Malware Analysis Report

2024-11-30 13:35

Sample ID 240604-fxf91aec6z
Target 93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118
SHA256 28c8a166dc636c9e43e962daee7b3a8ca63ea479576fcf38032ec6a1338699b4
Tags
pyinstaller
score
7/10

Analysis Overview

score
7/10

SHA256

28c8a166dc636c9e43e962daee7b3a8ca63ea479576fcf38032ec6a1338699b4

Threat Level: Shows suspicious behavior

The file 93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Detects Pyinstaller

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-04 05:14

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 05:14

Reported

2024-06-04 05:17

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic csproduct get uuid

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI19882\NeoRbx.exe.manifest

MD5 3125b867a48e15afc4f9cb5b522454d7
SHA1 1563e10af374e377b5d938f2a32c99ca9e54c48b
SHA256 6fc996f998e917f728e4c537b88c161bd22c99affca81efa72dd2908ea008e66
SHA512 b6944143d150fc6f7afe9f47d0e3ffaa5759e3163baeb3e527896fdb91e5e5f60454cf0cc7ff8aa69f524d3e907c031d28ac5e8922a35380c80f96ed982bdf5b

C:\Users\Admin\AppData\Local\Temp\_MEI19882\python36.dll

MD5 e858ff34574ee03bcb8fd6ec7749a3af
SHA1 df44dd4e6a67f986d505fcf5da53ac3c55d71afe
SHA256 66587cdcfc128e67942feb92ccbf166ad1fac37e70df9626b9d75eb44264657a
SHA512 290adf8f6d116aa7472634a359dd54f67a6193ffc7b1735a76cdc4d5a8654f7acacc9964ded1b4c2a540f838e6ad35dbb6e6183f947d65fb44e210910246719d

C:\Users\Admin\AppData\Local\Temp\_MEI19882\VCRUNTIME140.dll

MD5 a2523ea6950e248cbdf18c9ea1a844f6
SHA1 549c8c2a96605f90d79a872be73efb5d40965444
SHA256 6823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4
SHA512 2141c041b6bdbee9ec10088b9d47df02bf72143eb3619e8652296d617efd77697f4dc8727d11998695768843b4e94a47b1aed2c6fb9f097ffc8a42ca7aaaf66a

C:\Users\Admin\AppData\Local\Temp\_MEI19882\base_library.zip

MD5 275b01e39b3933058980051fdcf29fac
SHA1 1956120ff0f4b12a5cc0c7c0ec470122b53389a2
SHA256 2aadc09c42391bea3f57ff4fd4d4a1ca5cfc6ca30914e35f675168d7b7da1c45
SHA512 faefa7e4b1eb7f341d9cb99c1b3713dcff7e692efd958df06d47efe5aae49b4b90cad28563714a1cf6f935c4d152184cb4341cff1f8ad52d13a2278c266f64ae

C:\Users\Admin\AppData\Local\Temp\_MEI19882\_ctypes.pyd

MD5 e48f77552b4272cd322a5871eaa04bb4
SHA1 a15add87ecddeea2665eb74ab428aa9da38d7913
SHA256 7502dde8293e19024230ecf8c26b7b9169b5be302c05f964675d3a69dcb12b98
SHA512 a44a6230e6b08ea58eb5aa1709f0121dbcdd88d94335c364bfc750be4bdd8abc288db4dea970e50464b9177e03e461cb3422d323287224396033442e132e8b1a

C:\Users\Admin\AppData\Local\Temp\_MEI19882\_lzma.pyd

MD5 ba76460479ea4a1c29b69810d8890e6c
SHA1 9d06f621d46937d02f57454a94bbaf606ad3ce10
SHA256 576f184f905ef008ecfd7c7f1cdb4eb1d7d62d1d8bacf53705d7011032ec4b35
SHA512 601a1b2b9fbc102b945c66d3267bb889687e4d39609c0c8c7e18491711dfb2520cd557540553da8e9fa43bc73ed0f15580cf838e0b12d87a0538427f27129900

C:\Users\Admin\AppData\Local\Temp\_MEI19882\_bz2.pyd

MD5 71e21c31f062e87128896b8479aa42e7
SHA1 82ebbb0f8e36b74b937988c5125e53283d7b787a
SHA256 7ac6b18230c416ed697dd5a7b4b256517582601ff7fb3a2054d6e76cc3e9ba6b
SHA512 9a3f9708fb5ccbee972227d7aa946be7a879129688da2b5e8d5d861e1a5512010792c40862fdc6d7dbe4396133c593a2ba8000c677a0b1abafa4b8df184e0f8b

C:\Users\Admin\AppData\Local\Temp\_MEI19882\_hashlib.pyd

MD5 60c61c3644981a26de376fa0b827cb07
SHA1 f16402e7475be9ff2a978c8d6712f026e353f658
SHA256 f86358ba06a4dd02dcac7e457724f10f0ba4f4618c8ae22660fa42ecd28ae284
SHA512 fb63605a68326dce7188248c8f60e6bb4b405820c60c9b556ecba93a204ad3d47692eaebcc23e754b079b56dedaaa9bc4436f82fd1882e4697d4b5cf675f7325

C:\Users\Admin\AppData\Local\Temp\_MEI19882\_ssl.pyd

MD5 0f43f328684423cc7b877d2b26b6af86
SHA1 558e5610661956957834e942aa26c01f8ccbebf7
SHA256 71e5c04d7b6fb5c93a3800b617213b38b1fa765350f767e80e4eefdbebd48afd
SHA512 edfa5daa40ad126ba3578e7a31f914d6af7d742663abfaa96e2ebb078553ec90c2ad61932a9db4df35ea6bdcb4c7cf497634334da0160a86d541a7ea5d80ed7b

C:\Users\Admin\AppData\Local\Temp\_MEI19882\select.pyd

MD5 5497a4fd07a72a0cd5e718556da11e4f
SHA1 2581217ccd9e42986a937342319005274453a300
SHA256 518452a64895022e77c85529da200779b60b8f644358fc78e8f976853ab263c0
SHA512 26275f9ad05c20e13448df251d1f752ea353867c2b19b42cbfa5a0ee310f990c200e84106ad5d1cf3699b3c9d78e08b45cc760479fc9cbe5ad52ad18c89e91b9

C:\Users\Admin\AppData\Local\Temp\_MEI19882\_socket.pyd

MD5 a4237fca7dce645bc07babcd7336426c
SHA1 106e2bf89c2467383795f53e730eb7f10af15a9f
SHA256 5b5da54aa1321f38e4738d4c6e3556e28770a750c61296e69cc35810d65e6675
SHA512 f905878ef039feb19f42c5c83517c1c33270fe4078ad364b7248e474284a1edd28b7addb5175c9ebef1d945cac1591859678c0725b2d2f9913fbd405121c01e9

C:\Users\Admin\AppData\Local\Temp\_MEI19882\tk86t.dll

MD5 a4b61a3c43a33b157085599e082e2958
SHA1 13578cae75ed6292a6eef5a5a22da5435ecfb732
SHA256 888b2c2c8e862e8215e74d59a255da18f7885e30da93bd8c9288c06a094a3ccd
SHA512 7d718d779c5a9aa0b0dd1cf638b45ee796bc41f595f587174c8e46e26c32e5d8622dec615bc027b67a07e10cbab840d3088a20d3b0470226f8cb9327ee93761d

C:\Users\Admin\AppData\Local\Temp\_MEI19882\tcl86t.dll

MD5 035f24e4f71db9fe2e5d0b233835b317
SHA1 e51d711b6d8d8348608227b27bc88305c98ce4f9
SHA256 b244e4db8095866ef3bc1be326dc0732f3e3266bab1672a24fe8caa6b42a4b4a
SHA512 23789d4b9fd55bda25afa0ad298030523586ab15bd355060eb839305011624053b7efcc0755a436497f29ae70b743974774960ffd64777c492201dd8edce1826

C:\Users\Admin\AppData\Local\Temp\_MEI19882\_tkinter.pyd

MD5 890dccf2312335d2b7033f43a50f6a1d
SHA1 f39497edb037ebdad6209ed309588196a39da509
SHA256 69176bc0a397253294da62c5ce797498992e35a1c33c24fad538a4bd876d322b
SHA512 cc7ad81299bbc03b623afb4e2a48e7d65ea7d6a3eb2fa94eeaca7e4522ffdfd7e342495041a0824b9f58f70f408aa150c202fa0f45c7056f5888d0058a67555a

C:\Users\Admin\AppData\Local\Temp\_MEI19882\unicodedata.pyd

MD5 78027ce0ab903b63daf977714463f476
SHA1 3c70a52d019f53bd9a30faf593755f0945d05a23
SHA256 1da14014649b632fb660c59d3a08dce35367af7ab41201142b0fa21b4b40702b
SHA512 15f8b287865f029e888ff03b45ea9a37aa982c02b819c73c8d12e5c1d75ce76b3f9288287e52d0da0f1175b3b9f0ed43e31333708bd47d031983e9735ae081d1

C:\Users\Admin\AppData\Local\Temp\_MEI19882\tcl\encoding\cp1252.enc

MD5 5900f51fd8b5ff75e65594eb7dd50533
SHA1 2e21300e0bc8a847d0423671b08d3c65761ee172
SHA256 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0
SHA512 ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 05:14

Reported

2024-06-04 05:17

Platform

win7-20240221-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe
PID 2084 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe
PID 2084 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe
PID 2084 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe
PID 2672 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2672 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2672 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2672 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\93b61cf1db70c74ef352b8cddeb41c77_JaffaCakes118.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic csproduct get uuid

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI20842\NeoRbx.exe.manifest

MD5 3125b867a48e15afc4f9cb5b522454d7
SHA1 1563e10af374e377b5d938f2a32c99ca9e54c48b
SHA256 6fc996f998e917f728e4c537b88c161bd22c99affca81efa72dd2908ea008e66
SHA512 b6944143d150fc6f7afe9f47d0e3ffaa5759e3163baeb3e527896fdb91e5e5f60454cf0cc7ff8aa69f524d3e907c031d28ac5e8922a35380c80f96ed982bdf5b

C:\Users\Admin\AppData\Local\Temp\_MEI20842\python36.dll

MD5 e858ff34574ee03bcb8fd6ec7749a3af
SHA1 df44dd4e6a67f986d505fcf5da53ac3c55d71afe
SHA256 66587cdcfc128e67942feb92ccbf166ad1fac37e70df9626b9d75eb44264657a
SHA512 290adf8f6d116aa7472634a359dd54f67a6193ffc7b1735a76cdc4d5a8654f7acacc9964ded1b4c2a540f838e6ad35dbb6e6183f947d65fb44e210910246719d

\Users\Admin\AppData\Local\Temp\_MEI20842\VCRUNTIME140.dll

MD5 a2523ea6950e248cbdf18c9ea1a844f6
SHA1 549c8c2a96605f90d79a872be73efb5d40965444
SHA256 6823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4
SHA512 2141c041b6bdbee9ec10088b9d47df02bf72143eb3619e8652296d617efd77697f4dc8727d11998695768843b4e94a47b1aed2c6fb9f097ffc8a42ca7aaaf66a

C:\Users\Admin\AppData\Local\Temp\_MEI20842\base_library.zip

MD5 275b01e39b3933058980051fdcf29fac
SHA1 1956120ff0f4b12a5cc0c7c0ec470122b53389a2
SHA256 2aadc09c42391bea3f57ff4fd4d4a1ca5cfc6ca30914e35f675168d7b7da1c45
SHA512 faefa7e4b1eb7f341d9cb99c1b3713dcff7e692efd958df06d47efe5aae49b4b90cad28563714a1cf6f935c4d152184cb4341cff1f8ad52d13a2278c266f64ae

C:\Users\Admin\AppData\Local\Temp\_MEI20842\_ctypes.pyd

MD5 e48f77552b4272cd322a5871eaa04bb4
SHA1 a15add87ecddeea2665eb74ab428aa9da38d7913
SHA256 7502dde8293e19024230ecf8c26b7b9169b5be302c05f964675d3a69dcb12b98
SHA512 a44a6230e6b08ea58eb5aa1709f0121dbcdd88d94335c364bfc750be4bdd8abc288db4dea970e50464b9177e03e461cb3422d323287224396033442e132e8b1a

C:\Users\Admin\AppData\Local\Temp\_MEI20842\_bz2.pyd

MD5 71e21c31f062e87128896b8479aa42e7
SHA1 82ebbb0f8e36b74b937988c5125e53283d7b787a
SHA256 7ac6b18230c416ed697dd5a7b4b256517582601ff7fb3a2054d6e76cc3e9ba6b
SHA512 9a3f9708fb5ccbee972227d7aa946be7a879129688da2b5e8d5d861e1a5512010792c40862fdc6d7dbe4396133c593a2ba8000c677a0b1abafa4b8df184e0f8b

\Users\Admin\AppData\Local\Temp\_MEI20842\_lzma.pyd

MD5 ba76460479ea4a1c29b69810d8890e6c
SHA1 9d06f621d46937d02f57454a94bbaf606ad3ce10
SHA256 576f184f905ef008ecfd7c7f1cdb4eb1d7d62d1d8bacf53705d7011032ec4b35
SHA512 601a1b2b9fbc102b945c66d3267bb889687e4d39609c0c8c7e18491711dfb2520cd557540553da8e9fa43bc73ed0f15580cf838e0b12d87a0538427f27129900

\Users\Admin\AppData\Local\Temp\_MEI20842\_socket.pyd

MD5 a4237fca7dce645bc07babcd7336426c
SHA1 106e2bf89c2467383795f53e730eb7f10af15a9f
SHA256 5b5da54aa1321f38e4738d4c6e3556e28770a750c61296e69cc35810d65e6675
SHA512 f905878ef039feb19f42c5c83517c1c33270fe4078ad364b7248e474284a1edd28b7addb5175c9ebef1d945cac1591859678c0725b2d2f9913fbd405121c01e9

C:\Users\Admin\AppData\Local\Temp\_MEI20842\select.pyd

MD5 5497a4fd07a72a0cd5e718556da11e4f
SHA1 2581217ccd9e42986a937342319005274453a300
SHA256 518452a64895022e77c85529da200779b60b8f644358fc78e8f976853ab263c0
SHA512 26275f9ad05c20e13448df251d1f752ea353867c2b19b42cbfa5a0ee310f990c200e84106ad5d1cf3699b3c9d78e08b45cc760479fc9cbe5ad52ad18c89e91b9

C:\Users\Admin\AppData\Local\Temp\_MEI20842\_ssl.pyd

MD5 0f43f328684423cc7b877d2b26b6af86
SHA1 558e5610661956957834e942aa26c01f8ccbebf7
SHA256 71e5c04d7b6fb5c93a3800b617213b38b1fa765350f767e80e4eefdbebd48afd
SHA512 edfa5daa40ad126ba3578e7a31f914d6af7d742663abfaa96e2ebb078553ec90c2ad61932a9db4df35ea6bdcb4c7cf497634334da0160a86d541a7ea5d80ed7b

C:\Users\Admin\AppData\Local\Temp\_MEI20842\_hashlib.pyd

MD5 60c61c3644981a26de376fa0b827cb07
SHA1 f16402e7475be9ff2a978c8d6712f026e353f658
SHA256 f86358ba06a4dd02dcac7e457724f10f0ba4f4618c8ae22660fa42ecd28ae284
SHA512 fb63605a68326dce7188248c8f60e6bb4b405820c60c9b556ecba93a204ad3d47692eaebcc23e754b079b56dedaaa9bc4436f82fd1882e4697d4b5cf675f7325

C:\Users\Admin\AppData\Local\Temp\_MEI20842\unicodedata.pyd

MD5 78027ce0ab903b63daf977714463f476
SHA1 3c70a52d019f53bd9a30faf593755f0945d05a23
SHA256 1da14014649b632fb660c59d3a08dce35367af7ab41201142b0fa21b4b40702b
SHA512 15f8b287865f029e888ff03b45ea9a37aa982c02b819c73c8d12e5c1d75ce76b3f9288287e52d0da0f1175b3b9f0ed43e31333708bd47d031983e9735ae081d1

C:\Users\Admin\AppData\Local\Temp\_MEI20842\_tkinter.pyd

MD5 890dccf2312335d2b7033f43a50f6a1d
SHA1 f39497edb037ebdad6209ed309588196a39da509
SHA256 69176bc0a397253294da62c5ce797498992e35a1c33c24fad538a4bd876d322b
SHA512 cc7ad81299bbc03b623afb4e2a48e7d65ea7d6a3eb2fa94eeaca7e4522ffdfd7e342495041a0824b9f58f70f408aa150c202fa0f45c7056f5888d0058a67555a

C:\Users\Admin\AppData\Local\Temp\_MEI20842\tcl86t.dll

MD5 035f24e4f71db9fe2e5d0b233835b317
SHA1 e51d711b6d8d8348608227b27bc88305c98ce4f9
SHA256 b244e4db8095866ef3bc1be326dc0732f3e3266bab1672a24fe8caa6b42a4b4a
SHA512 23789d4b9fd55bda25afa0ad298030523586ab15bd355060eb839305011624053b7efcc0755a436497f29ae70b743974774960ffd64777c492201dd8edce1826

C:\Users\Admin\AppData\Local\Temp\_MEI20842\tk86t.dll

MD5 a4b61a3c43a33b157085599e082e2958
SHA1 13578cae75ed6292a6eef5a5a22da5435ecfb732
SHA256 888b2c2c8e862e8215e74d59a255da18f7885e30da93bd8c9288c06a094a3ccd
SHA512 7d718d779c5a9aa0b0dd1cf638b45ee796bc41f595f587174c8e46e26c32e5d8622dec615bc027b67a07e10cbab840d3088a20d3b0470226f8cb9327ee93761d

C:\Users\Admin\AppData\Local\Temp\_MEI20842\tcl\encoding\cp1252.enc

MD5 5900f51fd8b5ff75e65594eb7dd50533
SHA1 2e21300e0bc8a847d0423671b08d3c65761ee172
SHA256 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0
SHA512 ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc