Category Archives: Compromise Detection

Lolbins for connoisseurs… Part 2

Posted on by

It may sound a bit counterintuitive, but some very known lolbins often make it to places that no one ever thought would be possible…

Continuing the topic I started a few days earlier, today I will explore a few more ‘popular’ lolbinish executables that you may find ‘legitimately’ present in the environments:

InstallUtil

  • %Program Files%\Celceo SystemAI\InstallUtil.exe
  • %Program Files%\TSS\Auto Mail Sender Birthday Edition\InstallUtil.exe
  • %Program Files%\TSS\Auto Mail Sender Standard Edition\InstallUtil.exe
  • %Program Files%\TSS\WinExt\InstallUtil.exe

RegAsm

  • %Program Files%\ApexSQL\ApexSQLDiff2012\RegAsm.exe
  • %Program Files%\AUDIOzilla\RegAsm.exe
  • %Program Files%\Common Files\Multilizer\NET\1.1\RegAsm.exe
  • %Program Files%\Common Files\Multilizer\NET\2.0\RegAsm.exe
  • %Program Files%\Common Files\Multilizer\NET\4.0\RegAsm.exe
  • %Program Files%\ExeShield\regasm.exe
  • %Program Files%\iOpus\iMacros\RegAsm.exe

ping

  • %Program Files%\Stellar Migrator for MS Exchange\Ping.exe
  • %Program Files%\Stellar Phoenix Mailbox – Exchange Desktop\Ping.exe
  • %Program Files%\Stellar Phoenix Repair for SQLite\Ping.exe
  • %Program Files%\Stellar Phoenix Windows Backup Recovery\Ping.exe

Update_Execute

  • %Program Files%\Diashow XL\Update_Execute.exe
  • %Program Files%\E-Mail-Converter\Update_Execute.exe
  • %Program Files%\FotoArchiv XL\Update_Execute.exe
  • %Program Files%\FotoWorksXL2013\Update_Execute.exe
  • %Program Files%\FreeFotoWorks2013\Update_Execute.exe
  • %Program Files%\HomepageFIX2013\Update_Execute.exe
  • %Program Files%\MailFinder\Update_Execute.exe
  • %Program Files%\MailOut\Update_Execute.exe
  • %Program Files%\MEDIA Revolution\Update_Execute.exe
  • %Program Files%\NewsletterDesigner\Update_Execute.exe
  • %Program Files%\OnlineGalerie\Update_Execute.exe
  • %Program Files%\profiSUBMIT\Update_Execute.exe
  • %Program Files%\Slideshow XL\Update_Execute.exe

the latter allows you to execute any program of your choice via proxy f.ex.:

Update_Execute.exe c:\windows\notepad.exe

runxx.exe (same as above, plus, more persistent)

  • c:\drivers\keyb\dritek2007\runxx.exe
  • c:\drivers\keyboard\dritek2000\InstPack\runxx.exe
  • c:\drivers\keyboard\drtk2001\runxx.exe
  • c:\drivers\keyboard\dtk30005\runxx.exe
  • c:\drivers\keyboard\lm2003\InstPack\runxx.exe
  • c:\drivers\keyboard\lm3002\runxx.exe
  • c:\drivers\keyboard\lm3003\runxx.exe
  • c:\drivers\keyboard\lm3004\InstPack\runxx.exe
  • c:\drivers\keyboard\lm3004\runxx.exe
  • c:\drivers\keyboard\lm3005\runxx.exe
  • c:\Drivers\Launch_Manager\runxx.exe
  • c:\drivers\launchmanager\dritek2001\InstPack\runxx.exe
  • c:\drivers\launchmanager\dt2000\InstPack\runxx.exe
  • c:\drivers\launchmanager\dt2002\runxx.exe
  • c:\drivers\LM\2002\InstPack\runxx.exe
  • c:\drivers\hotkeys\runxx.exe

instmsia.exe

  • %Program Files%\Firmware Update\All_Package\instmsia.exe
  • C:\Drivers\7. Alcor CardReader Driver\instmsia.exe
  • c:\drivers\Alcor Card Reader Driver\instmsia.exe
  • c:\drivers\bluetooth\bc621500\Win32\instmsia.exe
  • c:\drivers\bluetooth\bc621500\Win64\instmsia.exe
  • c:\drivers\bluetooth\w6104600\Win32\instmsia.exe
  • c:\drivers\bluetooth\w6104600\Win64\instmsia.exe
  • c:\Drivers\Bluetooth\Win32\instmsia.exe
  • c:\Drivers\Bluetooth\Win64\instmsia.exe
  • c:\drivers\bt\6015600\Win32\instmsia.exe
  • c:\drivers\bt\6015600\Win64\instmsia.exe
  • c:\drivers\bt\6208500\Win32\instmsia.exe
  • c:\drivers\bt\6208500\Win64\instmsia.exe
  • c:\drivers\bt\bc5104500\Win32\instmsia.exe
  • c:\drivers\bt\bc5104500\Win64\instmsia.exe
  • c:\drivers\bt\bc6202600\Win32\instmsia.exe
  • c:\drivers\bt\bc6202600\Win64\instmsia.exe
  • c:\drivers\bt\bc6208800\Win32\instmsia.exe
  • c:\drivers\bt\bc6208800\Win64\instmsia.exe
  • c:\drivers\bt\bc6209600\Win32\instmsia.exe
  • c:\drivers\bt\bc6209600\Win64\instmsia.exe
  • c:\drivers\bt\bc6209700\Win32\instmsia.exe
  • c:\drivers\bt\bc6209700\Win64\instmsia.exe
  • c:\drivers\bt\bt520500\Win32\instmsia.exe
  • c:\drivers\bt\bt520500\Win64\instmsia.exe
  • c:\drivers\bt\Win32\instmsia.exe
  • c:\drivers\bt\Win64\instmsia.exe
  • c:\drivers\Card Reader Driver\instmsia.exe
  • c:\drivers\cardreader\instmsia.exe
  • c:\Drivers\Others\Bluetooth\Win32\instmsia.exe
  • c:\Drivers\Others\Bluetooth\Win64\instmsia.exe
  • C:\DRIVERS\WIN\MULTICARD\instmsia.exe
  • c:\pnp\bluetooth\instmsia.exe
  • c:\pnp\GOB\instmsia.exe
  • c:\pnp\mobo\Chipset\INSTMSIA.EXE
  • c:\pnp\mobo\INSTMSIA.EXE
  • c:\pnp\raid\INSTMSIA.EXE
  • c:\pnp\video\instmsia.exe
  • C:\SWTOOLS\BLUETOOTH\7ZBV19WW\Win32\instmsia.exe
  • C:\SWTOOLS\BLUETOOTH\7ZBV19WW\Win64\instmsia.exe
  • C:\SWTOOLS\DRIVERS\BLUETOOTH\8m05bb36g04\Win32\instmsia.exe
  • C:\SWTOOLS\DRIVERS\BLUETOOTH\8m05bb36g04\Win64\instmsia.exe
  • C:\SWTOOLS\DRIVERS\LMBC\6jwa11ww\ATTplgin\instmsia.exe
  • C:\SWTOOLS\DRIVERS\LMBC\7twa71ww\ATTplgin\instmsia.exe

instmsiw.exe

  • %Program Files%\Droppix\Droppix Recorder 2.x\Droppix Recorder\InstMsiW.Exe
  • %Program Files%\Firmware Update\All_Package\instmsiw.exe
  • c:\drivers\11. TV Tuner (Geniatech,Yuan,AverMedia) for 32-bit Windows\Yuan\MC163\Win832\instmsiw.exe
  • c:\drivers\11. TV Tuner (Geniatech,Yuan,AverMedia) for 32-bit Windows\Yuan\MC907\Win832\instmsiw.exe
  • c:\drivers\15. TV Tuner (Geniatech, Yuan, AverMedia)\Yuan\1.0.6.8051\Win832\instmsiw.exe
  • c:\drivers\15. TV Tuner (Geniatech, Yuan, AverMedia)\Yuan\1.0.6.8051\Win864\instmsiw.exe
  • C:\Drivers\7. Alcor CardReader Driver\instmsiw.exe
  • c:\drivers\Alcor Card Reader Driver\instmsiw.exe
  • c:\drivers\bluetooth\bc621500\Win32\instmsiw.exe
  • c:\drivers\bluetooth\bc621500\Win64\instmsiw.exe
  • c:\drivers\bluetooth\w6104600\Win32\instmsiw.exe
  • c:\drivers\bluetooth\w6104600\Win64\instmsiw.exe
  • c:\Drivers\Bluetooth\Win32\instmsiw.exe
  • c:\Drivers\Bluetooth\Win64\instmsiw.exe
  • c:\drivers\bt\6015600\Win32\instmsiw.exe
  • c:\drivers\bt\6015600\Win64\instmsiw.exe
  • c:\drivers\bt\6208500\Win32\instmsiw.exe
  • c:\drivers\bt\6208500\Win64\instmsiw.exe
  • c:\drivers\bt\bc5104500\Win32\instmsiw.exe
  • c:\drivers\bt\bc5104500\Win64\instmsiw.exe
  • c:\drivers\bt\bc6202600\Win32\instmsiw.exe
  • c:\drivers\bt\bc6202600\Win64\instmsiw.exe
  • c:\drivers\bt\bc6208800\Win32\instmsiw.exe
  • c:\drivers\bt\bc6208800\Win64\instmsiw.exe
  • c:\drivers\bt\bc6209600\Win32\instmsiw.exe
  • c:\drivers\bt\bc6209600\Win64\instmsiw.exe
  • c:\drivers\bt\bc6209700\Win32\instmsiw.exe
  • c:\drivers\bt\bc6209700\Win64\instmsiw.exe
  • c:\drivers\bt\bt520500\Win32\instmsiw.exe
  • c:\drivers\bt\bt520500\Win64\instmsiw.exe
  • c:\drivers\bt\Win32\instmsiw.exe
  • c:\drivers\bt\Win64\instmsiw.exe
  • c:\drivers\Card Reader Driver\instmsiw.exe
  • c:\drivers\cardreader\instmsiw.exe
  • c:\Drivers\Others\Bluetooth\Win32\instmsiw.exe
  • c:\Drivers\Others\Bluetooth\Win64\instmsiw.exe
  • c:\drivers\TV Tuner (Geniatech, Yuan, AverMedia)\Yuan\MC163\Win832\instmsiw.exe
  • c:\drivers\TV Tuner (Geniatech, Yuan, AverMedia)\Yuan\MC907\Win832\instmsiw.exe
  • C:\DRIVERS\WIN\LANASIX\instmsiw.exe
  • C:\DRIVERS\WIN\MULTICARD\instmsiw.exe
  • c:\pnp\bluetooth\instmsiw.exe
  • c:\pnp\Cardreader\instmsiw.exe
  • c:\pnp\GOB\instmsiw.exe
  • c:\pnp\mobo\Chipset\INSTMSIW.EXE
  • c:\pnp\mobo\INSTMSIW.EXE
  • c:\pnp\raid\INSTMSIW.EXE
  • c:\pnp\video\instmsiw.exe
  • C:\SWTOOLS\BLUETOOTH\7ZBV19WW\Win32\instmsiw.exe
  • C:\SWTOOLS\BLUETOOTH\7ZBV19WW\Win64\instmsiw.exe
  • C:\SWTOOLS\DRIVERS\BLUETOOTH\8m05bb36g04\Win32\instmsiw.exe
  • C:\SWTOOLS\DRIVERS\BLUETOOTH\8m05bb36g04\Win64\instmsiw.exe
  • C:\SWTOOLS\DRIVERS\FPR\LZ4GO2A2_64\instmsiw.exe
  • C:\SWTOOLS\DRIVERS\LMBC\6jwa11ww\ATTplgin\instmsiw.exe
  • C:\SWTOOLS\DRIVERS\LMBC\7twa71ww\ATTplgin\instmsiw.exe

regsvr32

  • %Program Files%\3D Active Button Magic\REGSVR32.EXE
  • %Program Files%\3D Button API\REGSVR32.EXE
  • %Program Files%\Active DJ Studio\REGSVR32.EXE
  • %Program Files%\Active MIDI DJ Console\REGSVR32.EXE
  • %Program Files%\Active Sound Editor\REGSVR32.EXE
  • %Program Files%\Active Sound Recorder\REGSVR32.EXE
  • %Program Files%\Active Sound Studio\Active Sound Editor\REGSVR32.EXE
  • %Program Files%\Active Sound Studio\Active Sound Recorder\REGSVR32.EXE
  • %Program Files%\Active Waveform Analyzer\REGSVR32.EXE
  • %Program Files%\Blue Squirrel\Spam Sleuth Lite\regsvr32.exe
  • %Program Files%\Firmware Update\All_Package\program files\HP\Button Manager\Hestia\regsvr32.exe
  • %Program Files%\Firmware Update\All_Package\program files\HP\Button Manager\regsvr32.exe
  • %Program Files%\VoIP SIP Client SDK\files_for_redistribution\ActiveX\regsvr32.exe

ffmpeg

Not a hacking utility, but may come handy:

  • %Program Files%\AnvSoft\Any Video Converter Professional\gnu\ffmpeg.exe
  • %Program Files%\AnvSoft\Any Video Converter\ffmpeg.exe
  • %Program Files%\AnvSoft\Any Video Converter\gnu\ffmpeg.exe
  • %Program Files%\Any Video Recorder\ffmpeg.exe
  • %Program Files%\Aura4You\Aura Video Converter Professional\gnu\ffmpeg.exe
  • %Program Files%\BlazeVideo\BlazeDVD 6.1\ffmpeg.exe
  • %Program Files%\ClipGrab\ffmpeg.exe
  • %Program Files%\CodedColor\ffmpeg.exe
  • %Program Files%\Convertilla\ffmpeg.exe
  • %Program Files%\Diashow XL\LibAV\ffmpeg.exe
  • %Program Files%\DVD Photo Slideshow Professional\gnu\ffmpeg.exe
  • %Program Files%\DVD Shrink\ffmpeg.exe
  • %Program Files%\DVD to iPad Converter\ffmpeg.exe
  • %Program Files%\DVDVideoSoft\Free Audio Editor\ffmpeg.exe
  • %Program Files%\DVDVideoSoft\Free YouTube Download\ffmpeg.exe
  • %Program Files%\DVDVideoSoft\Free YouTube To MP3 Converter\ffmpeg.exe
  • %Program Files%\FotoArchiv XL\LibAV\ffmpeg.exe
  • %Program Files%\Freemake\COM\1.1\ffmpeg.exe
  • %Program Files%\Icecream Slideshow Maker\ffmpeg.exe
  • %Program Files%\Kastor Free Video Converter\ffmpeg.exe
  • %Program Files%\KooRaRoo Media Free\ffmpeg.exe
  • %Program Files%\MediaHuman\Audio Converter\ffmpeg.exe
  • %Program Files%\Nuclear Coffee\ConvertVid\ffmpeg.exe
  • %Program Files%\Nuclear Coffee\VideoGet\ffmpeg.exe
  • %Program Files%\pazera-software\FLV_to_AVI_Converter\tools\FFmpeg\ffmpeg.exe
  • %Program Files%\pazera-software\MKV_to_AVI_Converter_32\tools\FFmpeg\ffmpeg.exe
  • %Program Files%\pazera-software\MOV_to_AVI_Converter\tools\FFmpeg\ffmpeg.exe
  • %Program Files%\pazera-software\MP4_to_AVI_Converter\tools\FFmpeg\ffmpeg.exe
  • %Program Files%\pazera-software\MP4_to_MP3_32bit\tools\FFmpeg\ffmpeg.exe
  • %Program Files%\RadioBOSS\Plugins\ffmpeg.exe
  • %Program Files%\Slideshow XL\LibAV\ffmpeg.exe
  • %Program Files%\SmartDVDCreatorPro\ffmpeg.exe
  • %Program Files%\SmartDVDCreator\ffmpeg.exe
  • %Program Files%\Socusoft\Socusoft 3GP Photo Slideshow\gnu\ffmpeg.exe
  • %Program Files%\Socusoft\Socusoft iPod Photo Slideshow\gnu\ffmpeg.exe
  • %Program Files%\Sothink HD Movie Maker\Encoder\ffmpeg.exe
  • %Program Files%\Sothink Movie DVD Maker\Encoder\ffmpeg.exe
  • %Program Files%\Sothink Video Converter\Encoder\ffmpeg.exe
  • %Program Files%\Sothink Video Encoder for Adobe Flash\Encoder\ffmpeg.exe
  • %Program Files%\SourceTec\Sothink Movie DVD Maker\Encoder\ffmpeg.exe
  • %Program Files%\Stellar Phoenix Video Repair\ffmpeg.exe
  • %Program Files%\YouTube Song Downloader\ffmpeg.exe

and there is more VNC as well:

vncviewer

  • %Program Files%\CrossLoop\vncviewer.exe
  • %Program Files%\Hammer Software\MetaLAN Administrator 2\VNC\TightVNC3\vncviewer.exe
  • %Program Files%\RealVNC\VNC4\vncviewer.exe
  • %localappdata%\CrossLoop\vncviewer.exe

winscp

  • %Program Files%\Lauyan\TOWeb V6\tools\winscp\WinSCP.exe

downloader (note, all of these may require additional analysis):

  • %Program Files%\Auslogics\Driver Updater\Downloader.exe
  • %Program Files%\BSC Designer\update\Downloader.exe
  • %Program Files%\Defender Pro Driver Control\Downloader.exe
  • %Program Files%\Download Master\downloader.exe
  • %Program Files%\Fake Voice 7.0\7.0.0.0\downloader.exe
  • %Program Files%\Fake Webcam 7.4\7.4.0.0\downloader.exe
  • %Program Files%\IDA\downloader.exe
  • %Program Files%\MurGeeMon\Downloader.exe
  • %Program Files%\Virtual Webcam 8.0\8.0.0.0\downloader.exe
  • %Program Files%\Webcam Screen Recorder 7.0\7.0.0.0\downloader.exe
  • %localappdata%\downloader.exe
  • %localappdata%\Temp\hstemp\downloader.exe

javaw

  • %Program Files%\CamShot\jre\bin\javaw.exe
  • %Program Files%\ChequePrinting.net\jre\bin\javaw.exe
  • %Program Files%\ChequeSystem\jre\bin\javaw.exe
  • %Program Files%\EasyBilling\jre\bin\javaw.exe
  • %Program Files%\EditRocket\jre\bin\javaw.exe
  • %Program Files%\Formatic\jre\bin\javaw.exe
  • %Program Files%\OMS\OPhone Desktop Suite\jre\bin\javaw.exe
  • %Program Files%\Ovis\jre7\bin\javaw.exe
  • %Program Files%\PhotoPDF\jre\bin\javaw.exe
  • %Program Files%\PhotoX\jre\bin\javaw.exe
  • %Program Files%\RoboMail\jre\bin\javaw.exe
  • %Program Files%\SmartCalendar\jre\bin\javaw.exe
  • %Program Files%\Sweet Home 3D\jre6\bin\javaw.exe

java

  • %Program Files%\CamShot\jre\bin\java.exe
  • %Program Files%\ChequePrinting.net\jre\bin\java.exe
  • %Program Files%\ChequeSystem\jre\bin\java.exe
  • %Program Files%\EasyBilling\jre\bin\java.exe
  • %Program Files%\EditRocket\jre\bin\java.exe
  • %Program Files%\Formatic\jre\bin\java.exe
  • %Program Files%\OMS\OPhone Desktop Suite\jre\bin\java.exe
  • %Program Files%\Ovis\jre7\bin\java.exe
  • %Program Files%\PhotoPDF\jre\bin\java.exe
  • %Program Files%\PhotoX\jre\bin\java.exe
  • %Program Files%\RoboMail\jre\bin\java.exe
  • %Program Files%\SmartCalendar\jre\bin\java.exe

tar

  • %commonappdata%\CleanMail\tar.exe
  • %Program Files%\Git\usr\bin\tar.exe
  • %Program Files%\Kingo ROOT\tools\tar.exe
  • c:\Program Files (x86)\Common Files\DVDVideoSoft\bin\tar.exe

undelete

  • %Program Files%\Advanced System Optimizer 3\Undelete.exe
  • %Program Files%\CleanGenius 3\UnDelete.exe
  • %Program Files%\Glary Undelete\undelete.exe
  • %Program Files%\Glary Utilities\undelete.exe
  • %Program Files%\LSoft Technologies\Active\@ UNDELETE\Undelete.exe

Lolbins for connoisseurs…

Posted on by

We are all quite fixated on a purity of lolbins. Best if it is a hidden/undocumented/unexpected behavior of a native OS binary that can be abused for some nefarious purposes. I, obviously, love these the most, too.

However…

Living Off The land’s scope should be wide.

Take a compression utility as an example: zip, bzip2, 7z and their variations. It’s a lame example, but it serves the purpose of demonstration well. There are many software packages out there today. There is a subset of them that are being quite popular. And there is a subset of software packages that are quite popular that install a compression utility…

Let’s have a look at a sample of ‘interesting’ paths:

  • %program files%\2printer\7z.exe
  • %program files%\advanced system optimizer 3\updater\extract\7z.exe
  • %program files%\aiseesoft studio\aiseesoft ipad transfer\7z.exe
  • %program files%\aunsoft\aunsoft dvd ripper\zip.exe
  • %program files%\aunsoft\aunsoft transmxf\zip.exe
  • %program files%\aunsoft\aunsoft video converter\zip.exe
  • %program files%\auntec\ifonebox\7z.exe
  • %program files%\docufreezer\7z.exe
  • %program files%\driver tuneup\dp\7z.exe
  • %program files%\driver updater\dp\7z.exe
  • %program files%\dvdfab media player 3\7za.exe
  • %program files%\dvdfab passkey\7za.exe
  • %program files%\epson\sl-d700\common\7za.exe
  • %program files%\fastneuron inc\backupchain\7za.exe
  • %program files%\fengtao software inc.\ifonerestore\7z.exe
  • %program files%\filetiger\zip.exe
  • %program files%\getnzb\7z.exe
  • %program files%\gimp*\bin\bzip2.exe
  • %program files%\gimp*\bin\minigzip.exe
  • %program files%\git\usr\bin\bzip2.exe
  • %program files%\git\usr\bin\gzip.exe
  • %program files%\git\mingw64\bin\bzip2.exe
  • %program files%\globalshareware\ifonemate\7z.exe
  • %program files%\greatis\regrunsuite\7za.exe
  • %program files%\imyfone\imyfone tunesfix\7z.exe
  • %program files%\intelligent converters\demos\zip.exe
  • %program files%\intel\phone flash tool\7z.exe
  • %program files%\kingo root\tools\7z.exe
  • %program files%\moyea\dvd4web converter\7z.exe
  • %program files%\my-bp\zip.exe
  • %program files%\my-pf\zip.exe
  • %program files%\ospeedy batch photo processor\7za.exe
  • %program files%\pa file sight\7za.exe
  • %program files%\pa storage monitor\7za.exe
  • %program files%\radarsync\updater\extract\7z.exe
  • %program files%\radioboss\7za.exe
  • %program files%\raxco\perfectupdater\updater\extract\7z.exe
  • %program files%\systweak\netbook optimizer\updater\extract\7z.exe
  • %program files%\tenorshare ibackupunlocker\7z\7z.exe
  • %program files%\unhackme\7za.exe
  • %program files%\winzip driver updater\updater\extract\7z.exe
  • %program files%\wise\wise driver care\7z.exe
  • %program files%\wondershare\dr.fone\addins\recovery\extractor\7z.exe

While most of these are not necessarily the most popular ever, there are people downloading and installing these…

And compression utilities are not the only tools we may find, f.ex. some software install curl.exe and wget.exe – how cool is that?

  • %program files%\git\mingw64\bin\curl.exe
  • %program files%\hp\pfp_guide\wget.exe
  • %program files%\pa file sight\wget.exe
  • %program files%\pa storage monitor\wget.exe
  • %program files%\printfil\wget.exe
  • %program files%\wondershare\dr.fone\addins\recovery\wget.exe

Need a mysql dump? here it is:

  • %program files%\memberties\server\bin\mysqldump.exe

VNC?

There you go:

  • %localappdata%\crossloop\winvnc.exe
  • %program files%\crossloop\winvnc.exe
  • %program files%\hammer software\metalan administrator 2\vnc\tightvnc3\winvnc.exe
  • %userappdata%\design master software\remote support\vnc.exe
  • c:\tcafe\tcvnc.exe

And if you need any more examples, remember my NVIDIA Uninstallers post from 2017.