A forum for reverse engineering, OS internals and malware analysis 

 #29777  by xors
 Fri Dec 23, 2016 3:18 pm
Thanks to Tim for providing the samples. Inside the attachment is my attempt to unpack the packed file (packed with VMProtect). I can't fix the stolen OEP bytes. If anyone can help, please post your findings :)

More information: http://blog.trendmicro.com/trendlabs-se ... m-malware/
Attachment password: infected
 #29831  by robemtnez
 Thu Jan 05, 2017 3:05 am
Alice was first used in October 2014. The sample that is not packed with VMProtect is more like a test prototype. The PIN code is hard-coded in that one, whereas the other samples generate the PIN code using the CRC of the file and the terminal ID (only visible when running the malware on an ATM).
 #31739  by Polar
 Thu Jun 28, 2018 10:52 am
Actual version of Alice ATM malware.
What about reverse?))
 #32168  by g152xx
 Wed Oct 03, 2018 7:55 pm
Polar wrote: Thu Jun 28, 2018 10:52 am Actual version of Alice ATM malware.
What about reverse?))
@Polar do you happen to have a calc-code for your app? thank you very much! :D
 #32259  by hoppler
 Mon Nov 19, 2018 11:09 pm
Hello my fellow Malware Investigators,

Well, the last attachment in this post isn't Alice. So I tried to get the sample from the first post, provided by "xors", up and running. But somehow there's something missing.

Is there any chance that somebody can provide me with the original Alice sample?
Just for educational purposes, of course.

I have collected so many ATM malware samples. Some of them are stripped down or altered, but some of them are in their original shape.
I got Tyupkin and Green Dispenser running without a PIN.
But I'm still missing Alice and Ripper. The ones I got from here are no good.

So, it would be really nice if somebody could provide me with the above-mentioned samples of Alice and Ripper. Even different versions are welcome.

Thanks in advance.
Cheerio