Once the magic card is inserted, the malware is ready to interact with two different types of cards, each with different functions:
1. Card type 1 – request commands through the interface
2. Card type 2 – execute the command hardcoded in the Track2

After the card is ejected, the user is presented with a form asking them to enter the session key in less than 60 seconds. The user is now authenticated, and the malware will accept 21 different codes that control its activity. These codes are entered from the PIN pad.

Below is a list of the most important features:
1. Show installation details;
2. Dispense money – 40 notes from the specified cassette;
3. Start collecting the details of inserted cards;
4. Print collected card details;
5. Self delete;
6. Debug mode;
7. Update (the updated malware code is embedded on the card).

During its activity, the malware also creates the following files or NTFS streams (depending on the file system type). These files are used by the malware at different stages of its activity, such as storing the configuration, storing skimmed card data and logging its activity:

Securelist