Analysis Overview
SHA256
c001a2e76fc51cd4b2862369465bf18d0a545c2bc2c0f9445b5e963db541c0c6
Threat Level: Known bad
The file JaffaCakes118_07c618d6272d79b520cb54605f34f7e7 was found to be: Known bad.
Malicious Activity Summary
Detects Mofksys worm
Mofksys family
Modifies WinLogon for persistence
Mofksys
Modifies visibility of hidden/system files in Explorer
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-22 18:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-22 18:12
Reported
2025-05-22 18:15
Platform
win10v2004-20250502-en
Max time kernel
150s
Max time network
140s
Command Line
Signatures
Detects Mofksys worm
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | \??\c:\windows\userinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | \??\c:\windows\swchost.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\swchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\userinit.exe | N/A |
Mofksys
Mofksys family
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\swchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\swchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\swchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\swchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\userinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | \??\c:\windows\userinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | \??\c:\windows\swchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | \??\c:\windows\swchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\jaffacakes118_07c618d6272d79b520cb54605f34f7e7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\userinit.exe | N/A |
| N/A | N/A | \??\c:\windows\spoolsw.exe | N/A |
| N/A | N/A | \??\c:\windows\swchost.exe | N/A |
| N/A | N/A | \??\c:\windows\spoolsw.exe | N/A |
| N/A | N/A | \??\c:\windows\swchost.exe | N/A |
| N/A | N/A | \??\c:\windows\userinit.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | \??\c:\windows\userinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | \??\c:\windows\userinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | \??\c:\windows\swchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | \??\c:\windows\swchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\system\udsys.exe | \??\c:\windows\userinit.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\c:\windows\spoolsw.exe | \??\c:\windows\userinit.exe | N/A |
| File opened for modification | \??\c:\windows\swchost.exe | \??\c:\windows\spoolsw.exe | N/A |
| File opened for modification | \??\c:\windows\userinit.exe | \??\c:\windows\userinit.exe | N/A |
| File opened for modification | \??\c:\windows\swchost.exe | \??\c:\windows\swchost.exe | N/A |
| File opened for modification | \??\c:\windows\userinit.exe | C:\Users\Admin\AppData\Roaming\icsys.icn.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\userinit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\swchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\spoolsw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\swchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\icsys.icn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\userinit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\spoolsw.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | \??\c:\windows\userinit.exe | N/A |
| N/A | N/A | \??\c:\windows\swchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\icsys.icn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\userinit.exe | N/A |
| N/A | N/A | \??\c:\windows\userinit.exe | N/A |
| N/A | N/A | \??\c:\windows\spoolsw.exe | N/A |
| N/A | N/A | \??\c:\windows\spoolsw.exe | N/A |
| N/A | N/A | \??\c:\windows\swchost.exe | N/A |
| N/A | N/A | \??\c:\windows\swchost.exe | N/A |
| N/A | N/A | \??\c:\windows\spoolsw.exe | N/A |
| N/A | N/A | \??\c:\windows\spoolsw.exe | N/A |
| N/A | N/A | \??\c:\windows\userinit.exe | N/A |
| N/A | N/A | \??\c:\windows\userinit.exe | N/A |
| N/A | N/A | \??\c:\windows\swchost.exe | N/A |
| N/A | N/A | \??\c:\windows\userinit.exe | N/A |
| N/A | N/A | \??\c:\windows\userinit.exe | N/A |
| N/A | N/A | \??\c:\windows\swchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c618d6272d79b520cb54605f34f7e7.exe"
\??\c:\users\admin\appdata\local\temp\jaffacakes118_07c618d6272d79b520cb54605f34f7e7.exe
c:\users\admin\appdata\local\temp\jaffacakes118_07c618d6272d79b520cb54605f34f7e7.exe
C:\Users\Admin\AppData\Roaming\icsys.icn.exe
C:\Users\Admin\AppData\Roaming\icsys.icn.exe
\??\c:\windows\userinit.exe
c:\windows\userinit.exe
\??\c:\windows\spoolsw.exe
c:\windows\spoolsw.exe SE
\??\c:\windows\swchost.exe
c:\windows\swchost.exe
\??\c:\windows\spoolsw.exe
c:\windows\spoolsw.exe PR
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\userinit.exe RO
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\swchost.exe RO
\??\c:\windows\swchost.exe
c:\windows\swchost.exe RO
\??\c:\windows\userinit.exe
c:\windows\userinit.exe RO
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 216.58.213.67:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\jaffacakes118_07c618d6272d79b520cb54605f34f7e7.exe
| MD5 | 9d0d050170d47e778b624a28c90f23de |
| SHA1 | e3f7684f2f22b73d371c5cd3da9eb4b92b415dab |
| SHA256 | 48528aa9eb0c9fb5086d992ef1f9556c8249d267c2e3d4e681d5c8b6bc316c71 |
| SHA512 | 1277dbf43cb993a302e13e8512914023be6c9f5e28fa99aa6c0ee55ce8b25f4aa568a158d20912295ad633c027ee168463526eecdf9b61398331ce5d55aa560b |
C:\Users\Admin\AppData\Roaming\icsys.icn.exe
| MD5 | d1a54112c9c95aff82184ff9190141a8 |
| SHA1 | fff00d066ff5554173269e1616dfbbe224422f26 |
| SHA256 | a0979ffe86949a05698b76a5022069fc8d87301ea8c7e450c2e6bd293266ab67 |
| SHA512 | 404d77821ea034b1c264b676490a9c4e5b21e8a6c596a97414c92fd97428c5c47fd7db63263ed93c033e1335e42d18366d77a34e91804a82f1be02fba18ffc0b |
C:\Windows\userinit.exe
| MD5 | ddd2d1a232e0fdb439986325f92dbf41 |
| SHA1 | 4f2bbf975757ac2c8097ce98f4b723b8c74c47c6 |
| SHA256 | 6fb7f745dcea1e4d761ad6390040ddf5330913eb5410b54d85641027b12ff66b |
| SHA512 | 82e58d1cc1f1948c88c2b9ee78164db3999e31610fbebf7c28ad2d1135fb9356122a6d0a1e57cfe506070732ca2e186f4721503bd1d56aefb14c78cc0fe27c42 |
C:\Windows\spoolsw.exe
| MD5 | fe58cdade164c187bbfc682e0e587f41 |
| SHA1 | 3b0f4e00143d9617f24e94c2a9e9a440ebe819d4 |
| SHA256 | ce1621542a176abb1134e851f44beb51512b1b1b845de698f6fc8959ec61b1f3 |
| SHA512 | 82e12bcfa06bdd61ba1b3da43de9a5df1d22b7f15191f52ca1ccbb3f770430b0a2ef32dac4d935d88748683f6b8470ebaaa12a654fb6911ad5166060aca37c8c |
C:\Windows\swchost.exe
| MD5 | f9a5169cfe7d2fcabc18748608782065 |
| SHA1 | e3207abdf4d8dddbab5da3e5665444e8afe9c118 |
| SHA256 | add7243a12646529055684282652cd0f07143907545413ad25f18de94c2e7ed6 |
| SHA512 | ea172dc53f15b5fccaa8f308a06e88b9f0067d4502f1635bf3501ccd872f3fb87384a4598a3badee0d5bedc001505cb4b413d1b9521fd1b1b007608da5070d32 |
C:\Users\Admin\AppData\Local\mrsys.exe
| MD5 | 8b420720ca3ea988e940ea38a6c861d5 |
| SHA1 | 65e248eb55ddb02b655b3292eff40ee928067139 |
| SHA256 | 50b59c34be790d0f008b603b7bbcc71cee4ceead3f50500ebfce1445c2d478bf |
| SHA512 | 96095a0c533fcee4b4295388fe64eea42501f297d1fb4bbe1c86ae40977463c93430ace0677a2d17d875fcb86d0f0dbd6089049b2f4d3e6a1e79c4870baf221b |