cupblueupdate.exe

Cupblue

Shan Feng

The application cupblueupdate.exe by Shan Feng has been detected as a potentially unwanted program by 3 anti-malware scanners. It runs as a Windows service in its own process (Win32OwnProcess) with the display name “Update Service(CupblueU)”, and also as a scheduled task in the Windows Task Scheduler named CupblueUpdateTaskMachineCore, triggered by a time event. While running, it connects to the Internet host c8.3e.559e.ip4.static.sl-reverse.com on port 80 over HTTP.
Publisher:
Shan Feng  (signed and verified)

Product:
Cupblue

Version:
1.0.0.1

MD5:
c5e70bb6675105c0839e4bc16bee80f7

SHA-1:
c219b8d19f38ed7a0a521e65e277f03015b3f660

SHA-256:
ea2f754223f4b329cc373ea105893f992434c0c1ca8cbcc52a80770a6afb8e88

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
11/16/2024 3:35:38 AM UTC

Scan engine         Detection                              Engine version
Baidu Antivirus     Win32.Trojan.WisdomEyes.151026.9950    4.0.3.1667
Qihoo 360 Security  QVM19.1.Malware.Gen                    1.0.0.1120
Reason Heuristics   PUP.Elex.ShanFeng (M)                  16.7.8.1

File size:
560.9 KB (574,336 bytes)

Product version:
51.5.2704.63

Copyright:
Copyright (C) 2016 Cupblue Authors

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\cupblue\update\cupblueupdate.exe

Digital Signature
Signed by:
Shan Feng

Authority:
thawte, Inc.

Valid from:
6/1/2016 2:00:00 AM

Valid to:
2/4/2017 12:59:59 AM

Subject:
CN=Shan Feng, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
1BE68A2F1793C12BE67FDE60C6531903

File PE Metadata
Compilation timestamp:
6/7/2016 6:54:42 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

CTPH (ssdeep):
12288:F6IbTMqgR3nyxbsrEG6TD5ZAsBE8owK3jZKDqsZd0nPV1o+SNH:9R43SsrMFisy/3lgn+DSNH

Entry address:
0x4AE3B

Entry point:
8A, 2C, 65, 00, 00, AB, E2, AA, 9F, AA, C2, 67, 82, B7, 26, 00, B6, 0F, 96, 30, E9, 58, 00, 00, 00, 00, 39, 0A, 62, 1C, 39, DF, 85, 08, 6C, B0, A1, 04, 04, AA, 08, 00, 00, 00, 00, D8, 79, 66, 6E, 7F, 04, 71, 31, 11, 34, 03, E9, 7D, B6, AA, C3, E8, 11, 1D, 00, 71, A7, 04, 9F, 20, C1, 85, 27, A8, 9F, AA, C2, BD, EF, 11, 94, 31, 9E, 00, 00, 00, 00, A7, FE, 12, 06, AB, 55, 00, 00, 00, 00, D9, 24, 71, 31, 69, 06, 70, 6C, 06, 6B, 15, EB, 7C, EB, BD, 9C, FE, 13, 1C, 00, 66, F8, 12, EB, 31, 90, AA, 48, BE, A5, 11...

Code size:
433 KB (443,392 bytes)

Scheduled Task
Task name:
CupblueUpdateTaskMachineCore

Trigger:
Time


Service
Display name:
Update Service(CupblueU)

Service name:
CupblueU

Description:
Keeps your Cupblue software up to date. If this service is disabled or stopped, your Cupblue software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and f

Type:
Win32OwnProcess

Depends on:
RpcSs


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to c8.3e.559e.ip4.static.sl-reverse.com  (158.85.62.200:80)

Powered by Reason Core Security