{
	"id": "5cc3ce95-145c-4108-adf9-5d37c5e132d3",
	"created_at": "2026-04-06T00:12:05.309653Z",
	"updated_at": "2026-04-10T03:21:44.990168Z",
	"deleted_at": null,
	"sha1_hash": "114e211cfd0dcb6f34f0481d567f5ba7a25ba957",
	"title": "Janicab Series: First Steps in the Infection Chain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 152977,
	"plain_text": "Janicab Series: First Steps in the Infection Chain\r\nPublished: 2022-05-24 · Archived: 2026-04-05 13:33:22 UTC\r\nIn late April 2022, I was requested to analyze a software artifact. It was an instance of Janicab, software with infostealing and spying capabilities known since 2013. Unlike other analyses I do as part of my job, in this particular case I can disclose parts of it to you readers. I’m addressing those parts in a post series. Here, I’ll discuss the first stages of a Janicab infection on Microsoft Windows targets, based on this specific sample.\r\nSMPT-error.txt.lnk\r\nThe infection chain starts with a Shell Link Binary file (LNK) called SMPT-error.txt.lnk. This file is suspicious for several reasons. First, it tries to mask itself as an innocent text file, since the last extension (.lnk) is hidden by the default settings of Microsoft Windows: a user would just see SMPT-error.txt once it was downloaded. Second, the file size is considerably large for an LNK file: 3.25 MB. Third, as you can see from Figure 1, it targets the command prompt executable.\r\nFigure 1 - SMPT-error.txt.lnk targets the command prompt executable\r\nhttps://www.malwarology.com/2022/05/janicab-series-first-steps-in-the-infection-chain/\r\nPage 1 of 4\r\nFigure 2 - SMTP-error.txt.lnk hidden arguments\r\nBy parsing the LNK structure of SMPT-error.txt.lnk, and more precisely the COMMAND_LINE_ARGUMENTS structure included in the StringData set, I was able to obtain the arguments intended to be passed to the command prompt when the link is triggered. As Figure 2 shows, the arguments form a command prompt script. Such a script can be decomposed into the following consecutive steps:\r\n1. Copy SMPT-error.txt.lnk into the temporary files directory. The “SMP*.txt.lnk” glob expression will likely match just that file. The temporary files directory is the directory referenced by the %TMP% environment variable.\r\n2. Move to the temporary files directory by issuing the CD command.\r\n3. Add read permissions (+r) to any file with the .lnk extension in the temporary files directory. This is achieved by issuing the ATTRIB command.\r\n4. For each system file (/s argument of the DIR command) having the .lnk extension and located in the current directory, take the filename (/b argument of the DIR command) and:\r\n- Read the file content by issuing the TYPE command. Notice that the loop iteration variable %a contains a file name and the prefix $~f points to the absolute path.\r\n- Within the file, find any line containing the pattern ”#@~^”. This is achieved with the FIND command.\r\n- Redirect the lines matching the pattern to a file called .vba, stored in the temporary files directory.\r\n- Execute the .vba file with the CSCRIPT command. This evidence suggests that the content of .vba should be some script accepting the path to SMTP-error.txt.lnk as an argument.\r\nFigure 3 - SMPT-error.txt.lnk embeds an obfuscated script\r\nBased on what I have reported, I conclude this section by considering SMPT-error.txt.lnk a dropper for a second-stage artifact along the infection chain. Indeed, such a second stage is originally embedded in the LNK file and is stored on disk only after the user has double-clicked the link. Figure 3 shows the script as it can be found in the LNK file with the FIND command. The next section discusses that script in greater detail.\r\n.vbe\r\nAs already pointed out in the previous section, I know that what is shown in Figure 3 is a script. It gets executed by issuing the CSCRIPT command and it expects a single argument consisting of the absolute path to the SMTP-error.txt.lnk file. The script is encoded with the Windows Script Encoder, a tool originally developed and distributed by Microsoft to provide shallow protection for various forms of scripts such as VBScript, JavaScript, and more. I’m sure about the encoding because the marker ”#@~^”, used to find the .vbe script within SMTP-error.txt.lnk, is a well-known opening tag for scripts encoded with the Windows Script Encoder.\r\nFigure 4 - .vbe script content as it appears after decoding\r\nKnowing the encoding algorithm, I was able to decode the script. The full content is shown in Figure 4. As you may notice from that listing, the goal of .vbe consists of extracting a further chunk of SMTP-error.txt.lnk, storing that chunk on disk, and eventually executing the chunk by using CScript.exe. Therefore, I need to consider .vbe a dropper for a further script along the infection chain. I close this section with a few annotations about the listing of Figure 4:\r\n- The dropped script is stored in the same directory where .vba is located, namely the temporary files directory (%TMP%), with filename 2.vbe.\r\n- I know that 2.vbe is a script because it is executed with Cscript.exe (line 10).\r\n- The dropped script lies at char offset 3644 of SMTP-error.txt.lnk and is 5042 chars long. Those are the values passed to the MID function at line 20 as start and length, respectively. Those values are set at line 6 and line 7.\r\n- The dropped script is prefixed with the already mentioned ”#@~^” marker before being stored on disk as 2.vbe. From that evidence, I may suppose that 2.vba contains a further encoded script.\r\n- The execution of 2.vbe is attempted at line 10. This shell execution will not show any window because the intWindowStyle argument of WScript.Shell.Run is forced to 0 (corresponding to the hide setting).\r\n- Similarly to what I have observed for .vbe, the absolute path of SMTP-error.txt.lnk is passed as a parameter to 2.vbe when the latter gets executed.\r\n- After having launched 2.vbe, .vbe kills any process running the command prompt or PowerShell. That is the purpose of the function killRunningCmdInstances, called twice, at line 11 and line 12, with “cmd.exe” and “powershell.exe” as its argument, respectively.\r\n- killRunningCmdInstances searches the processes by name with the Windows Management Instrumentation (WMI) API for VBScript (lines 28-31).\r\nThe next post of this series will push the analysis further along the infection chain, starting from 2.vbe. As always, if you want to share comments or feedback (rigorously in broken Italian or broken English), do not hesitate to drop me a message at admin[@]malwarology.com.\r\nSource: https://www.malwarology.com/2022/05/janicab-series-first-steps-in-the-infection-chain/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.malwarology.com/2022/05/janicab-series-first-steps-in-the-infection-chain/"
	],
	"report_names": [
		"janicab-series-first-steps-in-the-infection-chain"
	],
	"threat_actors": [],
	"ts_created_at": 1775434325,
	"ts_updated_at": 1775791304,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/114e211cfd0dcb6f34f0481d567f5ba7a25ba957.pdf",
		"text": "https://archive.orkl.eu/114e211cfd0dcb6f34f0481d567f5ba7a25ba957.txt",
		"img": "https://archive.orkl.eu/114e211cfd0dcb6f34f0481d567f5ba7a25ba957.jpg"
	}
}