Analysis
max time kernel: 125s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/05/2024, 11:06
Static task: static1
Behavioral task: behavioral1
Sample: TNoodle-WCA-1.2.2.jar
Resource: win10v2004-20240226-en
General
Target: TNoodle-WCA-1.2.2.jar
Size: 29.8MB
MD5: 9f7103370956308807e2c6529f459133
SHA1: e9c1227a7557ce7d62c59e4183f39b750ddf13e0
SHA256: 151fb27eae66cd0cd335f1717668d26e8530bb5d0266a0c5f871395dcd6237c1
SHA512: 30f44daca0b86f28a571db43e0958f465fe56c9a54b51c1487a927d8da2a356e613dea8f2f8a72142ca6e3babeaf257b1315edff14c8eb3d76755e5c66d5f2df
SSDEEP: 786432:/mznhtI2TkLLD44F4k/6Qe+jRBBJdCQgbg:+bOLo4F4Ke+lBBJgQg0
Malware Config
Signatures
Executes dropped EXE (1 IoC)
    pid 4964  TNoodle-WCA-1.2.2.exe
Loads dropped DLL (1 IoC)
    pid 4964  TNoodle-WCA-1.2.2.exe
Modifies file permissions (1 TTP, 1 IoC)
    pid 1668  icacls.exe
Drops file in Program Files directory (2 IoCs)
    File created: C:\Program Files\Java\jre-1.8\temp-launcher\TNoodle-WCA-1.2.2.exe  (process: java.exe)
    File opened for modification: C:\Program Files\Java\jre-1.8\temp-launcher\TNoodle-WCA-1.2.2.exe  (process: java.exe)
Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (6 IoCs)
    pid 4884  powershell.exe  (3 entries)
    pid 4296  powershell.exe  (3 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege  pid 4884  powershell.exe
    Token: SeDebugPrivilege  pid 4296  powershell.exe
Suspicious use of FindShellTrayWindow (5 IoCs)
    pid 4964  TNoodle-WCA-1.2.2.exe  (5 entries)
Suspicious use of SendNotifyMessage (5 IoCs)
    pid 4964  TNoodle-WCA-1.2.2.exe  (5 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
    pid 4964  TNoodle-WCA-1.2.2.exe  (2 entries)
Suspicious use of WriteProcessMemory (8 IoCs)
    PID 824   java.exe               wrote to memory of 1668  (procid_target 91)   x2
    PID 824   java.exe               wrote to memory of 4964  (procid_target 93)   x2
    PID 4964  TNoodle-WCA-1.2.2.exe  wrote to memory of 3300  (procid_target 102)  x2
    PID 4884  powershell.exe         wrote to memory of 3952  (procid_target 117)  x2
Processes
[1] C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe  (PID 824)
    cmd: java -jar C:\Users\Admin\AppData\Local\Temp\TNoodle-WCA-1.2.2.jar
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\icacls.exe  (PID 1668)
        cmd: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        - Modifies file permissions
    [2] C:\Program Files\Java\jre-1.8\temp-launcher\TNoodle-WCA-1.2.2.exe  (PID 4964)
        cmd: "C:\Program Files\Java\jre-1.8\temp-launcher\TNoodle-WCA-1.2.2.exe" -Xmx1820m -classpath C:\Users\Admin\AppData\Local\Temp\TNoodle-WCA-1.2.2.jar org.worldcubeassociation.tnoodle.deployable.jar.WebscramblesServer --noReexec
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3300)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:2014/
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4340)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3748 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1080)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3668 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2352)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5624 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2284)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5516 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 644)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5872 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4884)
    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\more.com  (PID 3952)
        cmd: "C:\Windows\system32\more.com"
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3856)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4936 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4296)
    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\wininit.exe  (PID 2268)
        cmd: "C:\Windows\system32\wininit.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads