Trojan.Agent.JFA

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 24,451
Threat Level: 80 % (High)
Infected Computers: 1
First Seen: June 16, 2023
Last Seen: April 28, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.Agent.JFA
Packers: UPX
Signature status: No Signature

Known Samples

MD5: 471d39a51a79f342033c5b0636c244dc
SHA1: b0324ddd99677d9b0458c7328879f8fde268effc
SHA256: 1154535130D546EAA33BBC9051A9CB91E2B0E3A3991286C3D5B0A708110C9AA7
File Size: 2.80 MB, 2801690 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Traits

  • big overlay
  • No Version Info
  • packed
  • x86

Block Information

Total Blocks: 552
Potentially Malicious Blocks: 182
Whitelisted Blocks: 370
Unknown Blocks: 0


Similar Families

  • Agent.JFA

Files Modified

File Attributes
\device\harddisk0\dr0 Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
c:\program files (x86)\wina\instructions.xml Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\wina\onstartup.xml Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\wina\onstartup_fallback.xml Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\wina\uninstallparti.xml Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\wina\uninstallpartii.xml Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\wina\wina.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\wina\wina.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\bombermania.exedir\bombermania.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\is-jl9qr.tmp\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-v68lk.tmp\is-021v2.tmp Generic Write,Read Attributes
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\antivirus live update.lnk Synchronize,Write Attributes
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\live update.lnk Synchronize,Write Attributes
c:\users\user\downloads\_bombermania.exe Generic Write,Read Attributes
c:\users\user\downloads\_bombermania.exe Synchronize,Write Attributes
c:\users\user\downloads\instructions.xml Generic Write,Read Attributes
c:\users\user\downloads\instructions.xml Synchronize,Write Attributes
c:\users\user\downloads\multipurposeagent_myfilenamereport.xml Generic Write,Read Attributes
c:\users\user\downloads\multipurposeagent_myfilenamereport.xml Synchronize,Write Attributes
c:\users\user\downloads\onstartup.xml Generic Write,Read Attributes
c:\users\user\downloads\onstartup.xml Synchronize,Write Attributes
c:\users\user\downloads\onstartup_fallback.xml Generic Write,Read Attributes
c:\users\user\downloads\onstartup_fallback.xml Synchronize,Write Attributes
c:\users\user\downloads\uninstallparti.xml Generic Write,Read Attributes
c:\users\user\downloads\uninstallparti.xml Synchronize,Write Attributes
c:\users\user\downloads\uninstallpartii.xml Generic Write,Read Attributes
c:\users\user\downloads\uninstallpartii.xml Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKLM\software\wow6432node\microsoft\windows\currentversion\run::live update C:\Program Files (x86)\WinA\WinA.exe OnStartup.xml RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::live update C:\Program Files (x86)\WinA\WinA.exe OnStartup_FallBack.xml RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\wina::displayname WinA RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\wina::uninstallstring C:\Program Files (x86)\WinA\WinA.exe UninstallPartI.xml RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 陋ȁ獖} RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute
  • CreateProcess
  • ShellExecute

Shell Command Execution

open C:\Users\Oickdydo\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe
"C:\Users\Oickdydo\AppData\Local\Temp\is-V68LK.tmp\is-021V2.tmp" /SL4 $E0390 C:\Users\Oickdydo\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe 2384405 50688
