cdn.exe

CPU Miner - Setup

LLC

The application cdn.exe by LLC has been detected as adware by 24 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from cdn-14b7.kxcdn.com.
Publisher:
Open Source  (signed by LLC )

Product:
CPU Miner - Setup

Version:
1.1

MD5:
d1049beb67e6c18d3851b563a047890b

SHA-1:
b395349bdb1c90b5eced3e2b1c50ad950113027d

SHA-256:
3328a10e4900bde0c9f6eb9bef5180bacbf5900fc4bc43970a643de955ac85f8

Scanner detections:
24 / 68

Status:
Adware

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
11/14/2024 5:52:42 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Strictor.87902
546

Avira AntiVirus
TR/BitCoinMiner.2529600
8.3.1.6

Arcabit
Trojan.Strictor.D1575E
1.0.0.425

avast!
Win32:PUP-gen [PUP]
2014.9-150808

AVG
BitCoin.E
2016.0.3024

Baidu Antivirus
Hacktool.Win32.BitCoinMiner
4.0.3.1588

Bitdefender
Gen:Variant.Strictor.87902
1.0.20.1100

Clam AntiVirus
Win.Trojan.Strictor-407
0.98/21511

Dr.Web
Trojan.BtcMine.726
9.0.1.0220

Emsisoft Anti-Malware
Gen:Variant.Strictor.87902
8.15.08.08.06

ESET NOD32
Win64/BitCoinMiner.AT potentially unsafe (variant)
9.11956

F-Secure
Gen:Variant.Strictor.87902
11.2015-08-08_7

G Data
Gen:Variant.Strictor.87902
15.8.25

IKARUS anti.virus
Trojan.BitCoinMiner
t3scan.1.9.5.0

K7 AntiVirus
Unwanted-Program
13.207.16601

Kaspersky
not-a-virus:RiskTool.Win32.BitCoinMiner
14.0.0.1614

McAfee
Artemis!770DF32FF354
5600.6680

MicroWorld eScan
Gen:Variant.Strictor.87902
16.0.0.660

NANO AntiVirus
Trojan.Win32.Ransom.dtleij
0.30.24.2487

Panda Antivirus
Trj/CI.A
15.08.08.06

Qihoo 360 Security
HEUR/QVM42.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.Amonitize.OpenSource.Installer (M)
15.8.8.6

Trend Micro
TROJ_GE.41C94834
10.465.08

VIPRE Antivirus
RiskTool.Win32.BitCoinMiner (not malicious)
42086

File size:
4.5 MB (4,709,688 bytes)

Product version:
1.1

Copyright:
2015 - Open Source

Original file name:
cpuminer.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\cdn.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
6/29/2015 8:00:00 AM

Valid to:
6/29/2016 7:59:59 AM

Subject:
CN="LLC ""SOFT-STANDART""", O="LLC ""SOFT-STANDART""", STREET=Bud. 5 vul.Artema, L=Dnipropetrovsk, S=Dnipropetrovska, PostalCode=49000, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A554F191FD67BB6012F1ABCA785158D0

File PE Metadata
Compilation timestamp:
10/7/2014 12:40:03 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:mOel3w6ZHxtXJ6/x1UOaWlwQtZOdJEFGnF5FIoZbHQ1OS:relw6ZR1Q/vHjGuZI3hIoZbHQUS

Entry address:
0x321A

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, F8, 1F, 7A, 00, E8, C0, 2D, 00, 00, A3, 44, 1F, 7A, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, F8, D4, 79, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, 40, 17, 7A, 00, E8, 6A, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, 80, 7A, 00, 50, 55, E8, 58, 2A...
 
[+]

Entropy:
7.9981

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file cdn.exe has been seen being distributed by the following URL.

Remove cdn.exe - Powered by Reason Core Security