explaingit

pnwcomputers/jwrapper-screenconnect-rat-remediation-toolkit

Analysis updated 2026-05-18

1PowerShellAudience · ops devopsComplexity · 3/5Setup · moderate

TLDR

A PowerShell incident response toolkit for detecting and fully removing a ScreenConnect-based malware infection linked to ransomware access brokers.

Mindmap

mindmap
  root((repo))
    What it does
      Scans for infection
      Removes malware
      Verifies cleanup
    Tech stack
      PowerShell
    Use cases
      Scan without changes
      Remove confirmed infection
      Verify removal succeeded
    Audience
      IT admins
      Incident responders

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Scan a Windows machine for signs of the ScreenConnect and SimpleHelp backdoor without making changes.

USE CASE 2

Remove a confirmed infection by killing processes, deleting services, and cleaning the registry.

USE CASE 3

Verify removal succeeded and re-check for persistence in Safe Mode startup.

What is it built with?

PowerShell

How does it compare?

pnwcomputers/jwrapper-screenconnect-rat-remediation-toolkitc0urag1/break-risk-intel-skillnickalaslight/fable-sonnet-orchestrator-kit
Stars111
LanguagePowerShellPowerShellPowerShell
Setup difficultymoderateeasymoderate
Complexity3/52/53/5
Audienceops devopsops devopsdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires administrator privileges on Windows, removal steps are destructive and require typing YES to confirm.

In plain English

This PowerShell toolkit is an incident response tool for detecting and fully removing a specific malware infection that abuses legitimate remote access software. The infection is associated with Initial Access Brokers, attackers who break into computers and sell that access to ransomware operators, in this case those deploying Medusa ransomware. The malware works by silently installing two legitimate remote access tools, ScreenConnect and software called JWrapper running SimpleHelp, with all visible alerts and tray icons disabled. Because these are real, digitally signed programs rather than custom malware, standard antivirus tools typically do not flag them. The attacker also registers the backdoor in the Windows Safe Mode startup sequence, meaning the remote access persists even if someone boots into Safe Mode to clean the machine. The toolkit has three main files. The detection scanner, system_check.ps1, scans the machine without making any changes and produces a timestamped report covering running processes, Windows services, registry entries, file system artifacts, active network connections, and file hashes, then opens it in Notepad. The remediation script, Fix.ps1, performs cleanup in seven steps, killing processes, removing services, scrubbing registry keys, deleting files, removing firewall rules, flushing DNS cache, and re-verifying removal. The launcher, RUN_ME.bat, provides a simple menu and requires typing YES before any destructive action runs. The README warns that removing the malware does not undo data accessed during the intrusion, so passwords should be rotated after cleanup. The full README is longer than what was provided.

Copy-paste prompts

Prompt 1
Help me run system_check.ps1 first to scan for this malware without making any changes.
Prompt 2
Explain what Fix.ps1's seven remediation steps each do before I run it.
Prompt 3
Walk me through using RUN_ME.bat safely, including its YES confirmation step.
Prompt 4
Show me what to rotate or check after remediation since prior data access isn't undone.

Frequently asked questions

What is jwrapper-screenconnect-rat-remediation-toolkit?

A PowerShell incident response toolkit for detecting and fully removing a ScreenConnect-based malware infection linked to ransomware access brokers.

What language is jwrapper-screenconnect-rat-remediation-toolkit written in?

Mainly PowerShell. The stack also includes PowerShell.

How hard is jwrapper-screenconnect-rat-remediation-toolkit to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is jwrapper-screenconnect-rat-remediation-toolkit for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.