{
	"id": "59e98e31-f60b-481a-bbb5-bc1099978bb1",
	"created_at": "2026-04-29T08:21:15.392814Z",
	"updated_at": "2026-04-29T10:42:01.392022Z",
	"deleted_at": null,
	"sha1_hash": "317449535450f702a57b41ab9eae0af5b5822150",
	"title": "Janeleiro, the time traveler: A new old banking trojan in Brazil",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 862048,
	"plain_text": "Janeleiro, the time traveler: A new old banking trojan in Brazil\r\nBy Facundo Muñoz and Matías Porolli\r\nArchived: 2026-04-29 07:40:03 UTC\r\nUPDATE (April 6th, 2021):\r\nAlthough we have not received any official response from GitHub, when we checked on April 6th at around 18:00 UTC, the malicious repositories used by Janeleiro had been taken down.\r\nESET Research has been tracking a newly discovered banking trojan that has been targeting corporate users in Brazil since 2019 across many verticals, affecting sectors such as engineering, healthcare, retail, manufacturing, finance, transportation and government.\r\nThis new threat, which we've named Janeleiro, attempts to deceive its victims with pop-up windows designed to look like the websites of some of the biggest banks in Brazil. These pop-ups contain fake forms, aiming to trick the malware’s victims into entering their banking credentials and personal information, which the malware captures and exfiltrates to its C\u0026C servers.\r\nJaneleiro follows exactly the same blueprint for the core implementation of this technique as some of the most prominent malware families targeting the region: Casbaneiro, Grandoreiro, Mekotio, Amavaldo and Vadokrist, among others.\r\nIn contrast to those well-known malware families, Janeleiro is written in Visual Basic .NET, a big deviation from the favored Delphi programming language that threat actors in the region have been using for years. Janeleiro has been evolving towards giving the operators more control: to manipulate and adjust its fake pop-up windows based on what they need to pull off the attack, to send mouse clicks and keystrokes, and to record user input and the screen in real time. 
The nature of these attacks is not characterized by automation but by a hands-on approach: in many cases the operator must adjust the windows via commands in real time.\r\nThe operators seem comfortable using GitHub to store their modules, administering their organization page and uploading new repositories every day, where they store the files with the lists of C\u0026C servers that the trojans retrieve in order to connect to their operators. Having your malware depend on a single source is an interesting move; but what if we told you that the newest version of Janeleiro only lives for one day?\r\nTarget: Brazil\r\nBased on our telemetry data, we can affirm that this malware targets only corporate users. Malicious emails are sent to companies in Brazil and, even though we do not think these are targeted attacks, they seem to be sent in small batches. According to our telemetry, the affected sectors are engineering, healthcare, retail, manufacturing, finance, transportation and government.\r\nAn example of a phishing email is shown in Figure 1: a false notification regarding an unpaid invoice. It contains a link that leads to a compromised server. The retrieved page simply redirects to the download of a ZIP archive hosted in Azure. Some other emails sent by these attackers do not go through a compromised server but lead directly to the ZIP archive.\r\nhttps://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/\r\nPage 1 of 19\r\nFigure 1. Example of a malicious email\r\nThe servers that host these ZIP archives with Janeleiro have URLs that follow the same convention as other URLs that we saw delivering other banking trojan families (see the Indicators of Compromise section). In some cases, these URLs have distributed both Janeleiro and other Delphi bankers at different times. 
This suggests that either the various criminal groups share the same provider for sending spam emails and for hosting their malware, or that they are the same group. We have not yet determined which hypothesis is correct.\r\nAn overview of the attack is shown in Figure 2.\r\nFigure 2. Janeleiro attack overview (simplified)\r\nThe ZIP archive contains an MSI installer that loads the main trojan DLL. Using an MSI installer is a favored technique of several malware families in the region. Janeleiro retrieves the computer’s public IP address and uses a web service to attempt to geolocate it. If the returned country code does not match BR, the malware exits. If the geolocation check passes, Janeleiro gathers information about the compromised machine, including:\r\n- Current date and time\r\n- Machine name and username\r\n- OS full name and architecture\r\n- Malware version\r\n- Region name obtained when geolocating the computer\r\nThe information is uploaded to a website for the purpose of tracking successful attacks. After that, Janeleiro retrieves the IP addresses of the C\u0026C servers from a GitHub organization page apparently created by the criminals. It is then ready to start its core functionality and wait for commands from an operator.\r\nIn 2020 ESET published a white paper detailing findings about the interconnectivity of the most prominent Latin American families of banking trojans, including Casbaneiro, Grandoreiro and Amavaldo, among others. The similarities described in that paper are in the implementation of the trojan’s core: notifying the operator when there is an active window with an interesting name or title based on a predefined keyword list, and using a fake pop-up window to trick potential victims into thinking they are entering sensitive information on a legitimate website. 
This process is illustrated by the flowchart in Figure 3.\r\nFigure 3. Typical core implementation of banking trojans from Latin America\r\nJaneleiro follows the same blueprint for its core implementation as eleven other malware families that target Brazil. Figure 4 shows some of the fake pop-up windows created by Janeleiro.\r\nFigure 4. Fake pop-up windows used by Janeleiro\r\nJaneleiro in action\r\nJaneleiro begins by enumerating windows and checking their titles for interesting keywords (shown in Figure 5) that would indicate that the user is visiting the website of a banking entity of interest, especially one supported by its implementation of fake pop-up windows.\r\nFigure 5. List of keywords that Janeleiro searches for in window titles\r\nWhen one of the keywords is found, Janeleiro immediately attempts to retrieve the addresses of its C\u0026C servers from GitHub and connects to them. 
These fake pop-up windows are dynamically created on demand and controlled by the attacker via commands to the malware; they go through several stages to trick the user while the attacker receives, in real time, screen captures, the logged keystrokes and the information entered in the fake forms.\r\nThe fact that threat actors abuse GitHub is nothing new; however, Janeleiro does it in quite interesting ways: the operators have created a GitHub organization page that they rename every day in the form SLK\u003cdd/mm/yyyy\u003e, where \u003cdd/mm/yyyy\u003e is the current date.\r\nA screenshot of the GitHub organization page as it looked on 15 March 2021 is shown in Figure 6.\r\nFigure 6. GitHub organization page with repositories used by the operators of Janeleiro\r\nEvery day, the operator account novoescritorio1-alberto creates a new repository following this naming format. The purpose of the repository is to hold a file with the list of IP addresses of Janeleiro’s C\u0026C servers, to which the trojan connects to report to its operators, receive commands and exfiltrate information in real time.\r\nA screenshot of one of the repositories in the GitHub organization page attributed to Janeleiro’s operators is shown in Figure 7, including the username of the account that makes the commits.\r\nFigure 7. Main branch with the SLK file for Janeleiro version 3\r\nA screenshot of the secondary branch in the repository is shown in Figure 8.\r\nFigure 8. SLK branch with the SLK file for Janeleiro version 2\r\nWe have notified GitHub of this activity, but at the time of writing no action has been taken against the organization page or the account that creates the repositories with new C\u0026C server addresses.\r\nIn the newest version of Janeleiro, version 0.0.3, the developers introduced an interesting encryption/decryption feature using an open-source library called EncryptDecryptUtils. The new procedure for decryption is shown in Figure 9.\r\nFigure 9. Procedure for decryption implemented by Janeleiro version 0.0.3\r\nTo decrypt a string, Janeleiro first encrypts a string derived from the current date; the result is then used as both passphrase and salt to derive the decryption key. This has an extremely important effect: the newest version of Janeleiro can only decrypt its strings on one intended day. That could be the same day the strings were encrypted or one day in the future; on any other day, the decryption fails.\r\nThis is also true for the contents of the SLK file in the main branch: the encrypted and base64-encoded list of C\u0026C servers shown in Figure 10.\r\nFigure 10. Contents of the SLK file in the main branch.\r\nThe contents are encrypted with the same procedure: for Janeleiro to decrypt the contents of the file as intended, it must be running on one specific date, the current date.\r\nEvolution of Janeleiro\r\nJaneleiro has an internal version value (shown in Figure 11) that the attackers can use to identify which version of their malware successfully compromised a machine. As of March 2021, we have identified four versions, two of which share the same internal version number.\r\nFigure 11. Configuration values used by version 0.0.2A from 2020\r\nWhile in 2021 we have seen versions 0.0.2 and 0.0.3, we were interested in finding a missing key piece in the evolution of Janeleiro: version 0.0.1, which should have existed in late 2019 or early 2020. Instead, to our surprise, we found version 0.0.4 samples dating from 2019. These samples of the trojan were deployed by a DLL loader component in tandem with a password stealer, which means the group behind Janeleiro has other tools in its arsenal.\r\nAn overview of Janeleiro’s versions from 2019 through 2021 is shown in Figure 12.\r\nFigure 12. Janeleiro’s strange evolution timeline, based on the internal version of the malware\r\nThe inconsistency between the timeline and the internal versioning of the malware suggests that it was under development as far back as 2018, and that in 2020 the developers went back to a previous version of their code, improving it and refining its command processing so that the operator has better control of the trojan during an attack.\r\nBreaker and keeper of traditions\r\nWhile Janeleiro follows the same blueprint for the core implementation of its fake pop-up windows as other malware families that ESET has documented in the region, it sets itself apart from those families in several ways:\r\n- It is written in Visual Basic .NET: The curious case of Brazil is that it is mostly targeted by banking trojans developed in Delphi – the programming language of choice for several threat actors that are apparently working together, sharing tools and infrastructure. 
Janeleiro’s preference for VB.NET is a notable deviation from what appears to be the norm for the region.\r\n- No binary obfuscation: While Janeleiro does make use of light obfuscation, generating random names for its classes, modules, methods and parameters and encrypting its strings, it does not employ packers to make detection and analysis harder. Other trojans such as Grandoreiro, Mekotio, Ousaban, Vadokrist and Guildma make heavy use of Themida and binary padding techniques.\r\n- No custom encryption algorithms: Janeleiro’s developers rely on the cryptographic functions provided by the .NET Framework, as well as on open-source projects, for string encryption/decryption, with a preference for the AES and RSA algorithms. Trojans such as Casbaneiro, Grandoreiro, Amavaldo, Mispadu and Guildma, among others, use custom encryption algorithms, including obfuscation techniques based on string tables.\r\n- Simple method of execution: The MSI installer does not deploy any component besides the main trojan DLL, and executes no instructions other than loading and calling one of the DLL’s exports, which installs the trojan in the system. We have found no samples of an MSI installer executing obfuscated scripts, unpacking support tools or deploying components for DLL side-loading, which is popular with other malware families in the region.\r\n- No defense against security software: Some of the biggest banks in Brazil require their customers to install a security module before allowing them access to their bank accounts online; for example, the Warsaw anti-fraud software. LATAM banking trojans often try to find out whether such software is installed on the compromised machine and report it to the attackers. 
Some malware families such as Grandoreiro and Guildma attempt to disable it in Windows Firewall or disable its driver.\r\n- Uses code from NjRAT: Janeleiro is far from being another incarnation of the well-known NjRAT, but it does use NjRAT’s SocketClient and Remote Desktop capture functions, as well as other miscellaneous functions. NjRAT is not commonly used – at least by LATAM banking trojans – perhaps because of their preference for custom-made trojans in Delphi. However, among other malware, NjRAT has been used in Operation Spalax, a campaign that specifically targets Colombia.\r\nCommands\r\nCommands with parameters are received from the C\u0026C server in encrypted form, using the same algorithm used to encrypt strings (see Appendix A). A typical command has this format:\r\n%CommandName%%PredefinedSeparatorKeyword%%Parameters%\r\nAfter decryption the command is split into an array of strings; each part of the command is delimited by a predefined keyword hardcoded in the malware’s configuration – all versions we analyzed use |'meio'|, which separates the command name and each parameter.\r\nFigure 13 shows how Janeleiro checks the name of the command and executes the requested action.\r\nFigure 13. Example of Version 0.0.2B processing command startinfo\r\nWhen Janeleiro sends data back to the operator, it uses a similar format:\r\n%CommandName%%PredefinedSeparatorKeyword%%Encoded data%\r\nThe majority of Janeleiro’s commands are for controlling windows, the mouse and keyboard, and its fake pop-up windows. As development evolved from Version 0.0.2A to 0.0.3, more commands were added that offer the operator more refined control:\r\n- Commands to control a specific window\r\n- Enumerate and send information about windows (title, class, handle)\r\n- Adjust the size of a specific window, minimize, maximize\r\n- Report the dimensions of the screen\r\n- Kill all chrome.exe processes and restart chrome.exe with the argument --disable-gpu\r\n- Capture the screen in real time\r\n- Keylogging in real time\r\n- Send keys and mouse clicks\r\n- Display or close a specific fake pop-up window\r\n- Miscellaneous commands such as: send date and time, disconnect socket, terminate own process\r\nConclusion\r\nThe experimental nature of Janeleiro, going back and forth between different versions, tells us about an actor who is still trying to find the right way to do it but is no less experienced than the competition. Janeleiro follows the same blueprint for the core implementation of its fake pop-up windows as many LATAM banking trojans, and this does not seem to be coincidence or mere inspiration: this actor distributes Janeleiro from the same infrastructure used by some of the most prominent of these active malware families. 
As we continue to track the activities of this actor, time will tell what new developments they will come up with in the future.\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.\r\nSpecial thanks to Johnatan Camargo Zacarias from Itaú bank for his help with the investigation.\r\nIndicators of Compromise (IoCs)\r\nA comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.\r\nSHA-1 hashes\r\nVersion 0.0.4\r\nSHA-1 | Description | ESET detection name\r\nCF117E5CA26594F497E0F15106518FEE52B88D8D | MSI file | MSIL/TrojanDownloader.Agent.FSC\r\nD16AC192499192F06A3903192A4AA57A28CCCA5A | Console.exe loader | MSIL/TrojanDownloader.Agent.FSC\r\n462D6AD77860D3D523D2CAFBC227F012952E513C | Console.exe loader | MSIL/Kryptik.TBD\r\n0A5BBEC328FDD4E8B2379AF770DF8B180411B05D | LoadDllMSI.dll loader | MSIL/TrojanDownloader.Agent.FSC\r\n0AA349050B7EF173BFA34B92687554E81EEB28FF | System.Logins.Initial.dll | MSIL/Agent.TIX\r\n5B19E2D1950ADD701864D5F0F18A1111AAABEA28 | System.Logins.Initial.dll | MSIL/Agent.TIX\r\n186E590239083A5B54971CAB66A58301230164C2 | System.Modules.Initial.dll | MSIL/Agent.TIX\r\nE1B2FD94F16237379E4CAD6832A6FCE7F543DC40 | System.Modules.Initial.dll | MSIL/Janeleiro.A\r\n4061B2FBEB7F1026E54EE928867169D1B001B7A5 | System.Modules.Initial.dll | MSIL/Janeleiro.A\r\nVersion 0.0.2A\r\nSHA-1 | Description | ESET detection name\r\n8674E61B421A905DA8B866A194680D08D27D77AE | Main Trojan Loader | MSIL/Agent.AAI\r\n2E5F7D5F680152E738B8910E694651D48126382A | Main Trojan Loader | MSIL/Janeleiro.A\r\n06E4F11A2A6EF8284C6AAC5A924D186410257650 | Main Trojan | MSIL/Agent.AAI\r\nVersion 0.0.2B\r\nSHA-1 | Description | ESET detection name\r\n291A5F0DF18CC68FA0DA1B7F401EAD17C9FBDD7F | MSI file | MSIL/Janeleiro.A\r\nFB246A5A1105B83DFA8032394759DBC23AB81529 | MSI file | MSIL/Janeleiro.A\r\n6F6FF405F6DA50B517E82FF9D1A546D8F13EC3F7 | Main trojan | MSIL/Janeleiro.A\r\n742E0AEDC8970D47F16F5549A6B61D839485DE3C | Main trojan | MSIL/Janeleiro.A\r\nVersion 0.0.3\r\nSHA-1 | Description | ESET detection name\r\n455FAF2A741C28BA1EFCE8635AC0FCE935C080FF | MSI file | MSIL/Janeleiro.A\r\nD71EB97FC1F5FE50D608518D2820CB96F2A3376F | MSI file | MSIL/Janeleiro.A\r\n158DA5AB85BFAC471DC2B2EE66FD99AEF7432DBB | Main trojan | MSIL/Janeleiro.A\r\n6BFAEFCC0930DA5A2BAEC19723C8C835A003D1EC | Main trojan | MSIL/Janeleiro.A\r\nDownload URLs\r\nIn the following, \u003cNNNNNNNNNNN\u003e is a random number between 10000000000 and 90000000000.\r\nDownloading only Janeleiro\r\nhttps://recuperaglobaldanfeonline.eastus.cloudapp.azure[.]com/nfedown.php?dw=\u003cNNNNNNNNNNN\u003e\r\nhttps://protocolo-faturamento-servico.brazilsouth.cloudapp.azure[.]com/nfedown.php?dw=\u003cNNNNNNNNNNN\u003e\r\nhttps://acessoriapremierfantasiafaturas.eastus.cloudapp.azure[.]com/nfedown.php?dw=\u003cNNNNNNNNNNN\u003e\r\nDownloading Janeleiro and other Delphi banking trojans\r\nhttps://portalrotulosfechamento.eastus.cloudapp.azure[.]com/nfedown.php?dw=\u003cNNNNNNNNNNN\u003e\r\nhttps://servicosemitidosglobalnfe.southcentralus.cloudapp.azure[.]com/nfedown.php?dw=\u003cNNNNNNNNNNN\u003e\r\nhttps://emissaocomprovanteatrasado.eastus.cloudapp.azure[.]com/nfedown.php?dw=\u003cNNNNNNNNNNN\u003e\r\nDownloading Delphi bankers\r\nhttps://emitidasfaturasfevereiro.brazilsouth.cloudapp.azure[.]com/nfedown.php?dw=\u003cNNNNNNNNNNN\u003e\r\nhttps://dinamicoscontratosvencidos.brazilsouth.cloudapp.azure[.]com/nfedown.php?dw=\u003cNNNNNNNNNNN\u003e\r\nhttps://arquivosemitidoscomsucesso.eastus.cloudapp.azure[.]com/nfedown.php?dw=\u003cNNNNNNNNNNN\u003e\r\nhttps://fatura-digital-arquiv-lo.brazilsouth.cloudapp.azure[.]com/nfedown.php?dw=\u003cNNNNNNNNNNN\u003e\r\nhttps://nota-eletronica-servicos.brazilsouth.cloudapp.azure[.]com/nfedown.php?dw=\u003cNNNNNNNNNNN\u003e\r\nhttps://eletronicadanfe.brazilsouth.cloudapp.azure[.]com/nfedown.php?dw=\u003cNNNNNNNNNNN\u003e\r\nC\u0026C servers\r\nThese are the IP addresses of the C\u0026C servers to which Janeleiro connects to report, receive commands and send data:\r\n52.204.58[.]11\r\n35.174.60[.]172\r\nThese are the tracking URLs where Janeleiro sends information about the compromised system during installation:\r\nhttp://tasoofile.us-east-1.elasticbeanstalk[.]com/count\r\nhttp://slkvemnemim.us-east-1.elasticbeanstalk[.]com/count\r\nhttp://checa-env.cf3tefmhmr.eu-north-1.elasticbeanstalk[.]com/cnt/\r\nThese are the URLs used by System.Logins.dll to exfiltrate the harvested data:\r\nhttp://comunicador.duckdns[.]org/catalista/emails/checkuser.php\r\nhttp://comunicador.duckdns[.]org/catalista/lixo/index.php\r\nIPs associated with the domain:\r\n178.79.178[.]203\r\n138.197.101[.]4\r\nMITRE ATT\u0026CK techniques\r\nNote: This table was built using version 8 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1584.004 | Compromise Infrastructure: Server | In some cases, malicious emails sent to targets contain links to a compromised server that redirects to the download of Janeleiro.\r\nInitial Access | T1566.002 | Phishing: Spearphishing Link | Attackers send malicious emails that have a download link for Janeleiro malware.\r\nExecution | T1204.001 | User Execution: Malicious Link | Phishing emails sent by the attackers contain a link to download a ZIP archive that holds an MSI installer with Janeleiro malware.\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Janeleiro achieves persistence by adding itself to the Run registry key (in v0.0.3 of the malware).\r\nPersistence | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | Janeleiro creates a LNK file for persistence (in v0.0.4, v0.0.2A and v0.0.2B of the malware).\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Janeleiro v0.0.2B is obfuscated and its strings are RSA-encrypted. Version 0.0.3 uses AES for string encryption.\r\nCredential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Janeleiro v0.0.4 can download a DLL that steals passwords from Chrome, Firefox and Opera browsers.\r\nCredential Access | T1552.001 | Unsecured Credentials: Credentials In Files | Janeleiro v0.0.4 can download a DLL that obtains passwords stored in files from several applications such as FileZilla, Pidgin and Thunderbird.\r\nDiscovery | T1087.003 | Account Discovery: Email Account | Janeleiro v0.0.4 can download a DLL that collects Gmail addresses.\r\nDiscovery | T1010 | Application Window Discovery | Janeleiro collects information about open windows so the attacker can decide to inject pop-ups.\r\nDiscovery | T1082 | System Information Discovery | Janeleiro collects information from the victim’s machine, such as username, OS and architecture.\r\nDiscovery | T1033 | System Owner/User Discovery | Janeleiro collects the username from the victim’s machine.\r\nDiscovery | T1124 | System Time Discovery | Janeleiro collects the current date and time when the victim is compromised.\r\nCollection | T1115 | Clipboard Data | Janeleiro uses a clipboard event handler to access clipboard data.\r\nCollection | T1056.001 | Input Capture: Keylogging | Janeleiro can perform keylogging.\r\nCollection | T1113 | Screen Capture | Janeleiro can capture screenshots of the victim’s desktop.\r\nCollection | T1056.002 | Input Capture: GUI Input Capture | Janeleiro displays fake forms on top of banking sites to intercept credentials from victims.\r\nCommand and Control | T1095 | Non-Application Layer Protocol | Janeleiro uses TCP for C\u0026C communications.\r\nCommand and Control | T1102.001 | Web Service: Dead Drop Resolver | Janeleiro uses GitHub repositories to store C\u0026C information.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | Janeleiro exfiltrates data over the same channel used for C\u0026C.\r\nAppendix A: Overview of Janeleiro’s malware family\r\nHere is each incarnation of Janeleiro we have found, from 2019 until March 2021.\r\nVersion 0.0.4\r\nPeriod of activity: 2019 – Possibly still active.\r\nThe first version of Janeleiro that we know of came as an MSI installer, in at least two variants:\r\n- Variant 1: The MSI installer loads a DLL called LoadDllMSI.dll internally.\r\n- Variant 2: The MSI installer executes Console.exe, which checks privileges and loads an embedded DLL assembly called LoadSystem.dll.\r\nBoth LoadDllMSI.dll and LoadSystem.dll perform the same tasks:\r\n- Create an installation folder\r\n- Download and store two modules: Logins.Initial.dll and System.Modules.Initial.dll. 
The two modules are downloaded from a GitHub account that, at the time of writing, has been closed.\r\n- Create several shortcuts in strategic places\r\n- Log the successful compromise of the system to a tracking website\r\nSystem.Logins is a password stealer for Google Chrome, FileZilla, Mozilla Firefox, Opera, Pidgin and Mozilla Thunderbird. Additionally, it harvests email information from Gmail. All the information is exfiltrated to two websites. Version 0.0.4 is the only one that is deployed with this malicious tool.\r\nSystem.Modules is Janeleiro’s main trojan, implemented as a Windows Forms application compiled as a DLL. This version had the capacity to dynamically create fake pop-up windows, using several Forms for several banking entities, including banks operating in Mexico; it is unknown whether this version was ever distributed in Mexico.\r\nThis version used two GitHub organization pages to download the IP addresses of its C\u0026C servers: the names of the pages are generated by encrypting the current date, with SLK as suffix, as shown in Figure 14.\r\nFigure 14. Version 0.0.4 attempts to read a file in a GitHub repository that contains the encrypted list of C\u0026C servers\r\nAt the time of writing, we believe that the operators have abandoned this version of the malware. We could not find any active GitHub pages by following the name generation algorithm used by Janeleiro.\r\nMany of the trojan’s commands were left unimplemented; some were implemented and others were discarded in the newer versions used in 2020 and 2021.\r\nVersion 0.0.2A\r\nPeriod of activity: 2020 – Unknown.\r\nInternal Malware Version: 0.0.2\r\nThe MSI installer loads a DLL that borrows the installation and persistence procedures from LoadSystem but unpacks the embedded main trojan DLL from its resources. 
The main trojan was implemented as a Windows Forms application compiled as a DLL.\r\nThis version of Janeleiro uses only one Form to create the fake pop-up windows; it supports more operator commands but has fewer targets: Mexican banking entities were discarded. All of the images used to cover the screen and trick the user are for Brazilian banks.\r\nThis version also appears to have been abandoned and cannot contact its C\u0026C servers by retrieving the IP lists from a GitHub page. It uses the same algorithm as Version 0.0.4 with the same key vhpjzqqtpo, suggesting that the operators were using the same GitHub page as for Version 0.0.4. Figure 15 shows the code that attempts to retrieve the list from GitHub.\r\nFigure 15. Version 0.0.2A attempts to download a new list of C\u0026C servers from a repository on a GitHub organization page\r\nVersion 0.0.2B\r\nPeriod of activity: 2021 – Still active.\r\nInternal Malware Version: 0.0.2\r\nNew characteristics of this version:\r\n- Implemented as a Windows Presentation Foundation application\r\n- Major restructuring of the code, combining the loader code with the main trojan\r\n- Geolocation of the compromised machine\r\n- Implementation of clipboard hijacking to replace bitcoin addresses\r\n- Expanded set of supported commands\r\n- Strings encrypted/decrypted with the RSA algorithm\r\nFigure 16 shows Janeleiro’s implementation of clipboard hijacking: when a bitcoin address is found in the clipboard, it randomly picks one from its own list of bitcoin addresses and replaces it.\r\nFigure 16. Janeleiro's implementation of clipboard hijacking\r\nIn this version a simplified procedure was implemented to retrieve the addresses of its C\u0026C servers from a GitHub organization page; the name scheme this time is a simple concatenation of SLK with the current date without the slashes, as shown in Figure 17.\r\nFigure 17. Version 0.0.2B procedure to retrieve its list of C\u0026C servers. We have decrypted some strings for clarity.\r\nThe code attempts to download the contents of a file in a secondary branch. The file contains, in plaintext, the list of the C\u0026C IP addresses and ports. At the time of writing, the GitHub organization pages can be found using this procedure, as they continue to operate with this recent version of Janeleiro.\r\nVersion 0.0.3\r\nPeriod of activity: Since March 2021 – Still active.\r\nInternal Malware Version: 0.0.3\r\nNew characteristics of this version:\r\n- Implemented as a Windows Forms application\r\n- A recombination of Version 0.0.2A and 0.0.2B code and technique implementations\r\n- New persistence method using the Windows Registry Run key\r\n- Expanded set of supported commands\r\n- Uses the AES algorithm to encrypt/decrypt its strings\r\nThis version uses the same procedure as Version 0.0.2B to get the C\u0026C servers from the GitHub organization page, with the difference that it uses the main branch within the repository and the list is encrypted and base64-encoded, as shown in Figure 18.\r\nFigure 18. Main repository containing an encrypted list of C\u0026C servers\r\nThe date-keyed decryption procedure is also used when decrypting the list of C\u0026C servers; therefore there must exist a repository containing the file in the main branch, with the encrypted list intended for that day. 
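The date-keyed decryption described above for version 0.0.3, together with the command format from the Commands section (%CommandName%|'meio'|%Parameters%, which travels through the same encryption), as an added worked example in Python. This is illustrative code written for this page, not Janeleiro's code and not the EncryptDecryptUtils library: the page does not say how EncryptDecryptUtils turns the date into a passphrase, which key-derivation parameters it uses or which AES mode it uses, so SHA-256 of the dd/mm/yyyy string, PBKDF2-HMAC and an HMAC-SHA256 counter-mode keystream with an authentication tag are assumptions standing in for those pieces. The C&C list, ports, nonce and command parameters are constructed sample data; the SLK + ddmmyyyy repository name follows the version 0.0.2B scheme described in Appendix A.

```python
import base64
import hashlib
import hmac
import os
from datetime import date, timedelta

# Separator keyword hardcoded in every analysed Janeleiro version (from the article).
SEPARATOR = '''|'meio'|'''

# Constructed sample day (the date of the screenshot in Figure 6) and the day after it.
SAMPLE_DAY = date(2021, 3, 15)
NEXT_DAY = SAMPLE_DAY + timedelta(days=1)


def dead_drop_name(day):
    # Dead-drop naming used by version 0.0.2B/0.0.3: SLK followed by ddmmyyyy.
    return 'SLK' + day.strftime('%d%m%Y')


def day_key(day):
    # The sample encrypts the current date and uses the result as passphrase and salt.
    # Assumption: SHA-256 stands in for that encryption step, PBKDF2-HMAC for the KDF.
    token = hashlib.sha256(day.strftime('%d/%m/%Y').encode()).digest()
    return hashlib.pbkdf2_hmac('sha256', token, token, 10000, dklen=32)


def _keystream(key, nonce, length):
    # Assumption: HMAC-SHA256 in counter mode stands in for the AES mode the sample uses.
    out = b''
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, 'big'), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_for_day(plaintext, day, nonce=None):
    # Produce the base64 blob stored in the SLK file: nonce || ciphertext || tag.
    nonce = os.urandom(12) if nonce is None else nonce
    key = day_key(day)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return base64.b64encode(nonce + ct + tag).decode()


def decrypt_for_day(blob, day):
    # Returns the plaintext, or None when the key for this day does not verify the tag.
    raw = base64.b64decode(blob)
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    key = day_key(day)
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def parse_command(plaintext):
    # %CommandName%|'meio'|%Parameters%: first field is the command, the rest are parameters.
    parts = plaintext.split(SEPARATOR)
    return parts[0], parts[1:]


def recover_cnc_list(blob, repo_day):
    # Analyst helper: a captured SLK file is encrypted for the repository day or the day after.
    for candidate in (repo_day, repo_day + timedelta(days=1)):
        plaintext = decrypt_for_day(blob, candidate)
        if plaintext is not None:
            return candidate, plaintext.split(';')
    return None, []


def demo():
    # Constructed C&C list (documentation addresses, made-up ports) encrypted for SAMPLE_DAY.
    cnc = '192.0.2.10:4444;192.0.2.11:4444'
    blob = encrypt_for_day(cnc, SAMPLE_DAY, nonce=bytes(12))
    # startinfo is a command name from the article; its parameters here are constructed.
    command = encrypt_for_day(SEPARATOR.join(['startinfo', 'handle=1234', 'visible=1']), SAMPLE_DAY)
    return {
        'repo': dead_drop_name(SAMPLE_DAY),
        'same_day': decrypt_for_day(blob, SAMPLE_DAY),
        'next_day': decrypt_for_day(blob, NEXT_DAY),
        'recovered': recover_cnc_list(blob, SAMPLE_DAY),
        'command': parse_command(decrypt_for_day(command, SAMPLE_DAY)),
    }


if __name__ == '__main__':
    print(demo())
```

The point for an analyst is in recover_cnc_list: a captured SLK file does not decrypt with the key for the day it is analysed, only with the key for the day the operator intended, which the page says is the repository day or the day after. In this stand-in the wrong day shows up as a tag mismatch rather than as garbage, since the key material itself changes with the date.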
If the list for the current day is missing or was encrypted for a different day, decryption fails and this version cannot contact its operators.\r\nAppendix B: Third-party tools used by Janeleiro\r\nJaneleiro uses several third-party, open-source libraries for various purposes:\r\nTool | Description | Used by\r\nFody | Used to load every other third-party tool or trojan component, such as LoadSystem in version 0.0.4. | All versions, including System.Logins\r\nMimekit, Mailkit, Xnet, BouncyCastle, uPREC | Used to collect emails and login information. | System.Logins\r\nSharpClipboard | Used for clipboard hijacking: when the user copies a bitcoin address, Janeleiro replaces it with one randomly chosen from a list of its own. Interestingly, the Janeleiro developers do not seem to have downloaded SharpClipboard’s source code to compile their own version: they obtained a compiled copy from another GitHub repository; we do not believe that user is in any way related to the development of this threat. | Version 0.0.2B, Version 0.0.3\r\nSharpVectors | Used to load SVG images contained in resources. These images are logos of several banks used by the fake pop-up windows. | Version 0.0.2B, Version 0.0.3\r\nNewtonsoft JSON | Used to parse the data returned by the geoPlugin web service. | Version 0.0.2B, Version 0.0.3\r\nEncryptDecryptUtils | Used to encrypt and decrypt its strings. The functions were modified to contain the key, so it is not present in the trojan’s code. | Version 0.0.3\r\nSource: https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/"
	],
	"report_names": [
		"janeleiro-time-traveler-new-old-banking-trojan-brazil"
	],
	"threat_actors": [
		{
			"id": "64d750e4-67db-4461-bae2-6e75bfced852",
			"created_at": "2022-10-25T16:07:24.01415Z",
			"updated_at": "2026-04-29T10:39:55.445987Z",
			"deleted_at": null,
			"main_name": "Operation Spalax",
			"aliases": [],
			"source_name": "ETDA:Operation Spalax",
			"tools": [
				"AsyncRAT",
				"Bladabindi",
				"Jorik",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777450875,
	"ts_updated_at": 1777459321,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/317449535450f702a57b41ab9eae0af5b5822150.pdf",
		"text": "https://archive.orkl.eu/317449535450f702a57b41ab9eae0af5b5822150.txt",
		"img": "https://archive.orkl.eu/317449535450f702a57b41ab9eae0af5b5822150.jpg"
	}
}