JanaWare Ransomware: Six-Year Campaign Targeting Turkish Home Users and SMBs with Advanced Geo-Fencing and Evasion Techniques – Rescana


JanaWare is delivered primarily through phishing emails, often sent via Microsoft Outlook, that link to malicious Java Archive (JAR) files hosted on Google Drive. The initial payload is a heavily obfuscated variant of the Adwind Remote Access Trojan (RAT), which acts as a loader for the ransomware. On execution, the malware checks the system locale, the display language and the geolocation of the host's external IP address, and continues only if all three indicate Turkey. If any check fails, the malware terminates. In practice this means the sample will not detonate in an analysis sandbox unless its locale, language and egress IP all appear Turkish, which both limits collateral infections outside Turkey and frustrates automated analysis.

Once the environment is validated, JanaWare encrypts user files and drops a ransom note written in Turkish, instructing victims to contact the attackers via qTox, a decentralized, peer-to-peer chat client built on the Tox protocol. In some cases, communication is also offered through Tor-based .onion sites. The ransomware relies on commercial Java obfuscators (Stringer and Allatori) and on polymorphic JARs, so each infection carries a unique file hash; hash-based blocklists are therefore of little use, and detection has to rely on behaviour and network indicators.

Persistence is provided by the Adwind RAT component, which registers the payload for boot or logon autostart. Command-and-control traffic is carried over the Tox protocol and, in some cases, over Tor, which hinders attribution and takedown. Known C2 infrastructure includes the dynamic-DNS domain elementsplugin.duckdns.org on TCP ports 49152 and 49153, resolving to IP addresses such as 151.243.109.115.
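Because the polymorphic JARs defeat hash matching, the network indicators above are the most durable detection handle. The following is an added example, not code from the original article or from Rescana, that scans egress/proxy log lines for those indicators. The log format ("ts src=IP dst=IP:port [host=name]") and the sample lines are constructed for the example; only the C2 domain, ports and IP address come from the article. A host under duckdns.org that is not the known C2 name but talks on one of the C2 ports is reported as suspicious rather than confirmed, because dynamic-DNS subdomains are cheap for the operator to rotate.

```python
import re
from dataclasses import dataclass, field

# Network indicators quoted in the article above (C2 domain, ports and IP).
C2_DOMAINS = {"elementsplugin.duckdns.org"}
C2_IPS = {"151.243.109.115"}
C2_PORTS = {49152, 49153}
# Dynamic-DNS parent of the known C2; other hosts under it on a C2 port are
# treated as a weaker, "suspicious" signal rather than a confirmed match.
DYNDNS_SUFFIX = ".duckdns.org"

# Assumed log format (not from the page): "<ts> src=<ip> dst=<ip>:<port> [host=<name>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>[^:\s]+):(?P<port>\d+)"
    r"(?:\s+host=(?P<host>\S+))?\s*$"
)


@dataclass
class Hit:
    line: str
    reasons: list = field(default_factory=list)
    confirmed: bool = False


def match_line(line: str):
    """Return a Hit if the line touches JanaWare C2 indicators, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than guess
    host = (m.group("host") or "").lower().rstrip(".")
    dst = m.group("dst")
    port = int(m.group("port"))
    hit = Hit(line=line.strip())
    if host in C2_DOMAINS:
        hit.reasons.append(f"known C2 domain {host}")
        hit.confirmed = True
    if dst in C2_IPS:
        hit.reasons.append(f"known C2 IP {dst}")
        hit.confirmed = True
    # Weaker signal: some other duckdns host using the JanaWare C2 ports.
    if port in C2_PORTS and host.endswith(DYNDNS_SUFFIX) and host not in C2_DOMAINS:
        hit.reasons.append(f"dynamic-DNS host {host} on JanaWare C2 port {port}")
    return hit if hit.reasons else None


def scan(lines):
    """Scan an iterable of log lines and return the list of Hits, in order."""
    hits = []
    for line in lines:
        h = match_line(line)
        if h:
            hits.append(h)
    return hits


# Constructed sample traffic (not from the original page). Non-IOC addresses
# use RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z src=10.0.0.5 dst=151.243.109.115:49152 host=elementsplugin.duckdns.org",
    "2024-03-01T10:00:07Z src=10.0.0.5 dst=198.51.100.10:443 host=drive.google.com",
    "2024-03-01T10:01:15Z src=10.0.0.9 dst=203.0.113.7:49153 host=other-client.duckdns.org",
    "2024-03-01T10:02:30Z src=10.0.0.9 dst=198.51.100.20:49152",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        level = "CONFIRMED" if h.confirmed else "SUSPICIOUS"
        print(f"[{level}] {h.line}\n    - " + "\n    - ".join(h.reasons))
```

Run against the constructed sample, the first line is reported as confirmed on both domain and IP, the third as suspicious, and the Google Drive download, the bare-IP connection on port 49152 and the unparseable line produce no alert. In a real deployment the port-only heuristic should be tuned to the environment, since 49152-49153 fall in the ephemeral range and will appear in benign traffic.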
