ATM MALWARE NOTICE

Hash (SHA-256)..: 04f25013eb088d5e8a6e55bdb005c464123e6605897bd80ac245ce7ca12a7a70
Date............: 2014-12-29
Family..........: Alice
File name.......: Alice.exe
File size.......: 18.00 KB
Type file.......: EXE/Windows
Virscan.........: VT - HA
Documentation...: https://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/
Additional note.: Unlock code to operator panel: 123

Entropy: (graph)
Binary Histogram: (graph)

=== SCREENSHOT ===
(image)

=== PEDUMP REPORT ===

=== MZ Header ===

signature:            "MZ"
bytes_in_last_block:  144     0x90
blocks_in_file:       3       3
num_relocs:           0       0
header_paragraphs:    4       4
min_extra_paragraphs: 0       0
max_extra_paragraphs: 65535   0xffff
ss:                   0       0
sp:                   184     0xb8
checksum:             0       0
ip:                   0       0
cs:                   0       0
reloc_table_offset:   64      0x40
overlay_number:       0       0
reserved0:            0       0
oem_id:               0       0
oem_info:             0       0
reserved2:            0       0
reserved3:            0       0
reserved4:            0       0
reserved5:            0       0
reserved6:            0       0
lfanew:               224     0xe0

=== DOS STUB ===

00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68  |........!..L.!Th|
00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f  |is program canno|
00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20  |t be run in DOS |
00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00  |mode....$.......|

=== RICH Header ===

LIB_ID        VERSION        TIMES_USED
4      4      8447   20ff    2      2
19     13     8078   1f8e    26     1a
1      1      0      0       16     10
19     13     9049   2359    3      3
18     12     8444   20fc    1      1
6      6      1735   6c7     1      1

=== PE Header ===

signature:            "PE\x00\x00"

# IMAGE_FILE_HEADER:
Machine:              332     0x14c    x86
NumberOfSections:     3       3
TimeDateStamp:        "2014-10-06 00:17:31"
PointerToSymbolTable: 0       0
NumberOfSymbols:      0       0
SizeOfOptionalHeader: 224     0xe0
Characteristics:      271     0x10f    RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

# IMAGE_OPTIONAL_HEADER32:
Magic:                      267      0x10b    32-bit executable
LinkerVersion:              5.12
SizeOfCode:                 3584     0xe00
SizeOfInitializedData:      13824    0x3600
SizeOfUninitializedData:    0        0
AddressOfEntryPoint:        7233     0x1c41
BaseOfCode:                 4096     0x1000
BaseOfData:                 8192     0x2000
ImageBase:                  4194304  0x400000
SectionAlignment:           4096     0x1000
FileAlignment:              512      0x200
OperatingSystemVersion:     4.0
ImageVersion:               0.0
SubsystemVersion:           4.0
Reserved1:                  0        0
SizeOfImage:                24576    0x6000
SizeOfHeaders:              1024     0x400
CheckSum:                   0        0
Subsystem:                  2        2        WINDOWS_GUI
DllCharacteristics:         0        0
SizeOfStackReserve:         1048576  0x100000
SizeOfStackCommit:          4096     0x1000
SizeOfHeapReserve:          1048576  0x100000
SizeOfHeapCommit:           4096     0x1000
LoaderFlags:                0        0
NumberOfRvaAndSizes:        16       0x10

=== DATA DIRECTORY ===

EXPORT        rva:0x    0  size:0x    0
IMPORT        rva:0x 20a4  size:0x   78
RESOURCE      rva:0x 3000  size:0x 2f88
EXCEPTION     rva:0x    0  size:0x    0
SECURITY      rva:0x    0  size:0x    0
BASERELOC     rva:0x    0  size:0x    0
DEBUG         rva:0x    0  size:0x    0
ARCHITECTURE  rva:0x    0  size:0x    0
GLOBALPTR     rva:0x    0  size:0x    0
TLS           rva:0x    0  size:0x    0
LOAD_CONFIG   rva:0x    0  size:0x    0
Bound_IAT     rva:0x    0  size:0x    0
IAT           rva:0x 2000  size:0x   a4
Delay_IAT     rva:0x    0  size:0x    0
CLR_Header    rva:0x    0  size:0x    0
(reserved)    rva:0x    0  size:0x    0

=== SECTIONS ===

NAME    RVA   VSZ   RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
.text   1000  d56   e00    400     0    0       0     0        e0000020  RWX CODE
.rdata  2000  424   600    1200    0    0       0     0        40000040  R-- IDATA
.rsrc   3000  2f88  3000   1800    0    0       0     0        c0000040  RW- IDATA

=== RESOURCES ===

FILE_OFFSET  CP  LANG   SIZE  TYPE        NAME
0x1de8       0   0x409  9640  ICON        #1
0x19b0       0   0x409  380   DIALOG      #1000
0x43a8       0   0x409  368   DIALOG      #2000
0x4390       0   0x409  20    GROUP_ICON  #20
0x4518       0   0x409  624   VERSION     #1
0x1b30       0   0x409  689   MANIFEST    #1

=== IMPORTS ===

MODULE_NAME   HINT  ORD  FUNCTION_NAME
ntdll.dll     15b        RtlCaptureStackBackTrace
ntdll.dll     229        RtlMoveMemory
ntdll.dll     298        RtlUnwind
ntdll.dll     2b1        RtlZeroMemory
ntdll.dll     2bf        VerSetConditionMask
ntdll.dll     1c5        RtlFillMemory
user32.dll    15b        GetWindowTextLengthA
user32.dll    fa         GetDlgItem
user32.dll    18a        IsWindow
user32.dll    90         DialogBoxParamA
user32.dll    4          AnimateWindow
user32.dll    27d        wsprintfA
user32.dll    1b1        MessageBoxA
user32.dll    1f8        SendDlgItemMessageA
user32.dll    1fd        SendMessageA
user32.dll    216        SetFocus
user32.dll    23d        SetWindowTextA
user32.dll    b4         EndDialog
kernel32.dll  317        lstrcmpiA
kernel32.dll  1f9        LocalSize
kernel32.dll  1f4        LocalFree
kernel32.dll  1f0        LocalAlloc
kernel32.dll  1dc        IsBadWritePtr
kernel32.dll  134        GetModuleHandleA
kernel32.dll  9b         ExitProcess
comctl32.dll  54         InitCommonControls
MSXFS.dll     14         WFSCleanUp
MSXFS.dll     1f         WFSOpen
MSXFS.dll     1b         WFSGetInfo
MSXFS.dll     19         WFSExecute
MSXFS.dll     1e         WFSLock
MSXFS.dll     20         WFSRegister
MSXFS.dll     1a         WFSFreeResult
MSXFS.dll     24         WFSUnlock
MSXFS.dll     15         WFSClose
MSXFS.dll     22         WFSStartUp

MSXFS.dll is the CEN/XFS manager; the WFS* calls are the API an ATM application uses to reach peripheral service providers such as the cash dispenser (CDM). Together with the .text string "CurrencyDispenser1" (the conventional XFS logical service name for the dispenser) and the "Bills count / Bill value / Currency" labels, the import list alone identifies this as a dispenser-driving tool rather than a generic Windows GUI program. Consistency check: the IAT is 0xa4 = 164 bytes = 41 dwords, which matches the 36 named imports above plus one null terminator per imported DLL (5).

=== VERSION INFO ===

# VS_FIXEDFILEINFO:
FileVersion    : 1.0.0.0
ProductVersion : 1.0.0.0
StrucVersion   : 0x10000
FileFlagsMask  : 0
FileFlags      : 0
FileOS         : 4
FileType       : 1
FileSubtype    : 0

# StringTable 040904E3:
FileVersion     : "1.0.0.0"
ProductVersion  : "1.0.0.0"
CompanyName     : "Sanctions Group"
FileDescription : "Project Alice"
InternalName    : "Sanctions"
ProductName     : "Sanctions"
LegalCopyright  : "Sanctions group"
VarFileInfo     : [ 0x409, 0x4e3 ]

=== Packer / Compiler ===

MS Visual C# v7.0 / Basic .NET (signature match)

Treat this signature hit as a false positive: the CLR_Header data directory is empty (rva 0, size 0), there is no mscoree.dll import, and every import is a native ntdll/user32/kernel32/comctl32 or MSXFS function, so the sample is a native 32-bit x86 executable, not a .NET assembly. Other header facts worth noting for triage: RELOCS_STRIPPED with DllCharacteristics 0 (no ASLR or DEP opt-in), .text mapped RWX, TimeDateStamp 2014-10-06, and the section raw sizes (0x400 header + 0xe00 + 0x600 + 0x3000 = 0x4800 = 18432 bytes) match the 18.00 KB file size exactly, so there is no overlay.

=== DOWNLOAD ===

Mirror provided by vx-underground.org, thx!

=== Strings ===

File pos      Mem pos       ID  Text
00000000004D  00000040004D  0   !This program cannot be run in DOS mode.
0000000001D8  0000004001D8  0   .text
000000000200  000000400200  0   .rdata
000000000227  000000400227  0   @.rsrc
000000000400  000000401000  0   CurrencyDispenser1
00000000041F  00000040101F  0   Project Alice
000000000660  000000401260  0   Selected cassette is unavailable !
000000000683  000000401283  0   Can't dispense requested amount. Error %d ocurred !
00000000082F  00000040142F  0   t@Wj@
0000000008A9  0000004014A9  0   Bills count
0000000008B5  0000004014B5  0   Bill value
0000000008C0  0000004014C0  0   Currency
0000000008C9  0000004014C9  0   Result
0000000008D3  0000004014D3  0   Total :
000000000D50  000000401950  0   j!j!h6
000000000D68  000000401968  0   t2j7h
0000000013C2  0000004021C2  0   RtlCaptureStackBackTrace
0000000013DE  0000004021DE  0   RtlFillMemory
0000000013EE  0000004021EE  0   RtlMoveMemory
0000000013FE  0000004021FE  0   RtlUnwind
00000000140A  00000040220A  0   RtlZeroMemory
00000000141A  00000040221A  0   VerSetConditionMask
00000000142E  00000040222E  0   ntdll.dll
00000000143A  00000040223A  0   wsprintfA
000000001446  000000402246  0   AnimateWindow
000000001456  000000402256  0   DialogBoxParamA
000000001468  000000402268  0   EndDialog
000000001474  000000402274  0   GetDlgItem
000000001482  000000402282  0   GetWindowTextLengthA
00000000149A  00000040229A  0   IsWindow
0000000014A6  0000004022A6  0   MessageBoxA
0000000014B4  0000004022B4  0   SendDlgItemMessageA
0000000014CA  0000004022CA  0   SendMessageA
0000000014DA  0000004022DA  0   SetFocus
0000000014E6  0000004022E6  0   SetWindowTextA
0000000014F6  0000004022F6  0   user32.dll
000000001504  000000402304  0   ExitProcess
000000001512  000000402312  0   GetModuleHandleA
000000001526  000000402326  0   IsBadWritePtr
000000001536  000000402336  0   LocalAlloc
000000001544  000000402344  0   LocalFree
000000001550  000000402350  0   LocalSize
00000000155C  00000040235C  0   lstrcmpiA
000000001566  000000402366  0   kernel32.dll
000000001576  000000402376  0   InitCommonControls
00000000158A  00000040238A  0   comctl32.dll
00000000159A  00000040239A  0   WFSStartUp
0000000015A8  0000004023A8  0   WFSClose
0000000015B4  0000004023B4  0   WFSUnlock
0000000015C0  0000004023C0  0   WFSFreeResult
0000000015D0  0000004023D0  0   WFSRegister
0000000015DE  0000004023DE  0   WFSLock
0000000015E8  0000004023E8  0   WFSExecute
0000000015F6  0000004023F6  0   WFSGetInfo
000000001604  000000402404  0   WFSOpen
00000000160E  00000040240E  0   WFSCleanUp
00000000161A  00000040241A  0   MSXFS.dll
000000001B30  000000403330  0   <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
000000001B69  000000403369  0   <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
000000001BB4  0000004033B4  0   <assemblyIdentity
000000001BC7  0000004033C7  0   version="1.0.0.0"
000000001BDE  0000004033DE  0   processorArchitecture="X86"
000000001BFF  0000004033FF  0   name="CompanyName.ProductName.YourApp"
000000001C2B  00000040342B  0   type="win32"
000000001C41  000000403441  0   <description>Your application description here.</description>
000000001C80  000000403480  0   <dependency>
000000001C8E  00000040348E  0   <dependentAssembly>
000000001CA3  0000004034A3  0   <assemblyIdentity
000000001CBE  0000004034BE  0   type="win32"
000000001CD8  0000004034D8  0   name="Microsoft.Windows.Common-Controls"
000000001D0E  00000040350E  0   version="6.0.0.0"
000000001D2D  00000040352D  0   processorArchitecture="X86"
000000001D56  000000403556  0   publicKeyToken="6595b64144ccf1df"
000000001D85  000000403585  0   language="*"
000000001D9F  00000040359F  0   />
000000001DAB  0000004035AB  0   </dependentAssembly>
000000001DC5  0000004035C5  0   </dependency>
000000001DD4  0000004035D4  0   </assembly>
0000000019CE  0000004031CE  0   Operator panel
0000000019F3  0000004031F3  0   Times New Roman
000000001A30  000000403230  0   Dispenser
000000001A60  000000403260  0   SysListView32
000000001ABC  0000004032BC  0   Dispense panel
000000001AF8  0000004032F8  0   Input cassette ID here :
0000000043C6  000000405BC6  0   Input PIN-code for access !
000000004405  000000405C05  0   MS Sans Serif
00000000443C  000000405C3C  0   Authorize yourself
000000004480  000000405C80  0   Terminal ID
0000000044D8  000000405CD8  0   Your pin-code
00000000451E  000000405D1E  0   VS_VERSION_INFO
00000000457A  000000405D7A  0   StringFileInfo
00000000459E  000000405D9E  0   040904E3
0000000045B6  000000405DB6  0   FileVersion
0000000045D0  000000405DD0  0   1.0.0.0
0000000045E6  000000405DE6  0   ProductVersion
000000004604  000000405E04  0   1.0.0.0
00000000461A  000000405E1A  0   CompanyName
000000004634  000000405E34  0   Sanctions Group
00000000465A  000000405E5A  0   FileDescription
00000000467C  000000405E7C  0   Project Alice
00000000469E  000000405E9E  0   InternalName
0000000046B8  000000405EB8  0   Sanctions
0000000046D2  000000405ED2  0   ProductName
0000000046EC  000000405EEC  0   Sanctions
000000004706  000000405F06  0   LegalCopyright
000000004724  000000405F24  0   Sanctions group
00000000474A  000000405F4A  0   VarFileInfo
00000000476A  000000405F6A  0   Translation
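As an added, stand-alone triage example (not code from this page, the tracker, or the Trend Micro write-up): a stdlib-only PE32 parser that performs the checks the dump above invites. It walks the import table looking for MSXFS.dll (the CEN/XFS manager behind WFSOpen/WFSExecute), reads the CLR data directory to confirm that a "Visual C#" signature hit on an image with an empty CLR_Header is a false positive, and greps for three marker strings taken from the strings table. The Alice binary is not embedded; `build_sample_pe` constructs a minimal stand-in PE with those imports and strings so the script runs offline, and passing a file path runs the same checks on a real sample. All function names, the stand-in's layout, and the marker list are assumptions of this example.

```python
"""Stdlib-only PE32 triage: import table (MSXFS.dll = CEN/XFS manager), CLR data
directory (empty => not .NET) and marker strings. build_sample_pe() is a stand-in, NOT Alice."""
import struct
import sys

DIR_IMPORT, DIR_CLR = 1, 14  # IMAGE_DIRECTORY_ENTRY_IMPORT / IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
MARKERS = ["Project Alice", "Sanctions Group", "CurrencyDispenser1"]  # strings seen in the dump

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def _rva_to_off(sections, rva):
    for _name, va, vsz, raw_ptr, raw_sz in sections:
        if va <= rva < va + max(vsz, raw_sz):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def parse_pe(data):
    """Machine, sections, CLR directory and (dll, function) imports of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # IMAGE_OPTIONAL_HEADER32 follows the 20-byte file header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsz, va, raw_sz, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsz, raw_ptr, raw_sz))
    imports = []
    if dirs[DIR_IMPORT][0]:
        off = _rva_to_off(sections, dirs[DIR_IMPORT][0])
        while True:  # one IMAGE_IMPORT_DESCRIPTOR per DLL, null-terminated
            oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
            if name_rva == 0:
                break
            dll = _cstr(data, _rva_to_off(sections, name_rva))
            thunk = _rva_to_off(sections, oft or ft)  # OriginalFirstThunk, else FirstThunk
            while (entry := struct.unpack_from("<I", data, thunk)[0]) != 0:
                if entry & 0x80000000:  # import by ordinal
                    imports.append((dll, f"#{entry & 0xFFFF}"))
                else:  # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
                    imports.append((dll, _cstr(data, _rva_to_off(sections, entry) + 2)))
                thunk += 4
            off += 20
    clr = tuple(dirs[DIR_CLR]) if ndirs > DIR_CLR else (0, 0)
    return {"machine": machine, "sections": sections, "imports": imports, "clr": clr}

def triage(data):
    pe = parse_pe(data)
    return {
        "is_dotnet": pe["clr"] != (0, 0),  # a managed image always carries a CLR header
        "xfs_calls": sorted(f for d, f in pe["imports"] if d.lower() == "msxfs.dll"),
        "markers": [m for m in MARKERS if m.encode() in data],
    }

def build_sample_pe(imports_by_dll, extra=b"", dotnet=False):
    """Constructed PE32: one .rdata section holding an import table (demo input only)."""
    sec_rva, sec_raw = 0x2000, 0x400
    body = bytearray(20 * (len(imports_by_dll) + 1))  # descriptors + null terminator
    descs = []
    for dll, funcs in imports_by_dll.items():
        name_rva = sec_rva + len(body)
        body += dll.encode() + b"\0"
        hints = []
        for f in funcs:
            body += b"\0" * (len(body) % 2)  # hint/name entries are word-aligned
            hints.append(sec_rva + len(body))
            body += b"\0\0" + f.encode() + b"\0"
        body += b"\0" * (-len(body) % 4)
        oft, ft = sec_rva + len(body), sec_rva + len(body) + 4 * (len(hints) + 1)
        body += (b"".join(struct.pack("<I", h) for h in hints) + b"\0\0\0\0") * 2
        descs.append((oft, name_rva, ft))
    for i, (oft, name_rva, ft) in enumerate(descs):
        struct.pack_into("<IIIII", body, 20 * i, oft, 0, 0, name_rva, ft)
    body += extra
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x10F)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_IMPORT, sec_rva, 20 * len(descs))
    if dotnet:  # fake CLR directory so the .NET branch can be exercised
        struct.pack_into("<II", opt, 96 + 8 * DIR_CLR, 0x3000, 72)
    sec = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), sec_rva, len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    return bytes(hdr + b"\0" * (sec_raw - len(hdr)) + body)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:  # constructed stand-in, not the Alice binary
        data = build_sample_pe({"MSXFS.dll": ["WFSOpen", "WFSExecute", "WFSClose"],
                                "kernel32.dll": ["ExitProcess"]}, extra=b"Project Alice\0")
    for key, val in triage(data).items():
        print(f"{key:10} {val}")
```

Run with no argument to see the constructed sample triaged; pass a path to run the same checks on a real 32-bit PE (the parser deliberately refuses PE32+ images, matching the Magic 0x10b this dump shows). On the real Alice sample the expected outcome is `is_dotnet False` and ten WFS* entries in `xfs_calls`, exactly the import list above.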