// Detection rule for the XFSADM ATM malware family.
// Matches PE files (MZ header) under 500KB that contain either the build-path
// PDB string on its own, or any four of the listed code/string artifacts.
rule ATM_Malware_XFSADM {
    meta:
        description = "Detects ATM Malware XFSADM"
        author = "Frank Boldewin (@r3c0nst), modified by Florian Roth"
        reference = "https://twitter.com/r3c0nst/status/1149043362244308992"
        date = "2019-06-21"
        // SHA-256 of the reference sample this rule was written against
        hash1 = "2740bd2b7aa0eaa8de2135dd710eb669d4c4c91d29eefbf54f1b81165ad2da4d"
        id = "7bd7e194-1cf1-5d12-809b-25aaf7f62ca3"
    strings:
        // Opcode sequences; "??" wildcards cover an address operand that
        // changes between builds/relocations.
        $Code1 = {68 88 13 00 00 FF 35 ?? ?? ?? ?? 68 CF 00 00 00 50 FF 15} // Read Card Data
        $Code2 = {68 98 01 00 00 50 FF 15} // Get PIN Data
        // Runtime artifacts: mutex and window names (UTF-16 in the binary)
        $Mutex = "myXFSADM" wide
        // Hard-coded path of the XFS manager library; exact case only (no nocase)
        $MSXFSDIR = "C:\\Windows\\System32\\msxfs.dll" ascii
        // Imported/referenced CEN/XFS API names used to drive the ATM peripherals
        $XFSCommand1 = "WfsExecute" ascii
        $XFSCommand2 = "WfsGetInfo" ascii
        // Developer build path left in the PE debug directory; treated as a
        // strong indicator on its own in the condition below
        $PDB = "C:\\Work64\\ADM\\XFS\\Release\\XFS.pdb" ascii
        $WindowName = "XFS ADM" wide
        $FindWindow = "ADM rec" wide
        // File names the sample writes/uses on disk
        $LogFile = "xfs.log" ascii
        $TmpFile = "~pipe.tmp" ascii
    condition:
        // uint16(0) == 0x5A4D: first two bytes are "MZ" (DOS/PE header).
        // Size cap keeps the scan cheap and reduces false positives on large
        // binaries. "them" means all strings above, so $PDB counts toward the
        // four-of threshold as well as matching alone.
        uint16(0) == 0x5A4D and filesize < 500KB and ( 4 of them or $PDB )
}