Backdoor:Win32/ATMRippery.A
First posted on 01 September 2016.
Source: Microsoft
Aliases:
There are no other names known for Backdoor:Win32/ATMRippery.A.
Explanation:
Installation
This threat can attempt to execute the command shell "cmd /c taskkill /IM dbackup.exe /T /F" to stop the "dbackup.exe" process from running, and then replaces it with its own version of "dbackup.exe", located in %System% (C:\Windows\System32). It also creates a service named "DBackup Service" so that it persists each time the system starts.
Payload
Allows backdoor access and control
This threat can give a malicious hacker access and control of your PC. They can then perform a number of different actions, such as:
- Creating, removing, starting, or stopping a service
- Enumerating directories and deleting files
- Executing remote installation through "/install" and "/autorun" switches
- Modifying the registry to maintain persistence
- Using WFSGetInfo() API calls to obtain ATM device information
- Creating a log file "clnup.dat" in %TEMP% directory
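As an added detection example (not part of the Microsoft write-up), the following Python checks constructed process, service and file events for the installation and payload artifacts described above: the taskkill command line, the "DBackup Service" service pointing at dbackup.exe in System32, and the clnup.dat log in %TEMP%. The event field names are an assumed, simplified schema, not a real log format.

```python
import re

# Constructed sample events loosely modelled on process-creation, service-install
# and file-creation telemetry. These are not real captures.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c taskkill /IM dbackup.exe /T /F"},
    {"type": "service_install", "service_name": "DBackup Service",
     "image_path": r"C:\Windows\System32\dbackup.exe"},
    {"type": "file_create", "path": r"C:\Users\op\AppData\Local\Temp\clnup.dat"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},  # benign noise
]


def evaluate_event(ev):
    """Return the names of the indicators this single event matches."""
    hits = []
    if ev["type"] == "process_create":
        cmd = ev.get("cmdline", "").lower()
        # The threat kills the existing dbackup.exe before replacing it.
        if "taskkill" in cmd and "dbackup.exe" in cmd:
            hits.append("taskkill_dbackup")
    elif ev["type"] == "service_install":
        if ev.get("service_name", "").lower() == "dbackup service":
            hits.append("service_dbackup")
        if ev.get("image_path", "").lower().endswith(r"\system32\dbackup.exe"):
            hits.append("dbackup_in_system32")
    elif ev["type"] == "file_create":
        # Log file written to %TEMP% (any user's Temp directory).
        if re.search(r"\\temp\\clnup\.dat$", ev.get("path", "").lower()):
            hits.append("clnup_log")
    return hits


def scan(events):
    """Map each matched indicator to the indices of the events that triggered it."""
    summary = {}
    for i, ev in enumerate(events):
        for hit in evaluate_event(ev):
            summary.setdefault(hit, []).append(i)
    return summary


def verdict(summary):
    # dbackup.exe is an existing process the threat replaces, so its name alone is
    # weak evidence; require two distinct indicators before raising an alert.
    return "atm_ripper_like" if len(summary) >= 2 else "clean"
```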
It includes the following backdoor command table that can be easily executed by the remote attacker:
1. Ignore cassette balance
2. CLEAN LOGS
3. HIDE
4. BACK
5. UNINSTALL
6. UNINSTALL SERVICE
7. NETWORK: ENABLE
0. NETWORK: DISABLE
Analysis by: Meths Cebrian Ferrer
Last update: 01 September 2016