targeting/automated-teller-machine/ncr

reference NCR ATM library routines

# capa rule: matches when a function (static scope) or a thread (dynamic
# scope) references msxfs.dll or any of the WFS* routines listed below.
# The features sit under a single `or:`, so one feature is enough to match;
# a lone name string such as "WFSOpen" produces a hit without any call.
# Triage note: a hit means the routines are referenced, not that they are
# misused; legitimate ATM software presumably references the same names.
rule:
  meta:
    name: reference NCR ATM library routines
    # NOTE(review): every feature below is keyed on msxfs.dll, described in
    # this rule as "Extension for Financial Services (XFS)". As far as I know
    # that interface is not specific to NCR hardware -- confirm that the
    # `ncr` namespace is intended before using a hit to infer the ATM vendor.
    namespace: targeting/automated-teller-machine/ncr
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      # static analysis evaluates the features per function
      static: function
      # dynamic (sandbox trace) analysis evaluates them per thread
      dynamic: thread
    references:
      - https://www.pcworld.com/article/2824572/leaked-programming-manual-may-help-criminals-develop-more-atm-malware.html
    examples:
      # format looks like <sample hash>:<address of the matching function>
      - 84a1212f4a91066babcf594d87a85894:0x404470   # loads routines via GetProcAddress
      # second sample is kept only as a comment and is not an active example
      # 971e599e6e707349eccea2fd4c8e5f67  # packed with vmprotect
  features:
    - or:
      # NOTE(review): plain `string:` features are, as far as I know, exact
      # and case-sensitive in capa. A sample that spells the DLL name with
      # different casing, or embeds it in a full path, would not match this
      # line -- confirm, and consider a case-insensitive regex form if that
      # coverage is wanted.
      - string: "msxfs.dll"    # Extension for Financial Services (XFS)

      # Each routine appears twice: `api:` covers a reference to the msxfs
      # import, `string:` covers the bare name held as data, which is what
      # a sample resolving the routine at runtime (GetProcAddress, per the
      # example above) would contain.
      - api: msxfs.WFSCleanUp
      - string: "WFSCleanUp"

      - api: msxfs.WFSClose
      - string: "WFSClose"

      - api: msxfs.WFSExecute
      - string: "WFSExecute"

      - api: msxfs.WFSFreeResult
      - string: "WFSFreeResult"

      - api: msxfs.WFSGetInfo
      - string: "WFSGetInfo"

      - api: msxfs.WFSLock
      - string: "WFSLock"

      - api: msxfs.WFSOpen
      - string: "WFSOpen"

      - api: msxfs.WFSRegister
      - string: "WFSRegister"

      - api: msxfs.WFSStartUp
      - string: "WFSStartUp"

      - api: msxfs.WFSUnlock
      - string: "WFSUnlock"

last edited: 2023-11-24 10:34:28