win.dispcashbr (Back to overview)

DispCashBR


There is no description at this point.

References
2020-05-04 | Avira | Anatoly Kazantsev
@online{kazantsev:20200504:atm:20ca401, author = {Anatoly Kazantsev}, title = {{ATM malware targets Wincor and Diebold ATMs}}, date = {2020-05-04}, organization = {Avira}, url = {https://insights.oem.avira.com/atm-malware-targets-wincor-and-diebold-atms/}, language = {English}, urldate = {2020-05-18} } ATM malware targets Wincor and Diebold ATMs
DispCashBR
2020-02-27 | Twitter (@r3c0nst) | Frank Boldewin
@online{boldewin:20200227:dispcashbr:7dda1c8, author = {Frank Boldewin}, title = {{Tweet on DispCashBR}}, date = {2020-02-27}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1232944566208286720}, language = {English}, urldate = {2020-02-27} } Tweet on DispCashBR
DispCashBR
Yara Rules
[TLP:WHITE] win_dispcashbr_auto (20220516 | Detects win.dispcashbr.)
rule win_dispcashbr_auto {
    // Auto-generated code-pattern rule for the DispCashBR ATM malware family
    // (win.dispcashbr on Malpedia). Each $sequence_N is a short run of x86
    // instruction bytes lifted from disassembly. The "??" bytes are wildcards
    // placed over relocatable 4-byte operands (call displacements, absolute
    // data addresses, pointer immediates), so the patterns are not tied to a
    // particular link or load address.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.dispcashbr."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dispcashbr"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Decoding key for the opcodes whose mnemonic column is left blank below:
        //   e8 ????????        call rel32          (target wildcarded)
        //   a1 ????????        mov eax, [imm32]    (absolute data address wildcarded)
        //   c7442404 ????????  mov dword ptr [esp + 4], imm32 (immediate wildcarded)
        // Most sequences share one argument-setup idiom: a 32-bit signed constant
        // stored at [esp + 8], a wildcarded pointer at [esp + 4], and eax (loaded
        // from a global and advanced by 0x20) at [esp], followed by a call.
        // Sequences 1, 4, 6, 8 and 9 differ only in the negative constant
        // (0xffffffc8, 0xffffffd7, 0xffffffe0, 0xffffffe6). The "call; sub esp, N"
        // shape looks like a caller re-reserving argument space after a
        // callee-cleanup call, as MinGW/GCC-built code does — TODO confirm against
        // the sample's toolchain before relying on it as a family trait.
        $sequence_0 = { e8???????? 83ec04 c744240404000000 890424 e8???????? 83ec08 c7442408c8ffffff }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   c744240404000000     | mov                 dword ptr [esp + 4], 4
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec08               | sub                 esp, 8
            //   c7442408c8ffffff     | mov                 dword ptr [esp + 8], 0xffffffc8

        $sequence_1 = { e8???????? 83ec08 c7442408d7ffffff c7442404???????? a1???????? }
            // n = 5, score = 200
            //   e8????????           |                     
            //   83ec08               | sub                 esp, 8
            //   c7442408d7ffffff     | mov                 dword ptr [esp + 8], 0xffffffd7
            //   c7442404????????     |                     
            //   a1????????           |                     

        $sequence_2 = { ffe0 a1???????? 83c020 8944240c c744240822000000 }
            // n = 5, score = 200
            //   ffe0                 | jmp                 eax
            //   a1????????           |                     
            //   83c020               | add                 eax, 0x20
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   c744240822000000     | mov                 dword ptr [esp + 8], 0x22

        $sequence_3 = { 89442408 c744240403000000 c7042404000000 e8???????? 83ec0c 8b45f0 }
            // n = 6, score = 200
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   c744240403000000     | mov                 dword ptr [esp + 4], 3
            //   c7042404000000       | mov                 dword ptr [esp], 4
            //   e8????????           |                     
            //   83ec0c               | sub                 esp, 0xc
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]

        $sequence_4 = { e8???????? 83ec08 c7442408e0ffffff c7442404???????? a1???????? 83c020 890424 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83ec08               | sub                 esp, 8
            //   c7442408e0ffffff     | mov                 dword ptr [esp + 8], 0xffffffe0
            //   c7442404????????     |                     
            //   a1????????           |                     
            //   83c020               | add                 eax, 0x20
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_5 = { e8???????? 83ec04 c744240404000000 890424 e8???????? 83ec08 c7442408e6ffffff }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   c744240404000000     | mov                 dword ptr [esp + 4], 4
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec08               | sub                 esp, 8
            //   c7442408e6ffffff     | mov                 dword ptr [esp + 8], 0xffffffe6

        $sequence_6 = { 83ec08 c7442408e6ffffff c7442404???????? a1???????? }
            // n = 4, score = 200
            //   83ec08               | sub                 esp, 8
            //   c7442408e6ffffff     | mov                 dword ptr [esp + 8], 0xffffffe6
            //   c7442404????????     |                     
            //   a1????????           |                     

        $sequence_7 = { 890424 e8???????? eb45 c70424f5ffffff }
            // n = 4, score = 200
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   eb45                 | jmp                 0x47
            //   c70424f5ffffff       | mov                 dword ptr [esp], 0xfffffff5

        $sequence_8 = { 83ec08 c7442408e6ffffff c7442404???????? a1???????? 83c020 890424 }
            // n = 6, score = 200
            //   83ec08               | sub                 esp, 8
            //   c7442408e6ffffff     | mov                 dword ptr [esp + 8], 0xffffffe6
            //   c7442404????????     |                     
            //   a1????????           |                     
            //   83c020               | add                 eax, 0x20
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_9 = { c7442408c8ffffff c7442404???????? a1???????? 83c020 890424 }
            // n = 5, score = 200
            //   c7442408c8ffffff     | mov                 dword ptr [esp + 8], 0xffffffc8
            //   c7442404????????     |                     
            //   a1????????           |                     
            //   83c020               | add                 eax, 0x20
            //   890424               | mov                 dword ptr [esp], eax

    condition:
        // Seven of the ten sequences must be present and the scanned object must
        // be smaller than 123904 bytes. There is no MZ/PE header check, so the
        // rule applies to unpacked payloads and memory dumps as well as files on
        // disk (consistent with how the sequences were selected, see DISCLAIMER).
        // Note that sequences 6 and 8 overlap (8 is a superset of 6), so a hit on
        // 8 contributes two of the seven required matches.
        7 of them and filesize < 123904
}
[TLP:WHITE] win_dispcashbr_w0   (20200227 | Detects of ATM Malware DispCashBR)
rule win_dispcashbr_w0 {
	// Hand-written rule for the DispCashBR ATM cash-dispensing malware. It
	// combines Portuguese operator-facing output strings, two function/symbol
	// names referencing dispenser information queries, and three short x86
	// argument-setup sequences that precede calls (see $Code*).
	meta:
		description = "Detects of ATM Malware DispCashBR"
		author = "Frank Boldewin (@r3c0nst)"
		reference = "https://twitter.com/r3c0nst/status/1232944566208286720"
		date = "2020-02-27"
		// 64 hex digits, i.e. a SHA-256 — presumably of the sample discussed in the
		// referenced tweet.
		hash = "7cea6510434f2c8f28c9dbada7973449bb1f844cfe589cdc103c9946c2673036"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dispcashbr"
        malpedia_version = "20200227"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
	strings:
		// Operator output in Portuguese: "(*) Dispensing: %lu", "COMMAND EXECUTED
		// SUCCESSFULLY", "[+] WITHDRAWN: %lu R$ [+]" (R$ = Brazilian real). The
		// nocase modifier also catches re-cased variants of these messages.
		$String1 = "(*) Dispensando: %lu" ascii nocase
		$String2 = "COMANDO EXECUTADO COM SUCESSO" ascii nocase
		$String3 = "[+] FOI SACADO:  %lu R$ [+]" ascii nocase
		// Symbol names for dispenser information queries ("cdm cuinfo" presumably
		// refers to the XFS CDM cash-unit-info query — confirm). The two names
		// already use different case conventions, hence nocase.
		$DbgStr1 = "_Get_Information_cdm_cuinfo" ascii nocase
		$DbgStr2 = "_GET_INFORMATION_SHUTTER" ascii nocase
		// $Code1/$Code2: mov dword ptr [esp+8], 0 ; mov dword ptr [esp+4], imm32 ;
		//                mov [esp], eax ; call ...   (imm32 = 0x12F resp. 0x517)
		// $Code3:        mov [esp+8], ecx ; mov dword ptr [esp+4], 0x12E ;
		//                mov [esp], eax ; call ...
		// The immediates fall in the range used for WFS/XFS command identifiers
		// and the trailing comments name them as CDM info / dispense requests —
		// verify the exact codes against the XFS CDM headers before reusing them.
		$Code1 = {C7 44 24 08 00 00 00 00 C7 44 24 04 2F 01 00 00 89 04 24 E8} // CDM Info1
		$Code2 = {C7 44 24 08 00 00 00 00 C7 44 24 04 17 05 00 00 89 04 24 E8} // CDM Info2
		$Code3 = {89 4C 24 08 C7 44 24 04 2E 01 00 00 89 04 24 E8} // Dispense Cash
		
	condition:
		// Little-endian 16-bit word at offset 0 equal to "MZ" (a DOS/PE header),
		// file under 100 KB, at least two of the three operator strings, at least
		// one of the two symbol names, and all three code sequences. The "all of
		// ($Code*)" clause is the strictest part: a rebuilt sample with different
		// argument setup would fail the rule even if the strings still match.
		uint16(0) == 0x5A4D and filesize < 100KB and 2 of ($String*) and 1 of ($DbgStr*) and all of ($Code*)
}