Jaku Botnet

By GoldSparrow in Botnets

Threat Scorecard

Popularity Rank: 12,299
Threat Level: 80 % (High)
Infected Computers: 13
First Seen: May 5, 2016
Last Seen: February 6, 2026
OS(es) Affected: Windows

The Jaku Botnet is a large network of infected computers, generally referred to as 'zombies' or 'bots', that can be used to carry out coordinated attacks. There are currently more than 19,000 bots in the Jaku Botnet, making it a powerful tool for illicit operations. Using the Jaku Botnet, third parties may carry out highly effective DDoS (Distributed Denial of Service) attacks or send out massive quantities of spam email. While threat infections like Trojans and ransomware are quite harmful, botnets like the Jaku Botnet may be the backbone of most threat campaigns: the con artists that create threat infections may enlist the services of a botnet like the Jaku Botnet to deliver their corrupted email attachments or social media spam to thousands of potential victims. PC security researchers have observed connections between the Jaku Botnet and various high-profile threat cases around the world. This botnet, in particular, is connected to the Darkhotel attacks carried out in 2014. This group, known as Dark Seoul, is connected to a group of hackers located in North Korea and is part of the infamous Lazarus Group.

The Jaku Botnet and Its Associated Harmful Activities

The Jaku Botnet has grown gradually in the past year and currently contains more than 19,000 bots. Most of the bots in the Jaku Botnet are located in Asian countries, especially Japan and South Korea. The Jaku Botnet is named after Jakku, a Star Wars reference. Most of the Jaku Botnet victims are located in the two countries mentioned above, which together account for 73 percent of all Jaku Botnet infections. However, the bots associated with the Jaku Botnet are spread across more than 134 countries, even if this means that some countries have only one or two infected computers. This distribution makes the Jaku Botnet particularly effective, since it can be used to hide Web traffic and can be involved in activities such as money laundering or the trafficking of child pornography.

The Jaku Botnet is one of the strongest botnets active today and has proven quite difficult to take down. The first attacks related to the Jaku Botnet appeared in September of 2015. In the six months since then, the Jaku Botnet has grown enormously, especially compared to other botnets. The Jaku Botnet is controlled through various Command and Control servers located in the Asia-Pacific region, especially in Southeast Asian countries like Thailand and Singapore. The Jaku Botnet uses multiple Command and Control mechanisms and databases that are heavily obfuscated on the client side as well, meaning that the configuration files are difficult for PC security researchers to access.

How the Jaku Botnet may be Used to Attack Computer Users

The Jaku Botnet can be used to send out massive quantities of spam email, which may deliver corrupted email attachments via various social engineering tactics. The Jaku Botnet also may be used to carry out DDoS attacks, in which thousands of computers flood a server with continuous requests until it is overloaded and the website goes offline. PC security analysts have associated hoaxes involving steganography with the Jaku Botnet, meaning that third parties deliver corrupted code by hiding it in image files. The Jaku Botnet infects computers through corrupted torrent files, often placed on public file sharing websites. Although the people responsible for the Jaku Botnet tend to target computers associated with high-profile targets, individual users also may become part of the Jaku Botnet. Computers at risk may belong to NGOs, engineering firms, universities, scientists and government offices, which is understandable when one considers the potential high value of the data that could be collected from these sources.

Analysis Report

General information

Family Name: Trojan.TrickBot.R
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Traits

  • big overlay
  • HighEntropy
  • No Version Info
  • x86

Block Information

Total Blocks: 123
Potentially Malicious Blocks: 2
Whitelisted Blocks: 106
Unknown Blocks: 15

Visual Map

0 0 0 0 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.XXA
  • Burnwoo.A
  • DCom.B
  • Keylogger.DD
  • PSW.Agent.AK
  • Recslurp.A
  • TrickBot.R

Files Modified

File: c:\users\user\downloads\mensaje
Attributes: Generic Write, Read Attributes