{
	"id": "c32bbe35-742a-4874-a070-991cc5d15679",
	"created_at": "2026-04-06T00:15:38.682182Z",
	"updated_at": "2026-04-10T13:13:08.6502Z",
	"deleted_at": null,
	"sha1_hash": "8be8af571bc285e371b6de0a610dc7ed0dfeba55",
	"title": "ATMii: a small but effective ATM robber",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 214132,
	"plain_text": "ATMii: a small but effective ATM robber\r\nBy Konstantin Zykov\r\nPublished: 2017-10-10 · Archived: 2026-04-02 12:40:40 UTC\r\nWhile some criminals blow up ATMs to steal cash, others use less destructive methods, such as infecting the ATM with malware and then stealing the money. We have written about this phenomenon extensively in the past and today we can add another family of malware to the list – Backdoor.Win32.ATMii.\r\nATMii was first brought to our attention in April 2017, when a partner from the financial industry shared some samples with us. The malware turned out to be fairly straightforward, consisting of only two modules: an injector module (exe.exe, 3fddbf20b41e335b6b1615536b8e1292) and the module to be injected (dll.dll, dc42ed8e1de55185c9240f33863a6aa4). To use this malware, criminals need direct access to the target ATM, either over the network or physically (e.g. over USB). ATMii, if it is successful, allows criminals to dispense all the cash from the ATM.\r\nexe.exe – an injector and control module\r\nThe injector is an unprotected command line application, written in Visual C with a compilation timestamp: Fri Nov 01 14:33:23 2013 UTC. Since this compilation timestamp is from 4 years ago – and we do not think this threat could have gone unnoticed for 4 years – we believe it is a fake timestamp. What’s also interesting is the OS that is supported by the malware: one more recent than Windows XP. We can see this in the image below, where the first argument for the OpenProcess() function is 0x1FFFFu.\r\nOpenProcess call with the PROCESS_ALL_ACCESS constant\r\nIt is the PROCESS_ALL_ACCESS constant, but this constant value differs in older Windows versions such as Windows XP (see the picture below).
This is interesting because most ATMs still run on Windows XP, which is thus not supported by the malware.\r\nhttps://securelist.com/atmii-a-small-but-effective-atm-robber/82707/\r\nPage 1 of 6\r\nA list of PROCESS_ALL_ACCESS values per Windows version\r\nThe injector, which targets the atmapp.exe (proprietary ATM software) process, is fairly poorly written, since it depends on several parameters. If none are given, the application catches an exception. The parameters are pretty self-explanatory:\r\nparam  short description\r\n/load Tries to inject dll.dll into atmapp.exe process\r\n/cmd Creates/Updates C:\\ATM\\c.ini file to pass commands and params to infected library\r\n/unload Tries to unload injected library from atmapp.exe process, while restoring its state.\r\n/load param\r\n\u003cexe.exe\u003e /load\r\nThe application searches for a process with the name atmapp.exe and injects code into it that loads the “dll.dll” library (which has to be in the same folder as the exe.exe file). After it has been loaded it calls the DllMain function.\r\n/unload param\r\n\u003cexe.exe\u003e /unload\r\nAs the name already suggests, it is the opposite of the /load parameter; it unloads the injected module and restores the process to its original state.\r\n/cmd param\r\n\u003cexe.exe\u003e /cmd [cmd] [params]\r\nThe application creates/updates C:\\ATM\\c.ini which is used by the injected DLL to read commands. The file is updated each time the .exe is run with the /cmd param.\r\nContents of c.ini after execution of “exe.exe /cmd info”\r\nThe executable understands the following set of commands:\r\ncommand description\r\nscan Scans for the CASH_UNIT XFS service\r\ndisp Stands for “dispense”. The injected module should dispense “amount” cash of “currency” (amount and currency are used as parameters)\r\ninfo Gets info about ATM cash cassettes, all the returned data goes to the log file.\r\ndie Injected module removes C:\\ATM\\c.ini file\r\ndll.dll – the injected module\r\nAfter injection and execution of the DllMain function, the dll.dll library loads msxfs.dll and replaces the WFSGetInfo function with a special wrap function, named mWFSGetInfo.\r\nAt the time of the first call to the fake WFSGetInfo function, C:\\ATM\\c.ini is ignored and the library tries to find the ATM’s CASH_UNIT service id and stores the result, basically in the same way as the scan command does. If the CASH_UNIT service is not found, dll.dll won’t function. However, if successful, all further calls go to the mWFSGetInfo function, which performs the additional logic (reading, parsing and executing the commands from the C:\\ATM\\c.ini file).\r\nContents of C:\\ATM\\c.ini after execution of “exe.exe /cmd disp RUB 6000”\r\nBelow is an output of the strings program uncovering some interesting log messages and the function names to be imported. The proprietary MSXFS.DLL library and its functions used in the ATMii malware are marked with red boxes.\r\n“scan” command\r\nBecause of the architecture of XFS, which is divided into services, the injected library first needs to find the dispense service. This command must be successfully called, because the disp and info commands depend on the service id retrieved by scan. Scan is automatically called after the dll has been injected into atmapp.exe.\r\nAfter collecting the WFS_INF_CDM_STATUS data, additional data gets added to the tlogs.log. An example can be found below:\r\n…\r\n(387):cmd_scan() Searching valid service\r\n(358):FindValidService() Checking device index=0\r\n(70):CheckServiceForValid() ————————————————\r\n(72):CheckServiceForValid() Waiting for lock\r\n(76):CheckServiceForValid() Device was locked\r\n(86):CheckServiceForValid() WFSGetInfo Success 0\r\n(182):CheckServiceForValid() Done-\u003e szDevice: WFS_CDM_DEVONLINE, szDispenser: WFS_CDM_DISPOK, szIntermediateStacker: WFS_CDM_ISEMPTY, szSafeDoor: WFS_CDM_DOORCLOSED\r\n(195):CheckServiceForValid() Unlocking device\r\n(390):cmd_scan() Service found 0\r\n…\r\nPart of a possible tlogs.log after a successfully executed “scan” command\r\n“info” command\r\nBefore the criminals can dispense cash, they first need to know the exact contents of the different cassettes. For this, they use the info command which provides exhaustive information on all cassettes and their contents. The list of used XFS API functions is the same as with the scan command, but this time WFSGetInfo is called with the WFS_INF_CDM_CASH_UNIT_INFO (303) constant passed as a param.\r\nBelow is an example of the data in the log file returned by the info command.\r\n…\r\n(502):ExecuteCmd() Executing cmd\r\n(506):ExecuteCmd() CMD = info\r\n(402):cmd_info() ! hFoundGlobalService = 0\r\n(213):GetDeviceInformation() ————————————————\r\n(220):GetDeviceInformation() Device locked 0\r\n(337):GetDeviceInformation() Module: C:\\program files\\dtatmw\\bin\\atmapp\\atmapp.exe\r\nCash Unit # 1, name=SOMENAME\r\nType: 3\r\nStatus: HIGH\r\nCurrency ID: 0x52-0x55-0x42\r\nNote Value: 5000\r\nNotes Count: 3000\r\nNotes Initial Count: 3000\r\nNotes Minimum Count: 10\r\nNotes Maximum Count: 0\r\n…\r\nPart of a possible tlogs.log after a successfully executed “info” command\r\n“disp” command\r\nThe dispense command is followed by two additional params in the command file: currency and amount. Currency must contain one of the three-letter currency codes of notes kept in the CASH_UNIT_INFO structure (currency codes are described in ISO_4217 e.g. RUB, EUR). The amount code holds the amount of cash to dispense and this value must be a multiple of ten.\r\n“die” command\r\nDoes nothing except deleting the C:\\ATM\\c.ini command file.\r\nConclusion\r\nATMii is yet another example of how criminals can use legitimate proprietary libraries and a small piece of code to dispense money from an ATM. Some appropriate countermeasures against such attacks are default-deny policies and device control. The first measure prevents criminals from running their own code on the ATM’s internal PC, while the second measure will prevent them from connecting new devices, such as USB sticks.\r\nSource: https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/"
	],
	"report_names": [
		"82707"
	],
	"threat_actors": [],
	"ts_created_at": 1775434538,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8be8af571bc285e371b6de0a610dc7ed0dfeba55.pdf",
		"text": "https://archive.orkl.eu/8be8af571bc285e371b6de0a610dc7ed0dfeba55.txt",
		"img": "https://archive.orkl.eu/8be8af571bc285e371b6de0a610dc7ed0dfeba55.jpg"
	}
}