RIPPER ATM

Forum for analysis and discussion about malware.
Artilllerie
Posts: 25
Joined: Thu Dec 13, 2012 11:32 am

RIPPER ATM

Post by Artilllerie » Mon Aug 29, 2016 12:02 pm

Hello,

Attached the sample of this report :
https://www.fireeye.com/blog/threat-res ... warea.html

flrud2208
Posts: 6
Joined: Mon Aug 15, 2016 6:24 am

Re: RIPPER ATM

Post by flrud2208 » Tue Aug 30, 2016 12:33 am

Thanks, this will help in further analysing and detection of the malware.

Xylitol
Global Moderator
Posts: 1652
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: RIPPER ATM

Post by Xylitol » Tue Aug 30, 2016 12:48 pm

Code:

Text string=ASCII "Developed by kernyv@jabbim.com"

oilen
Posts: 1
Joined: Mon Sep 14, 2015 11:50 pm

Re: RIPPER ATM

Post by oilen » Thu Sep 01, 2016 1:06 am

Attacks all three major vendors. Packed with UPX. Connects directly to XFS services using CDM (cash dispenser), PIN (keypad) and IDC (card reader). Erases a lot of vendor-specific logs. Kills main application processes before executing any dispense, in an attempt to hide its presence for longer. Can stop the network in order to avoid uplink notification of dispense for the monitored machines.

Regards,
JD

sadfud
Posts: 2
Joined: Wed Jun 01, 2016 5:12 pm

Re: RIPPER ATM

Post by sadfud » Fri Sep 02, 2016 1:22 pm

Unpacked sample. Additional protection detected: IsDebuggerPresent

YARA Rule:

Code:

rule Ripper_ATM
{
    meta:
        Description = "RIPPER ATM MALWARE"
        Author = "SadFud"
        Date = "02/09/2016"
        Hash = "cc85e8ca86c787a1c031e67242e23f4ef503840739f9cdc7e18a48e4a6773b38"
        // meta keys must be single identifiers; "VT Scan" does not compile
        VT_Scan = "https://www.virustotal.com/es/file/cc85e8ca86c787a1c031e67242e23f4ef503840739f9cdc7e18a48e4a6773b38/analysis/"

    strings:
        // ASCII "kernyv@jabbim.com", the developer contact string from the unpacked sample
        $a = { 6b 65 72 6e 79 76 40 6a 61 62 62 69 6d 2e 63 6f 6d }

    condition:
        $a
}
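An added check, not part of sadfud's post, that decodes the rule's hex string back to the contact string Xylitol found and shows the rule's limit: it only fires on the unpacked sample. The buffers are constructed; zlib is assumed as a stand-in for the UPX packing oilen mentions.

```python
import re
import zlib

# Hex string copied from the Ripper_ATM rule above.
RULE_HEX = "{ 6b 65 72 6e 79 76 40 6a 61 62 62 69 6d 2e 63 6f 6d }"


def yara_hex_to_bytes(hex_string: str) -> bytes:
    """Convert a plain YARA hex string (fixed bytes only, no ?? or jumps) to bytes."""
    tokens = hex_string.strip().strip("{}").split()
    if any(not re.fullmatch(r"[0-9a-fA-F]{2}", t) for t in tokens):
        raise ValueError("only fixed byte values are supported here")
    return bytes(int(t, 16) for t in tokens)


def matches(pattern: bytes, sample: bytes) -> bool:
    """Equivalent of the rule's condition '$a': the pattern occurs anywhere."""
    return sample.find(pattern) != -1


# Constructed stand-in for the unpacked binary: header filler plus the
# plaintext string reported in the string dump above.
UNPACKED_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 64
                   + b"Developed by kernyv@jabbim.com" + b"\x00" * 16)

# Constructed stand-in for the packed binary. zlib is an assumption used only
# to show that compression hides the plaintext; UPX uses its own algorithm.
PACKED_SAMPLE = b"MZ\x90\x00" + zlib.compress(UNPACKED_SAMPLE)


def check_rule_coverage() -> dict:
    """Report what the rule's pattern decodes to and which buffers it hits."""
    pattern = yara_hex_to_bytes(RULE_HEX)
    return {
        "pattern_ascii": pattern.decode("ascii"),
        "hits_unpacked": matches(pattern, UNPACKED_SAMPLE),
        "hits_packed": matches(pattern, PACKED_SAMPLE),
    }


if __name__ == "__main__":
    for key, value in check_rule_coverage().items():
        print(f"{key}: {value}")
```

Because the pattern is a plaintext string, the rule is meant for unpacked files or memory dumps; run it on the UPX-packed drop and it stays silent.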
