ATMMalScan – Tool for Windows which helps to search for malware traces on an ATM during the DFIR process

ATMMalScan is a commandline tool for Windows operating systems version 7 and higher, which helps to search for malware traces on an ATM during the DFIR process. This tool examines the running processes of a system, as well as the hard disk, depending on the specified file path. To scan a system, a user with standard rights is sufficient. However, ATMMalScan provides the best results with administrator privileges.

Known issues:

Currently ATMMalScan does not support codepages that require Unicode, this means Windows operating systems that are set to e.g. Cyrillic or Chinese characters, no representative result can be guaranteed.

Requirements:

Make sure at least Visual C++ Redistributable for Visual Studio 2015 has been installed on the ATM, you like to scan.

Usage (Example)

Step1 => Scan process memory and disk. ===> Check if Admin privileges are available on the device for best results!

Step2 => ATMMalScan detected a Malware called XFS_DIRECT in a process, gives details about the thread and its rules matches. Further a full processmemory dump has been saved to disk, to catch the malicious process, its modules, as well as its stack and heap pages.

Step3 => Dump can be found here => .Dump

Step4 => Open dumpfile with Windbg and extract the ATM malware to disk using “.writemem”

Step5 => Repair the dumped PE with one of your favorite PE-Fixers and start analysing the malware in detail.