A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #29137  by flrud2208
 Tue Aug 30, 2016 12:33 am
Thanks, this will help in further analysing and detecting the malware.
 #29158  by oilen
 Thu Sep 01, 2016 1:06 am
Attacks all three major vendors. Packed with UPX. Connects directly to XFS services using CDM (cash dispenser), PIN (keypad) and IDC (card reader). Erases a lot of vendor-specific logs. Kills main application processes before executing any dispense, in an attempt to hide its presence for longer. Can stop the network in order to avoid uplink notification of the dispense for the monitored machines.

Regards,
JD
 #29168  by sadfud
 Fri Sep 02, 2016 1:22 pm
Unpacked sample. Additional protection detected: IsDebuggerPresent

YARA Rule:
rule Ripper_ATM
{
    meta:
        Description = "RIPPER ATM MALWARE"
        Author = "SadFud"
        Date = "02/09/2016"
        Hash = "cc85e8ca86c787a1c031e67242e23f4ef503840739f9cdc7e18a48e4a6773b38"
        // YARA meta identifiers cannot contain spaces, so "VT Scan" is written as VT_Scan
        VT_Scan = "https://www.virustotal.com/es/file/cc85e8ca86c787a1c031e67242e23f4ef503840739f9cdc7e18a48e4a6773b38/analysis/"

    strings:
        // Hex pattern decodes to the ASCII string "kernyv@jabbim.com"
        $a = { 6b 65 72 6e 79 76 40 6a 61 62 62 69 6d 2e 63 6f 6d }

    condition:
        $a
}
Attachments
pass : infected