RIPPER ATM


Post by Artilllerie » Mon Aug 29, 2016 12:02 pm

Hello,

Attached is the sample from this report:
https://www.fireeye.com/blog/threat-res ... warea.html

Re: RIPPER ATM

Post by flrud2208 » Tue Aug 30, 2016 12:33 am

Thanks, this will help in further analysis and detection of the malware.

Re: RIPPER ATM

Post by Xylitol » Tue Aug 30, 2016 12:48 pm

Code:
Text string=ASCII "Developed by kernyv@jabbim.com"

Re: RIPPER ATM

Post by oilen » Thu Sep 01, 2016 1:06 am

Attacks all three major vendors. Packed with UPX. Connects directly to XFS services using CDM (cash dispenser), PIN (keypad) and IDC (card reader). Erases a lot of vendor-specific logs. Kills main application processes before executing any dispense, in an attempt to hide its presence for longer. Can stop the network in order to avoid uplink notification of dispense for the monitored machines.

Regards,
JD

Re: RIPPER ATM

Post by sadfud » Fri Sep 02, 2016 1:22 pm

Unpacked sample. Additional protection detected: IsDebuggerPresent

YARA Rule:
Code:
rule Ripper_ATM
{
    meta:
        Description = "RIPPER ATM MALWARE"
        Author = "SadFud"
        Date = "02/09/2016"
        Hash = "cc85e8ca86c787a1c031e67242e23f4ef503840739f9cdc7e18a48e4a6773b38"
        // meta identifiers cannot contain spaces, so "VT Scan" becomes VT_Scan
        VT_Scan = "https://www.virustotal.com/es/file/cc85e8ca86c787a1c031e67242e23f4ef503840739f9cdc7e18a48e4a6773b38/analysis/"

    strings:
        // ASCII bytes of "kernyv@jabbim.com"
        $a = { 6b 65 72 6e 79 76 40 6a 61 62 62 69 6d 2e 63 6f 6d }

    condition:
        $a
}
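Added example (not part of any post in this thread, and not code from the rule's author): the rule above was posted against the unpacked sample, while the thread notes the original is packed with UPX. This Python triage sketch searches a file for the same bytes as $a and, when they are absent, checks the PE section table for UPX section names so the file is unpacked before it is treated as clean. The function names, the verdict strings and the sample inputs are constructed for illustration, and the UPX check assumes the packer's default section names.

```python
import struct

# Byte string from the thread: the ASCII form of $a in the posted YARA rule.
MARKER = b"kernyv@jabbim.com"

def pe_section_names(data: bytes) -> list:
    """Return the PE section names in data, or [] if it is not a parsable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                          # first section header
    names = []
    for i in range(n_sections):
        entry = table + 40 * i                              # 40-byte section headers
        if entry + 40 > len(data):
            break                                           # truncated table
        names.append(data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def triage(data: bytes) -> str:
    """Classify a file: 'match', 'unpack-first' or 'no-match'."""
    if MARKER in data:
        return "match"              # same bytes the rule's $a looks for
    # Assumption: default UPX section names (UPX0/UPX1); a renamed packer
    # section would not be caught by this check.
    if any(n.startswith("UPX") for n in pe_section_names(data)):
        return "unpack-first"       # string may be hidden by compression
    return "no-match"

def fake_pe(names, body=b""):
    """Constructed test input: minimal MZ/PE headers plus the given sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + coff + table + body

if __name__ == "__main__":
    samples = {
        "packed (constructed)": fake_pe(["UPX0", "UPX1", ".rsrc"], b"\x9c" * 32),
        "unpacked (constructed)": fake_pe([".text", ".data"], b"Developed by " + MARKER),
        "unrelated (constructed)": fake_pe([".text"], b"hello"),
    }
    for label, blob in samples.items():
        print(label, "->", triage(blob))
```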

