ATM MALWARE NOTICE
7bd2c97ac5027c360011dc5aa8f2371cd934f73e885e41f7e80152332b3af1db
Date...........: 2018-09-03
Family.........: ATMWizX
File name......: cngtester_without-vmp[...].dll
File size......: 18.22 KB
File type......: DLL/Windows
Virscan........: VT (FIRST RACE!) - HA
Additional note: Unpacked from a4b42f503090cd3cd53963ddaf0be3e4eeedbd81ff02664668e68612816e727f
Entropy:
Binary Histogram:
=== SCREENSHOT ===
=== PEDUMP REPORT ===
=== MZ Header ===
signature: "MZ"
bytes_in_last_block: 64 0x40
blocks_in_file: 1 1
num_relocs: 0 0
header_paragraphs: 2 2
min_extra_paragraphs: 4 4
max_extra_paragraphs: 65535 0xffff
ss: 2 2
sp: 64 0x40
checksum: 0 0
ip: 14 0xe
cs: 0 0
reloc_table_offset: 28 0x1c
overlay_number: 0 0
reserved0: 3706015365755568128 0x336e695700000000
oem_id: 8242 0x2032
oem_info: 28271 0x6e6f
reserved2: 220297580 0xd21796c
reserved3: 3020825610 0xb40e240a
reserved4: 47625 0xba09
reserved5: 3089222943 0xb821cd1f
reserved6: 567102465 0x21cd4c01
lfanew: 64 0x40
=== DOS STUB ===
00000000: 57 69 6e 33 32 20 6f 6e 6c 79 21 0d 0a 24 0e b4 |Win32 only!..$..|
00000010: 09 ba 00 00 1f cd 21 b8 01 4c cd 21 40 00 00 00 |......!..L.!@...|
=== PE Header ===
signature: "PE\x00\x00"
# IMAGE_FILE_HEADER:
Machine: 332 0x14c x86
NumberOfSections: 12 0xc
TimeDateStamp: "1970-01-01 00:00:00"
PointerToSymbolTable: 0 0
NumberOfSymbols: 1560281088 0x5d000000
SizeOfOptionalHeader: 224 0xe0
Characteristics: 8974 0x230e EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DEBUG_STRIPPED, DLL
# IMAGE_OPTIONAL_HEADER32:
Magic: 267 0x10b 32-bit executable
LinkerVersion: 2.24
SizeOfCode: 7168 0x1c00
SizeOfInitializedData: 16384 0x4000
SizeOfUninitializedData: 1024 0x400
AddressOfEntryPoint: 4192 0x1060
BaseOfCode: 4096 0x1000
BaseOfData: 12288 0x3000
ImageBase: 1649147904 0x624c0000
SectionAlignment: 4096 0x1000
FileAlignment: 512 0x200
OperatingSystemVersion: 5.0
ImageVersion: 1.0
SubsystemVersion: 5.0
Reserved1: 0 0
SizeOfImage: 3682304 0x383000
SizeOfHeaders: 1024 0x400
CheckSum: 1886369 0x1cc8a1
Subsystem: 3 3 WINDOWS_CUI
DllCharacteristics: 0 0
SizeOfStackReserve: 2097152 0x200000
SizeOfStackCommit: 4096 0x1000
SizeOfHeapReserve: 1048576 0x100000
SizeOfHeapCommit: 4096 0x1000
LoaderFlags: 0 0
NumberOfRvaAndSizes: 16 0x10
=== DATA DIRECTORY ===
EXPORT rva:0x 0 size:0x 0
IMPORT rva:0x 382000 size:0x 64
RESOURCE rva:0x 381000 size:0x 536
EXCEPTION rva:0x 0 size:0x 0
SECURITY rva:0x 0 size:0x 0
BASERELOC rva:0x 0 size:0x 0
DEBUG rva:0x 0 size:0x 0
ARCHITECTURE rva:0x 0 size:0x 0
GLOBALPTR rva:0x 0 size:0x 0
TLS rva:0x 0 size:0x 0
LOAD_CONFIG rva:0x 0 size:0x 0
Bound_IAT rva:0x 0 size:0x 0
IAT rva:0x 0 size:0x 0
Delay_IAT rva:0x 0 size:0x 0
CLR_Header rva:0x 0 size:0x 0
rva:0x 0 size:0x 0
=== SECTIONS ===
NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
.text 1000 2000 1a14 400 0 0 0 0 60500060 R-X CODE IDATA
.data 3000 1000 1c 2000 0 0 0 0 c0300040 RW- IDATA
.rdata 4000 1000 322 2200 0 0 0 0 40300040 R-- IDATA
.eh_fram 5000 1000 32c 2600 0 0 0 0 40300040 R-- IDATA
.bss 6000 1000 36c 2a00 0 0 0 0 c0600080 RW- UDATA
.edata 7000 1000 55a 2e00 0 0 0 0 40300040 R-- IDATA
.idata 8000 1000 52f 3400 0 0 0 0 c0300040 RW- IDATA
.CRT 9000 1000 14 3a00 0 0 0 0 c0300040 RW- IDATA
.tls a000 376000 200 3c00 0 0 0 0 c0300040 RW- IDATA
.reloc 380000 1000 11c 3e00 0 0 0 0 40300040 R-- IDATA
.rsrc 381000 1000 535 4000 0 0 0 0 c0300040 RW- IDATA
382000 2e0 2e0 4600 0 0 0 0 e0000060 RWX CODE IDATA
=== RESOURCES ===
FILE_OFFSET CP LANG SIZE TYPE NAME
0x4368 0 0 462 DIALOG #100
0x40a0 0 0x407 712 VERSION #1
=== IMPORTS ===
MODULE_NAME HINT ORD FUNCTION_NAME
kernel32.dll 53 CloseHandle
kernel32.dll 89 CreateFileA
kernel32.dll 0 DeleteCriticalSection
kernel32.dll 0 EnterCriticalSection
kernel32.dll 11a ExitProcess
kernel32.dll 163 FreeLibrary
kernel32.dll 1bf GetCurrentDirectoryA
kernel32.dll 1e4 GetFileAttributesA
kernel32.dll 201 GetLastError
kernel32.dll 214 GetModuleHandleA
kernel32.dll 244 GetProcAddress
kernel32.dll 0 InitializeCriticalSection
kernel32.dll 0 LeaveCriticalSection
kernel32.dll 33d LoadLibraryA
kernel32.dll 468 SetFilePointer
kernel32.dll 4cc TlsGetValue
kernel32.dll 4f5 VirtualProtect
kernel32.dll 4f7 VirtualQuery
kernel32.dll 52b WriteFile
msvcrt.dll 27f _mbsdup
msvcrt.dll 8d __dllonexit
msvcrt.dll 156 _errno
msvcrt.dll 1db _iob
msvcrt.dll 476 abort
msvcrt.dll 485 calloc
msvcrt.dll 495 fflush
msvcrt.dll 4a6 free
msvcrt.dll 4b1 fwrite
msvcrt.dll 4de malloc
msvcrt.dll 4ea memcpy
msvcrt.dll 50b sprintf
msvcrt.dll 50f sscanf
msvcrt.dll 278 _mbscpy
msvcrt.dll 528 strtok
msvcrt.dll 534 time
msvcrt.dll 540 vfprintf
user32.dll ab DialogBoxParamA
user32.dll da EndDialog
user32.dll 127 GetDlgItem
user32.dll 12d GetForegroundWindow
user32.dll 1e3 KillTimer
user32.dll 277 SendMessageA
user32.dll 2bb SetTimer
=== VERSION INFO ===
# VS_FIXEDFILEINFO:
FileVersion : 1.4.2.6
ProductVersion : 1.4.2.6
StrucVersion : 0x10000
FileFlagsMask : 0x3f
FileFlags : 0
FileOS : 0x40004
FileType : 2
FileSubtype : 0
VarFileInfo : [ 0x409, 0x4b0 ]
# StringTable 040904B0:
CompanyName : "Wincor Nixdorf"
FileDescription : "CNG Device Driver"
FileVersion : "111021 1426"
InternalName : "CSCWCNG.DLL"
LegalCopyright : "Copyright \u00A9 Wincor Nixdorf 2019"
OriginalFilename : "CSCWCNG.DLL"
ProductName : ""
ProductVersion : ""
=== Strings ===
File pos Mem pos ID Text
======== ======= == ====
000000000020 0000624C0020 0 Win32 only!
000000000138 0000624C0138 0 .text
000000000160 0000624C0160 0 .data
000000000188 0000624C0188 0 .rdata
0000000001AE 0000624C01AE 0 0@.eh_fram
0000000001D6 0000624C01D6 0 0@.bss
000000000200 0000624C0200 0 .edata
000000000226 0000624C0226 0 0@.idata
0000000002A0 0000624C02A0 0 .reloc
0000000002C6 0000624C02C6 0 0@.rsrc
000000001626 0000624C2226 0 =XcLb
0000000016E7 0000624C22E7 0 $$BLb
000000001824 0000624C2424 0 $<BLb
000000001841 0000624C2441 0 CLb- CLb
000000001872 0000624C2472 0 5 CLb
00000000190B 0000624C250B 0 CLbs.
000000001939 0000624C2539 0 CLbr
0000000019FA 0000624C25FA 0 $pBLb
000000002200 0000624C4000 0 libgcj-16.dll
00000000220E 0000624C400E 0 _Jv_RegisterClasses
000000002224 0000624C4024 0 _%d-%d.z
00000000222D 0000624C402D 0 zyxwvutsrqponmlkjihgfedcba9876543210123456789abcdefghijklmnopqrstuvwxyz
000000002277 0000624C4077 0 %1[0-4]VAL=%8[0-9]
00000000228A 0000624C408A 0 %1[0-4]ACT=%8[0-9]
00000000229D 0000624C409D 0 %1[0-4]CUR=%3[A-Z]
0000000022B0 0000624C40B0 0 [%i] %s
0000000022B9 0000624C40B9 0 CscCngOpen
0000000022C4 0000624C40C4 0 %d,%02d;
0000000022CD 0000624C40CD 0 No driver found!
0000000022DE 0000624C40DE 0 Session Open Error! [%x]
0000000022F7 0000624C40F7 0 Cassettes Read Error! [%x]
000000002312 0000624C4112 0 %d cassettes found. %d banknotes.
000000002334 0000624C4134 0 Reset Error! [%x]
000000002346 0000624C4146 0 Exc Acc Error! [%x]
00000000235A 0000624C415A 0 [%d] Dispensing %d notes from cassette %d
000000002384 0000624C4184 0 Dispense Error! [%x]
000000002399 0000624C4199 0 Transporting Cash to WaitPos...
0000000023B9 0000624C41B9 0 Transport WaitPos Error! [%x]
0000000023D7 0000624C41D7 0 Transporting Cash to Customer
0000000023F5 0000624C41F5 0 Transport Out Error! [%x]
00000000240F 0000624C420F 0 Success Cash Out
000000002420 0000624C4220 0 "LbMingw runtime failure:
00000000243C 0000624C423C 0 VirtualQuery failed for %d bytes at address %p
000000002470 0000624C4270 0 Unknown pseudo relocation protocol version %d.
0000000024A4 0000624C42A4 0 Unknown pseudo relocation bit size %d.
0000000024D0 0000624C42D0 0 GCC: (tdm-1) 5.1.0
0000000024E4 0000624C42E4 0 GCC: (tdm-1) 5.1.0
0000000024F8 0000624C42F8 0 GCC: (tdm-1) 5.1.0
00000000250C 0000624C430C 0 GCC: (tdm-1) 5.1.0
000000002E40 0000624C7040 0 zC6C4qC
000000002E56 0000624C7056 0 iC [E
000000003030 0000624C7230 0 AS Pi
0000000030B8 0000624C72B8 0 7q-Fa9q
0000000030F0 0000624C72F0 0 Qo4=-
0000000031DA 0000624C73DA 0 PfKUX]7
0000000031E2 0000624C73E2 0 ~XMZ
0000000031EF 0000624C73EF 0 xDMXf
0000000031F8 0000624C73F8 0 $t|XV
000000003226 0000624C7426 0 JX1*m
000000003267 0000624C7467 0 ;CS~_~GS
File pos Mem pos ID Text
======== ======= == ====
000000003283 0000624C7483 0 o,k<U
000000003328 0000624C7528 0 &cF\b
00000000343D 0000624C803D 0 ,c;(5
00000000364B 0000624C824B 0 J,*qHl
0000000036CC 0000624C82CC 0 N:m$|
000000003735 0000624C8335 0 \3V)p
000000003779 0000624C8379 0 yj<Cj.
000000003789 0000624C8389 0 ~/NKu
000000003E5C 00006284005C 0 q50;4;8;<;H;L;P;
000000003EB5 0000628400B5 0 6 6$6(6,6
000000004664 000062842064 0 kernel32.dll
000000004673 000062842073 0 CloseHandle
000000004681 000062842081 0 CreateFileA
00000000468F 00006284208F 0 DeleteCriticalSection
0000000046A7 0000628420A7 0 EnterCriticalSection
0000000046BE 0000628420BE 0 ExitProcess
0000000046CC 0000628420CC 0 FreeLibrary
0000000046DA 0000628420DA 0 GetCurrentDirectoryA
0000000046F1 0000628420F1 0 GetFileAttributesA
000000004706 000062842106 0 GetLastError
000000004715 000062842115 0 GetModuleHandleA
000000004728 000062842128 0 GetProcAddress
000000004739 000062842139 0 InitializeCriticalSection
000000004755 000062842155 0 LeaveCriticalSection
00000000476C 00006284216C 0 LoadLibraryA
00000000477B 00006284217B 0 SetFilePointer
00000000478C 00006284218C 0 TlsGetValue
00000000479A 00006284219A 0 VirtualProtect
0000000047AB 0000628421AB 0 VirtualQuery
0000000047BA 0000628421BA 0 WriteFile
0000000047C4 0000628421C4 0 msvcrt.dll
0000000047D1 0000628421D1 0 _mbsdup
0000000047DB 0000628421DB 0 __dllonexit
0000000047E9 0000628421E9 0 _errno
0000000047F9 0000628421F9 0 abort
000000004801 000062842201 0 calloc
00000000480A 00006284220A 0 fflush
00000000481A 00006284221A 0 fwrite
000000004823 000062842223 0 malloc
00000000482C 00006284222C 0 memcpy
000000004835 000062842235 0 sprintf
00000000483F 00006284223F 0 sscanf
000000004848 000062842248 0 _mbscpy
000000004852 000062842252 0 strtok
000000004862 000062842262 0 vfprintf
00000000486B 00006284226B 0 user32.dll
000000004878 000062842278 0 DialogBoxParamA
00000000488A 00006284228A 0 EndDialog
000000004896 000062842296 0 GetDlgItem
0000000048A3 0000628422A3 0 GetForegroundWindow
0000000048B9 0000628422B9 0 KillTimer
0000000048C5 0000628422C5 0 SendMessageA
0000000048D4 0000628422D4 0 SetTimer
0000000040A6 0000628410A6 0 VS_VERSION_INFO
000000004102 000062841102 0 VarFileInfo
000000004122 000062841122 0 Translation
000000004146 000062841146 0 StringFileInfo
00000000416A 00006284116A 0 040904B0
000000004182 000062841182 0 CompanyName
00000000419C 00006284119C 0 Wincor Nixdorf
File pos Mem pos ID Text
======== ======= == ====
0000000041C2 0000628411C2 0 FileDescription
0000000041E4 0000628411E4 0 CNG Device Driver
00000000420E 00006284120E 0 FileVersion
000000004228 000062841228 0 111021 1426
000000004246 000062841246 0 InternalName
000000004260 000062841260 0 CSCWCNG.DLL
00000000427E 00006284127E 0 LegalCopyright
0000000042B2 0000628412B2 0 Wincor Nixdorf 2019
0000000042E2 0000628412E2 0 OriginalFilename
000000004304 000062841304 0 CSCWCNG.DLL
000000004322 000062841322 0 ProductName
000000004346 000062841346 0 ProductVersion
00000000437E 00006284137E 0 CNGTester
000000004394 000062841394 0 Ms Shell Dlg
000000000020 0000624C0020 0 Win32 only!
000000000138 0000624C0138 0 .text
000000000160 0000624C0160 0 .data
000000000188 0000624C0188 0 .rdata
0000000001AE 0000624C01AE 0 0@.eh_fram
0000000001D6 0000624C01D6 0 0@.bss
000000000200 0000624C0200 0 .edata
000000000226 0000624C0226 0 0@.idata
0000000002A0 0000624C02A0 0 .reloc
0000000002C6 0000624C02C6 0 0@.rsrc
000000001626 0000624C2226 0 =XcLb
0000000016E7 0000624C22E7 0 $$BLb
000000001824 0000624C2424 0 $<BLb
000000001841 0000624C2441 0 CLb- CLb
000000001872 0000624C2472 0 5 CLb
00000000190B 0000624C250B 0 CLbs.
000000001939 0000624C2539 0 CLbr
0000000019FA 0000624C25FA 0 $pBLb
000000002200 0000624C4000 0 libgcj-16.dll
00000000220E 0000624C400E 0 _Jv_RegisterClasses
000000002224 0000624C4024 0 _%d-%d.z
00000000222D 0000624C402D 0 zyxwvutsrqponmlkjihgfedcba9876543210123456789abcdefghijklmnopqrstuvwxyz
000000002277 0000624C4077 0 %1[0-4]VAL=%8[0-9]
00000000228A 0000624C408A 0 %1[0-4]ACT=%8[0-9]
00000000229D 0000624C409D 0 %1[0-4]CUR=%3[A-Z]
0000000022B0 0000624C40B0 0 [%i] %s
0000000022B9 0000624C40B9 0 CscCngOpen
0000000022C4 0000624C40C4 0 %d,%02d;
0000000022CD 0000624C40CD 0 No driver found!
0000000022DE 0000624C40DE 0 Session Open Error! [%x]
0000000022F7 0000624C40F7 0 Cassettes Read Error! [%x]
000000002312 0000624C4112 0 %d cassettes found. %d banknotes.
000000002334 0000624C4134 0 Reset Error! [%x]
000000002346 0000624C4146 0 Exc Acc Error! [%x]
00000000235A 0000624C415A 0 [%d] Dispensing %d notes from cassette %d
000000002384 0000624C4184 0 Dispense Error! [%x]
000000002399 0000624C4199 0 Transporting Cash to WaitPos...
0000000023B9 0000624C41B9 0 Transport WaitPos Error! [%x]
0000000023D7 0000624C41D7 0 Transporting Cash to Customer
0000000023F5 0000624C41F5 0 Transport Out Error! [%x]
00000000240F 0000624C420F 0 Success Cash Out
000000002420 0000624C4220 0 "LbMingw runtime failure:
00000000243C 0000624C423C 0 VirtualQuery failed for %d bytes at address %p
000000002470 0000624C4270 0 Unknown pseudo relocation protocol version %d.
0000000024A4 0000624C42A4 0 Unknown pseudo relocation bit size %d.
0000000024D0 0000624C42D0 0 GCC: (tdm-1) 5.1.0
File pos Mem pos ID Text
======== ======= == ====
0000000024E4 0000624C42E4 0 GCC: (tdm-1) 5.1.0
0000000024F8 0000624C42F8 0 GCC: (tdm-1) 5.1.0
00000000250C 0000624C430C 0 GCC: (tdm-1) 5.1.0
000000002E40 0000624C7040 0 zC6C4qC
000000002E56 0000624C7056 0 iC [E
000000003030 0000624C7230 0 AS Pi
0000000030B8 0000624C72B8 0 7q-Fa9q
0000000030F0 0000624C72F0 0 Qo4=-
0000000031DA 0000624C73DA 0 PfKUX]7
0000000031E2 0000624C73E2 0 ~XMZ
0000000031EF 0000624C73EF 0 xDMXf
0000000031F8 0000624C73F8 0 $t|XV
000000003226 0000624C7426 0 JX1*m
000000003267 0000624C7467 0 ;CS~_~GS
000000003283 0000624C7483 0 o,k<U
000000003328 0000624C7528 0 &cF\b
00000000343D 0000624C803D 0 ,c;(5
00000000364B 0000624C824B 0 J,*qHl
0000000036CC 0000624C82CC 0 N:m$|
000000003735 0000624C8335 0 \3V)p
000000003779 0000624C8379 0 yj<Cj.
000000003789 0000624C8389 0 ~/NKu
000000003E5C 00006284005C 0 q50;4;8;<;H;L;P;
000000003EB5 0000628400B5 0 6 6$6(6,6
000000004664 000062842064 0 kernel32.dll
000000004673 000062842073 0 CloseHandle
000000004681 000062842081 0 CreateFileA
00000000468F 00006284208F 0 DeleteCriticalSection
0000000046A7 0000628420A7 0 EnterCriticalSection
0000000046BE 0000628420BE 0 ExitProcess
0000000046CC 0000628420CC 0 FreeLibrary
0000000046DA 0000628420DA 0 GetCurrentDirectoryA
0000000046F1 0000628420F1 0 GetFileAttributesA
000000004706 000062842106 0 GetLastError
000000004715 000062842115 0 GetModuleHandleA
000000004728 000062842128 0 GetProcAddress
000000004739 000062842139 0 InitializeCriticalSection
000000004755 000062842155 0 LeaveCriticalSection
00000000476C 00006284216C 0 LoadLibraryA
00000000477B 00006284217B 0 SetFilePointer
00000000478C 00006284218C 0 TlsGetValue
00000000479A 00006284219A 0 VirtualProtect
0000000047AB 0000628421AB 0 VirtualQuery
0000000047BA 0000628421BA 0 WriteFile
0000000047C4 0000628421C4 0 msvcrt.dll
0000000047D1 0000628421D1 0 _mbsdup
0000000047DB 0000628421DB 0 __dllonexit
0000000047E9 0000628421E9 0 _errno
0000000047F9 0000628421F9 0 abort
000000004801 000062842201 0 calloc
00000000480A 00006284220A 0 fflush
00000000481A 00006284221A 0 fwrite
000000004823 000062842223 0 malloc
00000000482C 00006284222C 0 memcpy
000000004835 000062842235 0 sprintf
00000000483F 00006284223F 0 sscanf
000000004848 000062842248 0 _mbscpy
000000004852 000062842252 0 strtok
000000004862 000062842262 0 vfprintf
00000000486B 00006284226B 0 user32.dll
File pos Mem pos ID Text
======== ======= == ====
000000004878 000062842278 0 DialogBoxParamA
00000000488A 00006284228A 0 EndDialog
000000004896 000062842296 0 GetDlgItem
0000000048A3 0000628422A3 0 GetForegroundWindow
0000000048B9 0000628422B9 0 KillTimer
0000000048C5 0000628422C5 0 SendMessageA
0000000048D4 0000628422D4 0 SetTimer
0000000040A6 0000628410A6 0 VS_VERSION_INFO
000000004102 000062841102 0 VarFileInfo
000000004122 000062841122 0 Translation
000000004146 000062841146 0 StringFileInfo
00000000416A 00006284116A 0 040904B0
000000004182 000062841182 0 CompanyName
00000000419C 00006284119C 0 Wincor Nixdorf
0000000041C2 0000628411C2 0 FileDescription
0000000041E4 0000628411E4 0 CNG Device Driver
00000000420E 00006284120E 0 FileVersion
000000004228 000062841228 0 111021 1426
000000004246 000062841246 0 InternalName
000000004260 000062841260 0 CSCWCNG.DLL
00000000427E 00006284127E 0 LegalCopyright
0000000042B2 0000628412B2 0 Wincor Nixdorf 2019
0000000042E2 0000628412E2 0 OriginalFilename
000000004304 000062841304 0 CSCWCNG.DLL
000000004322 000062841322 0 ProductName
000000004346 000062841346 0 ProductVersion
00000000437E 00006284137E 0 CNGTester
000000004394 000062841394 0 Ms Shell Dlg
=== DOWNLOAD ===
Mirror provided by vx-underground.org, thx!