======== Payload investigation statistics ======== Suspicios payload offset: 689310 Emulation attribute name Value ======================================================= WRITES_TO_PROCESS_STACK_MEMORY 16 ------------------------------------------------------- BUFFER_INSIDE_WRITES_COUNT 0 ------------------------------------------------------- REFERENCES_TO_PROCESS_INTERNALS 0 ------------------------------------------------------- BUFFER_OUTSIDE_WRITES_COUNT 6 ------------------------------------------------------- FAR_JUMPS_COUNT 0 ------------------------------------------------------- FULLY_INITIALIZED_INSTRUCTIONS 95 ------------------------------------------------------- PROVIDED_ABSOLUTE_MEMORY_ADDRESSES 0 ------------------------------------------------------- PROC_CALLS_INSIDE_INV_BUFFER 0 ------------------------------------------------------- BUFFER_OUTSIDE_READS_COUNT 1 ------------------------------------------------------- UNDEFINED_DIRECT_CALLS 0 ------------------------------------------------------- JUMPS_INSIDE_INV_BUFFER 0 ------------------------------------------------------- CORRECTLY_PARSED_INSTRUCTIONS 100 ------------------------------------------------------- MEMORY_MODIFYING_MATH_INSTRUCTIONS 0 ------------------------------------------------------- BUFFER_INSIDE_READS_COUNT 0 ------------------------------------------------------- SYSTEM_CALLS_COUNT 0 ------------------------------------------------------- UNRECOGNIZED_CALL_TARGETS 0 ------------------------------------------------------- REFERENCES_TO_PROCESS_IMPORTS 0 ------------------------------------------------------- CORRECT_PROCEDURES_CALLS 0 ------------------------------------------------------- EIP_RETRIEVAL_INSTRUCTIONS 0 ------------------------------------------------------- JUMPS_TO_PROCESS_INTERNALS 0 ------------------------------------------------------- EXECUTED_ARITHMETIC_INSTRUCTIONS 42 ------------------------------------------------------- CALLS_TARGETED_IMPORTS_SECTION 0 ------------------------------------------------------- UNRECOGNIZED_JUMP_TARGETS 0 ------------------------------------------------------- CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS 19 ------------------------------------------------------- REFERENCES_TO_PROCESS_EXPORTS 0 ------------------------------------------------------- EXECUTES_BITS_OPERATING_INSTRUCTIONS 0 ------------------------------------------------------- IMMEDIATE_OPERANDS_INSTRUCTIONS 0 ------------------------------------------------------- INDIRECT_BUFFER_REFERENCES 37 ------------------------------------------------------- MAX_WRITTEN_MEMORY_BLOCK 0 ------------------------------------------------------- CORRECTLY_EXECUTED_INSTRUCTIONS 97 ------------------------------------------------------- READS_FROM_PROCESS_STACK_MEMORY 16 ------------------------------------------------------- CALLS_TARGETED_EXPORTS_SECTION 0 ------------------------------------------------------- More about quttera investigation engine here
======== Detection disassembly ======== PUSH EBX (0x00000000) INC EBP (0x00000000) INC EBX (0x00000000) DEC EDI (0x00000000) DEC ESI (0x00000000) INC ESP (0x08C7D52B) INC ECX (0x00000000) PUSH EDX (0x00000000) POP ECX (0x00000001) POP EDI (0xFFFFFFFF) INC ECX (0x00000000) INC EBX (0x00000001) INC EBX (0x00000002) DEC EDI (0x00000000) PUSH EBP (0x00000001) DEC ESI (0xFFFFFFFF) PUSH ESP (0x08C7D530) PUSH EBX (0x00000003) POP EDI (0xFFFFFFFF) XOR AH (0x00),DS:[EDX] (0x00000000) MOV DH (0x00),0x00 OR DS:[EAX] (0x00005300),EAX (0x00005300) ;random write instruction INC EDX (0x00000000) INC ECX (0x00000001) DEC ESP (0x08C7D530) INC ECX (0x00000002) DEC ESI (0xFFFFFFFE) INC EBX (0x00000003) INC EBP (0x00000001) POP EDI (0x00000000) XOR EAX (0x00005300),DS:[EAX] (0x00005300) ;random read instruction MOV DH (0x00),0x00 OR DS:[EAX] (0x00005300),AL (0x00) ;random write instruction DEC ECX (0x00000003) DEC ESI (0xFFFFFFFD) INC EBX (0x00000004) DEC EDI (0x00000000) DEC EBP (0x00000002) INC EBP (0x00000001) POP EDI (0xFFFFFFFF) XOR AL (0x00),0xB6 ADD [EAX*0x1 + EAX] (0x0000A76C),CL (0x02) ;random write instruction [suspicious memory write instruction] INC ECX (0x00000002) PUSH EBX (0x00000005) PUSH EBX (0x00000005) INC EBP (0x00000002) PUSH ESP (0x08C7D527) POP EDI (0x00000000) INC ESP (0x08C7D527) PUSH ESP (0x08C7D528) DEC ESP (0x08C7D524) POP EDI (0x08C7D527) XOR EAX (0x000053B6),0x1000B661 ADD [ECX + 0x41 + ECX * 0x2] (0x0000004A),CL (0x03) ;random write instruction [suspicious memory write instruction] INC EDX (0x00000001) DEC ECX (0x00000003) DEC ESP (0x08C7D527) DEC ESP (0x08C7D526) PUSH ESP (0x08C7D525) POP ECX (0x00000002) POP EDI (0xC7D52827) INC ESP (0x08C7D529) PUSH ESP (0x08C7D52A) DEC ESP (0x08C7D526) POP EDI (0x0008C7D5) XOR EAX (0x1000E5D7),0x0F00B662 ADD DS:[ECX + 0x4E] (0x08C7D573),CL (0x25) ;random write instruction [suspicious memory write instruction] PUSH ESI (0xFFFFFFFC) INC EBP (0x00000003) DEC ESI (0xFFFFFFFC) PUSH ESP (0x08C7D525) DEC EDI (0xC7D52AD5) PUSH EDX (0x00000002) POP ECX (0x08C7D525) POP EDI (0xC7D52AD4) INC ESP (0x08C7D525) PUSH ESP (0x08C7D526) DEC ESP (0x08C7D522) POP EDI (0x08C7D525) ADD SS:[ESI + 0x52001300] (0x520012FB),DH (0x00) ;random write instruction INC EBP (0x00000004) INC EDI (0xC7D52625) INC ECX (0x00000002) DEC ESP (0x08C7D525) DEC ECX (0x00000003) INC ECX (0x00000002) POP EDI (0xC7D52626) PUSH EBX (0x00000005) INC ECX (0x00000003) DEC ESP (0x08C7D524) INC EBP (0x00000005) PUSH EBX (0x00000005) POP EDI (0xFFFF08C7) INC ESP (0x08C7D523) PUSH ESP (0x08C7D524) DEC ESP (0x08C7D520) POP EDI (0x00000005) AAA ADD DS:[ESI + 0x44000A00] (0x440009FB),DH (0x00) ;random write instruction INC EBP (0x00000006)
No comments:
Post a Comment