A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24087  by Xylitol
 Wed Oct 08, 2014 7:33 am
Tyupkin: Manipulating ATM Machines with Malware ~ http://securelist.com/blog/research/669 ... h-malware/
NCR ATM API Documentation Available on Baidu ~ http://www.f-secure.com/weblog/archives/00002751.html
Man arrested in Tyupkin malware cyber attack on UK ATMs ~ http://www.itgovernance.co.uk/blog/man- ... n-uk-atms/
Backdoor:MSIL/Sidkey.A ~ http://www.microsoft.com/security/porta ... ey.A#tab=2
Backdoor.Padpin ~ http://www.symantec.com/security_respon ... 99&tabid=2
XFS 3.20 is in the attachment for testing purposes; XFS can also be downloaded from the official site here: http://www.cen.eu/work/areas/ict/ebusin ... s-xfs.aspx

Backdoor.MSIL.Tyupkin.a:
https://www.virustotal.com/en/file/b670 ... 412753212/

Backdoor.MSIL.Tyupkin.c:
https://www.virustotal.com/en/file/1616 ... 412753210/
https://www.virustotal.com/en/file/8bb5 ... 412753217/

Backdoor.Win32.Tyupkin.d:
https://www.virustotal.com/en/file/853f ... 412753215/
Interesting offsets:
0x41FCF8
0x41FB6D
0x41FACB
9 = Auto remove
3 = Time extend
2 = Dispense cassette menu
1 = Hide Tyupkin
0 = Show Tyupkin
Attachments
no password (333.49 KiB)
infected (204.46 KiB)
 #25777  by Earth124
 Sun May 03, 2015 9:31 pm
Hey again Xylitol, I just started studying this malware and so far I'm very interested. I appreciate your experience and skill because without you I wouldn't know what exactly I need to know. I don't want to get too personal on your thread, but I have a few questions: will the programs Ploutus and/or Tyupkin work if installed correctly even though they are samples? I know I will need physical access. What malware should be used for each brand of ATM, etc.? I would like to know from an expert like yourself. I will be getting a laptop very soon; I'm pretty poor, low-income job, and not to mention I'm 19yo. I take this stuff seriously and enjoy quality advice. Please email me: drizzl412@gmail.com or ICQ 697529503
TUTS of any type are welcome! Have a good evening.
 #25791  by Xylitol
 Mon May 04, 2015 4:48 pm
Earth124 wrote: will the programs Ploutus and/or Tyupkin work if installed correctly even though they are samples?
No idea for Ploutus; Tyupkin should work, it just needs a bit of tweaking.
Earth124 wrote: I know I will need physical access.
Or just set up an ATM/XFS emulator like ATMirage for testing; I believe most ATM malware is developed in that kind of environment.
Coding ATM malware using XFS is a piece of cake.
Earth124 wrote: What malware should be used for each brand of ATM, etc.
ploutus, tyupkin > NCR
Ligsetrac > Diebold
For the rest it depends... most malware is based on the WOSA/CEN/XFS standard, as ATMs tend to follow that and have their own implementations... just try on different brands and you'll see.
Earth124 wrote: I would like to know from an expert like yourself. I will be getting a laptop very soon; I'm pretty poor, low-income job, and not to mention I'm 19yo. I take this stuff seriously and enjoy quality advice.
I'm not an expert, and if you have a low-income job, just get a new one. Anyway, I don't get why you are talking about your life in your last sentence.
 #25797  by Earth124
 Tue May 05, 2015 12:15 am
Appreciate your time, I will get back to you soon!
And I'm on my last resort as of right now :/