win.loup

Loup


Frank Boldewin describes Loup as a small command-line tool used to cash out (dispense cash from) NCR ATM devices.

References
2020-08-17Twitter (@Arkbird_SOLG)Arkbird
@online{arkbird:20200817:short:a510811, author = {Arkbird}, title = {{Short twitter thread with analysis on Loup ATM malware}}, date = {2020-08-17}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1295396936896438272}, language = {English}, urldate = {2020-08-25} } Short twitter thread with analysis on Loup ATM malware
Loup
2020-08-17Twitter (@r3c0nst)Frank Boldewin
@online{boldewin:20200817:loup:c8e43e4, author = {Frank Boldewin}, title = {{Tweet on Loup}}, date = {2020-08-17}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1295275546780327936}, language = {English}, urldate = {2020-08-17} } Tweet on Loup
Loup
Yara Rules
[TLP:WHITE] win_loup_auto (20220411 | Detects win.loup.)
rule win_loup_auto {

    /* Reviewer notes (not part of the generated rule):
     * - Auto-generated code-sequence rule.  Per the disclaimer below the
     *   sequences were taken from memory dumps and unpacked files, so the
     *   absence of an MZ-header check is presumably deliberate: adding one
     *   would stop it matching unpacked memory images.
     * - Operands printed blank in the disassembly comments are wildcarded
     *   (`??`); from signator_config this looks like calls and data
     *   references only.  Relative jump targets, stack offsets and the one
     *   absolute table address in $sequence_3 are NOT wildcarded, so a
     *   recompiled or rebased build can miss.
     * - Several sequences resemble generic MSVC CRT / prologue code (see the
     *   notes on $sequence_2, $sequence_3, $sequence_5).  They still count
     *   toward the "7 of them" threshold, so treat a hit here as a weaker
     *   signal than win_loup_w0 and corroborate it (e.g. with the
     *   CurrencyDispenser1 string or the PDB path from that rule).
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.loup."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.loup"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Copies several globals (wildcarded absolute addresses) into a large
        // local buffer at [ebp-0x434..]; the stack-frame offsets are build-specific.
        $sequence_0 = { 8b15???????? 8995ccfbffff a1???????? 8985d0fbffff 668b0d???????? 66898dd4fbffff 8a15???????? }
            // n = 7, score = 100
            //   8b15????????         |                     
            //   8995ccfbffff         | mov                 dword ptr [ebp - 0x434], edx
            //   a1????????           |                     
            //   8985d0fbffff         | mov                 dword ptr [ebp - 0x430], eax
            //   668b0d????????       |                     
            //   66898dd4fbffff       | mov                 word ptr [ebp - 0x42c], cx
            //   8a15????????         |                     

        // Indirect call through esi, then `mov eax,[edi]; mov esi,[eax+0x68]`,
        // which looks like a C++ virtual-call setup (vtable slot 0x68) — unconfirmed.
        $sequence_1 = { 8bcf ffd6 85c0 0f84da000000 8b7dec 8b07 8b7068 }
            // n = 7, score = 100
            //   8bcf                 | mov                 ecx, edi
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   0f84da000000         | je                  0xe0
            //   8b7dec               | mov                 edi, dword ptr [ebp - 0x14]
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8b7068               | mov                 esi, dword ptr [eax + 0x68]

        // Function prologue plus "global == -1" check; generic-looking,
        // presumably CRT rather than Loup-specific — weak evidence on its own.
        $sequence_2 = { 8bec 83ec08 a1???????? 8945fc 837dfcff 7510 }
            // n = 6, score = 100
            //   8bec                 | mov                 ebp, esp
            //   83ec08               | sub                 esp, 8
            //   a1????????           |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   837dfcff             | cmp                 dword ptr [ebp - 4], -1
            //   7510                 | jne                 0x12

        // Five-entry table lookup indexed by the first argument.  The table
        // address 0x41a00c is NOT wildcarded, so this pins the image base
        // (0x400000) and layout of one build.
        $sequence_3 = { 8bec 8b5508 83fa04 7713 8b04950ca04100 8b4d0c }
            // n = 6, score = 100
            //   8bec                 | mov                 ebp, esp
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   83fa04               | cmp                 edx, 4
            //   7713                 | ja                  0x15
            //   8b04950ca04100       | mov                 eax, dword ptr [edx*4 + 0x41a00c]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        // Import call (wildcarded), result check, long forward branch; generic.
        $sequence_4 = { ff15???????? 85c0 0f8444030000 ff751c }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f8444030000         | je                  0x34a
            //   ff751c               | push                dword ptr [ebp + 0x1c]

        // Compares against 0x19930522 / 0x01994000, which look like the MSVC
        // C++ exception-handling magic numbers (0x19930522 matches
        // EH_MAGIC_NUMBER3) — i.e. statically linked CRT code, present in many
        // MSVC binaries.  TODO confirm; do not weight this sequence highly.
        $sequence_5 = { 81781422059319 740c 8b4dfc 81791400409901 7522 e8???????? }
            // n = 6, score = 100
            //   81781422059319       | cmp                 dword ptr [eax + 0x14], 0x19930522
            //   740c                 | je                  0xe
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   81791400409901       | cmp                 dword ptr [ecx + 0x14], 0x1994000
            //   7522                 | jne                 0x24
            //   e8????????           |                     

        // Result check followed by two NULL arguments being pushed; generic.
        $sequence_6 = { 85c0 0f8418010000 8b7de0 6a00 6a00 }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   0f8418010000         | je                  0x11e
            //   8b7de0               | mov                 edi, dword ptr [ebp - 0x20]
            //   6a00                 | push                0
            //   6a00                 | push                0

        // Stores a call result at [ebp-0x4c], calls again (wildcarded), and
        // sets a flag at [ebp-0x16c] when the stored result is zero.
        $sequence_7 = { 8945b4 8b45c0 50 e8???????? 837db400 750c c78594feffff01000000 }
            // n = 7, score = 100
            //   8945b4               | mov                 dword ptr [ebp - 0x4c], eax
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   50                   | push                eax
            //   e8????????           |                     
            //   837db400             | cmp                 dword ptr [ebp - 0x4c], 0
            //   750c                 | jne                 0xe
            //   c78594feffff01000000     | mov    dword ptr [ebp - 0x16c], 1

        // OR-in 0x20 on a global (wildcarded address), then load [ebp+edx-0x10]
        // with edx fixed at 8 — the shl of a constant suggests unoptimized code.
        $sequence_8 = { 8b0d???????? 83c920 890d???????? ba04000000 d1e2 8b4415f0 }
            // n = 6, score = 100
            //   8b0d????????         |                     
            //   83c920               | or                  ecx, 0x20
            //   890d????????         |                     
            //   ba04000000           | mov                 edx, 4
            //   d1e2                 | shl                 edx, 1
            //   8b4415f0             | mov                 eax, dword ptr [ebp + edx - 0x10]

        // Cleanup after a one-argument cdecl call and a "-1" sentinel store; generic.
        $sequence_9 = { e8???????? 83c404 eb07 c745e8ffffffff e8???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   eb07                 | jmp                 9
            //   c745e8ffffffff       | mov                 dword ptr [ebp - 0x18], 0xffffffff
            //   e8????????           |                     

    condition:
        // 7 of the 10 sequences plus a size cap; no PE-header check (see
        // reviewer notes above) so it also applies to unpacked memory images.
        7 of them and filesize < 257024
}
[TLP:WHITE] win_loup_w0   (20200817 | Detects of ATM Malware Loup)
rule win_loup_w0 {
	meta:
		description = "Detects of ATM Malware Loup"
		author = "Frank Boldewin (@r3c0nst)"
		reference = "https://twitter.com/r3c0nst/status/1295275546780327936"
		source = "https://raw.githubusercontent.com/fboldewin/YARA-rules/master/ATM.Malware.Loup.yar"
		date = "2020-08-17"
		hash = "6c9e9f78963ab3e7acb43826906af22571250dc025f9e7116e0201b805dc1196"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.loup"
        malpedia_rule_date = "20200817"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

	/* Reviewer notes:
	 * - On-disk PE only: the condition requires an MZ header and
	 *   filesize < 100KB, so a process memory dump (or a larger packed
	 *   dropper) will not match; use win_loup_auto for unpacked memory.
	 * - All three strings are required.  $String1 is a debug-build PDB
	 *   path that a release build or stripped sample will not carry, so a
	 *   recompile of the same tool evades this rule.  It pins the sample
	 *   in `hash` (the usual intent of a _w0 rule), not the whole family.
	 */
	strings:
		// Debug-build PDB path; trivially removed by the author, high
		// precision while present.
		$String1 = "C:\\Users\\muham\\source\\repos\\loup\\Debug\\loup.pdb" ascii nocase
		// Presumably the XFS logical service name the tool opens for the NCR
		// cash dispenser (the WFSOpen target) — TODO confirm against the sample.
		$String2 = "CurrencyDispenser1" ascii nocase
		// Decodes to:
		//   push  eax                  ; 5th arg
		//   push  0x1D4C0              ; 120000 (looks like a ms timeout)
		//   lea   ecx, [ebp-0x18]
		//   push  ecx                  ; pointer to a local struct
		//   push  0x12E                ; 302 = WFS_CMD_CDM_DISPENSE
		//   movzx edx, word ptr [ebp+8]
		//   push  edx                  ; 16-bit handle (HSERVICE-sized)
		//   call  ...                  ; target not part of the pattern
		// This is consistent with the argument setup for
		// WFSExecute(hService, WFS_CMD_CDM_DISPENSE, lpCmdData, 120000,
		// lppResult), i.e. the dispense call itself.  The stack offsets and
		// the timeout constant make it specific to this build.
		$Code = {50 68 C0 D4 01 00 8D 4D E8 51 68 2E 01 00 00 0F B7 55 08 52 E8} // Dispense
		
	condition:
		// MZ header, size cap, both strings and the dispense call sequence.
		uint16(0) == 0x5A4D and filesize < 100KB and all of ($String*) and $Code
}