A forum for reverse engineering, OS internals and malware analysis 

RIPPER ATM

Forum for analysis and discussion about malware.

Re: RIPPER ATM

 #29137  by flrud2208
 Tue Aug 30, 2016 12:33 am
Thanks this will help in further analysing and detection of the malware.

Re: RIPPER ATM

 #29158  by oilen
 Thu Sep 01, 2016 1:06 am
Attacks all three major vendors. Packed with UPX. Connects directly to XFS services using CDM (cash dispenser) ,PIN(Keypad) and IDC(card reader). Erases a lot of vendor specific logs. Kills main application processes before executing any dispense, in an attempt to hide it's presence for longer.Can stop network in order to avoid uplink notification of dispense for the monitored machines.

Regards,
JD

Re: RIPPER ATM

 #29168  by sadfud
 Fri Sep 02, 2016 1:22 pm
Unpacked sample. Additional protection detected: IsDebuggerPresent

YARA Rule:
Code: Select all
rule Ripper_ATM
{
    meta:
    Description = "RIPPER ATM MALWARE"
    Author = "SadFud"
    Date = "02/09/2016"
    Hash = "cc85e8ca86c787a1c031e67242e23f4ef503840739f9cdc7e18a48e4a6773b38"
    VT Scan = "https://www.virustotal.com/es/file/cc85e8ca86c787a1c031e67242e23f4ef503840739f9cdc7e18a48e4a6773b38/analysis/"
    
    strings:
    $a = { 6b 65 72 6e 79 76 40 6a 61 62 62 69 6d 2e 63 6f 6d }
	  
    
    condition:
    $a 
    
}
Attachments
pass : infected
(162.37 KiB) Downloaded 95 times
 Return to “Malware”