{
	"id": "a14152e2-6a6f-4a10-8e70-be5790d902d4",
	"created_at": "2026-04-06T00:06:36.95795Z",
	"updated_at": "2026-04-10T03:20:02.615667Z",
	"deleted_at": null,
	"sha1_hash": "a7b7c907ea15111179c7dfe170a808413cc139af",
	"title": "Why would you even bother?! - javalocker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 370210,
	"plain_text": "Why would you even bother?! - javalocker\r\nBy f0wL\r\nPublished: 2020-03-18 · Archived: 2026-04-05 22:56:18 UTC\r\nWed 18 March 2020 in Ransomware\r\nToday we'll take a look at a Windows ransomware built with Java. As you might have guessed this will get ugly and is therefore not for the faint of heart.\r\nHey there, yeah it has been a while. I've been quite busy with university stuff for the past weeks, so I'm trying to get back into the analysis/blogging thing. I've been looking for interesting/\"innovative\" samples that differ from the common tricks and techniques. It was unavoidable that I would have to look at a ransomware strain written in the most beautiful programming language there is sooner or later: Java. Let's get it over with.\r\nThis strain is without a doubt still in its testing phase, so it is possible that there will be another version of it with proper encryption routines and other fixes in the next few days.\r\nJavaLocker @ AnyRun | VirusTotal | HybridAnalysis --\u003e sha256 9cb578d8517dc1763db9351d3aa9d6958be57ac0b49e3b851f7148eee57ca18b\r\nFirst of all, this is the GUI that the victim is presented after a reboot. The ransomware will encrypt the files on the system without a delay, but this window isn't shown immediately after, so it's easily missed by sandboxes like AnyRun that don't reboot for analysis. Apart from the terrible design and English grammar there's nothing more to this screen.\r\nhttps://dissectingmalwa.re/why-would-you-even-bother-javalocker.html\r\nPage 1 of 6\r\nTo display the window with the ransom note it will copy itself to the Startup folder.\r\nTo decompile the JAR file that I pulled from AnyRun I'm using JD-GUI. To preserve the eyesight of potential readers I later opted to copy the code to a dark-mode capable text editor.\r\nThe ransomware implements four classes in addition to JavaFX for the GUI:\r\nJAVABASIC : Handles the core functions of the malware.\r\nEncryption : Derives a password for the encryption routine and hashes it with MD5.\r\ncrea : Writes another instance of the ransomware to the disk.\r\nkey : Holds the encryption and decryption routines.\r\nThe \"scanner\" function looks for other attached drives connected to the victim's PC. One thing to take note of is that the ransomware will only check the drive letters from C through H, so naming and mounting your network drives X:, Y: or Z: might actually save you to some extent.\r\nA few things that stand out in the next screenshot: the ransomware will spare the C:\\Windows path. Secondly, the dropped ransom note will be named \"readmeonnotepad.javaencrypt\" with the following content:\r\n\"Q: What Happen to my computer?\\n A:Your personal files are encrypted by javalocker!\\nQ How can I recover my Files? A You need to send 300$ of bitcoins to the following adress:BAW4VM2dhxYgXeQepOHKHSQVG6NgaEb94 then contact soviet@12334@gmail.com!\"\r\nAnother interesting fact is that the wallet address mentioned in the ransom note is just a random string (another indicator for a test build). The address format doesn't match any of the ones used in mainnet, bchtest or testnet. For the BTC mainnet it would have to start with either 1, 3 or bc1, and it also contains an illegal character (\"O\"). For further reference I would recommend this guide by AllPrivateKeys.\r\nThe functions find2 and ret are also pretty redundant, which indicates a lack of knowledge or time spent on it.\r\nLet's check which filetypes are affected at the moment. Normally these extension lists are sorted alphabetically, but this one is not. Looks like they cobbled this one together rather than using one of the premade \"popular file extensions\" lists.\r\n\".accdb\", \".pub\", \".reg\", \".ico\", \".mui\", \".onetoc2\", \".dwg\", \".wk1\", \".wks\", \".vsdx\", \".vsd\", \".eml\r\nThis build of the ransomware uses DES via javax.crypto.Cipher to encrypt the victim's files. The seed value for the DES SecureRandom function is hardcoded and held in the variable td.\r\nFellow researcher @jishuzhain found that the DES key derived from the td seed is static, which should enable victims affected by this exact version to get their files back.\r\nAnd this is where we come to the point of the article headline. Why would someone even bother to: 1. build a ransomware in JAVA; 2. build it from scratch, because there are, of course, open source ransomware projects on GitHub like the one below (I selected this one because it can't be directly weaponized, but you probably know my stance on OSS ransomware) 🙄.\r\nMITRE ATT\u0026CK\r\nT1179 --\u003e Hooking --\u003e Persistence\r\nT1179 --\u003e Hooking --\u003e Privilege Escalation\r\nT1179 --\u003e Hooking --\u003e Credential Access\r\nT1114 --\u003e Email Collection --\u003e Collection\r\nIOCs\r\nJavalocker\r\nJAVABASIC.jar --\u003e SHA256: 9cb578d8517dc1763db9351d3aa9d6958be57ac0b49e3b851f7148eee57ca18b\r\nSSDEEP: 768:/OJ3GtaE64BWRRJcU99iOZlkp8DOJ3GtaE64BWRRJcU9+0de:/O4tG4cJb9XnLDO4tG4cJD\r\nAssociated Files\r\nJAVABASIC.jar\r\nreadmeonnotepad.javaencrypt\r\nDESkey.dat\r\nSource: https://dissectingmalwa.re/why-would-you-even-bother-javalocker.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://dissectingmalwa.re/why-would-you-even-bother-javalocker.html"
	],
	"report_names": [
		"why-would-you-even-bother-javalocker.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433996,
	"ts_updated_at": 1775791202,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7b7c907ea15111179c7dfe170a808413cc139af.pdf",
		"text": "https://archive.orkl.eu/a7b7c907ea15111179c7dfe170a808413cc139af.txt",
		"img": "https://archive.orkl.eu/a7b7c907ea15111179c7dfe170a808413cc139af.jpg"
	}
}