Ploutos ATM Malware Analysis

Source: VirusTotal

File identification
MD5: eca2ca8ecf63816d9a157888e3d871dc
SHA1: b0b13b336ee8770bb2a90fb1292fd9dcabd046f4
SHA256: d99339d3dc6891cdd832754c5739640c62cd229c84e04e9e3cad743c6f66b1b9

FileVersionInfo properties
Copyright: Copyright © Ploutos 2013
Product: Ploutos
Original name: Ploutos.exe
Internal name: Ploutos.exe
File version: 1.0.0.0
Description: Ploutos

PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2013-07-24 07:09:14
Entry point: 0x0000944E
Number of sections: 3

.NET details
Module Version ID: b943871a-96c9-53f0-1673-9625474d13a6

PE imports
mscoree.dll

Number of PE resources by type
RT_MANIFEST: 1
RT_VERSION: 1

Number of PE resources by language
NEUTRAL: 2

The following command codes, entered on the ATM keypad, serve these purposes:

12340000: Tests whether the keyboard is receiving commands.

12343570: Generates the ATM ID, which is stored in the DATAA entry of the config.ini file.

12343571XXXXXXXX: Has two actions:
    Activate ATM ID: generates an activation code from an encoded ATM ID and the current date, and stores it in the DATAC entry of the config.ini file. The eight bytes read in must be a valid encoded ATM ID produced by a function called CrypTrack(). A valid ATM activation code must be obtained before the ATM will dispense cash.
    Generate timespan: sets a timer for dispensing money; the value is stored in the DATAB entry of the config.ini file.

12343572XX: Commands the ATM to dispense money. The XX digits represent the number of bills to dispense.
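As an added detection aid (not code from the original post or from the malware), the following Python scans a keypad keystroke stream for the command codes listed above and decodes their operands. The command prefixes and field lengths come from the description above; the dictionary keys and the sample keystroke string are constructed for this example.

```python
import re
from typing import Optional

# Command codes as documented in the analysis above.
CMD_KEYBOARD_TEST = "12340000"
CMD_GENERATE_ATM_ID = "12343570"
CMD_ACTIVATE = "12343571"   # followed by 8 bytes: encoded ATM ID
CMD_DISPENSE = "12343572"   # followed by 2 digits: number of bills

# Constructed sample keystroke log: keyboard test, ATM ID generation,
# then a dispense command for 22 bills.
SAMPLE_KEYSTROKES = "12340000" + "12343570" + "1234357222"


def classify_sequence(digits: str) -> Optional[dict]:
    """Describe the Ploutos command encoded in `digits`, or return None
    when the sequence is not one of the documented commands."""
    if digits == CMD_KEYBOARD_TEST:
        return {"command": "keyboard_test"}
    if digits == CMD_GENERATE_ATM_ID:
        return {"command": "generate_atm_id"}
    if digits.startswith(CMD_ACTIVATE) and len(digits) == len(CMD_ACTIVATE) + 8:
        return {"command": "activate", "encoded_atm_id": digits[8:]}
    if (digits.startswith(CMD_DISPENSE)
            and len(digits) == len(CMD_DISPENSE) + 2
            and digits[8:].isdigit()):
        return {"command": "dispense", "bills": int(digits[8:])}
    return None


def scan_keystrokes(keystrokes: str) -> list:
    """Find every documented command in a keystroke stream and report its
    offset, so a keypad/input log can be checked for this activity."""
    pattern = re.compile(r"12340000|12343570|12343571.{8}|12343572\d{2}")
    hits = []
    for match in pattern.finditer(keystrokes):
        info = classify_sequence(match.group(0))
        if info:
            info["offset"] = match.start()
            hits.append(info)
    return hits


if __name__ == "__main__":
    for hit in scan_keystrokes(SAMPLE_KEYSTROKES):
        print(hit)
```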
