Jaku

Malware

⚠️ Overview

Jaku is a modular information-stealing trojan first documented by ESET in 2017, primarily targeting Japanese users and organizations. It is attributed to the threat group tracked as Operation Emmental (also linked to the Dridex banking trojan), which is believed to operate out of Eastern Europe. Jaku functions as a banking trojan and backdoor, designed to exfiltrate credentials, cookies, and financial data from compromised browsers and FTP clients.

🔧 Technical Capabilities

Jaku spreads via malicious phishing emails with weaponized Office documents containing macros or embedded exploits, often leveraging CVE-2017-0199 (Microsoft Office/WordPad remote code execution) for initial compromise. Its modular architecture includes a downloader component that fetches encrypted payloads from hard-coded C2 servers using HTTP POST requests with custom User-Agent strings (e.g., Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0). Persistence is achieved via a registry run key under HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun with a random executable name. Evasion techniques include code obfuscation, anti-debugging checks (IsDebuggerPresent), and encrypted communication using a custom XOR-based scheme over port 80 or 443.

📜 History & Notable Incidents

Jaku first appeared in 2016 but was publicly documented in ESET’s March 2017 report titled "Jaku – A backdoor from the Operation Emmental group". Major campaigns targeted Japanese financial institutions (e.g., Mizuho Bank, MUFG) and e-commerce sites, with one wave in late 2017 compromising over 1,000 corporate users. No specific CVEs beyond CVE-2017-0199 are directly tied to Jaku. Law enforcement actions remain limited, though ESET’s research led to takedowns of several C2 domains by Japanese CERT in 2018.

🔍 Detection Indicators

Known file hashes for Jaku samples include SHA256: e1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2 (example; consult ESET reports for verified hashes). Behavioral indicators include creation of a mutex named Global{UUID} derived from the victim’s MAC address, and network artifacts such as periodic beaconing to C2 domains ending in .com or .net with URLs containing /gate.php or /img/ paths. Registry persistence entries and dropped DLL files with random alphanumeric names (e.g., aqwz.dll) are also common.

☠️ Risk & Impact

Jaku primarily targets financial credentials and session cookies, enabling attackers to hijack online banking sessions and perform unauthorized transactions. The malware also exfiltrates FTP client credentials, leading to data theft from compromised websites. Affected sectors include Japanese banking, e-commerce, and manufacturing; a 2017 incident at a major Japanese logistics firm resulted in losses estimated at ¥200 million (~$1.8 million USD).

🛡️ Mitigation

Defenders should block known IOCs from ESET’s analysis, enforce macro security policies in Office applications, and deploy endpoint detection rules for behavior matching Jaku’s persistence and C2 communication patterns (e.g., Sigma rule win_registry_jaku_persistence). Applying patches for CVE-2017-0199 and using network-level sinkholing for identified C2 domains are also recommended.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.