Win32/Tyupkin (ATM Malware, alias: Ulssm, Sidkey)

Forum for analysis and discussion about malware.

Postby Xylitol » Wed Oct 08, 2014 7:33 am

Tyupkin: Manipulating ATM Machines with Malware ~ http://securelist.com/blog/research/669 ... h-malware/
NCR ATM API Documentation Available on Baidu ~ http://www.f-secure.com/weblog/archives/00002751.html
Man arrested in Tyupkin malware cyber attack on UK ATMs ~ http://www.itgovernance.co.uk/blog/man- ... n-uk-atms/
Backdoor:MSIL/Sidkey.A ~ http://www.microsoft.com/security/porta ... ey.A#tab=2
Backdoor.Padpin ~ http://www.symantec.com/security_respon ... 99&tabid=2
XFS 3.20 is attached for testing purposes; XFS can also be downloaded from the official site here: http://www.cen.eu/work/areas/ict/ebusin ... s-xfs.aspx

Backdoor.MSIL.Tyupkin.a:
https://www.virustotal.com/en/file/b670 ... 412753212/

Backdoor.MSIL.Tyupkin.c:
https://www.virustotal.com/en/file/1616 ... 412753210/
https://www.virustotal.com/en/file/8bb5 ... 412753217/

Backdoor.Win32.Tyupkin.d:
https://www.virustotal.com/en/file/853f ... 412753215/
interesting offsets:
0x41FCF8
0x41FB6D
0x41FACB
9 = Auto remove
3 = Time extend
2 = Dispense cassette menu
1 = Hide Tyupkin
0 = Show Tyupkin
Xylitol
Global Moderator
 
Posts: 1642
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 504

Re: Backdoor.MSIL.Tyupkin

Postby Xylitol » Wed Oct 29, 2014 2:16 pm

Xylitol

Re: Backdoor.MSIL.Tyupkin

Postby harikrish093 » Fri Jan 30, 2015 9:21 am

Hi,
Which is the best way to reverse an MSIL malware file for finding a signature of that file?
harikrish093
 
Posts: 3
Joined: Mon Jan 26, 2015 8:43 am
Reputation point: 0

Re: Backdoor.MSIL.Tyupkin

Postby maximusdecimer » Fri Jan 30, 2015 11:42 am

You can use ILSpy and de4dot to analyze MSIL malware.
http://ilspy.net/
https://github.com/0xd4d/de4dot
maximusdecimer
 
Posts: 10
Joined: Tue Aug 05, 2014 4:54 am
Reputation point: 0

Re: Backdoor.MSIL.Tyupkin

Postby Xylitol » Fri Jan 30, 2015 7:50 pm

Xylitol

Re: Backdoor.MSIL.Tyupkin

Postby SomeUnusedName » Mon Feb 02, 2015 11:18 am

dotPeek is also very nice:

https://www.jetbrains.com/decompiler/
SomeUnusedName
 
Posts: 46
Joined: Fri Oct 07, 2011 1:17 pm
Reputation point: 8
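As an added example (not code from this thread, nor from ILSpy, de4dot or dotPeek), here is a Python triage script for the step that comes before any of those decompilers: confirm that the sample really is a managed (MSIL) image by parsing the PE headers and reading data directory entry 14, the CLR header, then pull out the runtime version, the ILONLY flag and the metadata root version string, which are stable facts that make decent signature material. The minimal PE32 image produced by build_sample_pe() is constructed test data, not a real binary, and all function names are my own.

```python
"""Triage a PE file for a managed (.NET/MSIL) image by reading its CLR header.

Added example, not code from the forum thread. The sample PE built by
build_sample_pe() is constructed inline for demonstration; it is not a
real binary and does not run.
"""
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data directory slot of the CLR header
COMIMAGE_FLAGS_ILONLY = 0x00000001          # image contains MSIL only, no native code
METADATA_SIGNATURE = b"BSJB"                # 0x424A5342 in little-endian byte order


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not mapped by any section" % rva)


def parse_clr_header(data):
    """Return a dict of CLR header facts for a managed PE, or None for a native PE."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: data directories start 96 bytes into the optional header
        dd_off = opt + 96
    elif magic == 0x20B:    # PE32+: 112 bytes in
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]   # NumberOfRvaAndSizes
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return None
    clr_rva, clr_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    if clr_rva == 0 or clr_size == 0:
        return None   # no CLR header: native image, ILSpy/de4dot will not help here

    sections = []
    sec_base = opt + opt_size
    for i in range(nsec):
        off = sec_base + 40 * i   # IMAGE_SECTION_HEADER is 40 bytes; name occupies the first 8
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((va, vsize, raw_ptr, raw_size))

    # IMAGE_COR20_HEADER: cb, MajorRuntimeVersion, MinorRuntimeVersion,
    # MetaData.VirtualAddress, MetaData.Size, Flags, EntryPointToken
    clr_off = _rva_to_offset(clr_rva, sections)
    cb, major, minor, md_rva, md_size, flags, entry_token = struct.unpack_from("<IHHIIII", data, clr_off)
    info = {
        "clr_header_size": cb,
        "runtime_version": "%d.%d" % (major, minor),
        "metadata_rva": md_rva,
        "metadata_size": md_size,
        "flags": flags,
        "il_only": bool(flags & COMIMAGE_FLAGS_ILONLY),
        "entry_point_token": entry_token,
        "runtime_version_string": None,
    }
    # Metadata root: Signature, MajorVersion, MinorVersion, Reserved, Length, Version[Length]
    md_off = _rva_to_offset(md_rva, sections)
    if data[md_off:md_off + 4] == METADATA_SIGNATURE:
        ver_len = struct.unpack_from("<I", data, md_off + 12)[0]
        raw = data[md_off + 16:md_off + 16 + ver_len].split(b"\0", 1)[0]
        info["runtime_version_string"] = raw.decode("ascii", "replace")
    return info


def build_sample_pe(managed=True):
    """Construct a minimal PE32 image with one section (constructed test data only)."""
    section_rva, section_raw = 0x2000, 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew -> PE signature at 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, section_rva, 72)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, section_rva, 0x200, section_raw, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(section_raw, b"\0")
    cli = struct.pack("<IHHIIII", 72, 2, 5, section_rva + 72, 32, COMIMAGE_FLAGS_ILONLY, 0x06000001)
    version = b"v4.0.30319\0\0"                               # padded to a 4-byte boundary
    md = METADATA_SIGNATURE + struct.pack("<HHII", 1, 1, 0, len(version)) + version + struct.pack("<HH", 0, 0)
    return headers + (cli.ljust(72, b"\0") + md).ljust(section_raw, b"\0")


if __name__ == "__main__":
    print(parse_clr_header(build_sample_pe()))
    print(parse_clr_header(build_sample_pe(managed=False)))
```

A real sample is read with `open(path, "rb").read()` and handed to parse_clr_header(); a None result means the file is native and the MSIL tools do not apply, while a populated dict gives the runtime version and metadata facts to carry into the decompiler and into any signature you write.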

Re: Backdoor.MSIL.Tyupkin

Postby Earth124 » Sun May 03, 2015 9:31 pm

Hey again Xylitol, I just started studying this malware and so far I'm very interested. I appreciate your experience and skill, because without you I wouldn't know what exactly I need to know. I don't want to get too personal on your thread, but I have a few questions: will the programs Ploutus and/or Tyupkin work if installed correctly even though they are samples? I know I will need physical access. What malware should be used for each brand of ATM, etc.? I would like to know, from an expert like yourself. I will be getting a laptop very soon; I'm pretty poor, low-income job, and not to mention I'm 19 years old. I take this stuff seriously and enjoy quality advice. Please email me: drizzl412@gmail.com or ICQ 697529503
TUTS of any type are welcome! Have a good evening.
Earth124
 
Posts: 4
Joined: Fri May 01, 2015 5:24 am
Reputation point: 0

Re: Backdoor.MSIL.Tyupkin

Postby Xylitol » Mon May 04, 2015 4:48 pm

Earth124 wrote: will the programs Ploutus and/or Tyupkin work if installed correctly even though they are samples?

No idea for Ploutus; Tyupkin should work, it just needs a bit of tweaking.

Earth124 wrote: I know I will need physical access.

Or just set up an ATM/XFS emulator like ATMirage for testing; I believe most ATM malware is developed in that kind of environment.
Coding ATM malware using XFS is a piece of cake.

Earth124 wrote: What malware should be used for each brand of ATM, etc.?

Ploutus, Tyupkin > NCR
Ligsetrac > Diebold
For the rest it depends... most malware is based on the WOSA/CEN/XFS standard, as ATMs tend to follow that and have their own implementations... just try on different brands and you'll see.

Earth124 wrote: I would like to know, from an expert like yourself. I will be getting a laptop very soon; I'm pretty poor, low-income job, and not to mention I'm 19 years old. I take this stuff seriously and enjoy quality advice.

I'm not an expert, and if you have a low-income job, just get a new one. Anyway, I don't get why you are talking about your life in your last sentence.
Xylitol

Re: Backdoor.MSIL.Tyupkin

Postby Earth124 » Tue May 05, 2015 12:15 am

Appreciate your time, I will get back to you soon!
And I'm on my last resort as of right now :/
Earth124
 

Re: Backdoor.MSIL.Tyupkin

Postby Xylitol » Fri Jun 05, 2015 11:14 am

Xylitol
