win.dispcashbr (Back to overview)

DispCashBR


There is no description at this point.

References
2020-05-04 | Avira | Anatoly Kazantsev
@online{kazantsev:20200504:atm:20ca401, author = {Anatoly Kazantsev}, title = {{ATM malware targets Wincor and Diebold ATMs}}, date = {2020-05-04}, organization = {Avira}, url = {https://insights.oem.avira.com/atm-malware-targets-wincor-and-diebold-atms/}, language = {English}, urldate = {2020-05-18} } ATM malware targets Wincor and Diebold ATMs
DispCashBR
2020-02-27 | Twitter (@r3c0nst) | Frank Boldewin
@online{boldewin:20200227:dispcashbr:7dda1c8, author = {Frank Boldewin}, title = {{Tweet on DispCashBR}}, date = {2020-02-27}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1232944566208286720}, language = {English}, urldate = {2020-02-27} } Tweet on DispCashBR
DispCashBR
Yara Rules
[TLP:WHITE] win_dispcashbr_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_dispcashbr_auto {

    /*
     * Autogenerated code-sequence rule for the DispCashBR ATM malware family
     * (Malpedia identifier win.dispcashbr). Each $sequence_N is a run of x86
     * instruction bytes lifted from the sample's disassembly, shown decoded
     * in the comments beneath it. The "??" wildcards mask instruction bytes
     * that the generator left undecoded (the blank disassembly column) —
     * presumably call/jump targets and absolute data addresses, which vary
     * between builds and load addresses; confirm against the generator.
     * Matches when any 7 of the 10 sequences occur in a file smaller than
     * 123904 bytes.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dispcashbr"
        // malpedia_rule_date matches "date" above; malpedia_version (20201023)
        // is older — presumably the dataset snapshot the sequences were mined
        // from rather than the generation date. Verify before relying on it.
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Every sequence below follows the same shape: set up stack-passed
        // arguments (mov dword ptr [esp + N], imm) and call a function whose
        // address is wildcarded. The distinguishing part is the negative
        // 32-bit immediate written to [esp + 8] (0xffffffea, 0xffffffc9, ...),
        // which differs per sequence.
        // "n" is the number of instructions in the sequence, "score" the
        // generator's ranking value for it.
        $sequence_0 = { e8???????? 83ec08 c7442408eaffffff c7442404???????? }
            // n = 4, score = 200
            //   e8????????           |                     
            //   83ec08               | sub                 esp, 8
            //   c7442408eaffffff     | mov                 dword ptr [esp + 8], 0xffffffea
            //   c7442404????????     |                     

        $sequence_1 = { 83ec08 c7442408c9ffffff c7442404???????? a1???????? }
            // n = 4, score = 200
            //   83ec08               | sub                 esp, 8
            //   c7442408c9ffffff     | mov                 dword ptr [esp + 8], 0xffffffc9
            //   c7442404????????     |                     
            //   a1????????           |                     

        $sequence_2 = { c7442408f1ffffff c7442404???????? a1???????? 83c020 890424 e8???????? e9???????? }
            // n = 7, score = 200
            //   c7442408f1ffffff     | mov                 dword ptr [esp + 8], 0xfffffff1
            //   c7442404????????     |                     
            //   a1????????           |                     
            //   83c020               | add                 eax, 0x20
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   e9????????           |                     

        $sequence_3 = { 890424 e8???????? 83ec08 c7442408f2ffffff c7442404???????? a1???????? 83c020 }
            // n = 7, score = 200
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec08               | sub                 esp, 8
            //   c7442408f2ffffff     | mov                 dword ptr [esp + 8], 0xfffffff2
            //   c7442404????????     |                     
            //   a1????????           |                     
            //   83c020               | add                 eax, 0x20

        $sequence_4 = { c7442408c8ffffff c7442404???????? a1???????? 83c020 890424 e8???????? }
            // n = 6, score = 200
            //   c7442408c8ffffff     | mov                 dword ptr [esp + 8], 0xffffffc8
            //   c7442404????????     |                     
            //   a1????????           |                     
            //   83c020               | add                 eax, 0x20
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        $sequence_5 = { 890424 e8???????? 83ec08 c7442408ceffffff c7442404???????? a1???????? }
            // n = 6, score = 200
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec08               | sub                 esp, 8
            //   c7442408ceffffff     | mov                 dword ptr [esp + 8], 0xffffffce
            //   c7442404????????     |                     
            //   a1????????           |                     

        $sequence_6 = { c7442408d7ffffff c7442404???????? a1???????? 83c020 890424 }
            // n = 5, score = 200
            //   c7442408d7ffffff     | mov                 dword ptr [esp + 8], 0xffffffd7
            //   c7442404????????     |                     
            //   a1????????           |                     
            //   83c020               | add                 eax, 0x20
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_7 = { c744240404000000 890424 e8???????? 83ec08 c7442408f1ffffff c7442404???????? a1???????? }
            // n = 7, score = 200
            //   c744240404000000     | mov                 dword ptr [esp + 4], 4
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec08               | sub                 esp, 8
            //   c7442408f1ffffff     | mov                 dword ptr [esp + 8], 0xfffffff1
            //   c7442404????????     |                     
            //   a1????????           |                     

        $sequence_8 = { c744240404000000 890424 e8???????? 83ec08 c7442408caffffff c7442404???????? }
            // n = 6, score = 200
            //   c744240404000000     | mov                 dword ptr [esp + 4], 4
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec08               | sub                 esp, 8
            //   c7442408caffffff     | mov                 dword ptr [esp + 8], 0xffffffca
            //   c7442404????????     |                     

        $sequence_9 = { 83c00d c7442404???????? 890424 e8???????? }
            // n = 4, score = 200
            //   83c00d               | add                 eax, 0xd
            //   c7442404????????     |                     
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

    condition:
        // No header check (contrast uint16(0) == 0x5A4D in win_dispcashbr_w0):
        // the sequences were taken from memory dumps and unpacked files (see
        // DISCLAIMER), so the rule can also hit those, not only PE files on
        // disk. The size bound only limits the scan, it is not a file-type test.
        7 of them and filesize < 123904
}
[TLP:WHITE] win_dispcashbr_w0   (20200227 | Detects of ATM Malware DispCashBR)
rule win_dispcashbr_w0 {
	/*
	 * Hand-written rule for the DispCashBR ATM cash-dispensing malware.
	 * Combines three kinds of evidence: Portuguese-language status messages,
	 * internal function-name strings, and three short x86 code patterns that
	 * set up stack arguments before a call. All three code patterns plus a
	 * subset of the strings are required, so a single string hit alone does
	 * not fire the rule.
	 */
	meta:
		description = "Detects of ATM Malware DispCashBR"
		author = "Frank Boldewin (@r3c0nst)"
		reference = "https://twitter.com/r3c0nst/status/1232944566208286720"
		date = "2020-02-27"
		// 64 hex digits, i.e. a SHA-256 of the reference sample.
		hash = "7cea6510434f2c8f28c9dbada7973449bb1f844cfe589cdc103c9946c2673036"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dispcashbr"
        malpedia_version = "20200227"
        malpedia_sharing = "TLP:WHITE"
        // NOTE(review): no license stated for this rule; the empty value is
        // as published, not an omission introduced here.
        malpedia_license = ""
	strings:
		// Operator-facing messages in Portuguese: "(*) Dispensing: %lu",
		// "COMMAND EXECUTED SUCCESSFULLY", "[+] WITHDRAWN: %lu R$ [+]"
		// (R$ = Brazilian real). Matched case-insensitively.
		$String1 = "(*) Dispensando: %lu" ascii nocase
		$String2 = "COMANDO EXECUTADO COM SUCESSO" ascii nocase
		$String3 = "[+] FOI SACADO:  %lu R$ [+]" ascii nocase
		// Symbol-like strings; "cdm" and the cash-unit-info/shutter wording
		// suggest the ATM's XFS cash-dispenser (CDM) API — confirm in the sample.
		$DbgStr1 = "_Get_Information_cdm_cuinfo" ascii nocase
		$DbgStr2 = "_GET_INFORMATION_SHUTTER" ascii nocase
		// Code patterns: C7 44 24 08 imm32 = mov dword ptr [esp+8], imm32;
		// C7 44 24 04 imm32 = mov dword ptr [esp+4], imm32; 89 04 24 =
		// mov dword ptr [esp], eax; 89 4C 24 08 = mov dword ptr [esp+8], ecx;
		// the trailing E8 is the call opcode with its target left out.
		// The [esp+4] immediates are 0x12F, 0x517 and 0x12E (303, 1303, 302) —
		// presumably XFS CDM info/command codes, matching the labels; verify
		// against the XFS specification before interpreting them further.
		$Code1 = {C7 44 24 08 00 00 00 00 C7 44 24 04 2F 01 00 00 89 04 24 E8} // CDM Info1
		$Code2 = {C7 44 24 08 00 00 00 00 C7 44 24 04 17 05 00 00 89 04 24 E8} // CDM Info2
		$Code3 = {89 4C 24 08 C7 44 24 04 2E 01 00 00 89 04 24 E8} // Dispense Cash
		
	condition:
		// uint16(0) == 0x5A4D: file starts with "MZ" (DOS/PE header), so this
		// rule is for on-disk executables; a raw memory dump without the
		// header will not match even if all strings are present.
		// Then: under 100KB, any 2 of the 3 messages, at least 1 of the 2
		// symbol strings, and all 3 code patterns.
		uint16(0) == 0x5A4D and filesize < 100KB and 2 of ($String*) and 1 of ($DbgStr*) and all of ($Code*)
}