JanaWare Ransomware Unleashed: How Customized Adwind RAT Bypasses Geofencing to Target Turkish Systems – A Technical Deep Dive + Video

Introduction:

The Adwind remote access Trojan (also known as jRAT) has resurfaced in a highly customized variant, powering the “JanaWare” ransomware campaign exclusively targeting Turkish users. This Java-based malware employs polymorphic code, advanced obfuscation, and strict geofencing controls—only activating on systems with Turkish IP addresses or locale settings—making it a persistent and focused operation against home users and small-to-medium businesses.

Learning Objectives:

  • Analyze the customized Adwind RAT’s geofencing logic and polymorphic behavior to understand regional targeting tactics.
  • Perform static and dynamic analysis of malicious JAR files using Linux and Windows forensic tools.
  • Implement detection, mitigation, and recovery strategies against JAR-based ransomware delivered via phishing.

You Should Know:

1. Dissecting the Customized Adwind RAT (JanaWare Variant)

The JanaWare payload is distributed as a malicious Java Archive (.jar) file. Adwind RAT is cross‑platform, but this variant checks system language and geo‑IP before executing encryption routines. To analyze the JAR safely on Linux:

# Extract the JAR contents
unzip sample.jar -d jana_extracted/
cd jana_extracted/

# View the manifest (Main-Class names the entry point to start from)
cat META-INF/MANIFEST.MF

# Use jd-gui (GUI) or Procyon (CLI) to decompile the class files; Procyon takes the archive via -jar
java -jar /path/to/procyon-decompiler.jar -jar ../sample.jar -o decompiled/

# Search for geofencing strings (Turkish locale, TR, 90, etc.); -E is required for the | alternation
grep -rE "tr_TR|locale|getCountry|90|Turkey" decompiled/

# Examine bytecode with javap (class path is illustrative; use the class named in the manifest)
javap -c -p com/adwind/Main.class

Step‑by‑step guide:

  1. Isolate the suspect JAR in an air‑gapped or sandboxed Linux VM.
  2. Use `unzip` to extract resources; look for `config.properties` or encrypted resource files.
  3. Decompile classes to identify methods like `checkGeoFence()` or `isTargetCountry()`.
  4. Look for hardcoded C2 domains, encryption keys, or user‑agent strings mimicking Turkish browsers.

2. Phishing Email and JAR Attachment Analysis

The initial vector is phishing emails with malicious JAR attachments. On Windows, never double‑click – analyze with command‑line tools and sandboxes:

Windows (PowerShell as Admin):

# Extract JAR metadata (jar.exe ships with the JDK, not the JRE)
jar tf malicious.jar

# Verify if signed (most are unsigned)
jarsigner -verify malicious.jar

# Use yara to scan for known Adwind signatures
yara64.exe -r adwind_rules.yar malicious.jar

Linux (static analysis):

# Extract strings and look for indicators. Entries inside a JAR are deflate-compressed,
# so run strings on the extracted class files rather than on the archive itself
unzip -o sample.jar -d jana_extracted/
find jana_extracted/ -name "*.class" -exec strings -a {} + | grep -E "http://|https://|\.php|cmd|exec"

# Calculate hashes for threat hunting
sha256sum sample.jar
md5sum sample.jar

Step‑by‑step:

  1. Obtain the JAR from a quarantined email (use .eml or .msg extraction).
  2. Run `strings` and `grep` for C2 patterns, Turkish words (fidye, şifreleme), or ransom note filenames.
  3. Submit hash to VirusTotal or a private sandbox (Cuckoo, CAPE) with Turkish locale simulation.
  4. Extract any embedded DLLs or executables using `binwalk -e sample.jar`.
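The static triage from sections 1 and 2 (hash the JAR, then pull indicator strings out of each class without running it) as one added script; this is example code written for this page, not part of the original article. It walks the .class constant pool instead of using `strings`, so it sees the exact literals the decompiler would show; the indicator regexes and the in-memory sample JAR (with `c2.example.invalid` as a constructed host) are assumptions for the demo.

```python
import hashlib, io, re, struct, zipfile

# Indicator patterns for the geofence and C2 strings the article says to grep for
GEOFENCE = re.compile(r"tr_TR|getCountry|Turkey|TimeZone|Istanbul", re.I)
C2 = re.compile(r"https?://|\.php|cmd\.exe|/bin/sh", re.I)
# Byte width of each fixed-size constant-pool entry, keyed by tag (Utf8, tag 1, is variable-length)
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def class_utf8_constants(data: bytes) -> list:
    """Walk a .class constant pool and return its CONSTANT_Utf8 entries (no execution involved)."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        return []
    count = struct.unpack(">H", data[8:10])[0]
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            length = struct.unpack(">H", data[pos:pos + 2])[0]
            out.append(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        else:
            pos += FIXED[tag]
        idx += 2 if tag in (5, 6) else 1  # long/double occupy two pool slots
    return out

def triage_jar(jar_bytes: bytes) -> dict:
    """Hash the JAR and collect (class, string) hits for geofence and C2 indicators."""
    report = {"sha256": hashlib.sha256(jar_bytes).hexdigest(), "geofence": [], "c2": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            for s in class_utf8_constants(zf.read(name)):
                if GEOFENCE.search(s):
                    report["geofence"].append((name, s))
                if C2.search(s):
                    report["c2"].append((name, s))
    return report

def sample_jar() -> bytes:
    """Constructed test JAR: one minimal class (header + constant pool only) holding indicator-like strings."""
    strings = ["tr_TR", "getCountry", "http://c2.example.invalid/gate.php?uid=", "java/lang/Object"]
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
    pool += b"\x08\x00\x03"  # a CONSTANT_String entry referencing the URL (pool index 3)
    cls = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", len(strings) + 2) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Main.class", cls)
    return buf.getvalue()
```

Run `triage_jar(open("sample.jar", "rb").read())` against a real quarantined archive; the sample JAR only exists so the script runs offline.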

3. Geofencing Evasion and Polymorphic Behavior

The malware checks both IP geolocation and system locale. To simulate a Turkish environment for dynamic analysis:

Windows (locale & timezone):

# Set locale to Turkish (-Force skips the confirmation prompt)
Set-WinSystemLocale tr-TR
Set-WinUserLanguageList tr-TR -Force
# Set timezone to Istanbul
tzutil /s "Turkey Standard Time"
# Set the home location (region) to Turkey; GeoId 235 is Turkey. Editing the Nls\Language InstallLanguage
# registry value only changes the recorded install language, not the region a locale check sees
Set-WinHomeLocation -GeoId 235

Linux (locale & proxy routing):

# Set locale to Turkish
sudo locale-gen tr_TR.UTF-8
export LANG=tr_TR.UTF-8
export LC_ALL=tr_TR.UTF-8

# Route traffic through a Turkish VPN or proxy (turkey-proxy is a placeholder host)
export http_proxy="http://turkey-proxy:8080"
export https_proxy="http://turkey-proxy:8080"

# Test geo-spoofing with curl: the address returned should be the proxy's Turkish exit IP
curl --proxy http://turkey-proxy:8080 https://api.ipify.org

Step‑by‑step:

  1. Create a snapshot of a clean analysis VM.
  2. Apply Turkish locale and timezone settings.
  3. Route all VM traffic through a Turkish exit node (VPN or SOCKS5).
  4. Execute the JAR in a monitored environment (ProcMon, Wireshark, Regshot) and observe if encryption triggers.

4. Network Forensics for Adwind RAT Communications

Adwind uses HTTP/HTTPS for C2 communication, often with custom headers or JA3 fingerprints. Capture and analyze traffic:

Linux (tcpdump & tshark):

# Capture live traffic to file
sudo tcpdump -i eth0 -s 1500 -w adwind_capture.pcap

# Extract all HTTP requests from capture
tshark -r adwind_capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri

# Filter for Java user-agents (typical of Adwind); the string operand must be quoted inside the display filter
tshark -r adwind_capture.pcap -Y 'http.user_agent contains "Java"'

# Calculate JA3 fingerprints (salesforce/ja3 Python tool; the pcap is a positional argument)
ja3 adwind_capture.pcap

Windows (Npcap + Wireshark):

# Start a ring-buffer capture (10 MB files, keep the newest five)
& 'C:\Program Files\Wireshark\tshark.exe' -i Ethernet -b filesize:10000 -b files:5 -w capture.pcapng

# Identify established connections owned by Java processes (netstat -ano prints PIDs, not process names, so filtering it for "java" matches nothing)
Get-NetTCPConnection -State Established | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName -in 'java','javaw' } | Format-Table LocalAddress,LocalPort,RemoteAddress,RemotePort,OwningProcess

Suricata rule example for Adwind detection (Suricata 5+ sticky-buffer syntax; the ".php?uid=" URI pattern is illustrative and should be tuned to the beacon actually observed):

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Adwind RAT beacon"; flow:to_server,established; http.user_agent; content:"Java/"; http.uri; content:".php?uid="; nocase; sid:1000001; rev:1;)
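The same beacon logic applied offline to tshark field output, as an added example written for this page (not the article's own tooling): it re-implements the rule's condition and adds interval-regularity scoring, which catches a timer-driven Java client even when the URI pattern changes. The log lines are constructed (`c2.example.invalid` is a placeholder host) and the 20% coefficient-of-variation threshold is an assumption to tune on real captures.

```python
import statistics
from collections import defaultdict

# Constructed sample in the format of `tshark -T fields -e frame.time_epoch -e http.host
# -e http.request.uri -e http.user_agent`: one Java/ client polling a host every ~60 s plus benign traffic
SAMPLE = """\
1700000000.10\tc2.example.invalid\t/gate.php?uid=7f3a\tJava/1.8.0_202
1700000005.02\twww.example.org\t/index.html\tMozilla/5.0 (Windows NT 10.0) Firefox/118.0
1700000060.08\tc2.example.invalid\t/gate.php?uid=7f3a\tJava/1.8.0_202
1700000120.11\tc2.example.invalid\t/gate.php?uid=7f3a\tJava/1.8.0_202
1700000180.09\tc2.example.invalid\t/gate.php?uid=7f3a\tJava/1.8.0_202
1700000190.00\tupdates.example.org\t/check\tJava/11.0.2
"""

def parse_tshark_fields(text):
    """Parse tab-separated tshark field output into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 4:
            rows.append({"ts": float(parts[0]), "host": parts[1], "uri": parts[2], "ua": parts[3]})
    return rows

def matches_signature(row):
    """Same condition as the Suricata rule: Java/ user-agent plus a '.php?uid=' URI (case-insensitive)."""
    return row["ua"].startswith("Java/") and ".php?uid=" in row["uri"].lower()

def beacon_hosts(rows, min_hits=4, max_cv=0.2):
    """Hosts a Java/ client contacts at near-constant intervals; returns {host: mean_interval_seconds}."""
    times = defaultdict(list)
    for r in rows:
        if r["ua"].startswith("Java/"):
            times[r["host"]].append(r["ts"])
    found = {}
    for host, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: human-driven clients vary widely, a timer-driven beacon does not
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            found[host] = round(mean, 1)
    return found

def analyze(text):
    rows = parse_tshark_fields(text)
    return {"signature_hits": [r["host"] for r in rows if matches_signature(r)],
            "beacons": beacon_hosts(rows)}
```

Feed it the output of `tshark -r adwind_capture.pcap -Y http.request -T fields -e frame.time_epoch -e http.host -e http.request.uri -e http.user_agent` to score a real capture.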

5. Mitigation: Endpoint Detection and JAR Execution Prevention

Prevent JAR execution at the endpoint and monitor for suspicious Java processes.

Windows (AppLocker & PowerShell monitoring):

# AppLocker rules govern executables and scripts, not .jar files, so restrict the Java launchers instead.
# The generated rules are Allow rules; change Action to "Deny" in the XML (or scope Allow to one approved JRE) before applying with Set-AppLockerPolicy
Get-AppLockerFileInformation -Directory 'C:\Program Files\Java' -Recurse -FileType Exe | New-AppLockerPolicy -RuleType Path -User Everyone -Optimize -Xml | Out-File java_policy.xml

# Real-time monitoring for java.exe/javaw.exe launches (Win32_ProcessStartTrace needs an elevated session)
Register-WmiEvent -Query "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='java.exe' OR ProcessName='javaw.exe'" -SourceIdentifier JavaStart -Action {
    $e = $Event.SourceEventArgs.NewEvent
    Write-Host "$($e.ProcessName) (PID $($e.ProcessID)) started at $(Get-Date)"
    Get-CimInstance Win32_Process -Filter "ProcessId=$($e.ProcessID)" | Format-List Name,CommandLine,ParentProcessId
}

Linux (auditd & iptables):

# Monitor all java process executions (watch the real binary; /usr/bin/java is usually a symlink)
sudo auditctl -w "$(readlink -f /usr/bin/java)" -p x -k java_execution

# Block outbound to known bad IPs (example)
sudo iptables -A OUTPUT -d 185.130.5.253 -j DROP
# A payload string match only works on cleartext: on TLS port 443 the data is encrypted, so this can only catch plain HTTP beacons
sudo iptables -A OUTPUT -p tcp --dport 80 -m string --string "adwind" --algo bm -j DROP

# Isolate using cgroups or Firejail (separate network namespace with a fixed IP)
firejail --net=eth0 --ip=10.10.10.2 java -jar suspect.jar

6. Ransomware Decryption and Recovery Strategies

JanaWare likely uses symmetric encryption (AES) with an embedded key or C2‑fetched key. No public decryptor yet, but recovery options exist.

Windows (Volume Shadow Copies):

# List available shadow copies
vssadmin list shadows

# Expose a shadow copy as a directory (mklink is a cmd built-in; keep the \\?\ prefix and the trailing backslash),
# then copy the pre-encryption file out (replace <file> with the actual path)
cmd /c mklink /d C:\shadow '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\'
Copy-Item 'C:\shadow\Users\victim\Documents\<file>' C:\Recovered\
cmd /c rmdir C:\shadow

# Create a new shadow copy (vssadmin create shadow exists only on Windows Server; this works on client editions)
Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create -Arguments @{ Volume = 'C:\'; Context = 'ClientAccessible' }

Linux (Backup & forensics):

# Use testdisk to recover deleted files if the ransomware deleted the originals
sudo testdisk /dev/sda

# Restore from incremental backups (rsync example; --delete removes encrypted leftovers that are not in the backup)
rsync -avz /backup/latest/ /home/user/ --delete

# Look for leftover key material in process memory (requires root). /proc/<pid>/mem cannot be read
# linearly with grep, so dump the process with gcore (from gdb) first; the "AES_KEY" pattern is illustrative
sudo gcore -o /tmp/java_core "$(pidof java)"
sudo strings -a /tmp/java_core.* | grep -E "AES_KEY.*"

Step‑by‑step:

  1. Immediately isolate the infected machine from the network.
  2. Do not reboot – capture memory (FTK Imager, LiME) for possible key extraction.
  3. Check for shadow copies (Windows) or `.snap` directories (Linux).
  4. Restore from offline backups after verifying no backdoor remains.

7. Hardening Against Phishing and RAT Delivery

Prevent initial delivery through email filtering and user training.

Email security (SPF/DKIM/DMARC setup – Linux BIND example):

; SPF record to reject unauthorized senders
example.com. TXT "v=spf1 mx -all"

; DKIM selector (generated with opendkim)
default._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ..."

; DMARC policy (reject)
_dmarc.example.com. TXT "v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]"

User training simulation (using Gophish or Evilginx):

# Deploy Gophish on Linux for internal phishing campaigns
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
unzip gophish-v0.12.1-linux-64bit.zip
chmod +x gophish
sudo ./gophish
# Then configure a landing page mimicking a Turkish bank or postal service

Step‑by‑step:

  1. Implement email attachment sandboxing (e.g., Cuckoo, Joe Sandbox) to detonate JARs automatically.
  2. Disable Java browser plugins and set `deployment.webconsole.enabled=false` in the Java Control Panel.
  3. Conduct quarterly phishing simulations with Turkish‑language lures.
  4. Enforce application whitelisting – only allow signed or hashed JARs.

What Undercode Say:

  • Geofencing as an evasion tactic – Adwind’s Turkish‑only activation reduces detection in global sandboxes and AV telemetry, forcing analysts to localize their environments.
  • Java is still a viable attack vector – Despite declining browser use, JAR attachments bypass many email filters because organizations overlook Java security policies. Hardening `java.policy` and disabling legacy JREs is critical.
  • Polymorphic JARs require multi‑layered defense – Signature‑based AV fails; combine network JA3 fingerprinting, process behavior monitoring, and YARA rules for class‑level indicators.

The JanaWare campaign demonstrates how mature RATs like Adwind can be repurposed into ransomware with minimal changes – only geofencing and encryption modules. Small businesses in Turkey are now at high risk because they rarely segment networks or maintain offline backups. The attackers likely chose Turkey due to lower cybersecurity awareness in SMBs and the prevalence of outdated Java installations. Undercode analysts predict a surge in “RAT‑as‑a‑Ransomware” hybrids, where initial access brokers sell RAT footholds that later deploy encryptors.

Prediction:

Within the next 12 months, we will see similar geofenced ransomware campaigns targeting Brazil, India, and Indonesia – countries with large populations of home users running legacy Java apps. Attackers will integrate AI‑generated phishing lures in local languages and automate polymorphic JAR repacking using tools like `Allatori` or Zelix KlassMaster. Cloud sandboxes will counter by offering region‑specific VM images (e.g., Turkish Windows 10), but the cat‑and‑mouse game will escalate. Organizations must adopt Zero Trust principles: block JARs at email gateways, enforce endpoint detection for `java.exe` child processes, and maintain immutable backups. The era of one‑size‑fits‑all ransomware is ending – regional customization is the new normal.

Reported By: Cybersecuritynews Gbhackers – Hackers Feeds