File name: CubixHackWrapper.jar
Full analysis: https://app.any.run/tasks/c9f376cd-e52e-4d3e-9ca7-6f4e3ce98c6b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 18, 2019, 17:32:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, evasion, loader, miner
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 59C71B1C48299ACC77D84F3AD611B13E
SHA1: BC438168BCB989EAF59095AA38DE56FC851A2522
SHA256: F47CF55573302910F51DD217780883D6159A84B671C0B326F8B4C194F2762E6F
SSDEEP: 49152:ZvnjMltT30e8JzYJhQEjBFBGhtAnBUVUMW88eGv5fZtosQaoElpN3BEMHCSprPRO:Zglt0BQQEjo8GVfm5D3QaPxHpIl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • stub.exe (PID: 2612)
      • Helper.exe (PID: 3064)
      • Helper.exe (PID: 2596)
      • CL_Debug_Log.txt (PID: 2640)
      • Helper.exe (PID: 3816)
      • tor.exe (PID: 2232)
      • Helper.exe (PID: 2340)
      • Helper.exe (PID: 2328)
      • Helper.exe (PID: 4032)
      • Helper.exe (PID: 4040)
      • Helper.exe (PID: 3212)
      • tor.exe (PID: 2392)
      • Helper.exe (PID: 2748)
      • Helper.exe (PID: 3280)
      • Helper.exe (PID: 2904)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 1628)
    • Downloads executable files from the Internet

      • javaw.exe (PID: 3036)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3748)
    • Loads dropped or rewritten executable

      • tor.exe (PID: 2232)
      • tor.exe (PID: 2392)
    • MINER was detected

      • attrib.exe (PID: 916)
    • Looks like application has launched a miner

      • Helper.exe (PID: 4032)
    • Connects to CnC server

      • attrib.exe (PID: 916)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • javaw.exe (PID: 3036)
      • stub.exe (PID: 2612)
      • CL_Debug_Log.txt (PID: 2640)
      • cmd.exe (PID: 3748)
      • Helper.exe (PID: 3064)
      • Helper.exe (PID: 3816)
      • Helper.exe (PID: 4032)
      • Helper.exe (PID: 3212)
    • Starts application with an unusual extension

      • stub.exe (PID: 2612)
    • Starts CMD.EXE for commands execution

      • stub.exe (PID: 2612)
    • Creates files in the user directory

      • javaw.exe (PID: 3036)
      • cmd.exe (PID: 3748)
      • Helper.exe (PID: 3816)
      • Helper.exe (PID: 3064)
      • tor.exe (PID: 2232)
      • Helper.exe (PID: 4032)
      • Helper.exe (PID: 2748)
      • Helper.exe (PID: 3212)
      • tor.exe (PID: 2392)
    • Executed via Task Scheduler

      • Helper.exe (PID: 3064)
      • Helper.exe (PID: 2596)
      • Helper.exe (PID: 4032)
      • Helper.exe (PID: 4040)
      • Helper.exe (PID: 2340)
      • Helper.exe (PID: 2328)
      • Helper.exe (PID: 3280)
      • Helper.exe (PID: 2904)
    • Application launched itself

      • Helper.exe (PID: 3064)
      • Helper.exe (PID: 4032)
    • Connects to unusual port

      • tor.exe (PID: 2232)
      • tor.exe (PID: 2392)
      • attrib.exe (PID: 916)
    • Uses ATTRIB.EXE to modify file attributes

      • Helper.exe (PID: 4032)
  • INFO

    • Manual execution by user

      • explorer.exe (PID: 564)
    • Reads settings of System Certificates

      • Helper.exe (PID: 4032)
    • Dropped object may contain Bitcoin addresses

      • tor.exe (PID: 2392)
      • tor.exe (PID: 2232)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.jar | Java Archive (56.8)
.zip | ZIP compressed archive (15.6)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:09:14 12:07:03
ZipCRC: 0xae08a7ac
ZipCompressedSize: 75
ZipUncompressedSize: 77
ZipFileName: META-INF/MANIFEST.MF
No data.
All screenshots are available in the full report
Total processes: 65
Monitored processes: 20
Malicious processes: 6
Suspicious processes: 9

Behavior graph

(Interactive graph, available in the full report. Nodes: javaw.exe, explorer.exe, stub.exe, cl_debug_log.txt, cmd.exe, schtasks.exe, helper.exe (multiple instances), tor.exe (two instances), attrib.exe (flagged #MINER). Edge labels: "drop and start", "start".)

Process information

PID 3036
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\CubixHackWrapper.jar"
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: explorer.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Version: 8.0.920.14

PID 564
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2612
CMD: C:\Users\admin\AppData\Local\Temp\stub.exe
Path: C:\Users\admin\AppData\Local\Temp\stub.exe
Parent process: javaw.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID 2640
CMD: C:\Users\admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\admin\AppData\Local\Temp\"
Path: C:\Users\admin\AppData\Local\Temp\CL_Debug_Log.txt
Parent process: stub.exe
User: admin
Company: Igor Pavlov
Integrity Level: MEDIUM
Description: 7-Zip Standalone Console
Exit code: 0
Version: 19.00

PID 3748
CMD: cmd /c C:\Users\admin\AppData\Local\Temp\start.bat
Path: C:\Windows\system32\cmd.exe
Parent process: stub.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1628
CMD: schtasks.exe /Create /XML "SystemCheck.xml" /TN "System\SystemCheck"
Path: C:\Windows\system32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3064
CMD: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Parent process: taskeng.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID 2596
CMD: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Parent process: taskeng.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID 3816
CMD: 7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Tor\"
Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Parent process: Helper.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID 2232
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
Parent process: Helper.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Total events: 987
Read events: 958
Write events: 29
Delete events: 0

Modification events

(PID) Process: (3036) javaw.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: javaw.exe

(PID) Process: (2612) stub.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3064) Helper.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (3064) Helper.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (4032) Helper.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (4032) Helper.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (4032) Helper.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files: 30
Suspicious files: 4
Text files: 116
Unknown types: 1

Dropped files

PID 2612, stub.exe: C:\Users\admin\AppData\Local\Temp\aut79C.tmp (type and hashes not recorded)

PID 2612, stub.exe: C:\Users\admin\AppData\Local\Temp\asacpiex.dll (type and hashes not recorded)

PID 2612, stub.exe: C:\Users\admin\AppData\Local\Temp\CR_Debug_Log.txt (type and hashes not recorded)

PID 2612, stub.exe: C:\Users\admin\AppData\Local\Temp\aut1317.tmp (type and hashes not recorded)

PID 2640, CL_Debug_Log.txt: C:\Users\admin\AppData\Local\Temp\SystemCheck.xml (type: xml)
MD5: 04A0A7F7F0136F5461B6589751A8E44F
SHA256: A6D64B2A57916FE29A63F8B515D62C576276BD090042023CCC36AD29FEE3DF0C

PID 2640, CL_Debug_Log.txt: C:\Users\admin\AppData\Local\Temp\start.bat (type: text)
MD5: 17E775273E9FC08EB4DF35D875CD9DB3
SHA256: 3BEC18BBB83921F2A0917C45E65F79D4E631B33C4EA78041148D61B8860FD441

PID 3036, javaw.exe: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp (type: text)
MD5: 052C629494A7E39B38700625C183A51E
SHA256: 8948FB15EA2EC0FDBA2DEF9753EB664EE248019237E8DE968293CAAB658EA94E

PID 2640, CL_Debug_Log.txt: C:\Users\admin\AppData\Local\Temp\start2.bat (type: text)
MD5: 1E5EA39D6FD8BA6D7C15F71ABAF86C01
SHA256: 4FE522F71153E8F1C0BCE3BABC158A6F640F2C1817359C79C9B31AE942DE10C2

PID 3036, javaw.exe: C:\Users\admin\AppData\Local\Temp\CubixHack_lastest.jar (type: java)
MD5: 76C35D748316D1DDDF907E38167EBBD0
SHA256: 2AF3DF12C33881B24700FFD6FA74CDE364637331A8B54522F2A048438C524F53

PID 3036, javaw.exe: C:\Users\admin\AppData\Local\Temp\stub.exe (type: executable)
MD5: 23848E70E0F86B8A5FD8F463C1E68E9A
SHA256: 30D145BA606F4F1DB3E4796F26B7F5BB424934404A31E8AD6AC90C23077F213E
Download the PCAP, analyze network streams, HTTP content and more in the full report
HTTP(S) requests: 4
TCP/UDP connections: 23
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3036 | javaw.exe | GET | 200 | 104.27.143.113:80 | http://assasans.ml/cubixhack/builds/cubixhack/xmr_miner/1.0/stub.logger.exe | US | executable | 14.0 Mb | malicious
3036 | javaw.exe | GET | 200 | 104.27.143.113:80 | http://assasans.ml/cubixhack/builds/cubixhack/launcher/2.3/CubixHack.jar | US | java | 3.93 Mb | malicious
4032 | Helper.exe | GET | 301 | 88.99.66.31:80 | http://ezstat.ru/1Z3fp7 | DE | html | 178 b | shared
2612 | stub.exe | GET | 301 | 88.99.66.31:80 | http://ezstat.ru/1Zwfp7 | DE | html | 178 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2612 | stub.exe | 88.99.66.31:443 | ezstat.ru | Hetzner Online GmbH | DE | malicious
3036 | javaw.exe | 104.27.143.113:80 | assasans.ml | Cloudflare Inc | US | shared
2232 | tor.exe | 54.36.120.156:443 | - | OVH SAS | FR | suspicious
2232 | tor.exe | 46.38.237.221:9001 | - | netcup GmbH | DE | suspicious
2232 | tor.exe | 104.192.5.248:443 | - | 1&1 Internet SE | US | suspicious
2612 | stub.exe | 88.99.66.31:80 | ezstat.ru | Hetzner Online GmbH | DE | malicious
2232 | tor.exe | 66.206.0.82:9001 | - | - | US | suspicious
2232 | tor.exe | 51.68.206.28:9001 | - | - | GB | suspicious
2392 | tor.exe | 193.234.15.57:443 | - | - | SE | suspicious
2392 | tor.exe | 136.243.214.137:443 | - | Hetzner Online GmbH | DE | suspicious

DNS requests

Domain | IP | Reputation
assasans.ml | 104.27.143.113, 104.27.142.113 | malicious
ezstat.ru | 88.99.66.31 | shared
iplogger.org | 88.99.66.31 | shared
dns.msftncsi.com | 131.107.255.255 | shared
xmr.hashcity.org | 138.201.198.155 | suspicious

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .ml Domain
3036 | javaw.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2232 | tor.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 487
2232 | tor.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR TLS v.3 Connection (JA3)
2232 | tor.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic
2232 | tor.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR SSL connection
2232 | tor.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 533
2232 | tor.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 518
2232 | tor.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 554
2232 | tor.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR TLS v.3 Connection (JA3)
5 ETPRO signatures available in the full report
No debug info