cdn.exe

CPU Miner - Setup

LLC

The application cdn.exe, published by LLC, has been detected as adware by 19 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer and is a malicious Bitcoin miner. Bitcoin-mining malware forces the infected computer to generate Bitcoins for the cybercriminals' benefit, consuming the machine's computing power in the process. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from cdn-14b7.kxcdn.com.
Publisher:
Open Source (signed by LLC)

Product:
CPU Miner - Setup

Version:
1.1

MD5:
27ab8e8e8ec2ab947ff5c8e1f08ced7a

SHA-1:
eea78c33dfc20f4c2311a7504cfc2cf953a45188

SHA-256:
977ea6664cdfb15bae6bb7660ff54046b83e1c3fcf1756d2af3450e5f2dfd0c5

Scanner detections:
19 / 68

Status:
Adware

Explanation:
The program mines for Bitcoins in the background using the computer's GPU and may be installed and run without the user's knowledge.

Analysis date:
11/24/2024 11:58:33 AM UTC

Scan engine: Detection (Engine version)

Lavasoft Ad-Aware: Gen:Variant.Strictor.87902 (576)
Avira AntiVirus: TR/BitCoinMiner.2747712 (8.3.1.6)
Arcabit: Trojan.Strictor.D1575E (1.0.0.425)
avast!: Win32:Malware-gen (2014.9-150708)
AVG: Generic_s (2016.0.3054)
Baidu Antivirus: Hacktool.Win32.BitCoinMiner (4.0.3.1578)
Bitdefender: Gen:Variant.Strictor.87902 (1.0.20.945)
Dr.Web: Trojan.BtcMine.711 (9.0.1.0189)
Emsisoft Anti-Malware: Gen:Variant.Strictor.87902 (8.15.07.08.02)
ESET NOD32: Win64/BitCoinMiner.AT potentially unsafe (variant) (9.11908)
F-Secure: Gen:Variant.Strictor.87902 (11.2015-08-07_4)
G Data: Gen:Variant.Strictor.87902 (15.7.25)
IKARUS anti.virus: Trojan.BitCoinMiner (t3scan.1.9.5.0)
K7 AntiVirus: Unwanted-Program (13.205.16497)
MicroWorld eScan: Gen:Variant.Strictor.87902 (16.0.0.567)
NANO AntiVirus: Riskware.Nsis.BitCoinMiner.dqgttf (0.30.24.2487)
Panda Antivirus: Trj/CI.A (15.07.08.02)
Reason Heuristics: PUP.Amonitize.OpenSource.Installer (M) (15.7.8.14)
VIPRE Antivirus: Trojan.Win32.Generic (41820)

File size:
4.5 MB (4,714,544 bytes)

Product version:
1.1

Copyright:
2015 - Open Source

Original file name:
cpuminer.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\cdn.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
6/28/2015 5:00:00 PM

Valid to:
6/28/2016 4:59:59 PM

Subject:
CN="LLC ""SOFT-INDASTRI GROUP""", O="LLC ""SOFT-INDASTRI GROUP""", STREET="street Pidvysotsky, house 10/10, office 60", L=Kiev, S=Kiev, PostalCode=01103, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00CBF0B4B2E7F3FE05A1CCD9AFD74EB1AB

File PE Metadata
Compilation timestamp:
10/6/2014 9:40:03 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:uITSGsBV2bY88eNsxrVvYbaCX4XlITLH9jtQlSzoFhggU9ltv/z:uIuG+0ccsfvYbaKMeLdjtQN7UzV/z

Entry address:
0x321A

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, F8, 1F, 7A, 00, E8, C0, 2D, 00, 00, A3, 44, 1F, 7A, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, F8, D4, 79, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, 40, 17, 7A, 00, E8, 6A, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, 80, 7A, 00, 50, 55, E8, 58, 2A...

Entropy:
7.9980

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file cdn.exe has been seen being distributed by the following URL.

Remove cdn.exe - Powered by Reason Core Security