Analysis
- max time kernel: 143s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/05/2024, 16:00 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: 2fe998b5b614163c8904ebb4c3be78db_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2fe998b5b614163c8904ebb4c3be78db_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: 2fe998b5b614163c8904ebb4c3be78db_JaffaCakes118.exe
- Size: 521KB
- MD5: 2fe998b5b614163c8904ebb4c3be78db
- SHA1: d14914ccbbd6630f7e59c09ee56f890a6d4d6c84
- SHA256: 14c8612af64a329292bf1504569cdec8cb526dfb53e3766a65a174e89de899a4
- SHA512: c2160be44aa189b74c9d4ba8ebc48f9f2abc84b6e9d1860c77d52d486c980c5da83bb14a82de471ec325a7bcf9235de4cbedda2388f1fb1ebb88de8b0afb9a22
- SSDEEP: 12288:z94hz08xqd0h7WgX3NaT9CP7acQXvQdgkyKL/IzGbUt577v:xWxq+hN3Nhdg/yqF
Malware Config
Signatures
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 2fe998b5b614163c8904ebb4c3be78db_JaffaCakes118.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: 2fe998b5b614163c8904ebb4c3be78db_JaffaCakes118.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: 2fe998b5b614163c8904ebb4c3be78db_JaffaCakes118.exe)
- Program crash (1 IoC)
  pid 1240 (WerFault.exe), pid_target 4744, procid_target 89
- Suspicious use of SetWindowsHookEx (10 IoCs)
  pid 4744 (2fe998b5b614163c8904ebb4c3be78db_JaffaCakes118.exe), 10 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\2fe998b5b614163c8904ebb4c3be78db_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2fe998b5b614163c8904ebb4c3be78db_JaffaCakes118.exe"
  PID: 4744
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\WerFault.exe (child of PID 4744)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 2548
    PID: 1240
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4744 -ip 4744
  PID: 3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
  PID: 5064
Network
- DNS to 8.8.8.8:53
  Request: 232.168.11.51.in-addr.arpa IN PTR
  Response: (none)
- DNS to 8.8.8.8:53
  Request: 77.190.18.2.in-addr.arpa IN PTR
  Response: 77.190.18.2.in-addr.arpa IN PTR a2-18-190-77.deploy.static.akamaitechnologies.com
- DNS to 8.8.8.8:53
  Request: api.getmagnoplay.com IN A
  Response: (none)
- DNS to 8.8.8.8:53
  Request: ssl.google-analytics.com IN A
  Response: ssl.google-analytics.com IN A 172.217.16.232
- HTTP from 2fe998b5b614163c8904ebb4c3be78db_JaffaCakes118.exe to 172.217.16.232:443
  Request:
  GET https://ssl.google-analytics.com/collect?v=1&tid=UA-61193665-1&ds=Cplus&z=E9535A1D-0C35-4545-9B6D-F147563C856F&cid=99E892E3-A034-4BBF-9202-99AFAB37A794&uid=1436473535535aIb7hra9wC&sc=start&dr=http://admin.getmagnoplay.com&cn=52a098095f1c1ee867000011&cs=540706f95f1c1e135400001c&cm=79_10194_15390&ck=ddl&cc=DDL&ci=VzPtIfRl&dl=admin.getmagnoplay.com&dh=LoadC&dp=admin.getmagnoplay.com&dt=MaxCore&cd=MaxCore&linkid=LoadC&ua==Mozilla/5.0%20(Windows%20NT%206.1;%20WOW64;%20Trident/7.0;%20rv:11.0)%20like%20Gecko&ec=ExecutionCplus&ea=Start_Application&el=3.2.650&ev=1&t=event HTTP/1.1
  Accept: */*
  Proxy-authorization: Basic
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
  Host: ssl.google-analytics.com
  Connection: Keep-Alive
  Response:
  HTTP/1.1 200 OK
  Pragma: no-cache
  X-Content-Type-Options: nosniff
  Cross-Origin-Resource-Policy: cross-origin
  Server: Golfe2
  Content-Length: 35
  Date: Thu, 09 May 2024 21:39:10 GMT
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Cache-Control: no-cache, no-store, must-revalidate
  Age: 66119
  Last-Modified: Sun, 17 May 1998 03:00:00 GMT
  Content-Type: image/gif
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
- HTTP from 2fe998b5b614163c8904ebb4c3be78db_JaffaCakes118.exe to 172.217.16.232:443
  Request:
  GET https://ssl.google-analytics.com/collect?v=1&tid=UA-61193665-1&ds=Cplus&z=E9535A1D-0C35-4545-9B6D-F147563C856F&cid=99E892E3-A034-4BBF-9202-99AFAB37A794&uid=1436473535535aIb7hra9wC&sc=start&dr=http://admin.getmagnoplay.com&cn=52a098095f1c1ee867000011&cs=540706f95f1c1e135400001c&cm=79_10194_15390&ck=ddl&cc=DDL&ci=VzPtIfRl&dl=admin.getmagnoplay.com&dh=LoadC&dp=admin.getmagnoplay.com&dt=MaxCore&cd=MaxCore&linkid=LoadC&ua==Mozilla/5.0%20(Windows%20NT%206.1;%20WOW64;%20Trident/7.0;%20rv:11.0)%20like%20Gecko&ec=ExecutionCplus&ea=UAC_YES&el=3.2.650&ev=2&t=event HTTP/1.1
  Accept: */*
  Proxy-authorization: Basic
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
  Host: ssl.google-analytics.com
  Connection: Keep-Alive
  Response:
  HTTP/1.1 200 OK
  Pragma: no-cache
  X-Content-Type-Options: nosniff
  Cross-Origin-Resource-Policy: cross-origin
  Server: Golfe2
  Content-Length: 35
  Date: Thu, 09 May 2024 20:55:31 GMT
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Cache-Control: no-cache, no-store, must-revalidate
  Age: 68738
  Last-Modified: Sun, 17 May 1998 03:00:00 GMT
  Content-Type: image/gif
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
- HTTP from 2fe998b5b614163c8904ebb4c3be78db_JaffaCakes118.exe to 172.217.16.232:443
  Request:
  GET https://ssl.google-analytics.com/collect?v=1&tid=UA-61193665-1&ds=Cplus&z=E9535A1D-0C35-4545-9B6D-F147563C856F&cid=99E892E3-A034-4BBF-9202-99AFAB37A794&uid=1436473535535aIb7hra9wC&sc=start&dr=http://admin.getmagnoplay.com&cn=52a098095f1c1ee867000011&cs=540706f95f1c1e135400001c&cm=79_10194_15390&ck=ddl&cc=DDL&ci=VzPtIfRl&dl=admin.getmagnoplay.com&dh=LoadC&dp=admin.getmagnoplay.com&dt=MaxCore&cd=MaxCore&linkid=LoadC&ua==Mozilla/5.0%20(Windows%20NT%206.1;%20WOW64;%20Trident/7.0;%20rv:11.0)%20like%20Gecko&ec=ExecutionCplus&ea=Navigate2&el=3.2.650&ev=3&t=event HTTP/1.1
  Accept: */*
  Proxy-authorization: Basic
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
  Host: ssl.google-analytics.com
  Connection: Keep-Alive
  Response:
  HTTP/1.1 200 OK
  Pragma: no-cache
  X-Content-Type-Options: nosniff
  Cross-Origin-Resource-Policy: cross-origin
  Server: Golfe2
  Content-Length: 35
  Date: Thu, 09 May 2024 20:55:31 GMT
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Cache-Control: no-cache, no-store, must-revalidate
  Age: 68738
  Last-Modified: Sun, 17 May 1998 03:00:00 GMT
  Content-Type: image/gif
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
- DNS to 8.8.8.8:53
  Request: 232.16.217.172.in-addr.arpa IN PTR
  Response: 232.16.217.172.in-addr.arpa IN PTR mad08s04-in-f8.1e100.net; 232.16.217.172.in-addr.arpa IN PTR lhr48s28-in-f8
- DNS to 8.8.8.8:53
  Request: 232.16.217.172.in-addr.arpa IN PTR
  Response: (none)
- DNS to 8.8.8.8:53
  Request: 195.187.250.142.in-addr.arpa IN PTR
  Response: 195.187.250.142.in-addr.arpa IN PTR lhr25s33-in-f31.1e100.net
- DNS to 8.8.8.8:53
  Request: 157.123.68.40.in-addr.arpa IN PTR
  Response: (none)
- DNS to 8.8.8.8:53
  Request: 138.32.126.40.in-addr.arpa IN PTR
  Response: (none)
- DNS to 8.8.8.8:53
  Request: 95.221.229.192.in-addr.arpa IN PTR
  Response: (none)
- DNS to 8.8.8.8:53
  Request: 171.39.242.20.in-addr.arpa IN PTR
  Response: (none)
- DNS to 8.8.8.8:53
  Request: 31.121.18.2.in-addr.arpa IN PTR
  Response: 31.121.18.2.in-addr.arpa IN PTR a2-18-121-31.deploy.static.akamaitechnologies.com
- DNS to 8.8.8.8:53
  Request: 28.118.140.52.in-addr.arpa IN PTR
  Response: (none)
- DNS to 8.8.8.8:53
  Request: 154.239.44.20.in-addr.arpa IN PTR
  Response: (none)
- DNS to 8.8.8.8:53
  Request: 79.190.18.2.in-addr.arpa IN PTR
  Response: 79.190.18.2.in-addr.arpa IN PTR a2-18-190-79.deploy.static.akamaitechnologies.com
- DNS to 8.8.8.8:53
  Request: 14.227.111.52.in-addr.arpa IN PTR
  Response: (none)
- DNS to 8.8.8.8:53
  Request: 8.179.89.13.in-addr.arpa IN PTR
  Response: (none)
Connections (traffic figures as reported)
- 172.217.16.232:443 (tls, http) from 2fe998b5b614163c8904ebb4c3be78db_JaffaCakes118.exe: 2.5kB 6.0kB 13 9
  HTTP Request: GET https://ssl.google-analytics.com/collect (query with ea=Start_Application&ev=1; full URL in the HTTP listing above) -> HTTP Response 200
- 172.217.16.232:443 (tls, http) from 2fe998b5b614163c8904ebb4c3be78db_JaffaCakes118.exe: 2.6kB 6.6kB 16 10
  HTTP Request: GET https://ssl.google-analytics.com/collect (query with ea=UAC_YES&ev=2; full URL in the HTTP listing above) -> HTTP Response 200
  HTTP Request: GET https://ssl.google-analytics.com/collect (query with ea=Navigate2&ev=3; full URL in the HTTP listing above) -> HTTP Response 200
- 92 B 40 B 2 1
- 72 B 158 B 1 1: DNS Request 232.168.11.51.in-addr.arpa
- 70 B 133 B 1 1: DNS Request 77.190.18.2.in-addr.arpa
- 66 B 139 B 1 1: DNS Request api.getmagnoplay.com
- 70 B 86 B 1 1: DNS Request ssl.google-analytics.com, DNS Response 172.217.16.232
- 146 B 140 B 2 1: DNS Request 232.16.217.172.in-addr.arpa (2 requests)
- 74 B 112 B 1 1: DNS Request 195.187.250.142.in-addr.arpa
- 72 B 146 B 1 1: DNS Request 157.123.68.40.in-addr.arpa
- 72 B 158 B 1 1: DNS Request 138.32.126.40.in-addr.arpa
- 73 B 144 B 1 1: DNS Request 95.221.229.192.in-addr.arpa
- 72 B 158 B 1 1: DNS Request 171.39.242.20.in-addr.arpa
- 70 B 133 B 1 1: DNS Request 31.121.18.2.in-addr.arpa
- 72 B 158 B 1 1: DNS Request 28.118.140.52.in-addr.arpa
- 72 B 158 B 1 1: DNS Request 154.239.44.20.in-addr.arpa
- 70 B 133 B 1 1: DNS Request 79.190.18.2.in-addr.arpa
- 72 B 158 B 1 1: DNS Request 14.227.111.52.in-addr.arpa
- 70 B 144 B 1 1: DNS Request 8.179.89.13.in-addr.arpa