win.ripper_atm

Ripper ATM


There is no description at this point.

References
2018-03-30 · Trend Micro · David Sancho, Numaan Huq, Massimiliano Michenz
@techreport{sancho:20180330:cashing:b325dd3, author = {David Sancho and Numaan Huq and Massimiliano Michenz}, title = {{Cashing in on ATM Malware: A Comprehensive Look at Various Attack Types}}, date = {2018-03-30}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf}, language = {English}, urldate = {2020-02-27} } Cashing in on ATM Malware: A Comprehensive Look at Various Attack Types
Project Alice, ATMitch, Ploutus ATM, Ripper ATM, Skimer, SUCEFUL, Tyupkin
2016-09-19 · Trend Micro · Numaan Huq
@online{huq:20160919:untangling:daa62bd, author = {Numaan Huq}, title = {{Untangling the Ripper ATM Malware}}, date = {2016-09-19}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/}, language = {English}, urldate = {2019-11-26} } Untangling the Ripper ATM Malware
Ripper ATM
Yara Rules
[TLP:WHITE] win_ripper_atm_auto (20230407 | Detects win.ripper_atm.)
rule win_ripper_atm_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.ripper_atm."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ripper_atm"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* Provenance note
     * Every pattern below was chosen automatically by YARA-Signator from the
     * disassembly of unpacked samples and memory dumps; the generator is
     * published at https://github.com/fxb-cocacoding/yara-signator
     * Malpedia supplies the corpus, and for many families only a single
     * sample is available, so the patterns may generalise poorly to other
     * builds of the same family. Keep the generation method in mind when
     * assigning a confidence level to hits from this rule.
     */

    strings:
        // Each $seq_N is a short run of x86 instructions. Bytes are written
        // pairwise (upper-case, space-separated); YARA treats this exactly
        // like the packed lower-case form. "??" matches any single byte and
        // stands in for call/jump displacements and absolute operands.

        // Field initialisation on a structure addressed via esi. The stored
        // immediate 0x437bd8 looks like an absolute address, so this pattern
        // is probably tied to one build's image base (not verified here).
        $seq_0 = { 89 7E 70 6A 43 58 66 89 86 B8 00 00 00 66 89 86 BE 01 00 00 C7 46 68 D8 7B 43 00 83 A6 B8 03 00 00 00 }
            // n = 7, score = 100
            //   89 7E 70                mov     dword ptr [esi + 0x70], edi
            //   6A 43                   push    0x43
            //   58                      pop     eax
            //   66 89 86 B8 00 00 00    mov     word ptr [esi + 0xb8], ax
            //   66 89 86 BE 01 00 00    mov     word ptr [esi + 0x1be], ax
            //   C7 46 68 D8 7B 43 00    mov     dword ptr [esi + 0x68], 0x437bd8
            //   83 A6 B8 03 00 00 00    and     dword ptr [esi + 0x3b8], 0

        // Zero ebx, call a wildcarded target, then shuffle stack slots.
        $seq_1 = { 33 DB E8 ?? ?? ?? ?? 89 5C 24 38 8B 44 24 24 8B 4C 24 20 }
            // n = 5, score = 100
            //   33 DB                   xor     ebx, ebx
            //   E8 ?? ?? ?? ??          call    <rel32 wildcarded>
            //   89 5C 24 38             mov     dword ptr [esp + 0x38], ebx
            //   8B 44 24 24             mov     eax, dword ptr [esp + 0x24]
            //   8B 4C 24 20             mov     ecx, dword ptr [esp + 0x20]

        // Writes edx / dl into several offsets of a structure at ecx.
        $seq_2 = { 89 51 30 88 51 20 33 C0 66 89 41 06 89 51 38 }
            // n = 5, score = 100
            //   89 51 30                mov     dword ptr [ecx + 0x30], edx
            //   88 51 20                mov     byte ptr [ecx + 0x20], dl
            //   33 C0                   xor     eax, eax
            //   66 89 41 06             mov     word ptr [ecx + 6], ax
            //   89 51 38                mov     dword ptr [ecx + 0x38], edx

        // Loads a field from [ecx + 0x64] and stores eax/edx into neighbours.
        $seq_3 = { 8B 71 64 57 FF 74 24 10 89 41 68 89 51 6C }
            // n = 5, score = 100
            //   8B 71 64                mov     esi, dword ptr [ecx + 0x64]
            //   57                      push    edi
            //   FF 74 24 10             push    dword ptr [esp + 0x10]
            //   89 41 68                mov     dword ptr [ecx + 0x68], eax
            //   89 51 6C                mov     dword ptr [ecx + 0x6c], edx

        // Conditional move followed by an indirect call through edi; the
        // trailing absolute load operand is wildcarded.
        $seq_4 = { 0F 43 4D BC 53 51 FF 75 B8 FF D7 FF 75 B8 8B 1D ?? ?? ?? ?? }
            // n = 7, score = 100
            //   0F 43 4D BC             cmovae  ecx, dword ptr [ebp - 0x44]
            //   53                      push    ebx
            //   51                      push    ecx
            //   FF 75 B8                push    dword ptr [ebp - 0x48]
            //   FF D7                   call    edi
            //   FF 75 B8                push    dword ptr [ebp - 0x48]
            //   8B 1D ?? ?? ?? ??       mov     ebx, dword ptr [<abs32 wildcarded>]

        // Pushes two wildcarded immediates around a fixed 0x404 constant and
        // an import call (FF 15 = call dword ptr [abs32]).
        $seq_5 = { 68 ?? ?? ?? ?? 68 04 04 00 00 57 68 ?? ?? ?? ?? 89 7D D8 FF 15 ?? ?? ?? ?? 8B F0 }
            // n = 7, score = 100
            //   68 ?? ?? ?? ??          push    <imm32 wildcarded>
            //   68 04 04 00 00          push    0x404
            //   57                      push    edi
            //   68 ?? ?? ?? ??          push    <imm32 wildcarded>
            //   89 7D D8                mov     dword ptr [ebp - 0x28], edi
            //   FF 15 ?? ?? ?? ??       call    dword ptr [<abs32 wildcarded>]
            //   8B F0                   mov     esi, eax

        // Chain of memory xors into ecx/eax, then a store indexed by esi*8.
        $seq_6 = { 33 4A D8 33 42 DC 33 4A 28 33 42 2C 33 0A 33 42 04 89 4C F4 28 }
            // n = 7, score = 100
            //   33 4A D8                xor     ecx, dword ptr [edx - 0x28]
            //   33 42 DC                xor     eax, dword ptr [edx - 0x24]
            //   33 4A 28                xor     ecx, dword ptr [edx + 0x28]
            //   33 42 2C                xor     eax, dword ptr [edx + 0x2c]
            //   33 0A                   xor     ecx, dword ptr [edx]
            //   33 42 04                xor     eax, dword ptr [edx + 4]
            //   89 4C F4 28             mov     dword ptr [esp + esi*8 + 0x28], ecx

        // Branches around a compare with 0x40000; the table read at
        // 0x4497f0 is an absolute address and likely build-specific.
        $seq_7 = { 74 23 3D 00 00 04 00 75 50 80 C9 80 88 4C 37 04 8B 0C 9D F0 97 44 00 8A 44 31 24 }
            // n = 7, score = 100
            //   74 23                   je      0x25
            //   3D 00 00 04 00          cmp     eax, 0x40000
            //   75 50                   jne     0x52
            //   80 C9 80                or      cl, 0x80
            //   88 4C 37 04             mov     byte ptr [edi + esi + 4], cl
            //   8B 0C 9D F0 97 44 00    mov     ecx, dword ptr [ebx*4 + 0x4497f0]
            //   8A 44 31 24             mov     al, byte ptr [ecx + esi + 0x24]

        // Three wildcarded transfers, then a stack buffer address is passed
        // to a call and a field of the result is compared against 2.
        $seq_8 = { E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 85 BC F7 FF FF 50 E8 ?? ?? ?? ?? 83 78 04 02 }
            // n = 7, score = 100
            //   E8 ?? ?? ?? ??          call    <rel32 wildcarded>
            //   E8 ?? ?? ?? ??          call    <rel32 wildcarded>
            //   E9 ?? ?? ?? ??          jmp     <rel32 wildcarded>
            //   8D 85 BC F7 FF FF       lea     eax, [ebp - 0x844]
            //   50                      push    eax
            //   E8 ?? ?? ?? ??          call    <rel32 wildcarded>
            //   83 78 04 02             cmp     dword ptr [eax + 4], 2

        // Function epilogue shape: conditional move into the return register,
        // restore of callee-saved registers, xor of ecx with ebp.
        $seq_9 = { 85 C0 0F 44 F3 8B C6 5E 33 CD 5B }
            // n = 6, score = 100
            //   85 C0                   test    eax, eax
            //   0F 44 F3                cmove   esi, ebx
            //   8B C6                   mov     eax, esi
            //   5E                      pop     esi
            //   33 CD                   xor     ecx, ebp
            //   5B                      pop     ebx

    condition:
        // Any 7 of the 10 sequences must match, and the scanned object must
        // be smaller than 708 KiB (708 * 1024 = 724992 bytes).
        7 of ($seq_*) and filesize < 708KB
}