cdn.exe

Setup

LLC

The application cdn.exe by LLC has been detected as adware by 16 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from cdn-14b7.kxcdn.com.
Publisher:
Open Source  (signed by LLC )

Product:
Setup

Version:
1.2

MD5:
9fb990fbacadd642871ae7702914445d

SHA-1:
52790032a1eddeb0ef30adb4edecf978ad050a66

SHA-256:
c8187252ca6801136807bd5019630db209affc60b76c5ac5f78c66db7284b862

Scanner detections:
16 / 68

Status:
Adware

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
11/24/2024 10:51:51 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.Agent
7.1.1

Avira AntiVirus
TR/BitCoinMiner.4628256
8.3.2.4

avast!
Multi:BitCoinMiner-B [PUP]
2014.9-151121

AVG
CoinMiner
2016.0.2918

Clam AntiVirus
Win.Trojan.Bitcoinminer-100
0.98/21511

Dr.Web
Trojan.BtcMine.711
9.0.1.0325

ESET NOD32
Win64/BitCoinMiner.AP potentially unsafe
9.12601

Fortinet FortiGate
Riskware/BitCoinMiner
11/21/2015

G Data
Archive.Application.Agent.62RD33
15.11.25

IKARUS anti.virus
not-a-virus:RiskTool.BitCoinMiner
t3scan.1.9.5.0

K7 AntiVirus
Unwanted-Program
13.212.17925

Kaspersky
not-a-virus:HEUR:RiskTool.Win32.BitCoinMiner
14.0.0.1086

Qihoo 360 Security
QVM42.0.Malware.Gen
1.0.0.1077

Reason Heuristics
PUP.Amonitize.OpenSource.Installer (M)
15.11.21.17

Sophos
CpuMiner (PUA)
4.98

VIPRE Antivirus
Trojan.Win32.Generic
45334

File size:
4.1 MB (4,299,920 bytes)

Product version:
1.2

Copyright:
2015 - Open Source

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\cdn.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
5/29/2015 8:00:00 AM

Valid to:
5/29/2016 7:59:59 AM

Subject:
CN="LLC ""Invest -Proekt""", O="LLC ""Invest -Proekt""", STREET="Geroev Stalingrada str., 156", L=Dnipropetrovsk, S=Dnipropetrovska obl., PostalCode=49000, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
587B444820E01109AE86078C4B64D02A

File PE Metadata
Compilation timestamp:
10/7/2014 12:40:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:ChOzBfGA+U7ZcDR/mhvO+jC572pIDmDzx5jFuyZgPi6B7yBzaeQKYqcYOKmowaFC:EifGAVs/kh1D3ZEWJSYFtF3fa1QRMhYO

Entry address:
0x3217

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, B8, 37, 42, 00, E8, C0, 2D, 00, 00, A3, 04, 37, 42, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, B8, EC, 41, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, 00, 2F, 42, 00, E8, 6A, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, 90, 42, 00, 50, 55, E8, 58, 2A...
 
[+]

Entropy:
7.9985

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file cdn.exe has been seen being distributed by the following URL.

Remove cdn.exe - Powered by Reason Core Security