Bank_Security

Janeleiro: A new old banking trojan that targets some of the biggest banks in Brazil

Apr 6th, 2021
Download URLs
In the following <NNNNNNNNNNN> is a random number between 10000000000 and 90000000000.

C&C servers
These are the IP addresses of the C&C servers to which Janeleiro connects to report, receive commands and send data:

52.204.58[.]11
35.174.60[.]172

These are the tracking URLs to which Janeleiro sends information about the compromised system during installation:
http://tasoofile.us-east-1.elasticbeanstalk[.]com/count
http://slkvemnemim.us-east-1.elasticbeanstalk[.]com/count
http://checa-env.cf3tefmhmr.eu-north-1.elasticbeanstalk[.]com/cnt/

These are the URLs used by System.Logins.dll to exfiltrate the harvested data:
http://comunicador.duckdns[.]org/catalista/emails/checkuser.php
http://comunicador.duckdns[.]org/catalista/lixo/index.php

IPs associated with the domain:

178.79.178[.]203
138.197.101[.]4