Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-10-2024 23:30

General

  • Target

    7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    7b13d92a5bfc7ee0ee5d9c86eb07ce23

  • SHA1

    c2f5566d2a142388b9b7887c6e86ad9c619f8003

  • SHA256

    0e4e50cd144c54ef6eaae2464d15977f3b60b2001118cfe6392731ccc671137c

  • SHA512

    9e824a2ea95ffae8da28ec88ca6288250681a6064b8ac61210d12382f798121466d688ded6d18add1ddb85463a793d7b92cd97b13369598d832a1f6138600de1

  • SSDEEP

    24576:Rj/ZAILiXtDtrn+LCHVYmpRqQYAe9GIdUfd40Qb4B/cWy52:RT+gibn++HV3pcQY7bdU1Qu/BM2

Malware Config

Signatures

  • Detects Renamer worm. 2 IoCs

    Renamer aka Grenam is a worm written in Delphi.

  • Renamer family
  • Renamer, Grenam

    Renamer aka Grenam is a worm written in Delphi.

  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 19 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Suspicious use of SetThreadContext 17 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
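The "Drops autorun.inf file" signature above, together with the F:\autorun.inf artifact listed under Downloads, is the worm's removable-media spreading vector. Two practitioner caveats: since the 2011 AutoRun update (Windows 7 and later) Windows honours autorun.inf only on optical media, so this vector mainly reaches older or unpatched hosts; and the report records only the size and hashes of the dropped file, not its contents. The following is an added example (not from the sandbox report) that parses an autorun.inf and flags every entry that launches a program (open=, shellexecute=, shell\<verb>\command=), then runs the check against the root of a volume. The sample file inside it is constructed for illustration and is not the real F:\autorun.inf.

```python
"""Flag autorun.inf entries that launch a program.

Added example, not part of the sandbox report. SAMPLE_AUTORUN below is a
constructed file for illustration; the report does not show the real contents
of F:\\autorun.inf (only its size and hashes).
"""
import re
import tempfile
from pathlib import Path

# Keys in [autorun] that execute something when AutoRun/AutoPlay honours the file.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... entries (Explorer context-menu verbs) also run programs.
# Keys are lower-cased by parse_autorun(), so no IGNORECASE is needed here.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text: str) -> dict:
    """Return key -> value from the [autorun] section (section and keys case-insensitive)."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):   # blank lines and INI comments
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def exec_targets(entries: dict) -> list:
    """Return (key, target) for every entry that would launch a program."""
    return [(k, v) for k, v in entries.items()
            if k in EXEC_KEYS or SHELL_CMD_RE.match(k)]


def read_inf(path: Path) -> str:
    """autorun.inf may be ANSI or UTF-16 with BOM; decode accordingly."""
    data = path.read_bytes()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")


def scan_volume(root) -> list:
    """Check <root>/autorun.inf if present and return its executable entries."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    return exec_targets(parse_autorun(read_inf(inf)))


# Constructed sample (not the report's file): a worm pointing every hook at its copy.
SAMPLE_AUTORUN = """[AutoRun]
; constructed sample for illustration
open=secdrv.exe
icon=secdrv.exe,0
shell\\open\\command=secdrv.exe
shell\\explore\\command=secdrv.exe
"""


def demo() -> list:
    """Write the constructed sample to a temporary 'volume' and scan it."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "autorun.inf").write_bytes(SAMPLE_AUTORUN.encode("cp1252"))
        return scan_volume(d)


if __name__ == "__main__":
    for key, target in demo():
        print(f"autorun.inf launches a program: {key} = {target}")
```

On a live host, call scan_volume() with each removable drive root (for example "E:\\" or "F:\\"); the icon= entry is deliberately not flagged because it only names an icon resource and does not execute anything.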

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Users\Admin\AppData\Local\Temp\7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Users\Admin\AppData\Local\Temp\7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Users\Admin\AppData\Local\Temp\7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe"
          4⤵
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1892
          • C:\Users\Admin\AppData\Local\Temp\7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe"
            5⤵
            • Checks computer location settings
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1444
            • C:\Users\Admin\AppData\Local\Temp\7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe"
              6⤵
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:4408
              • C:\Users\Admin\AppData\Local\Temp\7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe
                "C:\Users\Admin\AppData\Local\Temp\7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe"
                7⤵
                • Drops startup file
                • Drops autorun.inf file
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:3932
            • C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:3508
              • C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2984
                • C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
                  "C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3744
                  • C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4952
                    • C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
                      "C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2936
                      • C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
                        "C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3420
                        • C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
                          "C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4832
                        • C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
                          "C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe"
                          12⤵
                          • Executes dropped EXE
                          • Adds Run key to start application
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4792
                      • C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
                        "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
                        11⤵
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4504
          • C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:624
            • C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:984
              • C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1144
                • C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
                  "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4144
                  • C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3236
                    • C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
                      "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2208
                      • C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
                        "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
                        11⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4868
                        • C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
                          "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
                          12⤵
                          • Executes dropped EXE
                          • Drops autorun.inf file
                          • Drops file in Program Files directory
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          PID:2616
                      • C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
                        "C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe"
                        11⤵
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:5076
                    • C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
                      "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
                      10⤵
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4272
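Two patterns in the tree above are worth turning into detection logic: the sample relaunches its own image six levels deep, with "Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory" on each parent, which is consistent with a process-hollowing style re-exec of a suspended self-copy; and the dropped payloads run from C:\Users\Admin\AppData\Roaming\Microsoft\ under names that resemble Windows service or driver names (AeLookupSvi.exe, LookupSvi.exe, ProfSvc.exe, secdrv.exe). The following is an added example (not part of the sandbox report) that runs both checks over process-creation events. The event list is hand-built from the PIDs and image paths shown in the tree; the event fields, the parent PID of the root process and the depth threshold are assumptions.

```python
"""Detection over process-creation events for the two patterns in the tree above.

Added example, not part of the sandbox report. ProcEvent is an assumed
minimal shape (Sysmon Event ID 1 style: pid, ppid, image); EVENTS is built
from the report's process tree, with the root's parent PID (1234) assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str


# Legitimate software rarely executes from the roaming Microsoft profile folder.
SUSPICIOUS_DIR = "\\appdata\\roaming\\microsoft\\"
# Nested self-launches at or beyond this depth are flagged (assumed threshold;
# browsers spawn same-image children, but not as a chain this deep).
SELF_SPAWN_DEPTH = 3


def self_spawn_depth(pid: int, by_pid: dict) -> int:
    """Count consecutive ancestors whose image path equals that of `pid`."""
    ev = by_pid.get(pid)
    depth = 0
    while ev is not None:
        parent = by_pid.get(ev.ppid)
        if parent is None or parent.image.lower() != ev.image.lower():
            break
        depth += 1
        ev = parent
    return depth


def analyze(events: list) -> dict:
    """Return PIDs per finding, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = {"self_spawn_chain": [], "exec_from_roaming_microsoft": []}
    for e in events:
        if self_spawn_depth(e.pid, by_pid) >= SELF_SPAWN_DEPTH:
            findings["self_spawn_chain"].append(e.pid)
        if SUSPICIOUS_DIR in e.image.lower():
            findings["exec_from_roaming_microsoft"].append(e.pid)
    return findings


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe")
ROAM = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\"

# Subset of the report's process tree; ppid 1234 for the root is an assumption.
EVENTS = [
    ProcEvent(4608, 1234, SAMPLE),
    ProcEvent(2992, 4608, SAMPLE),
    ProcEvent(2372, 2992, SAMPLE),
    ProcEvent(1892, 2372, SAMPLE),
    ProcEvent(1444, 1892, SAMPLE),
    ProcEvent(4408, 1444, SAMPLE),
    ProcEvent(3932, 4408, SAMPLE),
    ProcEvent(3508, 1444, ROAM + "AeLookupSvi.exe"),
    ProcEvent(2984, 3508, ROAM + "ProfSvc.exe"),
    ProcEvent(3744, 2984, ROAM + "ProfSvc.exe"),
    ProcEvent(4952, 3744, ROAM + "ProfSvc.exe"),
    ProcEvent(624, 1892, ROAM + "LookupSvi.exe"),
    ProcEvent(984, 624, ROAM + "secdrv.exe"),
]


if __name__ == "__main__":
    for name, pids in analyze(EVENTS).items():
        print(f"{name}: {pids}")
```

The self-spawn check deliberately keys on the image path rather than the file name, so a renamed copy (secdrv.exe has the same hashes as the submitted sample, per the Downloads section) starts its own chain and is caught by the path rule instead.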

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\7zFM.exe

    Filesize

    1.2MB

    MD5

    2fea9c25557997180f296578d43e2246

    SHA1

    8fcb9c13ee91282ced82a47b6fefb6bff0c99450

    SHA256

    7f87a34e9949886fd2b56ff7e8ebd89075a0b4ba49e07389e6445e0f59169e71

    SHA512

    86ef07fd665133c6790f4f21c34a45a6c121f4f811334ed210b526662b3f5df07c9a743af3c546d5ff8d427e39ee81b8533df2ffd995b473d5ef38b8b3b7cf51

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

    Filesize

    1.2MB

    MD5

    dbb014d07ab980eec4dc9a875a65cf2b

    SHA1

    756a2130d03b5215cbe14915accd260062b7d396

    SHA256

    57d58e6a79b0508780598cd05ebb0330c44e58a998fae723502e9cc81388ecd6

    SHA512

    a1947fd65d6095013d522fdcbe68234b1fdc9e9cae82f80aa2045bd09c42625498a9cc4d6979db3828cd0f44bb515d11a59f5b43758cda7dbf3da887308a3a34

  • C:\Program Files\Java\jdk-1.8\bin\vjavaws.ico

    Filesize

    4KB

    MD5

    38b41d03e9dfcbbd08210c5f0b50ba71

    SHA1

    2fbfde75ce9fe8423d8e7720bf7408cedcb57a70

    SHA256

    611f2cb2e03bd8dbcb584cd0a1c48accfba072dd3fc4e6d3144e2062553637f5

    SHA512

    ec97556b6ff6023d9e6302ba586ef27b1b54fbf7e8ac04ff318aa4694f13ad343049210ef17b7b603963984c1340589665d67d9c65fec0f91053ff43b1401ba9

  • C:\Program Files\Microsoft Office 15\ClientX64\vIntegratedOffice.ico

    Filesize

    4KB

    MD5

    3ea9bcbc01e1a652de5a6fc291a66d1a

    SHA1

    aee490d53ee201879dff37503a0796c77642a792

    SHA256

    a058bfd185fe714927e15642004866449bce425d34292a08af56d66cf03ebe6c

    SHA512

    7c740132f026341770b6a20575786da581d8a31850d0d680978a00cc4dfca1e848ef9cdc32e51bae680ea13f6cc0d7324c38765cb4e26dcb2e423aced7da0501

  • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\vmisc.ico

    Filesize

    4KB

    MD5

    fc27f73816c9f640d800cdc1c9294751

    SHA1

    e6c3d8835d1de4e9606e5588e741cd1be27398f6

    SHA256

    3cc5043caa157e5f9b1870527b8c323850bdae1e58d6760e4e895d2ab8a35a05

    SHA512

    9e36b96acc97bc7cd45e67a47f1ae7ab7d3818cc2fdaad147524ce9e4baedfaac9cd012923ec65db763bfd850c65b497376bb0694508bee59747f97bf1591fd4

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe.log

    Filesize

    676B

    MD5

    3bc2150211e33cd343b025da5a9b1457

    SHA1

    a180ee6e62a496a226590390651a1d3708c7b89c

    SHA256

    ff2e05f53cc9b927bed429bb2df53290223b459c49be1bea6b0ef13c52903787

    SHA512

    e192903a8d0855203615c2ddd60c45c791492327fcd8a025e1dd1744cc2a526a4e90b8619e19b170f3ed808f3cbe4c839dc86fc70d97c5b0fb86ea529b78442c

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\LookupSvi.exe.log

    Filesize

    128B

    MD5

    a5dcc7c9c08af7dddd82be5b036a4416

    SHA1

    4f998ca1526d199e355ffb435bae111a2779b994

    SHA256

    e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

    SHA512

    56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

  • C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe

    Filesize

    7KB

    MD5

    54b446b04c83570cc974ed428b416a63

    SHA1

    f6e9eb6319a45d381baef998ce45e50f247cbc7d

    SHA256

    ead396edbe63927c734b30f9275e52c4dde8fd3c1e53963cfdafb24f53e9fab4

    SHA512

    0d0129553c623c107d70d756c1d023f8f4463cd6d6517639e5ca2c79944285cfd23dffe98a3ca6c12b9d33501830de05c599d89d12a3ae5514ddd6c18b28e939

  • C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

    Filesize

    13KB

    MD5

    cf7e259dd0225ae86a29f5952bcb5b4d

    SHA1

    4c6b2363a754bcaa07edeee5b4837b464cfb5d5c

    SHA256

    bcf654651c834ff5f885a6ab272d000aa48acea1ebe68ce146c68c863c4736a8

    SHA512

    91c469f7b4d3c95177ccb013e3c16fe61fffa1fd631857f44bb335382b6c0c80d8bb178e72140178716312f49efbee45ccbe3467a01099561ab3ddf33b412b3a

  • C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

    Filesize

    1.2MB

    MD5

    7b13d92a5bfc7ee0ee5d9c86eb07ce23

    SHA1

    c2f5566d2a142388b9b7887c6e86ad9c619f8003

    SHA256

    0e4e50cd144c54ef6eaae2464d15977f3b60b2001118cfe6392731ccc671137c

    SHA512

    9e824a2ea95ffae8da28ec88ca6288250681a6064b8ac61210d12382f798121466d688ded6d18add1ddb85463a793d7b92cd97b13369598d832a1f6138600de1

  • F:\autorun.inf

    Filesize

    102B

    MD5

    5513829683bff23161ca7d8595c25c72

    SHA1

    9961b65bbd3bac109dddd3a161fc30650e8a7096

    SHA256

    94e323bd9071db7369ade16f45454e7a0dbfb6a39efddc1234c4719d1f7ee4c2

    SHA512

    308c84446106cda0a71e37b0de46aaf4b7361f9ddcc3c4c29f8e87da8acb606525dce8a42caf9d74e708c56b31c524f9535a2f5f4757c6c357401da1c495ddb6

  • memory/1444-22-0x0000000000400000-0x0000000000500000-memory.dmp

    Filesize

    1024KB

  • memory/1892-16-0x0000000000400000-0x000000000051A000-memory.dmp

    Filesize

    1.1MB

  • memory/1892-17-0x0000000074F90000-0x0000000075541000-memory.dmp

    Filesize

    5.7MB

  • memory/1892-19-0x0000000074F90000-0x0000000075541000-memory.dmp

    Filesize

    5.7MB

  • memory/1892-39-0x0000000074F90000-0x0000000075541000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-12-0x0000000074F90000-0x0000000075541000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-15-0x0000000074F90000-0x0000000075541000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-14-0x0000000074F90000-0x0000000075541000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-18-0x0000000074F90000-0x0000000075541000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-11-0x0000000000400000-0x0000000000528000-memory.dmp

    Filesize

    1.2MB

  • memory/2992-9-0x0000000074F90000-0x0000000075541000-memory.dmp

    Filesize

    5.7MB

  • memory/2992-13-0x0000000074F90000-0x0000000075541000-memory.dmp

    Filesize

    5.7MB

  • memory/2992-10-0x0000000074F90000-0x0000000075541000-memory.dmp

    Filesize

    5.7MB

  • memory/2992-7-0x0000000074F90000-0x0000000075541000-memory.dmp

    Filesize

    5.7MB

  • memory/2992-4-0x0000000000400000-0x0000000000534000-memory.dmp

    Filesize

    1.2MB

  • memory/3932-65-0x0000000000400000-0x00000000004DB000-memory.dmp

    Filesize

    876KB

  • memory/3932-66-0x0000000000400000-0x00000000004DB000-memory.dmp

    Filesize

    876KB

  • memory/4608-0-0x0000000074F92000-0x0000000074F93000-memory.dmp

    Filesize

    4KB

  • memory/4608-8-0x0000000074F90000-0x0000000075541000-memory.dmp

    Filesize

    5.7MB

  • memory/4608-3-0x0000000074F90000-0x0000000075541000-memory.dmp

    Filesize

    5.7MB

  • memory/4608-2-0x0000000074F90000-0x0000000075541000-memory.dmp

    Filesize

    5.7MB

  • memory/4608-1-0x0000000074F90000-0x0000000075541000-memory.dmp

    Filesize

    5.7MB

  • memory/4868-369-0x0000000000400000-0x00000000004EA000-memory.dmp

    Filesize

    936KB