/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

rule ATM_HelloWorld : malware
{
    meta:
        description = "Search strings and procedure in HelloWorld ATM Malware"
        author = "xylitol@temari.fr"
        date = "2019-01-13"

    strings:
        // Imports from the cash-dispenser (CNG) API used by the sample
        $api1 = "CscCngOpen" ascii wide
        $api2 = "CscCngClose" ascii wide
        // Format string and configuration constant seen in the binary
        $string1 = "%d,%02d;" ascii wide
        $string2 = "MAX_NOTES" ascii wide
        // call dword ptr [imm32] ; mov edi, 0x8000 ; test edi, eax
        // (the four ?? bytes are the import-table address, which varies per build)
        $hex_var1 = { FF 15 ?? ?? ?? ?? BF 00 80 00 00 85 C7 }

    condition:
        // MZ header at offset 0 and "PE\0\0" at e_lfanew, i.e. a PE file
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
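As an added illustration, not part of the original ruleset, the following Python re-implements this rule's logic: the MZ/PE header check, the `ascii wide` modifier (raw bytes or their UTF-16LE form) and the `??` wildcards in $hex_var1, evaluated against a constructed buffer that is not a real sample.

```python
import re
import struct

STRINGS = [b"CscCngOpen", b"CscCngClose", b"%d,%02d;", b"MAX_NOTES"]


def build_sample(wide: bool = False) -> bytes:
    """Constructed test buffer (not malware): MZ/PE skeleton + rule artifacts."""
    buf = bytearray(b"MZ" + b"\x00" * 0x3A)        # e_magic at offset 0
    buf[0x3C:0x40] = struct.pack("<I", 0x80)       # e_lfanew -> offset 0x80
    buf += b"\x00" * (0x80 - len(buf))
    buf += b"PE\x00\x00"                            # PE signature at e_lfanew
    for s in STRINGS:
        buf += (s.decode().encode("utf-16-le") if wide else s) + b"\x00\x00"
    # FF 15 <4-byte address> ; BF 00 80 00 00 ; 85 C7 (address bytes arbitrary)
    buf += b"\xff\x15\x10\x20\x30\x40\xbf\x00\x80\x00\x00\x85\xc7"
    return bytes(buf)


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550"""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):                    # out-of-range read -> no match
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550


def ascii_wide(s: bytes) -> list:
    """'ascii wide' matches the raw bytes or the UTF-16LE encoding of the string."""
    return [s, s.decode("ascii").encode("utf-16-le")]


def hex_pattern_re(pattern: str) -> re.Pattern:
    """Turn 'FF 15 ?? ...' into a bytes regex; '??' matches any single byte."""
    parts = [b"." if t == "??" else f"\\x{int(t, 16):02x}".encode() for t in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


HEX_VAR1 = hex_pattern_re("FF 15 ?? ?? ?? ?? BF 00 80 00 00 85 C7")


def matches_atm_helloworld(data: bytes) -> bool:
    """Mirror of the rule's condition: PE check and 'all of them'."""
    if not is_pe(data):
        return False
    if not all(any(v in data for v in ascii_wide(s)) for s in STRINGS):
        return False
    return HEX_VAR1.search(data) is not None
```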