renamer | 2812cb2490f12a37dc179559ed92d77db00ac0ea67e44d0c17185627bcb006e3

Analysis

max time kernel
140s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
Size

816KB
MD5

8bbcaa08f92a14c34530dcccf8a0e495
SHA1

a81533447e350db90507b54490c821531f9fbc69
SHA256

2812cb2490f12a37dc179559ed92d77db00ac0ea67e44d0c17185627bcb006e3
SHA512

c6e6556264921e9eae4b2cabe3d4a7f57748e3e5625fcf0e48af714840c436f6e38be94caf32104538f7329b2fcdafa288d04373c66fdeaa0590e956531fea6d
SSDEEP

12288:gqkAx8i7pC8PapFTUt6xIuFrb9OKcEKfBKSNqvnSNgFCV4tuR8888888888888WX:N8i7pjPapFTUt6xIyHGBKSNqvn5m4tkh

Score

10^/10

renamer discovery persistence worm

Malware Config

Signatures

Detects Renamer worm. 3 IoCs

Renamer aka Grename is worm written in Delphi.

resource	yara_rule
behavioral2/files/0x00050000000227cb-8.dat	family_renamer
behavioral2/memory/448-377-0x0000000000400000-0x00000000004D8000-memory.dmp	family_renamer
behavioral2/memory/5848-379-0x0000000000400000-0x00000000004D8000-memory.dmp	family_renamer

Renamer family
renamer
Renamer, Grenam
Renamer aka Grenam is a worm written in Delphi.
worm renamer

Executes dropped EXE 1 IoCs

pid	Process
448	Paint.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Paint.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Paint.exe"	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	Paint.exe
File opened for modification	F:\autorun.inf	Paint.exe
File opened for modification	F:\autorun.inf	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\autorun.inf	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\vmisc.exe	Paint.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui	Paint.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	Paint.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe	Paint.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCX6C60.tmp	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Paint.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	Paint.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui	Paint.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	Paint.exe
File opened for modification	C:\Program Files\Windows Media Player\setup_wm.exe	Paint.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\vcookie_exporter.ico	Paint.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX6C10.tmp	Paint.exe
File created	C:\Program Files\Mozilla Firefox\vcrashreporter.ico	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\vAppVShNotify.exe	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\vjavaws.exe	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	Paint.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\vOfficeC2RClient.exe	Paint.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\vchrome.exe.sig	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	Paint.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\vjarsigner.exe	Paint.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX6CB2.tmp	Paint.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Paint.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui	Paint.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\vchrmstp.exe	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vidlj.ico	Paint.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\vjava.exe	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	Paint.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui	Paint.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\vmisc.ico	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui	Paint.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Paint.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	Paint.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\RCX6AB6.tmp	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe	Paint.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vMavInject32.ico	Paint.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui	Paint.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	Paint.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	Paint.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\RCX6A29.tmp	Paint.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\RCX6A77.tmp	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\vcookie_exporter.exe	Paint.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui	Paint.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe	Paint.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File created	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\7-Zip\RCX6766.tmp	Paint.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vjavap.ico	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	Paint.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe	Paint.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	Paint.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bfsvc.exe	Paint.exe
File opened for modification	C:\Windows\bfsvc.exe	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paint.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 448	2020	cmd.exe	89
PID 2020 wrote to memory of 448	2020	cmd.exe	89
PID 2020 wrote to memory of 448	2020	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bbcaa08f92a14c34530dcccf8a0e495.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Paint.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Roaming\Paint.exe
  C:\Users\Admin\AppData\Roaming\Paint.exe
  2⤵
  - Executes dropped EXE
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\vMicrosoftEdgeUpdate.ico

Filesize
4KB

MD5
cc254d98086f62d8f1ac846e2b457791

SHA1
19c513a45447c9b050f7cc8d53d17537d2ab5694

SHA256
ee17bf1d6e10e84f02b7bf2c40c2e4eaaaff12393b2506d8f40aefb7dbee4f9b

SHA512
76f9f66717f8fe0ebb575a52a42b8bffa0977f7e363ad4a7a759c552e1668e171509ed59d0d5a270b4abdf5bd4a380de1a1f52104cce5e4a8451b4d7cd4d589a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\vjavaw.ico

Filesize
4KB

MD5
38b41d03e9dfcbbd08210c5f0b50ba71

SHA1
2fbfde75ce9fe8423d8e7720bf7408cedcb57a70

SHA256
611f2cb2e03bd8dbcb584cd0a1c48accfba072dd3fc4e6d3144e2062553637f5

SHA512
ec97556b6ff6023d9e6302ba586ef27b1b54fbf7e8ac04ff318aa4694f13ad343049210ef17b7b603963984c1340589665d67d9c65fec0f91053ff43b1401ba9

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\vIntegratedOffice.ico

Filesize
4KB

MD5
3ea9bcbc01e1a652de5a6fc291a66d1a

SHA1
aee490d53ee201879dff37503a0796c77642a792

SHA256
a058bfd185fe714927e15642004866449bce425d34292a08af56d66cf03ebe6c

SHA512
7c740132f026341770b6a20575786da581d8a31850d0d680978a00cc4dfca1e848ef9cdc32e51bae680ea13f6cc0d7324c38765cb4e26dcb2e423aced7da0501

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\vmisc.ico

Filesize
4KB

MD5
fc27f73816c9f640d800cdc1c9294751

SHA1
e6c3d8835d1de4e9606e5588e741cd1be27398f6

SHA256
3cc5043caa157e5f9b1870527b8c323850bdae1e58d6760e4e895d2ab8a35a05

SHA512
9e36b96acc97bc7cd45e67a47f1ae7ab7d3818cc2fdaad147524ce9e4baedfaac9cd012923ec65db763bfd850c65b497376bb0694508bee59747f97bf1591fd4

Download Submit
C:\Users\Admin\AppData\Roaming\Paint.exe

Filesize
816KB

MD5
8bbcaa08f92a14c34530dcccf8a0e495

SHA1
a81533447e350db90507b54490c821531f9fbc69

SHA256
2812cb2490f12a37dc179559ed92d77db00ac0ea67e44d0c17185627bcb006e3

SHA512
c6e6556264921e9eae4b2cabe3d4a7f57748e3e5625fcf0e48af714840c436f6e38be94caf32104538f7329b2fcdafa288d04373c66fdeaa0590e956531fea6d

Download Submit
C:\autorun.inf

Filesize
102B

MD5
5513829683bff23161ca7d8595c25c72

SHA1
9961b65bbd3bac109dddd3a161fc30650e8a7096

SHA256
94e323bd9071db7369ade16f45454e7a0dbfb6a39efddc1234c4719d1f7ee4c2

SHA512
308c84446106cda0a71e37b0de46aaf4b7361f9ddcc3c4c29f8e87da8acb606525dce8a42caf9d74e708c56b31c524f9535a2f5f4757c6c357401da1c495ddb6

Download Submit
memory/448-10-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/448-377-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5848-0-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/5848-378-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/5848-379-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads