Pyrogenic – The JAR-Based Malware Spreading Across Africa and the Middle East

Time Frame

3rd November, 2019 – Current


The NaijaSecForce team has detected a new wave of malware spreading across Africa and the Middle East. The malware arrives through a spam campaign targeting corporate mailboxes within Africa and the Middle East. We started receiving reports of this campaign on the 3rd of November. The Pyrogenic malware began its initial propagation in August 2019, then went quiet until November 2019, when we noticed a massive spike.

Technical Description

At first glance, it looks to be a simple, harmless email with a supposed attachment. On closer inspection, however, what looks like an attachment is actually an image with a hyperlink.

The hyperlink is https[:]//bandirmaad[.]com/RA.html and it redirects to cevrimiciciftci[.]com/Remittance_pdf.jar where a file gets downloaded to the victim’s PC.

This malware relies on the victim to open the .jar file. The malicious .jar file is portrayed as a “Supplier Remittance” PDF, a fairly typical lure used in malware campaigns. Upon launching the malicious file “Remittance_pdf.jar”, we observed an outbound connection to the CnC server on port 80.

Shortly after, two DLL files are dropped and loaded:

ImageLoaded: C:\Users\Naijasecforce\AppData\Local\Temp\sqlite-

ImageLoaded: C:\Users\Naijasecforce\AppData\Local\Temp\jna-874362087\jna1710670949295234061.dll

cmd.exe launches for command execution.

We also noticed that cmd.exe launches automatically, spawning a PowerShell command.

CommandLine: cmd.exe /c chcp 1252 > NUL & powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command –

The Trojan then connects to a remote location to gather the external IP address of the compromised computer.
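As an added example (not part of the advisory), the following Python applies the behaviours described above as detection logic over Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records. The event records are constructed, and treating a Java runtime as the parent process of cmd.exe is an assumption, since the advisory does not name the parent.

```python
import re

# Constructed Sysmon-style events (not from the advisory). Field names mirror
# Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoaded).
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Java\jre\bin\javaw.exe",  # assumed parent of a launched .jar
     "CommandLine": "cmd.exe /c chcp 1252 > NUL & powershell.exe -ExecutionPolicy Bypass "
                    "-NoExit -NoProfile -Command -"},
    {"id": 7, "Image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "ImageLoaded": r"C:\Users\Naijasecforce\AppData\Local\Temp\jna-874362087\jna1710670949295234061.dll"},
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe",          # benign: ordinary shell use
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},
    {"id": 7, "Image": r"C:\Windows\System32\notepad.exe",      # benign: system DLL load
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

# cmd.exe switching the code page to 1252 and chaining straight into a PowerShell
# with the execution policy bypassed, as observed in the advisory.
CMD_CHAIN = re.compile(
    r"chcp\s+1252\s*>\s*NUL\s*&\s*powershell(\.exe)?\s+.*-ExecutionPolicy\s+Bypass",
    re.IGNORECASE)
# Native libraries dropped into %TEMP%: a jna-<digits> folder holding jna<digits>.dll,
# or anything under a sqlite-* name (the advisory's sqlite path is truncated).
TEMP_DLL = re.compile(
    r"\\AppData\\Local\\Temp\\(jna-\d+\\jna\d+\.dll|sqlite-.*)$", re.IGNORECASE)

def classify(event):
    """Return a rule name if the event matches a Pyrogenic behaviour, else None."""
    if event["id"] == 1 and CMD_CHAIN.search(event.get("CommandLine", "")):
        # Higher-confidence rule when the parent is a Java runtime (assumption, see above).
        parent = event.get("ParentImage", "").lower()
        if parent.endswith(("javaw.exe", "java.exe")):
            return "jar_cmd_powershell_chain"
        return "cmd_powershell_bypass_chain"
    if event["id"] == 7 and TEMP_DLL.search(event.get("ImageLoaded", "")):
        return "temp_jna_sqlite_dll_load"
    return None

def scan(events):
    """Return (index, rule) pairs for every event that matches a rule."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]

if __name__ == "__main__":
    for idx, rule in scan(EVENTS):
        print(f"event {idx}: {rule}")
```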

Current Detection

We ran this malware against VirusTotal and had only 1/59 detections. Only Fortinet detected the malware.

S/N | Description | Detailed Information
1 | Malware hosting sites (links in email) | hxxps://, hxxp://
2 | Malicious filenames observed | Remittance_pdf.jar, BankPaymAdviceVend_LLCRep.jar, Remittance_Advice(E-Mail)_pdf.jar, E-mail_Remittance_Layout.jar, Remittance_Advice_IN33092319_pdf.jar, Remittance_Advice_HEAD0000I00231_pdf.jar
3 | File hash for malicious file (.jar) | SHA256: 36da271e39083cacdbade996fdc388bd4beef4d00e7d0780de4eb53fd31794db
4 | Dropped executable file and hashes | %temp%/sqlite- ; SHA256: 51cc105f172859e6866f3cad5c99188663be503cd4bb618c946b0c83faabf0b8 ; SHA256: 1b2af8b31416f68051db213bcdcf82775e29191b6d069c327988e02e654030ad
6 | Network connections | 157.245.160.150 (HTTP/HTTPS requests)


In order to avoid and mitigate the impact of the threat, we highly recommend the following:

  • Ensure that all IOCs are blocked.
  • Avoid and restrict execution of unknown files, programs and PowerShell scripts.
  • Ensure that attachments and links in emails are sandbox-analysed before delivery to users.
  • Monitor emails for any phishing activity and malicious links/attachments.
  • Monitor the network for any suspicious/anomalous activity.
  • Implement more cybersecurity awareness workshops.
  • Block communication to the malicious Command-and-Control server.
  • Block the malicious domains using URL filtering for web traffic.

Credits to AppAnyRun for the name “Pyrogenic”.

About the Author:

NaijaSecForce Threat Advisory Team – Rotimi Akinyele

NaijaSecForce Threat Advisory Team includes security experts and researchers responsible for analyzing and eliminating threats within Africa and also, investigating the global threat landscape. The team shares its research and insights with the industry at large to help promote a safer internet.

The NaijaSecForce Threat Advisory Team is part of the NaijaSecForce team, which is the brain behind NaijaSecCon, a conference dubbed Nigeria’s foremost technical cybersecurity conference and held annually.