
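// Detects the XFSADM ATM malware family, which drives the cash dispenser and card
// reader through the CEN/XFS API (msxfs.dll).
//
// Precision note: $MSXFSDIR, $XFSCommand1, $XFSCommand2 and $LogFile are NOT
// specific to the malware. WfsExecute/WfsGetInfo are the standard XFS API calls
// exported by msxfs.dll, and a log named "xfs.log" is plausible for any XFS
// application. Under the original "4 of them" condition those four generic
// strings alone were enough to fire on legitimate ATM software. The condition
// therefore now requires at least one family-specific indicator (code pattern,
// mutex, window names or temp file) unless the unique PDB path is present.
rule ATM_Malware_XFSADM {
   meta:
      description = "Detects ATM Malware XFSADM"
      author = "Frank Boldewin (@r3c0nst), modified by Florian Roth"
      reference = "https://twitter.com/r3c0nst/status/1149043362244308992"
      date = "2019-06-21"
      hash1 = "2740bd2b7aa0eaa8de2135dd710eb669d4c4c91d29eefbf54f1b81165ad2da4d"
      id = "7bd7e194-1cf1-5d12-809b-25aaf7f62ca3"
   strings:
      // --- family-specific indicators ---
      // push 0x1388 ; push [addr] ; push 0xCF ; push eax ; call [..]  -> Read Card Data
      $Code1 = {68 88 13 00 00 FF 35 ?? ?? ?? ?? 68 CF 00 00 00 50 FF 15}
      // push 0x198 ; push eax ; call [..]  -> Get PIN Data (only 8 bytes, weak on its own)
      $Code2 = {68 98 01 00 00 50 FF 15}
      $Mutex = "myXFSADM" wide
      $PDB = "C:\\Work64\\ADM\\XFS\\Release\\XFS.pdb" ascii   // unique build path, sufficient alone
      $WindowName = "XFS ADM" wide
      $FindWindow = "ADM rec" wide
      $TmpFile = "~pipe.tmp" ascii
      // --- generic XFS artefacts (expected in legitimate ATM software too) ---
      $MSXFSDIR = "C:\\Windows\\System32\\msxfs.dll" ascii
      $XFSCommand1 = "WfsExecute" ascii
      $XFSCommand2 = "WfsGetInfo" ascii
      $LogFile = "xfs.log" ascii
   condition:
      // PE header and a size cap keep scanning cheap and exclude large legitimate XFS suites.
      uint16(0) == 0x5A4D and filesize < 500KB and (
         $PDB
         or (
            // at least one family-specific string, plus enough corroboration overall
            1 of ($Code*, $Mutex, $WindowName, $FindWindow, $TmpFile)
            and 4 of them
         )
      )
}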