Malware Analysis Report

2025-06-16 05:40

Sample ID 250522-wtj5gsbq7x
Target JaffaCakes118_07c618d6272d79b520cb54605f34f7e7
SHA256 c001a2e76fc51cd4b2862369465bf18d0a545c2bc2c0f9445b5e963db541c0c6
Tags
mofksys defense_evasion discovery persistence worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c001a2e76fc51cd4b2862369465bf18d0a545c2bc2c0f9445b5e963db541c0c6

Threat Level: Known bad

The file JaffaCakes118_07c618d6272d79b520cb54605f34f7e7 was found to be: Known bad.

Malicious Activity Summary

mofksys defense_evasion discovery persistence worm

Detects Mofksys worm

Mofksys family

Modifies WinLogon for persistence

Mofksys

Modifies visibility of hidden/system files in Explorer

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-22 18:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-22 18:12

Reported

2025-05-22 18:15

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe"

Signatures

Detects Mofksys worm

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" \??\c:\windows\swchost.exe N/A

The Winlogon Shell value normally holds only explorer.exe. Appending the dropped c:\windows\userinit.exe makes Winlogon start it beside the desktop shell at every interactive logon (ATT&CK T1547.004, Winlogon Helper DLL). The dropped file borrows the name of the legitimate C:\Windows\System32\userinit.exe but sits one directory up, in C:\Windows; the Winlogon Userinit value itself is not touched in this report. Both dropped copies (userinit.exe and swchost.exe) write the value.

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\swchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\userinit.exe N/A

ShowSuperHidden is the per-user Explorer option "Hide protected operating system files"; writing 0 keeps files carrying the hidden+system attributes out of Explorer listings (ATT&CK T1564.001). Whether the dropped files are given those attributes is not recorded in this report, so treat the write as intent rather than proof that the files are hidden.

Mofksys

worm mofksys

Mofksys family

mofksys

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\swchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\swchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\swchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\swchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" \??\c:\windows\swchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" \??\c:\windows\swchost.exe N/A

Active Setup runs each component's StubPath once per user at that user's next logon, so mrsys.exe MR (dropped to the Admin profile, see Files) is executed for every account that logs on (ATT&CK T1547.014). The component names are not valid CLSIDs: a CLSID is hexadecimal only, while these contain VMVQ, OTRW, NUFL and similar, which makes the keys easy to hunt for under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (here seen through the WOW6432Node view because the sample is 32-bit). Both dropped copies create, delete and recreate the keys during the run.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" \??\c:\windows\swchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" \??\c:\windows\swchost.exe N/A

These are RunOnce rather than Run values (ATT&CK T1547.001); RunOnce entries are deleted after they execute, and both dropped copies re-create them, so they reappear if either copy is still running. The RO argument matches the c:\windows\userinit.exe RO and c:\windows\swchost.exe RO launches in the Processes section; elsewhere in the run the copies are started with SE, PR and MR.
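The registry writes in the persistence tables are precise enough for a host-based check to state the expected value in each case: Winlogon\Shell should hold only explorer.exe, an Active Setup component name should be a real CLSID and its StubPath should not run from a user profile, a Run/RunOnce target should not live in the Windows root or a user directory, and ShowSuperHidden should not be flipped to 0. The Python below is an added example, not the sandbox's own signature logic: it parses "Set value" rows in the shape this report uses (the input is copied from the tables above, plus one constructed benign Winlogon write as a control) and maps each hit to the ATT&CK sub-technique. The row regex, the trusted-directory list and the technique mapping are this example's assumptions.

```python
"""Flag persistence-related registry writes from a sandbox report.

Added example, not the sandbox's own signature code. The event lines are
copied from this report's "Set value" rows (plus one constructed benign
control); the regex, the trusted-directory list and the ATT&CK mapping are
this example's assumptions.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed input: registry writes in the report's own row shape.  The last
# line is a constructed benign control (not in the report) to show a non-hit.
REPORT_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" \??\c:\windows\userinit.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\swchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" \??\c:\windows\userinit.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" \??\c:\windows\swchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" C:\Windows\regedit.exe
'''

EVENT_RE = re.compile(r'^Set value \((str|int)\) (.+?) = "(.*)" (\S+)$')
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)
# Assumed: directories from which an autostart target is not suspicious by location alone.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")


@dataclass
class Finding:
    technique: str
    reason: str
    key: str
    process: str


def parse_event(line):
    """Split one row into (type, key, value name, data, writing process)."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    vtype, path, data, process = m.groups()
    key, _, name = path.rpartition("\\")
    # The report doubles backslashes inside the data string; undo that.
    return vtype, key, name, data.replace("\\\\", "\\"), process


def is_valid_clsid(component):
    return bool(CLSID_RE.match(component))


def target_exe(data):
    """First token of a command line, lower-cased; the paths here contain no spaces."""
    return data.split(None, 1)[0].strip('"').lower()


def in_trusted_dir(exe):
    return any(exe.startswith(d + "\\") for d in TRUSTED_DIRS)


def check(event):
    """Return a Finding for one parsed write, or None if it looks benign."""
    vtype, key, name, data, process = event
    k, n = key.lower(), name.lower()
    if k.endswith("\\winlogon") and n == "shell":
        entries = [e.strip() for e in data.split(",") if e.strip()]
        if len(entries) != 1 or ntpath.basename(entries[0]).lower() != "explorer.exe":
            return Finding("T1547.004", f"Winlogon Shell is {data!r}, expected explorer.exe", key, process)
    elif "\\active setup\\installed components\\" in k and n == "stubpath":
        component = key.rpartition("\\")[2]
        reasons = []
        if not is_valid_clsid(component):
            reasons.append(f"component name {component} is not a CLSID")
        if "\\users\\" in target_exe(data):
            reasons.append("StubPath runs from a user profile")
        if reasons:
            return Finding("T1547.014", "; ".join(reasons), key, process)
    elif k.endswith("\\run") or k.endswith("\\runonce"):
        exe = target_exe(data)
        if not in_trusted_dir(exe):
            return Finding("T1547.001", f"{name} starts {exe} from an untrusted directory", key, process)
    elif n == "showsuperhidden" and data == "0":
        return Finding("T1564.001", "Explorer set to hide protected OS files", key, process)
    return None


def analyze(text):
    """Parse every row in text and return the list of Findings."""
    events = filter(None, (parse_event(line) for line in text.splitlines()))
    return [f for f in map(check, events) if f]


if __name__ == "__main__":
    for f in analyze(REPORT_EVENTS):
        print(f"{f.technique}  {f.process}\n    {f.reason}")
```

Run against the five rows it reports four findings, one per technique, and nothing for the constructed control; the CLSID check alone is enough to catch this family's Active Setup keys on a live host, since a legitimate component name never contains letters beyond F.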

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\system\udsys.exe \??\c:\windows\userinit.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\spoolsw.exe \??\c:\windows\userinit.exe N/A
File opened for modification \??\c:\windows\swchost.exe \??\c:\windows\spoolsw.exe N/A
File opened for modification \??\c:\windows\userinit.exe \??\c:\windows\userinit.exe N/A
File opened for modification \??\c:\windows\swchost.exe \??\c:\windows\swchost.exe N/A
File opened for modification \??\c:\windows\userinit.exe C:\Users\Admin\AppData\Roaming\icsys.icn.exe N/A

The file names are chosen to blend in: spoolsw.exe and swchost.exe are one character off the legitimate spoolsv.exe and svchost.exe, and userinit.exe is written to C:\Windows rather than C:\Windows\System32, where the real one lives. The report's tags do not include masquerading, but this is the pattern ATT&CK T1036.005 (Match Legitimate Name or Location) describes, and it is the thing to key on when hunting: Windows ships no spoolsw.exe or swchost.exe, and no userinit.exe directly under C:\Windows.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Every process in the chain reads the NLS\Language key. Many benign programs do the same to learn the installed language, so on its own this signature is context rather than an indicator; it would matter only if the sample behaved differently by locale, which this report does not show.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\userinit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\swchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\spoolsw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\swchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\userinit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\spoolsw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\icsys.icn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\icsys.icn.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5116 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe \??\c:\users\admin\appdata\local\temp\jaffacakes118_07c618d6272d79b520cb54605f34f7e7.exe 
PID 5116 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe \??\c:\users\admin\appdata\local\temp\jaffacakes118_07c618d6272d79b520cb54605f34f7e7.exe 
PID 5116 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe C:\Users\Admin\AppData\Roaming\icsys.icn.exe
PID 5116 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe C:\Users\Admin\AppData\Roaming\icsys.icn.exe
PID 5116 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe C:\Users\Admin\AppData\Roaming\icsys.icn.exe
PID 4504 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\icsys.icn.exe \??\c:\windows\userinit.exe
PID 4504 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\icsys.icn.exe \??\c:\windows\userinit.exe
PID 4504 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\icsys.icn.exe \??\c:\windows\userinit.exe
PID 812 wrote to memory of 840 N/A \??\c:\windows\userinit.exe \??\c:\windows\spoolsw.exe
PID 812 wrote to memory of 840 N/A \??\c:\windows\userinit.exe \??\c:\windows\spoolsw.exe
PID 812 wrote to memory of 840 N/A \??\c:\windows\userinit.exe \??\c:\windows\spoolsw.exe
PID 840 wrote to memory of 2016 N/A \??\c:\windows\spoolsw.exe \??\c:\windows\swchost.exe
PID 840 wrote to memory of 2016 N/A \??\c:\windows\spoolsw.exe \??\c:\windows\swchost.exe
PID 840 wrote to memory of 2016 N/A \??\c:\windows\spoolsw.exe \??\c:\windows\swchost.exe
PID 2016 wrote to memory of 5068 N/A \??\c:\windows\swchost.exe \??\c:\windows\spoolsw.exe
PID 2016 wrote to memory of 5068 N/A \??\c:\windows\swchost.exe \??\c:\windows\spoolsw.exe
PID 2016 wrote to memory of 5068 N/A \??\c:\windows\swchost.exe \??\c:\windows\spoolsw.exe
PID 740 wrote to memory of 4660 N/A C:\Windows\system32\cmd.exe \??\c:\windows\swchost.exe
PID 740 wrote to memory of 4660 N/A C:\Windows\system32\cmd.exe \??\c:\windows\swchost.exe
PID 740 wrote to memory of 4660 N/A C:\Windows\system32\cmd.exe \??\c:\windows\swchost.exe
PID 3644 wrote to memory of 4488 N/A C:\Windows\system32\cmd.exe \??\c:\windows\userinit.exe
PID 3644 wrote to memory of 4488 N/A C:\Windows\system32\cmd.exe \??\c:\windows\userinit.exe
PID 3644 wrote to memory of 4488 N/A C:\Windows\system32\cmd.exe \??\c:\windows\userinit.exe
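The rows above give the parent-to-child chain of the detonation (each "wrote to memory of" entry is, on the usual reading, the parent writing into a child it has just created), and the image names are the other half of the story: swchost.exe and spoolsw.exe are one character off svchost.exe and spoolsv.exe, and userinit.exe sits in C:\Windows rather than System32. The Python below is an added example, not part of the report: it rebuilds the lineage from the de-duplicated rows and flags every image whose name or location imitates a Windows binary. The table of legitimate binaries and their directories, and the one-character edit-distance threshold, are this example's assumptions.

```python
"""Rebuild the detonation's process lineage and flag masqueraded images.

Added example, not part of the report. The rows are the report's distinct
WriteProcessMemory entries; the table of legitimate Windows binaries and the
one-character edit-distance threshold are this example's assumptions.
"""
import ntpath
import re

# Constructed input: the report's "PID X wrote to memory of Y" rows, de-duplicated
# (the report repeats each one; the trailing space on the first target path is dropped).
WPM_ROWS = r'''
PID 5116 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe \??\c:\users\admin\appdata\local\temp\jaffacakes118_07c618d6272d79b520cb54605f34f7e7.exe
PID 5116 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe C:\Users\Admin\AppData\Roaming\icsys.icn.exe
PID 4504 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\icsys.icn.exe \??\c:\windows\userinit.exe
PID 812 wrote to memory of 840 N/A \??\c:\windows\userinit.exe \??\c:\windows\spoolsw.exe
PID 840 wrote to memory of 2016 N/A \??\c:\windows\spoolsw.exe \??\c:\windows\swchost.exe
PID 2016 wrote to memory of 5068 N/A \??\c:\windows\swchost.exe \??\c:\windows\spoolsw.exe
PID 740 wrote to memory of 4660 N/A C:\Windows\system32\cmd.exe \??\c:\windows\swchost.exe
PID 3644 wrote to memory of 4488 N/A C:\Windows\system32\cmd.exe \??\c:\windows\userinit.exe
'''
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Assumed reference table: well-known binaries and where they legitimately live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
LEGIT = {
    "svchost.exe": SYSTEM_DIRS,
    "spoolsv.exe": SYSTEM_DIRS,
    "userinit.exe": SYSTEM_DIRS,
    "cmd.exe": SYSTEM_DIRS,
    "explorer.exe": (r"c:\windows",),
}


def normalize(path):
    """Strip the NT object-manager prefix the sandbox prints and lower-case."""
    path = path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_rows(text):
    """Return (parent_of, image_of) maps keyed by PID."""
    parent_of, image_of = {}, {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ppid, pid, pimage, image = m.groups()
        parent_of[int(pid)] = int(ppid)
        image_of.setdefault(int(ppid), normalize(pimage))
        image_of[int(pid)] = normalize(image)
    return parent_of, image_of


def lineage(pid, parent_of, image_of):
    """Image basenames from the root ancestor down to pid."""
    chain = []
    while pid in image_of:
        chain.append(ntpath.basename(image_of[pid]))
        if pid not in parent_of:
            break
        pid = parent_of[pid]
    return list(reversed(chain))


def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_reason(path):
    """Why this image imitates a Windows binary it is not, or None."""
    name, directory = ntpath.basename(path), ntpath.dirname(path)
    if name in LEGIT:
        if directory not in LEGIT[name]:
            return f"{name} outside its system directory ({directory})"
        return None
    for legit in LEGIT:
        if edit_distance(name, legit) <= 1:
            return f"{name} is one character off {legit}"
    return None


def masquerading_pids(text):
    """Sorted PIDs whose image name or location masquerades as a Windows binary."""
    parent_of, image_of = parse_rows(text)
    return sorted(pid for pid, img in image_of.items() if masquerade_reason(img))


if __name__ == "__main__":
    parent_of, image_of = parse_rows(WPM_ROWS)
    for pid in sorted(image_of):
        reason = masquerade_reason(image_of[pid]) or "-"
        print(pid, " -> ".join(lineage(pid, parent_of, image_of)), "|", reason)
```

On this report the script flags six processes (every userinit.exe, spoolsw.exe and swchost.exe instance) and leaves the two cmd.exe parents and the original sample alone; the same two checks (known name in the wrong directory, unknown name one edit away from a known one) transfer directly to an EDR process-creation feed.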

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe"

\??\c:\users\admin\appdata\local\temp\jaffacakes118_07c618d6272d79b520cb54605f34f7e7.exe 

c:\users\admin\appdata\local\temp\jaffacakes118_07c618d6272d79b520cb54605f34f7e7.exe 

C:\Users\Admin\AppData\Roaming\icsys.icn.exe

C:\Users\Admin\AppData\Roaming\icsys.icn.exe

\??\c:\windows\userinit.exe

c:\windows\userinit.exe

\??\c:\windows\spoolsw.exe

c:\windows\spoolsw.exe SE

\??\c:\windows\swchost.exe

c:\windows\swchost.exe

\??\c:\windows\spoolsw.exe

c:\windows\spoolsw.exe PR

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\userinit.exe RO

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\swchost.exe RO

\??\c:\windows\swchost.exe

c:\windows\swchost.exe RO

\??\c:\windows\userinit.exe

c:\windows\userinit.exe RO

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
FR 216.58.213.67:80 c.pki.goog tcp

All destinations are Microsoft (Bing) and Google PKI endpoints (c.pki.goog serves certificate chains and revocation data), and the report does not attribute any connection to a specific process. Traffic of this kind is typically generated by a Windows 10 image itself, so nothing in this table should be recorded as a command-and-control indicator; no connection here can be tied to the sample or the dropped binaries.

Files

C:\Users\Admin\AppData\Local\Temp\jaffacakes118_07c618d6272d79b520cb54605f34f7e7.exe 

MD5 9d0d050170d47e778b624a28c90f23de
SHA1 e3f7684f2f22b73d371c5cd3da9eb4b92b415dab
SHA256 48528aa9eb0c9fb5086d992ef1f9556c8249d267c2e3d4e681d5c8b6bc316c71
SHA512 1277dbf43cb993a302e13e8512914023be6c9f5e28fa99aa6c0ee55ce8b25f4aa568a158d20912295ad633c027ee168463526eecdf9b61398331ce5d55aa560b

The SHA256 of this file (48528aa9...) is not the submitted sample's (c001a2e7..., see the header): the lower-case path with the trailing space that the sample launches (see the Processes section) holds a different binary, written during detonation. Both hashes belong in an indicator list.

C:\Users\Admin\AppData\Roaming\icsys.icn.exe

MD5 d1a54112c9c95aff82184ff9190141a8
SHA1 fff00d066ff5554173269e1616dfbbe224422f26
SHA256 a0979ffe86949a05698b76a5022069fc8d87301ea8c7e450c2e6bd293266ab67
SHA512 404d77821ea034b1c264b676490a9c4e5b21e8a6c596a97414c92fd97428c5c47fd7db63263ed93c033e1335e42d18366d77a34e91804a82f1be02fba18ffc0b

C:\Windows\userinit.exe

MD5 ddd2d1a232e0fdb439986325f92dbf41
SHA1 4f2bbf975757ac2c8097ce98f4b723b8c74c47c6
SHA256 6fb7f745dcea1e4d761ad6390040ddf5330913eb5410b54d85641027b12ff66b
SHA512 82e58d1cc1f1948c88c2b9ee78164db3999e31610fbebf7c28ad2d1135fb9356122a6d0a1e57cfe506070732ca2e186f4721503bd1d56aefb14c78cc0fe27c42

C:\Windows\spoolsw.exe

MD5 fe58cdade164c187bbfc682e0e587f41
SHA1 3b0f4e00143d9617f24e94c2a9e9a440ebe819d4
SHA256 ce1621542a176abb1134e851f44beb51512b1b1b845de698f6fc8959ec61b1f3
SHA512 82e12bcfa06bdd61ba1b3da43de9a5df1d22b7f15191f52ca1ccbb3f770430b0a2ef32dac4d935d88748683f6b8470ebaaa12a654fb6911ad5166060aca37c8c

C:\Windows\swchost.exe

MD5 f9a5169cfe7d2fcabc18748608782065
SHA1 e3207abdf4d8dddbab5da3e5665444e8afe9c118
SHA256 add7243a12646529055684282652cd0f07143907545413ad25f18de94c2e7ed6
SHA512 ea172dc53f15b5fccaa8f308a06e88b9f0067d4502f1635bf3501ccd872f3fb87384a4598a3badee0d5bedc001505cb4b413d1b9521fd1b1b007608da5070d32

C:\Users\Admin\AppData\Local\mrsys.exe

MD5 8b420720ca3ea988e940ea38a6c861d5
SHA1 65e248eb55ddb02b655b3292eff40ee928067139
SHA256 50b59c34be790d0f008b603b7bbcc71cee4ceead3f50500ebfce1445c2d478bf
SHA512 96095a0c533fcee4b4295388fe64eea42501f297d1fb4bbe1c86ae40977463c93430ace0677a2d17d875fcb86d0f0dbd6089049b2f4d3e6a1e79c4870baf221b

This is the binary the Active Setup StubPath values point to (started with the MR argument at each user's next logon).