Analysis
max time kernel: 150s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/05/2025, 18:12
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe
Resource: win10v2004-20250502-en
General
Target: JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe
Size: 405KB
MD5: 07c618d6272d79b520cb54605f34f7e7
SHA1: 4e829ee4f5474941197c1d60b3d5d874676f3297
SHA256: c001a2e76fc51cd4b2862369465bf18d0a545c2bc2c0f9445b5e963db541c0c6
SHA512: 3b5da905d5816cecc173326f20d61f82078549b9892b3baa6596708f11c96b95fc403e435f352e3ed874e903ddd7872c433a719f857b4f35ed13403e7642ed3d
SSDEEP: 6144:Jh8cBzHLRMpZ4d1ZFlmznYo+iS6LMkIMS/Hb9HIrQ:QciZK1ZIy64k7rQ
Malware Config
Signatures
Detects Mofksys worm (5 IoCs)
resource | yara_rule
behavioral1/files/0x0007000000024119-8.dat | family_mofksys
behavioral1/files/0x0010000000023f7e-17.dat | family_mofksys
behavioral1/files/0x000800000002411d-25.dat | family_mofksys
behavioral1/files/0x0009000000024116-33.dat | family_mofksys
behavioral1/files/0x000900000002411f-44.dat | family_mofksys
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | userinit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | swchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | swchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | userinit.exe
Mofksys family
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | swchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | swchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | swchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | swchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | userinit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | userinit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | swchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | swchost.exe
Executes dropped EXE (8 IoCs)
pid | Process
2816 | jaffacakes118_07c618d6272d79b520cb54605f34f7e7.exe
4504 | icsys.icn.exe
812 | userinit.exe
840 | spoolsw.exe
2016 | swchost.exe
5068 | spoolsw.exe
4660 | swchost.exe
4488 | userinit.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | userinit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | userinit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | swchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | swchost.exe
Drops file in System32 directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\system\udsys.exe | userinit.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\spoolsw.exe | userinit.exe
File opened for modification | \??\c:\windows\swchost.exe | spoolsw.exe
File opened for modification | \??\c:\windows\userinit.exe | userinit.exe
File opened for modification | \??\c:\windows\swchost.exe | swchost.exe
File opened for modification | \??\c:\windows\userinit.exe | icsys.icn.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | userinit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | swchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | swchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | userinit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsw.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries
4504 | icsys.icn.exe | 2
812 | userinit.exe | 36
2016 | swchost.exe | 26
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
812 | userinit.exe
2016 | swchost.exe
Suspicious use of SetWindowsHookEx (18 IoCs)
pid | Process | entries
5116 | JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe | 2
4504 | icsys.icn.exe | 2
812 | userinit.exe | 4
840 | spoolsw.exe | 2
2016 | swchost.exe | 2
5068 | spoolsw.exe | 2
4660 | swchost.exe | 2
4488 | userinit.exe | 2
Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | Process | procid_target | entries
PID 5116 wrote to memory of 2816 | 5116 | JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe | 87 | 2
PID 5116 wrote to memory of 4504 | 5116 | JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe | 88 | 3
PID 4504 wrote to memory of 812 | 4504 | icsys.icn.exe | 90 | 3
PID 812 wrote to memory of 840 | 812 | userinit.exe | 91 | 3
PID 840 wrote to memory of 2016 | 840 | spoolsw.exe | 92 | 3
PID 2016 wrote to memory of 5068 | 2016 | swchost.exe | 93 | 3
PID 740 wrote to memory of 4660 | 740 | cmd.exe | 98 | 3
PID 3644 wrote to memory of 4488 | 3644 | cmd.exe | 99 | 3
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 5116
  \??\c:\users\admin\appdata\local\temp\jaffacakes118_07c618d6272d79b520cb54605f34f7e7.exe
    command line: c:\users\admin\appdata\local\temp\jaffacakes118_07c618d6272d79b520cb54605f34f7e7.exe
    - Executes dropped EXE
    PID: 2816
  C:\Users\Admin\AppData\Roaming\icsys.icn.exe
    command line: C:\Users\Admin\AppData\Roaming\icsys.icn.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4504
    \??\c:\windows\userinit.exe
      command line: c:\windows\userinit.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 812
      \??\c:\windows\spoolsw.exe
        command line: c:\windows\spoolsw.exe SE
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 840
        \??\c:\windows\swchost.exe
          command line: c:\windows\swchost.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 2016
          \??\c:\windows\spoolsw.exe
            command line: c:\windows\spoolsw.exe PR
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID: 5068
C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c c:\windows\userinit.exe RO
  - Suspicious use of WriteProcessMemory
  PID: 3644
  \??\c:\windows\userinit.exe
    command line: c:\windows\userinit.exe RO
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 4488
C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c c:\windows\swchost.exe RO
  - Suspicious use of WriteProcessMemory
  PID: 740
  \??\c:\windows\swchost.exe
    command line: c:\windows\swchost.exe RO
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 4660
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (4)
Downloads