scan report: http://goo.gl/UL7wm
Size of URL response content scanned: 20MBs
Infected files count: 1
Online Website Malware Scanner report
Malicious GIF file
Heuristic exploit detection engine report
- flip-up_sv1.gif is suspicious.
- Detection offset: 0
- Payload disassembly:
- INC EDI (0x00000000)
- DEC ECX (0x00000000)
- INC ESI (0x00000000)
- CMP DS:[ECX] (0xFFFFFFFF),BH (0x00) ==random read instruction
- POPAD
- POP EAX (0x00000000)
- ADD DL (0x00),DS:[ECX] (0xFFFFFFFF) ==random read instruction
- ADD EDI (0x00000001),ESP (0x08F6C637)
- INC DS:[EAX] (0x00000000)
- PUSH SS (0x0000)
- POP SS (0x0000)
- ADC AL (0x00),0x1B
- SBB EBX (0x00000000),DS:[ESI] (0x00000001) ==random read instruction
- SBB BL (0xB7),[EBX*0x1 + ECX] (0xC6C7B9B6) ==random read instruction
- AND DS:[EDX] (0x00000000),ESP (0x08F6C637)
- AND DS:[EDX] (0x00000000),ESP (0x08F6C637)
- AND ESI (0x00000001),[0x221D2624] (0x221D2624) ==random read instruction
- SUB EDX (0x00000000),DS:[EBX] (0xC6C7B9B7) ==random read instruction
- DAA
- SUB DS:[EAX] (0x0000001B),EBP (0x00000000) ==random write instruction
- DAS
- SUB EAX (0x00000015),0x31332F2D
- XOR CH (0xFF),DS:[EDX] (0x00000000)
- CMP DS:[ECX] (0xFFFFF8FF),DH (0x00) ==random read instruction
- SUB EDI (0x08F6C638),DS:[EAX] (0xCECCD0E8) ==random read instruction
- XOR DS:[ECX] (0xFFFFF8FF),EDI (0x08F6C638) ==random write instruction
- XOR EAX (0xCECCD0E8),0x36343335
- CMP DH (0x00),DS:[EDX] (0x00000000)
- SBB AL (0xDD),0x37
- CMP CL (0xFF),DS:[ECX + 0x38] (0xFFFFF937) ==random read instruction
- CMP EDX (0x00000000),DS:[EDI + 0x43] (0x08F6C67B) ==random read instruction
- CMP AL (0xA5),0x43
- INC EBX (0xC6C7B9B7)
- CMP EAX (0xF8F8E3A5),0x433E3F3D
- CMP EAX (0xF8F8E3A5),0x403B3D40
- INC EBX (0xC6C7B9B8)
- INC ESI (0x00000000)
- AAA
- INC EAX (0xF8F8E3A5)
- INC ECX (0xFFFFF8FF)
- CMP DS:[ESI] (0x00000001),BH (0xB9) ==random read instruction
- INC ESI (0x00000001)
- SUB EAX (0xF8F8E3A6),0x44474947
- DEC EDX (0x00000000)
- DEC ESP (0x08F6C637)
- DEC EAX (0xB4B19A5F)
- DEC EDX (0xFFFFFFFF)
- INC EDX (0xFFFFFFFE)
- INC EBP (0x00000000)
- DEC EDX (0xFFFFFFFF)
- PUSH ESP (0x08F6C636)
- DEC EBX (0xC6C7B9B9)
- DEC EBP (0x00000001)
- CMP EAX (0xB4B19A5E),0x52494B51
- DEC EDX (0xFFFFFFFE)
- PUSH ESP (0x08F6C632)
- DEC ESI (0x00000002)
- DEC ESP (0x08F6C62E)
- PUSH EAX (0xB4B19A5E)
- POP EBP (0x00000000)
- DEC EDX (0xFFFFFFFD)
- INC EAX (0xB4B19A5E)
- DEC EAX (0xB4B19A5F)
- DEC EBP (0xB4B19A5E)
- POPAD
- DEC ECX (0xFFFFF900)
- PUSH ECX (0xFFFFF8FF)
- POP EDX (0xFFFFFFFC)
- DEC EDI (0xF6C63200)
- PUSH ECX (0xFFFFF8FF)
- DEC ESP (0x08F6C631)
- DEC ESI (0xF6C63608)
- PUSH EAX (0xB4B19A5E)
- POP EBX (0xC6C7B9B8)
- DEC EDX (0xFFFFF8FF)
- PUSH EDX (0xFFFFF8FE)
- PUSH EBX (0xB4B19A5E)
- DEC ESP (0x08F6C628)
- PUSH EBP (0xB4B19A5D)
- XOR CL (0xFF),DS:[EAX + 0x5D] (0xB4B19ABB) ==random read instruction
- SUB DS:[ESI + 0x56] (0xF6C6365D),EDX (0xFFFFF8FE) ==random write instruction
- POP EDI (0xF6C631FF)
- PUSH ECX (0xFFFFF8FF)
- PUSH EDI (0xB4B19A5D)
- PUSH EAX (0xB4B19A5E)
- POP EAX (0xB4B19A5E)
- POP EDI (0xB4B19A5D)
- POP EAX (0xB4B19A5E)
- PUSH EDI (0xB4B19A5D)
- PUSH EBX (0xB4B19A5E)
- DEC EDI (0xB4B19A5D)
- POP EDX (0xFFFFF8FE)
- POP EBX (0xB4B19A5E)
- PUSH EDI (0xB4B19A5C)
- POP EBX (0xB4B19A5D)
- DEC ECX (0xFFFFF8FF)
- OUTS DX (0x9A5E),BYTE DS:[ESI] (0xF6C63607) ==random read instruction
- PUSH EBX (0xB4B19A5C)
- PUSH EBP (0xB4B19A5D)
- PUSH EBP (0xB4B19A5D)
- Investigation counters:
- REFERENCES_TO_PROCESS_INTERNALS 0
- REFERENCES_TO_PROCESS_IMPORTS 0
- REFERENCES_TO_PROCESS_EXPORTS 0
- CORRECTLY_PARSED_INSTRUCTIONS 100
- CORRECTLY_EXECUTED_INSTRUCTIONS 97
- UNRECOGNIZED_CALL_TARGETS 0
- UNDEFINED_DIRECT_CALLS 0
- UNRECOGNIZED_JUMP_TARGETS 0
- SYSTEM_CALLS_COUNT 0
- PROC_CALLS_INSIDE_INV_BUFFER 0
- JUMPS_INSIDE_INV_BUFFER 0
- JUMPS_TO_PROCESS_INTERNALS 0
- CALLS_TARGETED_IMPORTS_SECTION 0
- CALLS_TARGETED_EXPORTS_SECTION 0
- CORRECT_PROCEDURES_CALLS 0
- FAR_JUMPS_COUNT 0
- BUFFER_OUTSIDE_WRITES_COUNT 3
- BUFFER_INSIDE_WRITES_COUNT 0
- BUFFER_OUTSIDE_READS_COUNT 11
- BUFFER_INSIDE_READS_COUNT 0
- FULLY_INITIALIZED_INSTRUCTIONS 92
- CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS 25
- PROVIDED_ABSOLUTE_MEMORY_ADDRESSES 0
- INDIRECT_BUFFER_REFERENCES 19
- READS_FROM_PROCESS_STACK_MEMORY 12
- WRITES_TO_PROCESS_STACK_MEMORY 18
- EXECUTED_ARITHMETIC_INSTRUCTIONS 33
- EXECUTES_BITS_OPERATING_INSTRUCTIONS 0
- EIP_RETRIEVAL_INSTRUCTIONS 0
- IMMEDIATE_OPERANDS_INSTRUCTIONS 0
- MEMORY_MODIFYING_MATH_INSTRUCTIONS 0
- MAX_WRITTEN_MEMORY_BLOCK 0
Malware clean-up
Such malware often targets a specific security vulnerability in the attacked process or application. To make the final decision on whether a detection like this is a false positive or part of a working exploit, an in-depth investigation of all the website's files is required. If you suspect your site has been compromised in this way, sign up for Website Anti-malware Monitoring and receive a malware remediation assessment for these and other kinds of malware.
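One quick check for a hit at offset 0 of an image: the first five instructions in the listing above (INC EDI, DEC ECX, INC ESI, CMP DS:[ECX],BH, POPAD) are exactly what an x86 disassembler prints for the ASCII bytes "GIF89a". The added example below is not Quttera's code; it rebuilds the leading bytes from the report using the shortest encoding of each mnemonic (an assumption, since longer alternate encodings exist) and parses them as a GIF header, so a reviewer can see how much of the "shellcode" is just file structure before doing the full investigation the text calls for.

```python
"""Triage helper: rebuild the bytes behind a disassembly listing and parse
them as a GIF header.  Added example, not part of the Quttera report."""
import struct

# Constructed from the first nine instructions of the report, paired with the
# shortest x86 encoding of each.  ASSUMPTION: longer encodings exist (e.g.
# ADD EDI,ESP is 01 E7 or 03 FC), so these bytes are inferred, not read from
# the file; the signature bytes below are the ASCII of "GIF89a".
REPORT_PREFIX = [
    (b"\x47", "INC EDI"),               # 'G'
    (b"\x49", "DEC ECX"),               # 'I'
    (b"\x46", "INC ESI"),               # 'F'
    (b"\x38\x39", "CMP DS:[ECX],BH"),   # '8', '9'
    (b"\x61", "POPAD"),                 # 'a'
    (b"\x58", "POP EAX"),               # width, low byte
    (b"\x02\x11", "ADD DL,DS:[ECX]"),   # width high byte, height low byte
    (b"\x01\xE7", "ADD EDI,ESP"),       # height high byte, packed flags
    (b"\xFF\x00", "INC DS:[EAX]"),      # background index, aspect ratio
]

def reassemble(prefix=REPORT_PREFIX):
    """Concatenate the encodings back into the bytes the disassembler consumed."""
    return b"".join(code for code, _ in prefix)

def parse_gif_header(data):
    """Parse the 13-byte GIF header (signature + logical screen descriptor).
    Returns None when the signature is not GIF87a or GIF89a."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    width, height, packed, bg_index, aspect = struct.unpack("<HHBBB", data[6:13])
    return {
        "version": data[3:6].decode("ascii"),
        "width": width,
        "height": height,
        "global_color_table": bool(packed & 0x80),
        "color_resolution_bits": ((packed >> 4) & 0x07) + 1,
        "global_color_table_entries": 1 << ((packed & 0x07) + 1),
        "background_index": bg_index,
        "aspect_ratio_byte": aspect,
    }

def byte_to_mnemonic_table(prefix=REPORT_PREFIX):
    """Side-by-side view: hex bytes, their printable form, the x86 mnemonic."""
    return [(code.hex(), code.decode("latin-1"), mnem) for code, mnem in prefix]

if __name__ == "__main__":
    for hexbytes, text, mnem in byte_to_mnemonic_table():
        print(f"{hexbytes:<6} {text!r:<6} {mnem}")
    print(parse_gif_header(reassemble()))
```

The height and packed-field values depend on which encoding of ADD EDI,ESP the file actually used, so treat them as illustrative; the signature bytes do not have that ambiguity.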