22 lines
746 B
Text
22 lines
746 B
Text
|
rule ATM_Malware_JavaDispCash {
|
||
|
meta:
|
||
|
description = "Detects ATM Malware JavaDispCash"
|
||
|
author = "Frank Boldewin (@r3c0nst)"
|
||
|
reference = "https://twitter.com/r3c0nst/status/1111254169623674882"
|
||
|
date = "2019-03-28"
|
||
|
hash1 = "0149667c0f8cbfc216ef9d1f3154643cbbf6940e6f24a09c92a82dd7370a5027"
|
||
|
hash2 = "ef407db8c79033027858364fd7a04eeb70cf37b7c3a10069a92bae96da88dfaa"
|
||
|
|
||
|
id = "7aa91719-6539-572a-8618-bfb5290a5b59"
|
||
|
strings:
|
||
|
$CashInfo = "getNumberOfCashUnits" ascii wide
|
||
|
$Dispense = "waitforbillstaken" ascii wide
|
||
|
$Inject = "No code to inject!" ascii wide
|
||
|
$config = ".Agentcli" ascii wide
|
||
|
$log1 = "logft.log" ascii wide
|
||
|
$log2 = ".loginside" ascii wide
|
||
|
|
||
|
condition:
|
||
|
uint16(0) == 0x4B50 and filesize < 500KB and all of them
|
||
|
}
|