Alice Pos malware

Forum for analysis and discussion about malware.
xors
Posts: 159
Joined: Mon May 23, 2016 2:01 am

Alice Pos malware

Post by xors » Fri Dec 23, 2016 3:18 pm

Thanks to Tim for providing the samples. Inside the attachment is my attempt to unpack the packed file (packed with VMProtect). I can't fix the stolen OEP bytes. If anyone can help, please post your findings :)

More information: http://blog.trendmicro.com/trendlabs-se ... m-malware/
@xorsthingsv2

Xylitol
Global Moderator
Posts: 1666
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Alice Pos malware

Post by Xylitol » Fri Dec 23, 2016 6:20 pm

Trend Micro has discovered a new family of ATM malware called Alice
lol, I think MalwareTech gave me that file a while back, but we haven't really looked at it due to vmp.

robemtnez
Posts: 15
Joined: Tue Feb 03, 2015 4:11 pm

Re: Alice Pos malware

Post by robemtnez » Thu Jan 05, 2017 3:05 am

Alice was first used in October 2014. The sample that is not packed with VMProtect is more like a test prototype. The PIN code is hard coded on that one whereas the other samples generate the PIN code using the CRC of the file and the terminal ID (only visible when running the malware on an ATM).

Polar
Posts: 1
Joined: Mon Oct 16, 2017 5:05 pm

Re: Alice Pos malware

Post by Polar » Thu Jun 28, 2018 10:52 am

Actual version of Alice ATM malware.
What about reverse?))

g152xx
Posts: 1
Joined: Wed Oct 03, 2018 2:25 pm

Re: Alice Pos malware

Post by g152xx » Wed Oct 03, 2018 7:55 pm

Polar wrote:
Thu Jun 28, 2018 10:52 am
Actual version of Alice ATM malware.
What about reverse?))
@Polar do you happen to have a calc-code for your app? thank you very much! :D
