25 lines
784 B
Text
25 lines
784 B
Text
|
|
||
|
import "pe"
|
||
|
|
||
|
rule ATM_Malware_DispenserXFS {
|
||
|
meta:
|
||
|
description = "Detects ATM Malware DispenserXFS"
|
||
|
author = "@Xylit0l @r3c0nst / Modified by Florian Roth"
|
||
|
reference = "https://twitter.com/r3c0nst/status/1100775857306652673"
|
||
|
date = "2019/02/27"
|
||
|
modified = "2023-01-06"
|
||
|
score = 80
|
||
|
id = "7c06102c-93d3-52f4-8c25-430f6f7a601f"
|
||
|
strings:
|
||
|
$xc1 = { 68 FF FF 00 00 68 60 EA 00 00 6A 10 }
|
||
|
$s1 = "\\dispenserXFS.pdb" ascii
|
||
|
$s3 = "C:\\xfsasdf.txt" fullword ascii
|
||
|
$s4 = "Injected mxsfs killer into %d." fullword ascii
|
||
|
$s5 = "Waiting for freeze msxfs processes..." fullword ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x5A4D and (
|
||
|
1 of them or
|
||
|
pe.imphash() == "617e037ae26d1931818db0790fb44bfe"
|
||
|
)
|
||
|
}
|