renamer | e2d1b0d24ef3372c4e89cab1cd52a0cbd862a76d9dcec3b3d8e9173da4791685 | Triage

Submit
Reports

Overview

overview

Static

static

3

6f39bef2b9...18.exe

windows7-x64

6f39bef2b9...18.exe

windows10-2004-x64

Sharing

General

Target

6f39bef2b991c3a0af1b5f6627d86a35_JaffaCakes118
Size

1.2MB
Sample

241023-q13yaaveqn
MD5

6f39bef2b991c3a0af1b5f6627d86a35
SHA1

2fdacae9eece2a9ce3490c3a387d6c490335a2d6
SHA256

e2d1b0d24ef3372c4e89cab1cd52a0cbd862a76d9dcec3b3d8e9173da4791685
SHA512

6cface4c65f11246f74afa3d2cb9592950a42946e959219c2d49ab7dfb29cc727b7f5b0e20dc9dfc523bbf0136d21517a7b99149ea6bdae0bbd3618f9e0b0a78
SSDEEP

24576:IMc1bS0R6crXjYp36O1aNjoWBFJDq9SpCxfzs2o2SV/deDrgO:IMcxS0RTrzYp3/oNEWxq8pCRzro2SV/u

Score

10^/10

renamer discovery worm

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

6f39bef2b991c3a0af1b5f6627d86a35_JaffaCakes118.exe

Resource

win7-20240903-en

renamer discovery worm

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

6f39bef2b991c3a0af1b5f6627d86a35_JaffaCakes118.exe

Resource

win10v2004-20241007-en

renamer discovery worm

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  6f39bef2b991c3a0af1b5f6627d86a35_JaffaCakes118
- Size
  
  1.2MB
- MD5
  
  6f39bef2b991c3a0af1b5f6627d86a35
- SHA1
  
  2fdacae9eece2a9ce3490c3a387d6c490335a2d6
- SHA256
  
  e2d1b0d24ef3372c4e89cab1cd52a0cbd862a76d9dcec3b3d8e9173da4791685
- SHA512
  
  6cface4c65f11246f74afa3d2cb9592950a42946e959219c2d49ab7dfb29cc727b7f5b0e20dc9dfc523bbf0136d21517a7b99149ea6bdae0bbd3618f9e0b0a78
- SSDEEP
  
  24576:IMc1bS0R6crXjYp36O1aNjoWBFJDq9SpCxfzs2o2SV/deDrgO:IMcxS0RTrzYp3/oNEWxq8pCRzro2SV/u
Score

10^/10

renamer discovery worm
- Detects Renamer worm.
  Renamer aka Grename is worm written in Delphi.
- Renamer, Grenam
  Renamer aka Grenam is a worm written in Delphi.
  worm renamer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

renamerdiscoveryworm

behavioral2

renamerdiscoveryworm

© 2018-2024

Terms | Privacy