RIPPER ATM

Artilllerie
Posts: 25
Joined: Thu Dec 13, 2012 11:32 am

Mon Aug 29, 2016 12:02 pm

Hello,

Attached is the sample from this report:
https://www.fireeye.com/blog/threat-res ... warea.html
flrud2208
Posts: 6
Joined: Mon Aug 15, 2016 6:24 am

Tue Aug 30, 2016 12:33 am

Thanks, this will help in further analysis and detection of the malware.
Xylitol
Global Moderator
Posts: 1684
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Tue Aug 30, 2016 12:48 pm

Code:

Text string=ASCII "Developed by kernyv@jabbim.com"
oilen
Posts: 5
Joined: Mon Sep 14, 2015 11:50 pm

Thu Sep 01, 2016 1:06 am

Attacks all three major vendors. Packed with UPX. Connects directly to XFS services using CDM (cash dispenser), PIN (keypad) and IDC (card reader). Erases a lot of vendor-specific logs. Kills main application processes before executing any dispense, in an attempt to hide its presence for longer. Can stop the network in order to avoid uplink notification of dispense for the monitored machines.

Regards,
JD
sadfud
Posts: 2
Joined: Wed Jun 01, 2016 5:12 pm

Fri Sep 02, 2016 1:22 pm

Unpacked sample. Additional protection detected: IsDebuggerPresent

YARA Rule:

Code:

rule Ripper_ATM
{
    meta:
        Description = "RIPPER ATM MALWARE"
        Author = "SadFud"
        Date = "02/09/2016"
        Hash = "cc85e8ca86c787a1c031e67242e23f4ef503840739f9cdc7e18a48e4a6773b38"
        // meta identifiers cannot contain spaces; "VT Scan" would fail to compile
        VT_Scan = "https://www.virustotal.com/es/file/cc85e8ca86c787a1c031e67242e23f4ef503840739f9cdc7e18a48e4a6773b38/analysis/"

    strings:
        // ASCII "kernyv@jabbim.com", the developer string noted above
        $a = { 6b 65 72 6e 79 76 40 6a 61 62 62 69 6d 2e 63 6f 6d }

    condition:
        $a
}
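Added example, not part of sadfud's post or of the rule above: a Python reimplementation of the rule's single-string match, so the hex-to-ASCII equivalence and the condition can be checked outside YARA. It also shows why the post says "Unpacked sample": the rule matches a plaintext developer string, so it fires on the unpacked binary and not on the packed one. The "unpacked" buffer below is constructed, and zlib is used only as a standard-library stand-in for UPX (both hide plaintext strings behind compression); no real sample bytes are used.

```python
"""Reimplement the Ripper_ATM YARA match in Python and show the packed/unpacked caveat."""
import zlib

# Hex string taken from the rule; decodes to b"kernyv@jabbim.com".
RIPPER_MARKER = bytes.fromhex("6b 65 72 6e 79 76 40 6a 61 62 62 69 6d 2e 63 6f 6d")


def decode_marker(marker: bytes = RIPPER_MARKER) -> str:
    """Return the ASCII form of the hex pattern, for confirming what the rule looks for."""
    return marker.decode("ascii")


def find_marker(data: bytes, marker: bytes = RIPPER_MARKER) -> list:
    """Return every offset where the marker occurs (the YARA `$a` string match)."""
    offsets = []
    start = 0
    while True:
        idx = data.find(marker, start)
        if idx == -1:
            return offsets
        offsets.append(idx)
        start = idx + 1


def ripper_rule_matches(data: bytes) -> bool:
    """The rule's condition `$a`: true when the string occurs at least once."""
    return bool(find_marker(data))


# Constructed stand-in for an unpacked binary: padding with the string embedded
# at offset 64 + len("Developed by ") == 77.
UNPACKED_SAMPLE = b"\x00" * 64 + b"Developed by " + RIPPER_MARKER + b"\x00" * 64

# Constructed stand-in for the packed form. Real samples are UPX-packed; zlib is
# used here purely because it ships with Python, and has the same effect on a
# plaintext-string rule: the marker is no longer present as a byte sequence.
PACKED_SAMPLE = zlib.compress(UNPACKED_SAMPLE)


def unpack_sample(packed: bytes) -> bytes:
    """Undo the stand-in packing; the analogue of unpacking the UPX layer before scanning."""
    return zlib.decompress(packed)


if __name__ == "__main__":
    print("marker:", decode_marker())
    print("offsets in unpacked sample:", find_marker(UNPACKED_SAMPLE))
    print("matches packed sample:", ripper_rule_matches(PACKED_SAMPLE))
    print("matches after unpacking:", ripper_rule_matches(unpack_sample(PACKED_SAMPLE)))
```

Run the same check over a packed sample and an unpacked copy: the string-only rule is a post-unpacking detection, so a scanner that sees the UPX layer needs either a second rule on the packer or an unpacking step first.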