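/*
 * ATMSpitter_XFS
 *
 * Static signature for a Windows PE file that embeds the usage text and
 * error messages of a command-line tool driving an ATM cash dispenser
 * through the XFS API (WFSStartUp / WFSOpen / WFSGetInfo / WFSExecute /
 * WFSFreeResult / WFSClose / WFSCleanUp).
 *
 * Triage notes:
 *   - No string carries a modifier, so each is matched as case-sensitive
 *     ASCII. A packed sample, or one storing these messages as UTF-16,
 *     will not match.
 *   - The rule is string-based only. A hit shows that the file contains
 *     this message set, not that it was executed. Confirm against the
 *     reference hash in `sample` or by analysis.
 *   - XFS identifiers such as WFS_ERR_INTERNAL_ERROR may plausibly appear
 *     in legitimate ATM vendor or diagnostic software, which is why
 *     several strings are required rather than one.
 */
rule ATMSpitter_XFS
{
    meta:
        author = "Quoscient GmbH"
        date = "2018-01-26"
        description = "Rule for detecting ATMSpitter_XFS variant used by Cobalt group"
        sample = "c5b43b02a62d424a4e8a63b23bef8b022c08a889a15a6ad7f5bf1fd4fe73291f"

    strings:
        // Command-line interface: operation list and usage/argument errors.
        $string_1 = "info/disp/sht/retr/calc"
        $string_2 = "Usage for disp operation"
        $string_3 = "Error! Banknotes Count"
        $string_4 = "Error! Cassette Slot Number"

        // XFS session set-up and generic error reporting.
        $string_5 = "WFS_ERR_INTERNAL_ERROR"
        $string_6 = "WFSStartUp failed with error:"
        $string_7 = "WFSOpen failed with error:"

        // Cash-unit (cassette) inventory query and its table header.
        $string_8 = "Getting cash units information..."
        $string_9 = "WFSGetInfo (WFS_INF_CDM_CASH_UNIT_INFO) failed with error"
        $string_10 = "Slot\tType\tStatus\tCcy\tValue\tCount\n"
        $string_11 = "WFSFreeResult failed with error:"
        $string_12 = "Error! Total count of slots is"

        // Dispenser commands: dispense, open shutter, retract.
        $string_13 = "Executing dispense operation"
        $string_14 = "WFSExecute (WFS_CMD_CDM_DISPENSE) failed with error:"
        // $string_15 was a byte-for-byte duplicate of $string_11. Both
        // matched the same text, so one message counted twice toward the
        // threshold below. It is removed so that "5 of" means five distinct
        // indicators. The other identifiers keep their original numbers so
        // existing match logs stay comparable.
        $string_16 = "WFSExecute (WFS_CMD_CDM_OPEN_SHUTTER) failed with error"
        $string_17 = "WFSExecute (WFS_CMD_CDM_RETRACT) failed with error"

        // XFS session tear-down.
        $string_18 = "WFSClose failed with error:"
        $string_19 = "WFSCleanUp failed with error:"

    condition:
        // "MZ" DOS header at offset 0.
        uint16(0) == 0x5A4D and
        // e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
        uint32(uint32(0x3C)) == 0x00004550 and
        // At least five of the 18 distinct strings above.
        5 of ($string_*)
}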