{
	"id": "8019c984-42ed-4d43-a845-355daf1d5db9",
	"created_at": "2026-04-06T01:29:30.545607Z",
	"updated_at": "2026-04-10T03:34:23.592872Z",
	"deleted_at": null,
	"sha1_hash": "03dcaed4682e313126373ca495588fbabc77c812",
	"title": "Janicab Series: Attribution and IoCs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47894,
	"plain_text": "Janicab Series: Attribution and IoCs\r\nPublished: 2022-05-31 · Archived: 2026-04-06 01:19:43 UTC\r\nIn late April 2022, I was requested to analyze a software artifact. It was an instance of Janicab, a piece of software with infostealing and spying capabilities, known since 2013. Unlike other analyses I do as part of my job, in this particular case I can disclose parts of it to you readers. I’m addressing those parts in a post series. Based on this specific sample, here I’m going to discuss the attribution a bit. Furthermore, I’m going to collect the Indicators of Compromise (IoCs) related to this specific infection chain. If you want to know more about the various stages of the infection, I recommend reading the previous posts of this series: first part, second part, and third part.\r\nAttribution\r\nGiven the body of knowledge about the artifacts involved in the infection chain, provided by the previous posts, I am now in a good position to briefly discuss why I believe I have dealt with a Janicab instance.\r\nJanicab was first disclosed in 2013 by F-Secure Labs. The name Janicab appears in their first publication on this topic within the signature created by the analysts for the antivirus product: Backdoor:Python/Janicab.A. That publication is about a malware targeting Mac operating systems. Despite its brevity, the article is long enough for us to observe a distinctive technique adopted by the malware: the use of C2 published on social media like YouTube. In that early case, the C2 URL was directly published as a YouTube video description. I discuss a very similar technique, regarding an artifact belonging to this infection chain, in this post. F-Secure Labs published another article about Janicab in 2015. The similarities between the sample discussed in this report and the one addressed by the F-Secure Labs post are manifold. Most of the similarities concern the techniques:\r\n- Use of a LNK file with hidden target arguments as the first link of the infection chain.\r\n- C2 IP address obtained starting from a numeric seed posted in a YouTube comment on a video. In the case discussed by F-Secure analysts, the comment pattern was slightly different: our (.*)th psy anniversary.\r\n- Same conversion function from the C2 numeric seed to the C2 IP address.\r\n- Same C2 resources and request parameters.\r\nAn interesting and relevant post concerning Janicab was published by Securelist (Kaspersky) in 2020. In this publication, the analysts claim that Janicab is operated by the same group as the Powersing and Evilnum malware. The claim is supported by several observations, such as:\r\n- Distribution via LNK files embedding other artifacts.\r\n- C2 obtained from dead drop resolvers, with a regular expression matched on public posts.\r\n- Partial code overlap and/or code similarities.\r\nAlthough I don’t have access to a reliable source of information concerning Janicab victimology, the claim made by Kaspersky analysts provides some potentially interesting leads. By including Evilnum and Powersing operations and targets, they hypothesize that the group behind Janicab acts as a mercenary outfit mostly involved in intelligence operations. The main targets seem to be law firms and fintech companies.\r\nhttps://www.malwarology.com/2022/05/janicab-series-attibution-and-iocs/\r\nPage 1 of 3\n\nIndicators of Compromise\r\nIndicator Type Artifact\r\n7057bcfa5d994af8829819762643e8ae MD5 SMTP-error.txt.lnk\r\nb2aaa5c7b64231dbf25c0fac70eb9d7118468b2f SHA1 SMTP-error.txt.lnk\r\ne4a000e5d39ca4915cbe2f0dd4dcd17fc9a6f0b059634b37d39c18f40cb2773f SHA256 SMTP-error.txt.lnk\r\nfb4a625c222ef53201e224b48d3f3f28 MD5 cab.cab\r\n9e145251a4fd70c3de7d0b397115ed49c669dc87 SHA1 cab.cab\r\n5c5d2aab69939c6a6037f2e93de32d8ffe8cbcf602578e89784038e141f0b515 SHA256 cab.cab\r\n2fec5b88e18705db18310a52e495c6aa MD5 2.vbe\r\n031e1981c18a55015abc3eac4ef1162e4bfd0fa8 SHA1 2.vbe\r\ne4210de7e526bdb7661d7631edc4f84a66eb361935f4b7412e63074ca76f4b40 SHA256 2.vbe\r\na927e643f42ee4f979c03346e9142bfb MD5 .vbe\r\na08e881bb1d73764becffc49930b4093ba1dc8a7 SHA1 .vbe\r\n1a55fdf465ec4a4565a12fc44d48308545884f4cfa545c524529792dcdac81b4 SHA256 .vbe\r\nd627882fd4311454646e6f653e2ae0cc MD5 k.dll\r\ndfa7f4b0647170712a5b7ff3d7ee03c5ef2d7f2d SHA1 k.dll\r\n192f058c4d756b9e4f3779b8dd880064cadbf5f8bb43529599b7f4a29c4770cf SHA256 k.dll\r\n3b91704b9d500f33019d3d2bb43f3d46 MD5 SMTP-error.txt\r\ndc3bf7b3ff83a12a5e8120f800d067cc9adde46d SHA1 SMTP-error.txt\r\n7e4df228c9d9c84fcac9474798d71f053cb217336e784dde84d5cb1242f19575 SHA256 SMTP-error.txt\r\nd822313bbed34ac72451d3174ec06937 MD5 replacer.py\r\nb0c20bb39a559d378f989161365ebd826000dff7 SHA1 replacer.py\r\n6b3e2feeb3fafe32586f547296028fcaabd32fdae0cddf18afbf68523ce0d7ff SHA256 replacer.py\r\ne0c0c90742083433b2adbbb13f9286e6 MD5 MicrosoftMicrosoft Sync Services.lnk\r\nde0e5b035d214b47c722b9fc985d58145f2b3e18 SHA1 MicrosoftMicrosoft Sync Services.lnk\r\n2b7dd592b5a3c756ff109d83707ac36717fb577d19369dbb0e30c4f9cc01a8a2 SHA256 MicrosoftMicrosoft Sync Services.lnk\r\n2b3d0c7fd1f3a7abd6d016f7eaa1c0d2 MD5 runOnce.reg\r\n4810dc9dead5d4ec82e147363d70d5cc5feb0083 SHA1 runOnce.reg\r\n5e989c4940741407f04bb7a630c0a41af8738dd377a395936a3652308ca1f68f SHA256 runOnce.reg\r\n3cafc122e092ba0d0ef446882ebdf07a MD5 vista.reg\r\n0d9138fad68568d6cb139735b18d0de85c8ad311 SHA1 vista.reg\r\n646f87d1fdc1b63d558b739aca164e24812ac668c9016185b985ec5f8816c22c SHA256 vista.reg\r\nThis post closes the series about Janicab. As always, if you want to share comments or feedback (rigorously in broken Italian or broken English) do not hesitate to drop me a message at admin[@]malwarology.com.\r\nSource: https://www.malwarology.com/2022/05/janicab-series-attibution-and-iocs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.malwarology.com/2022/05/janicab-series-attibution-and-iocs/"
	],
	"report_names": [
		"janicab-series-attibution-and-iocs"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438970,
	"ts_updated_at": 1775792063,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/03dcaed4682e313126373ca495588fbabc77c812.pdf",
		"text": "https://archive.orkl.eu/03dcaed4682e313126373ca495588fbabc77c812.txt",
		"img": "https://archive.orkl.eu/03dcaed4682e313126373ca495588fbabc77c812.jpg"
	}
}