Jorik Trojan — Description & Removal Guide

Jorik is a prolific trojan malware notorious for its skillful exploitation of phishing and social engineering. It thrives on deceptive downloads, email attachments, untrustworthy sources, scams, malvertising, and fake updates. Armed with capabilities like keylogging and media recording, Jorik poses a multifaceted threat to systems and data.

Jorik Trojan Overview

Jorik is formidable trojan-type malware that slithers into its victims’ machines with stealth and precision, ready to execute a series of malicious operations. Trojans, classified as high-risk threats, demand swift eradication from operating systems upon detection to thwart their nefarious intents. The key purpose of this malware is not clear, though detailed analysis of this trojan shows its downloader capabilities.

Jorik Trojan analysis on VirusTotal

Threat Analysis

Once inside a system, Jorik springs into action. First, it decrypts an embedded file, then deposits it into a temporary directory (C:/Users/%username%/Temp). This file serves as a key to establish a connection with the cybercriminals’ Command and Control (C&C) server. With this link, the trojan gains the power to get additional files from this server.

As mentioned above, Jorik can download and install additional harmful components, which can trigger an array of infections spanning from ransomware to trojans and cryptominers. However, these rogue programs have their limits: some only inject malicious code, while others confine themselves to installing specific modules or dropping particular kinds of malware.

Name: Jorik
Detection: Worm.Win32.Slenfbot.cc, Worm:Win32/Slenfbot, Win32:Crypt-MWK [Trj]
Category: Dropper/Downloader
Similar behavior: Worm, App, Trojandownloader
Damage: Exploits your hardware to mine cryptocurrencies without your permission.

Technical details

Activities in the infected system

  • Executable code extraction. Cybercriminals often use binary packers to keep malware analysts from reverse-engineering the malicious code. A packer is a tool that compresses, encrypts, and modifies a malicious file’s format. Sometimes packers can be used for legitimate ends, for example, to protect a program against cracking or copying.
  • Injection (inter-process);
  • Injection (Process Hollowing);
  • Creates RWX memory. There is a security trick with memory regions that allows an attacker to fill a buffer with a shellcode and then execute it. Filling a buffer with shellcode isn’t a big deal, it’s just data. The problem arises when the attacker is able to control the instruction pointer (EIP), usually by corrupting a function’s stack frame using a stack-based buffer overflow, and then changing the flow of execution by assigning this pointer to the address of the shellcode.
  • A process attempted to delay the analysis task;
  • Attempts to connect to a dead IP:Port (6 unique times);
  • Repeatedly searches for a not-found process, may want to run with startbrowser=1 option;
  • Performs some HTTP requests;
  • Unconventional language used in binary resources: Hebrew;
  • The binary likely contains encrypted or compressed data. In this case, encryption is a way of hiding the virus’s code from antivirus software and malware analysts.
  • Detects Sandboxie through the presence of a library;
  • Executed a process and injected code into it, probably while unpacking;
  • Attempts to remove evidence of file being downloaded from the Internet;
  • Attempts to repeatedly call a single API many times in order to delay analysis time. This significantly complicates the work of the virus analyzer. Typical malware tactics!
  • A system process is generating network traffic likely as a result of process injection;
  • Installs itself for autorun at Windows startup. A simple tactic uses the Windows startup folder located at:
    C:\Users\[user-name]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. Shortcut links (.lnk extension) placed in this folder will cause Windows to launch the application each time [user-name] logs into Windows.

    The registry run keys perform the same action, and can be located in different locations:

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • Creates a hidden or system file. The malware adds the hidden attribute to every file and folder on your system, so it appears as if everything has been deleted from your hard drive.
  • Checks the presence of disk drives in the registry, possibly for anti-virtualization;
  • Creates a copy of itself;
  • Anomalous binary characteristics. This is a way of hiding the virus’s code from antivirus software and malware analysts.
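
The autorun locations named in the list above can be reviewed with a short read-only PowerShell script. This is an added example, not part of the original analysis report; the Temp-path heuristic and the report column names are assumptions, and the SHA-256 is the one given in the File info section of this page.

```powershell
# Added example: read-only audit of the autorun locations listed above.
# SHA-256 of the analysed sample, copied from this page's "File info" section.
$SampleSha256 = '64497afa3609c20f9a33bdfd25cfbefb3385ae24f1f97e3609ba823d838964a1'

$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

# Every value stored under the four Run/RunOnce keys.
$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $reg = Get-Item -Path $key
    foreach ($name in $reg.GetValueNames()) {
        [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$reg.GetValue($name) }
    }
})

# Every shortcut in the current user's Startup folder, resolved to its target.
$startup = [Environment]::GetFolderPath('Startup')
$shell   = New-Object -ComObject WScript.Shell
$entries += @(Get-ChildItem -Path $startup -Filter *.lnk -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Source = $startup; Name = $_.Name
                           Command = [string]$shell.CreateShortcut($_.FullName).TargetPath }
    })

$report = foreach ($e in $entries) {
    # Executable = the quoted string, or else the first token of the command line.
    # Unquoted paths containing spaces are cut short and reported as not found.
    $path = if ($e.Command -match '^\s*"([^"]+)"') { $Matches[1] } else {
        ($e.Command.Trim() -split '\s+', 2)[0] }
    $file = if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
        Get-Item -LiteralPath $path -Force }
    [pscustomobject]@{
        Source    = $e.Source
        Name      = $e.Name
        Path      = $path
        Exists    = [bool]$file
        # Heuristic (assumption): an autorun that starts from a Temp directory is unusual.
        InTemp    = $path -match '\\Temp\\'
        Hidden    = [bool]($file -and ($file.Attributes -band [IO.FileAttributes]::Hidden))
        HashMatch = [bool]($file -and
            ((Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash -eq $SampleSha256))
    }
}
$report | Sort-Object HashMatch, InTemp, Hidden -Descending | Format-Table -AutoSize
```

Run it in the session of the affected user, because the HKEY_CURRENT_USER keys and the Startup folder are per-user.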

File info

crc32: 41B49EC0
md5: 98a39525e778e2dc12d61ac200fa08c5
name: 98A39525E778E2DC12D61AC200FA08C5.mlw
sha1: 2365a1f9446453b0dda4609777f2e6d586e5c54b
sha256: 64497afa3609c20f9a33bdfd25cfbefb3385ae24f1f97e3609ba823d838964a1
sha512: cb343bdab55a494b6a6887ebb0c71385cafa8ee1fbcec7ea27bbaa83517df69d157184f09397b3133f490430f75219a98d92143a62db9cc25cfb1d2fdc091d51
ssdeep: 1536:cInb5/IyQjGP6yF2H74C6oL0c6l2kjnG3xxqtRZLO/A7fslpd3pUk4m44j444n4:cIV/Iy/PKz6lQfcRtGA7fsl73pUF
type: PE32 executable (GUI) Intel 80386, for MS Windows

Version Info:

LegalCopyright: Copyright (C) 2017, dfgirgethth
FileVersion: 6.3.6.8
ProductVersion: 6.3.6.8
Translation: 0x0809 0x04b0

Alternative detection names

GridinSoft Trojan.Ransom.Gen
Bkav W32.AIDetect.malware1
K7AntiVirus Trojan ( 0053305e1 )
Elastic malicious (high confidence)
DrWeb Trojan.DownLoader26.13159
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.Chapak.ZZ6
ALYac Trojan.BRMon.Gen.3
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.1398735
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (D)
K7GW Trojan ( 0053305e1 )
Cybereason malicious.5e778e
Cyren W32/S-b2c95f94!Eldorado
Symantec Packed.Generic.525
ESET-NOD32 a variant of Win32/Kryptik.GCLG
APEX Malicious
Avast Win32:Malware-gen
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Trojan.BRMon.Gen.3
NANO-Antivirus Trojan.Win32.Jorik.exjsoy
MicroWorld-eScan Trojan.BRMon.Gen.3
Tencent Malware.Win32.Gencirc.10c89a70
Ad-Aware Trojan.BRMon.Gen.3
Sophos Mal/Generic-R + Mal/GandCrab-D
Comodo TrojWare.Win32.Ransom.Foreign.A@7i19jk
BitDefenderTheta Gen:NN.ZexaF.34690.hu0@aqnwU@bG
VIPRE Trojan.Win32.Generic!BT
TrendMicro Ransom_HPGANDCRAB.SMONT
McAfee-GW-Edition Packed-ZG!98A39525E778
FireEye Generic.mg.98a39525e778e2dc
Emsisoft Trojan.BRMon.Gen.3 (B)
Jiangmin Trojan.Banker.NeutrinoPOS.bo
Avira HEUR/AGEN.1126869
eGambit Unsafe.AI_Score_95%
Antiy-AVL Trojan/Generic.ASMalwS.24400F8
Microsoft Trojan:Win32/Gandcrab.GM!MTB
GData Win32.Trojan-Ransom.GandCrab.N
TACHYON Banker/W32.NeutrinoPOS.125440
AhnLab-V3 Trojan/Win32.MalCrypted.R244796
Acronis suspicious
McAfee Packed-ZG!98A39525E778
MAX malware (ai score=99)
VBA32 Trojan.Jorik
Malwarebytes Trojan.SmokeLoader
Panda Trj/Genetic.gen
TrendMicro-HouseCall Ransom_HPGANDCRAB.SMONT
Rising Trojan.Kryptik!8.8 (CLOUD)
Yandex Trojan.GenAsa!obBZgHb9xfo
Ikarus Trojan.Win32.Crypt
Fortinet W32/GenKryptik.CNAR!tr
AVG Win32:Malware-gen
Paloalto generic.ml

Despite its menacing capabilities, Jorik’s modus operandi remains unknown. The prevailing trend in malware infestations leans towards data theft. Certain programs excel in filching files and prying precious information from installed applications, leaving a trail of digital havoc in their wake. So this trojan may be part of an infection chain that ends with a stealer or spyware.

The information targeted in infostealer campaigns typically encompasses a wide array of different data. This includes browsing history, Internet cookies, login credentials, personally identifiable information, as well as sensitive financial records. Aside from that, such malware is commonly capable of voice/video recording and keystroke logging.

How did I get infected with Jorik?

Jorik’s infiltration into your computer hinges on a web of cunning strategies, with its primary conduits being phishing and social engineering tactics. These sophisticated maneuvers serve as the foundation for malware proliferation, with the following array of distribution methods serving as the malicious orchestra’s instruments:

  • Deceptive downloads. Jorik employs stealthy drive-by downloads, surreptitiously luring unsuspecting users into unwittingly downloading its treacherous payload.
  • Email spam. Malicious attachments and insidious links, cunningly embedded within spam emails and messages, entice recipients to set the stage for Jorik’s intrusion.
  • Deceptive websites as software sources. Unscrupulous domains and dubious download sources, ranging from freeware and third-party websites to Peer-to-Peer sharing networks, become fertile grounds for Jorik’s dissemination.
  • Malicious advertising. Malvertising, the nefarious marriage of advertising and malware, serves as yet another avenue through which Jorik breaches digital defenses.
  • Software cracks. Unlawful program activation tools, colloquially known as “cracks,” provide a gateway for Jorik to insinuate itself into unsuspecting systems.
  • Forged software updates. Jorik cunningly disguises itself as a legitimate update, capitalizing on users’ trust in order to infiltrate and conquer.

Frequently Asked Questions (FAQ)

My computer is infected with Jorik malware, should I format my storage device to get rid of it?
Reformatting your storage device should only be considered as a last resort for removing Jorik malware. Prior to taking such drastic action, it is advisable to perform a comprehensive scan using trustworthy antivirus or
What are the biggest issues that malware can cause?
Malware poses a significant risk to the security and privacy of sensitive information, potentially leading to identity theft, financial loss, and unauthorized access to personal accounts. Furthermore, it can disrupt the normal operation of a system, causing performance issues, system crashes, and data corruption.
What is the purpose of Jorik?
The purpose of Jorik is to enable remote access and control of compromised devices. It allows threat actors to perform various malicious activities, such as unauthorized access, data theft, system manipulation, and disabling security measures, potentially causing significant harm to individuals and organizations.
Will Gridinsoft Anti-Malware protect me from malware?
Nevertheless, it is crucial to recognize that sophisticated malware can remain hidden deep within the system. Consequently, conducting a complete system scan is imperative to detect and eradicate malware.

About the author

Robert Bailey

Security engineer focused on malware behavior, removal workflows, and Windows hardening. Robert reviews threat articles for practical accuracy, checking detection names, symptoms, and cleanup steps before publication.
