Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/05/2025, 18:12

General

  • Target

    JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe

  • Size

    405KB

  • MD5

    07c618d6272d79b520cb54605f34f7e7

  • SHA1

    4e829ee4f5474941197c1d60b3d5d874676f3297

  • SHA256

    c001a2e76fc51cd4b2862369465bf18d0a545c2bc2c0f9445b5e963db541c0c6

  • SHA512

    3b5da905d5816cecc173326f20d61f82078549b9892b3baa6596708f11c96b95fc403e435f352e3ed874e903ddd7872c433a719f857b4f35ed13403e7642ed3d

  • SSDEEP

    6144:Jh8cBzHLRMpZ4d1ZFlmznYo+iS6LMkIMS/Hb9HIrQ:QciZK1ZIy64k7rQ

Malware Config

Signatures

  • Detects Mofksys worm 5 IoCs
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Mofksys

    Mofksys is a worm written in Visual Basic.

  • Mofksys family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5116
    • \??\c:\users\admin\appdata\local\temp\jaffacakes118_07c618d6272d79b520cb54605f34f7e7.exe 
      c:\users\admin\appdata\local\temp\jaffacakes118_07c618d6272d79b520cb54605f34f7e7.exe 
      2⤵
      • Executes dropped EXE
      PID:2816
    • C:\Users\Admin\AppData\Roaming\icsys.icn.exe
      C:\Users\Admin\AppData\Roaming\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4504
      • \??\c:\windows\userinit.exe
        c:\windows\userinit.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of hidden/system files in Explorer
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:812
        • \??\c:\windows\spoolsw.exe
          c:\windows\spoolsw.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:840
          • \??\c:\windows\swchost.exe
            c:\windows\swchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2016
            • \??\c:\windows\spoolsw.exe
              c:\windows\spoolsw.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:5068
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\userinit.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3644
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4488
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\swchost.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:740
    • \??\c:\windows\swchost.exe
      c:\windows\swchost.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4660

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\jaffacakes118_07c618d6272d79b520cb54605f34f7e7.exe 

          Filesize

          194KB

          MD5

          9d0d050170d47e778b624a28c90f23de

          SHA1

          e3f7684f2f22b73d371c5cd3da9eb4b92b415dab

          SHA256

          48528aa9eb0c9fb5086d992ef1f9556c8249d267c2e3d4e681d5c8b6bc316c71

          SHA512

          1277dbf43cb993a302e13e8512914023be6c9f5e28fa99aa6c0ee55ce8b25f4aa568a158d20912295ad633c027ee168463526eecdf9b61398331ce5d55aa560b

        • C:\Users\Admin\AppData\Local\mrsys.exe

          Filesize

          211KB

          MD5

          8b420720ca3ea988e940ea38a6c861d5

          SHA1

          65e248eb55ddb02b655b3292eff40ee928067139

          SHA256

          50b59c34be790d0f008b603b7bbcc71cee4ceead3f50500ebfce1445c2d478bf

          SHA512

          96095a0c533fcee4b4295388fe64eea42501f297d1fb4bbe1c86ae40977463c93430ace0677a2d17d875fcb86d0f0dbd6089049b2f4d3e6a1e79c4870baf221b

        • C:\Users\Admin\AppData\Roaming\icsys.icn.exe

          Filesize

          211KB

          MD5

          d1a54112c9c95aff82184ff9190141a8

          SHA1

          fff00d066ff5554173269e1616dfbbe224422f26

          SHA256

          a0979ffe86949a05698b76a5022069fc8d87301ea8c7e450c2e6bd293266ab67

          SHA512

          404d77821ea034b1c264b676490a9c4e5b21e8a6c596a97414c92fd97428c5c47fd7db63263ed93c033e1335e42d18366d77a34e91804a82f1be02fba18ffc0b

        • C:\Windows\spoolsw.exe

          Filesize

          211KB

          MD5

          fe58cdade164c187bbfc682e0e587f41

          SHA1

          3b0f4e00143d9617f24e94c2a9e9a440ebe819d4

          SHA256

          ce1621542a176abb1134e851f44beb51512b1b1b845de698f6fc8959ec61b1f3

          SHA512

          82e12bcfa06bdd61ba1b3da43de9a5df1d22b7f15191f52ca1ccbb3f770430b0a2ef32dac4d935d88748683f6b8470ebaaa12a654fb6911ad5166060aca37c8c

        • C:\Windows\swchost.exe

          Filesize

          211KB

          MD5

          f9a5169cfe7d2fcabc18748608782065

          SHA1

          e3207abdf4d8dddbab5da3e5665444e8afe9c118

          SHA256

          add7243a12646529055684282652cd0f07143907545413ad25f18de94c2e7ed6

          SHA512

          ea172dc53f15b5fccaa8f308a06e88b9f0067d4502f1635bf3501ccd872f3fb87384a4598a3badee0d5bedc001505cb4b413d1b9521fd1b1b007608da5070d32

        • C:\Windows\userinit.exe

          Filesize

          211KB

          MD5

          ddd2d1a232e0fdb439986325f92dbf41

          SHA1

          4f2bbf975757ac2c8097ce98f4b723b8c74c47c6

          SHA256

          6fb7f745dcea1e4d761ad6390040ddf5330913eb5410b54d85641027b12ff66b

          SHA512

          82e58d1cc1f1948c88c2b9ee78164db3999e31610fbebf7c28ad2d1135fb9356122a6d0a1e57cfe506070732ca2e186f4721503bd1d56aefb14c78cc0fe27c42