{
	"id": "aa5a1097-d3ca-4810-8d50-f2936d11ffd2",
	"created_at": "2026-04-06T00:06:16.287828Z",
	"updated_at": "2026-04-10T03:20:05.914211Z",
	"deleted_at": null,
	"sha1_hash": "efb25c90b53cb8f8d529a4487038c47047907005",
	"title": "JanelaRAT | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 101433,
	"plain_text": "JanelaRAT | ThreatLabz\r\nBy Gaetano Pellegrino, Sudeep Singh\r\nPublished: 2023-08-10 · Archived: 2026-04-05 13:16:43 UTC\r\nCapabilities\r\nCapture and check window data\r\nJanelaRAT captures the content of window title bars and checks if they are interesting for the threat attacker. \"Interesting\"\r\ntitles will be related to financial and banking data.\r\nThe malware implements a periodic behavior triggered every second that consists of three consecutive stages.\r\nStage 1\r\nAt the first stage, JanelaRAT checks whether it has already obtained a list of interesting title bars. If not, then the malware requests a text file\r\nnamed kepler186f.txt from the C2. The content is encrypted with the same algorithm used for the strings. (Since the campaign\r\nwas still active at the time of analysis, we were able to download an instance of such a file.) Once decrypted, you can see\r\nthat it consists of a pipe-separated (\"|\") list of capitalized window titles.\r\nYou can see an excerpt of the decrypted content in the box below.\r\nExcerpt from an instance of kepler186f.txt\r\nBANCOAZTECATUBANCAENLNEASUEASDECIDESLOGRAS|BITCOIN|SOLANA|ACTINVER|ACCESOALSISTEMABURSANET|ACT\r\nACCESOCONSULTADESALDOS|EACTINVER|ACCESOABANCABANCOAZTECA|BIENVENIDOSALABANCAENLNEABBVAMXICO\r\nOBIERNOEMPRESASBBVAMXICO|INDEXBBVANET|BBVANETCASH|SANTANDERMXICOSPARTEDELABANCAELECTRNICA|BITC\r\nLE|ETHEREUM|CASADEVECTOR|SANTANDER|SANTANDERM|ENLACESANTANDERCOMMXLOGBETENSCHANNELDRIVERSSO\r\nRATIONNAMELOGINDSENEXTEVENTNAMESTARTDSEPROCESSORSTATEINITIALNOWCHECKINGCOOKIES|BANCOSANTANDE\r\nXWEBCENTERPORTALBANBAJIOHOME|ELBANCODECONFIANZAPARAPERSONASPYMESGOBIERNOYAGRONEGOCIOS|BANCA\r\nETBBCOMMX| … [REDACTED]\r\nThe kepler186f.txt file content is parsed as an array of strings and stored as a class field for future use.\r\nStage 2\r\nAt the second stage, JanelaRAT checks the same DLL directory for the block.blq file. This file has a slightly different\r\nstructure compared to the kepler186f.txt file. 
It is still composed of a single, pipe-separated record, but it only contains three\r\nfields:\r\na timestamp,\r\na base64-encoded image,\r\na list of dash-separated (\"-\") window titles.\r\nThe image below shows a snippet, belonging to the malware code, implementing the parsing logic for block.blq. If the file is\r\noutdated, then the malware deletes it.\r\nhttps://www.zscaler.com/blogs/security-research/janelarat-repurposed-bx-rat-variant-targeting-latam-fintech\r\nPage 1 of 4\n\nFigure 8: JanelaRAT code snippet implementing the parser for block.blq file content\r\nThe window titles included as the third field in block.blq are titles of windows the attacker wants to block. When the title of\r\nthe foreground window is included in block.blq, the malware attempts to close it. The blocking mechanism is\r\nimplemented by invoking the SendMessage API with the WM_CLOSE value for the Msg argument. JanelaRAT also displays a\r\ndialog to the victim showing a fake error message.\r\nStage 3\r\nAt the third stage, the malware checks if the title of the window in the foreground is appealing. The check is made after\r\ngrabbing the title, capitalizing it, and then dropping all non-alphabetical characters. By \"appealing\", we mean what\r\nwas discussed at Stage 1 (i.e., the title was in a previously parsed instance of kepler186f.txt). If the check succeeds,\r\nJanelaRAT opens a C2 channel in the form of a socket as discussed earlier. This channel is later used for alerting the threat\r\nattacker about the victim opening interesting windows, sending key logs and mouse clicks, and implementing remote desktop\r\nsessions.\r\nAcquire host profile details\r\nJanelaRAT is capable of collecting and sending information about the compromised host to the attacker. This information is\r\nencapsulated in a packet containing the fields reported in the following table. As you can see, the field names don't always\r\ncorrelate with their actual content. 
Moreover, some fields are left at their default values. Those aspects suggest that the\r\noriginal malware source code has at some point been modified or repurposed to fit the new needs of the operator.\r\nJanelaRAT sends basic information about the compromised host to the attacker\r\nField Name: Field Value\r\nVersion: JanelaRAT version string. Hardcoded as 1.0.6.4 for the sample discussed in this section. One of the\r\nfew unencrypted strings embedded in the malware.\r\nOperatingSystem: A pipe-separated string containing the following fields: OS version major, OS version minor, OS\r\nplatform, integer pointer size. Example: 0|4|2|32.\r\nAccountType: A dash-separated string containing the following fields:\r\nRole of the user logged in at the time of the request. Supported values: Admin, User, Convidado (Guest\r\nin Portuguese), and Desconhecido (Unknown in Portuguese).\r\nCountry: A string containing the title of the last “interesting” window opened by the user. By interesting, we\r\nmean that it is included in the content of the kepler186f.txt file (previously discussed). All non-alphabetical symbols are removed from the original title bar and the characters are upper-cased.\r\nCountryCode: Empty string.\r\nRegion: Empty string.\r\nCity: Empty string.\r\nImageIndex: 0\r\nTrack mouse movements\r\nJanelaRAT is capable of sending mouse activity through the C2. 
It defines a packet class containing the following fields:\r\nx-position of the cursor\r\ny-position of the cursor\r\na boolean value set to true if the left button of the mouse is clicked\r\na boolean value set to true if the left button of the mouse was double clicked\r\nOnce serialized, an instance of this class is shipped.\r\nTrack system usage\r\nJanelaRAT is capable of gathering additional information about the infected system's usage.\r\nSystem usage information gathered by JanelaRAT\r\nIndex Element\r\n0 User\r\n1 [username of the user currently logged in]\r\n2 PC\r\n3 [machine name]\r\n4 Ligado [connected in Portuguese, ed.]\r\n5 [time elapsed since the last system reboot. It’s a string having the format {0}d : {1}h : {2}m : {3}s where {0},\r\n{1}, {2}, {3} are placeholders for the number of days, hours, minutes, and seconds respectively]\r\n6 IP\r\n7 [comma-separated list of IP addresses currently associated with the infected system]\r\nThe malware assembles an array of strings containing the elements shown in the table above. Once assembled, the array is\r\nsent to the C2.\r\nOpen message boxes on the infected system\r\nJanelaRAT gives a threat attacker the ability to open message boxes on the infected system, which may influence the\r\nbehaviour of the user. After having shown the message box, the malware sends an acknowledgment to the C2. The\r\nacknowledgment is another packet class containing a single field of type string called \"Message\" and instantiated with the value\r\nMensagem mostrada (\"Message shown\" in Portuguese).\r\nPerform actions\r\nJanelaRAT is capable of performing a wide range of actions on the attacker’s behalf. Those actions are identified by an\r\ninteger number called \"Mode\".\r\nJanelaRAT is capable of performing actions on behalf of the attacker\r\nMode Description\r\n1 Shuts down the infected system by issuing the shutdown shell command.\r\n2 Suspends the infected system.\r\n5 Enables mouse synthesization. 
This mode allows the attacker to simulate the mouse and issue clicks or double-clicks for the left button.\r\n6 Enables sleep for one second.\r\n8 Enables sleep for one second.\r\n9 Creates a file named 1.bat under the user directory. That file contains the following batch script:\r\n \r\ncmd /min /C set __COMPAT_LAYER=RUNASINVOKER \u0026\u0026 start  #1\r\ncmd /min /C REG ADD HKCU\\Control Panel\\Desktop /v Win8DpiScaling /t REG_DWORD /d 0x00000001 /f\r\ncmd /min /C REG ADD HKCU\\Control Panel\\Desktop /v LogPixels /t REG_DWORD /d 0x00000060 /f\r\nThe purpose of this script is to fix potential errors in rendering fonts. This script is executed with\r\n%SystemRoot%\\taskmgr.exe as its first argument, resulting in executing the Task Manager application\r\nwithout requesting administrative privileges. The Task Manager window is immediately hidden by calling\r\nthe ShowWindow API with the SW_HIDE value for the nCmdShow argument. Finally, 1.bat is removed.\r\n10 Deletes the file block.blq if it exists in the same folder as JanelaRAT.\r\n11 Sends a test email by starting a new process with mailto:teste@teste.com?subject=teste\u0026body=teste\r\n12 Enables Desktop Window Manager composition and sets the Aero Windows theme.\r\n51 Disables mouse synthesization.\r\n52 Shows the last selected window, waits 300 milliseconds, and then maximizes it.\r\n80 Sends the {DOWN} key to the currently active application.\r\n81 Sends the {UP} key to the currently active application.\r\n82 Sends the {TAB} key to the currently active application.\r\n99 Uninstalls any hook installed by JanelaRAT to monitor keyboard events and mouse events. 
In this specific\r\ncase, there is no acknowledgement sent back to the attacker when the operation completes.\r\nAfter an action is performed, with the exception of Mode 99, the malware sends a notification to the C2 by encapsulating\r\nMode as the field of a packet class and shipping the serialized instance.\r\nCapture screenshots\r\nJanelaRAT is capable of capturing and shipping screenshots. It defines a packet class containing three fields:\r\nJanela (window, in Portuguese): Integer dictating the type of screenshot operation being requested. If Janela is set to\r\n1, the malware captures a magnified screenshot. If Janela is set to 2, then the malware live-captures a screenshot and\r\nsends it through the C2.\r\nMode: Integer that controls the encoding of the captured screenshot. If this field is set to a value bigger than 10, then\r\nthe screenshot is encoded as a PNG, otherwise it is encoded as a JPG.\r\nNumber: This field is not used.\r\nRun in special execution modes\r\nJanelaRAT ships with the capability of running in special execution modes. Each execution mode affects the malware\r\nbehaviour and is identified by a label. The attacker may request the malware to operate in any of those modes.\r\nAs an example, when in _blcoqueio_tempo_determinado mode, the malware creates a new block.blq file with a limited\r\nduration in minutes. The purpose of this behaviour is to temporarily prevent the user from opening windows with specific\r\ntitles. The file is created only if it doesn’t already exist in the malware directory.\r\nWhen in _modal_inicial mode, the malware shows a modal dialog that forces the user to interact with the malware by\r\ndisabling user interaction with the main window. The foreground image for the dialog is obtained from the C2. The malware\r\nregisters a hook for both keyboard and mouse events. 
\r\nWhen in _modal_win_update mode, JanelaRAT displays a fake alert warning the user not to shut the system down while\r\nWindows updates are in progress. Most likely, this allows the attacker to operate on the compromised host while the fake\r\nwarning is shown to the user.\r\nFinally, when in _modal_loading, modal_error, or modal_tocalm mode, JanelaRAT operates in the same way: it shows an\r\nattacker-provided image to the user. The image is different in each mode, but we weren't able to obtain any of those at the\r\ntime of analysis.\r\nSource: https://www.zscaler.com/blogs/security-research/janelarat-repurposed-bx-rat-variant-targeting-latam-fintech",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/janelarat-repurposed-bx-rat-variant-targeting-latam-fintech"
	],
	"report_names": [
		"janelarat-repurposed-bx-rat-variant-targeting-latam-fintech"
	],
	"threat_actors": [],
	"ts_created_at": 1775433976,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efb25c90b53cb8f8d529a4487038c47047907005.pdf",
		"text": "https://archive.orkl.eu/efb25c90b53cb8f8d529a4487038c47047907005.txt",
		"img": "https://archive.orkl.eu/efb25c90b53cb8f8d529a4487038c47047907005.jpg"
	}
}