{"id":3430,"date":"2015-12-18T16:57:40","date_gmt":"2015-12-18T16:57:40","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3430"},"modified":"2015-12-18T16:59:49","modified_gmt":"2015-12-18T16:59:49","slug":"the-typographical-and-homomorphic-abuse-of-svchost-exe-and-other-popular-file-names","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/12\/18\/the-typographical-and-homomorphic-abuse-of-svchost-exe-and-other-popular-file-names\/","title":{"rendered":"The typographical and homomorphic abuse of svchost.exe, and other popular file names"},"content":{"rendered":"

In my old post<\/a> I described a list of file names used by malware to impersonate svchost.exe. I thought I will re-visit this post today and provide some more file names that malware is using for impersonation of common file names.<\/p>\n

Copyright Notice<\/strong><\/p>\n

Feel free to use it for any individual or academic projects that are non-commercial f.ex. internal automatic malware\/ forensic analysis systems that are not available commercially (f.ex. if you want to use it to write an Enscript, or perl\/python script, or Yara\/Cuckoo\/Volatility code highlighting suspicious file names based on the below blacklist you are welcome to do so; if you share the script publicly it’s even better \ud83d\ude42 ). I do not allow you to use this list in any commercial product or service including, but not limited to sandboxes & automatic malware\/forensic processing systems. If you want to use it for anything that has a commercial\/reselling purposes or may give a hint of such purpose please contact me first. Please note that this list may be watermarked.<\/p>\n

How this list was generated?<\/strong><\/p>\n

This is based on strings extracted from 500K sandbox reports that have been analyzed using various ‘similarity’ functions including Levenshtein distance, prefix\/infix\/suffix similarities, and visual similarity (the final list has been reviewed manually). In other words, it costed a lot of cycles, hence the licensing note. Thanks for understanding.<\/p>\n

Here they are:<\/p>\n

chrome.exe<\/strong><\/p>\n

5hrome
\na_chrome
\ncchrome
\nchorom
\nchr0me
\nchro2me
\nchrom
\n-chrome
\nchrome1
\nchrome10
\nchrome3
\nchrome32
\nchrome9
\nchromede
\nchromee
\nchromeez
\nchromei
\nchromes
\nchromix
\nchromme
\nchrommm
\nchromre
\nchromse
\nchromyy
\nchroom
\nchroome
\nchroum
\ncrhome
\nnichrome<\/p>\n

csrss.exe<\/strong><\/p>\n

_cerss
\n_csrss
\ncarss
\nccrs
\ncress
\ncrrss
\ncrss
\ncrsss
\ncsrcs
\ncsres
\ncsriss
\ncsrlt
\ncsrms
\ncsrmss
\ncsrrss
\ncsrs
\ncsrsc
\ncsrse
\ncsrsess
\ncsrsk
\ncsrsl
\ncsrsrv
\ncsrss_1
\ncsrss_2
\ncsrss_8
\ncsrss_9
\ncsrss32
\ncsrssa
\ncsrssc
\ncsrsses
\ncsrssr
\ncsrsss
\ncsrssw
\ncsrssys
\ncsrst
\ncsrsvc
\ncsrsvr
\ncsrsx
\ncsrtss
\ncsrus
\ncsrvs
\ncssrs
\ncssrsa
\ncssrsr
\ncssrss
\ncvrss
\nscrss<\/p>\n

explorer.exe\/iexplore.exe<\/strong><\/p>\n

0iexplorer
\n12iexplore
\n2ciexplore
\n2fexplorer
\n5explore
\n5xplorer
\n_iexplors
\ndexplorer
\ndxplore
\ne1xplorer
\neexplorer
\neexxplorer
\neksplorer
\nep1orer
\nesplorer
\nexeplorer
\nexlorer
\nexoplorer
\nexp10rer
\nexp1or
\nexp1ore
\nexp1orer
\nexp1ror
\nexp20re
\nexpiorer
\nexpioror
\nexpl0rer
\nexplarar
\nexplarer
\nexpleror
\nexploe
\nexploer
\nexploere
\nexploerer
\nexploiter
\nexploner
\nexplope
\nexplor
\nexplora
\nexplore
\nexplored
\nexploree
\nexploreee
\nexploreff
\nexplorei
\nexplorep
\nexplorer1
\nexplorer32
\nexplorer64
\nexplorer66
\nexplorer_
\nexplorere
\nexplorerf
\nexplorerr
\nexplorerrr
\nexplorers
\nexplorerv
\nexplorerxx
\nexplorerz
\nexplores
\nexploret
\nexplorew
\nexploror
\nexplorr
\nexplorre
\nexplorrer
\nexplorxp
\nexplre3r
\nexplrer
\nexplroer
\nexpoler
\nexpolorer
\nexporer
\nexprer
\nexprlore
\nexproler
\nexqlorer
\nexsplorer
\nexxplorer
\nieioplore
\nieplore
\nieplorer
\niexeplore
\niexlorer
\niexlplore
\niexp1ore
\niexp1orer
\niexpiore
\niexpl0ra
\niexpl0re
\niexplare
\niexplarer
\niexplere
\niexpllzore
\niexplo
\niexploer
\niexploore
\niexplope
\niexplor
\niexplore32
\niexplorea
\niexplorei
\niexplorer
\niexplorer0
\niexplorer2
\niexplorer7
\niexplorers
\niexplores
\niexploresx
\niexploror
\niexplorrer
\niexplors
\niexplory
\niexplorz
\niexpore
\niiexplore
\niiexplorer
\ninexplore
\ninexplorer
\nintexplore
\nixplorer
\nlexpiore
\nlexpl1re
\nlexpl2re
\nlexpl3re
\nlexpl4re
\nlexpl5re
\nlexpl6re
\nlexpl7re
\nlexpl8re
\nlexpl9re
\nlexplare
\nlexplbre
\nlexplcre
\nlexpldre
\nlexplere
\nlexplfre
\nlexplgre
\nlexplhre
\nlexplire
\nlexpljre
\nlexplkre
\nlexpllre
\nlexplmre
\nlexplnre
\nlexplore
\nlexplore_
\nlexplorer
\nlexplors
\nlexplpre
\nlexplqre
\nlexplrre
\nlexplsre
\nlexpltre
\nlexplure
\nlexplvre
\nlexplwre
\nlexplxre
\nlexplyre
\nlexplzre
\nmsexplorer
\nnetplore
\nplorer
\nvbexplorer
\nwexplorer
\nwinexplore
\nxeplorer
\nxplore
\nxplorer
\nyyexplorer<\/p>\n

firefox.exe<\/strong><\/p>\n

5cfirefox
\n5irefox
\nf1ref0x
\nfire10fox
\nfiref0x
\nfirefly
\nfirefo
\nfirefox_
\nfirefox2
\nfirefox32
\nfirefoxe
\nfirefoxx
\nfirfox
\nirefox
\nrefox
\nwireox<\/p>\n

java.exe<\/strong><\/p>\n

jav3
\njava32
\njavaa
\njavaaa
\njavaap
\njavac
\njavacp
\njavag
\njavaii
\njavapw
\njavar
\njavare
\njavas
\njavas5
\njavasc
\njavase
\njavaup
\njavavm
\njavaw
\njavaws
\njavawz
\njavax
\njavo
\njavz<\/p>\n

lsass.exe<\/strong><\/p>\n

1sass
\niass
\nisaas
\nisas
\nisass
\nissass
\nlaass
\nlamss
\nlarss
\nlass
\nlassa
\nlasse
\nlasss
\nlcass
\nleass
\nlhssass
\nlrass
\nlrsss
\nlsa32
\nlsac
\nlsacs
\nlsaess
\nlsaoss
\nlsas
\nlsasa
\nlsasas
\nlsascs
\nlsase
\nlsasi
\nlsasm
\nlsaso
\nlsasrv
\nlsass3
\nlsass32
\nlsass47
\nlsassi
\nlsassn
\nlsasss
\nlsassv
\nlsassx
\nlsassys
\nlsats
\nlsmass
\nlsrss
\nlssas
\nlssass
\nmsass
\nnsrss
\nsalss<\/p>\n

svchost.exe<\/strong><\/p>\n

_sachost
\n_svch0st
\n_svchost
\n00svchost
\n0svchost
\nachost
\nchost
\ncvhost
\ncvshost
\nisvchosty
\nlsvchost
\nmscchost
\nmsvchost
\nntsvchost
\nrdchost
\ns_host
\nsach0st
\nsachost
\nsachostc
\nsachostp
\nsachostp
\nsachosts
\nsachosts
\nsachostw
\nsachostw
\nsachostx
\nsathost
\nsbhost
\nscanost
\nscchost
\nscchost
\nscchost2
\nscchostc
\nscchostc
\nscghost
\nschost
\nschost
\nschostc
\nschosts
\nschovst
\nschvost
\nscvchost
\nscvchusts
\nscvh0st
\nscvh0st
\nscvhost
\nscvhost
\nscvhosv
\nscvost
\nscvvhost
\nsdchost
\nsdhost
\nserhost
\nservehost
\nsethost
\nsevchos
\nsevhost
\nshchost
\nshhost
\nshost
\nshvchost
\nshvhost
\nsichost
\nslchost
\nslihost
\nsmsvchost
\nsnahost
\nsnhost
\nsnphost
\nsnvhost
\nsochost
\nsochvst
\nsoohost
\nspchost
\nsqlhost
\nsrchost
\nsrshost
\nsrvchost
\nsrvchost
\nsrvhost
\nsschost
\nsshost
\nssvch0st
\nssvchost
\nssvchost
\nssvichosst
\nst#host
\nstdhost
\nsuchost
\nsuchost
\nsuchostp
\nsuchostp
\nsuchosts
\nsuchosts
\nsv_host
\nsv\u00b1hest
\nsv0hoat
\nsv1host
\nsvahost
\nsvahost
\nsvcbost
\nsvcchost
\nsvcchost
\nsvcehost
\nsvcehost
\nsvcgest
\nsvcgh0st
\nsvcgoost
\nsvch0sat
\nsvch0sbt
\nsvch0set
\nsvch0sft
\nsvch0slt
\nsvch0smt
\nsvch0st
\nsvch0st
\nsvch0st_
\nsvch0sts
\nsvch7t
\nsvchaot
\nsvchast
\nsvchast
\nsvchcst
\nsvchcst
\nsvchest
\nsvchest
\nsvchhost
\nsvch\u00eest
\nsvchkost
\nsvcho
\nsvchobst
\nsvchoct
\nsvcholts
\nsvchon32
\nsvchoost
\nsvchoot
\nsvchort
\nsvchos
\nsvchos12
\nsvchosd
\nsvchosf
\nsvchosf
\nsvchosi
\nsvchosl
\nsvchoso
\nsvchosr
\nsvchoss
\nsvchosst
\nsvchost
\nsvchost
\nsvch\u00f6st
\nsvchost_
\nsvchost_cz
\nsvchost\u201d
\nsvchost0
\nsvchost1
\nsvchost10
\nsvchost16
\nsvchost2
\nsvchost2
\nsvchost3
\nsvchost3
\nsvchost31
\nsvchost32
\nsvchost32
\nsvchost4
\nsvchost5
\nsvchost6
\nsvchost64
\nsvchost64
\nsvchosta
\nsvchostbb
\nsvchostbd
\nsvchostbn
\nsvchostc
\nsvchostc32
\nsvchostcx
\nsvchostd
\nsvchostdll
\nsvchoste
\nsvchosted
\nsvchosti
\nsvchosting
\nsvchostit
\nsvchostl
\nsvchostms
\nsvchosto
\nsvchostr
\nsvchostre
\nsvchosts
\nsvchosts
\nsvchosts32
\nsvchostsr
\nsvchostss
\nsvchostt
\nsvchostt
\nsvchost\u00fe
\nsvchostun
\nsvchostv
\nsvchostv
\nsvchostxi
\nsvchostxi
\nsvchostxxx
\nsvchostz
\nsvchosv
\nsvchosy
\nsvchot
\nsvchoto
\nsvchots
\nsvchots
\nsvchott
\nsvchowb
\nsvchowt
\nsvchoxt
\nsvchoxt
\nsvchpst
\nsvchpst
\nsvchqs
\nsvchqst
\nsvchs0t
\nsvchsot
\nsvchsot
\nsvchsst
\nsvchssts
\nsvchst
\nsvchste
\nsvchsts
\nsvchtst
\nsvchust
\nsvchusts
\nsvcinit
\nsvcjhost
\nsvclost
\nsvcmost
\nsvcnost
\nsvcnost
\nsvcohst
\nsvcomst
\nsvcoost
\nsvcost
\nsvcpos
\nsvcroot
\nsvcroot
\nsvcshtost
\nsvcsoft
\nsvcsost
\nsvcst
\nsvctos
\nsvcxhost
\nsvdhost
\nsvdhost
\nsvdnost
\nsvehost
\nsvehost
\nsvgchost
\nsvggost
\nsvghost
\nsvghost
\nsvghosts
\nsvh0st
\nsvhcost
\nsvhest
\nsvhoct
\nsvhosit
\nsvhosr
\nsvhosst
\nsvhost
\nsvhost
\nsvhost1
\nsvhost2
\nsvhostc
\nsvhoste
\nsvhostr
\nsvhosts
\nsvhostt
\nsvhostu
\nsvhot
\nsvhst
\nsvhust
\nsvichosst
\nsvichost
\nsvlhost
\nsvnchost
\nsvnhost
\nsvohcst
\nsvohcst
\nsvohost
\nsvohost
\nsvohst
\nsvost
\nsvphost
\nsvphost
\nsvphostu
\nsvphostu
\nsvrhost
\nsvrhost
\nsvschost
\nsvschost
\nsvschosta
\nsvsh0st
\nsvsh0st
\nsvshoct
\nsvshost
\nsvshost
\nsvshosti
\nsvshosts
\nsvshot
\nsvuhost
\nsvvchcst
\nsvvchost
\nsvvghost
\nsvvhost
\nsvvhost
\nsvvhosti
\nsvwhost
\nsvxhos
\nsvxhost
\nswchost
\nswchost
\nswdhost
\nswhost
\nswhost
\nsxhost
\nsxhost
\nsychost
\nsynchost
\nsynchost
\nsynhost
\nsyschost
\nsyschost
\nsyshost
\nsyshost
\nszchostc
\nszchostc
\ntsvchost
\nusvchost
\nuvchost
\nvcchost
\nvchost
\nvhchost
\nvhost
\nvschost
\nvshost
\nvsschost
\nvxhost
\nwsvchost
\nwvchosd
\nxvshost
\nzvchost<\/p>\n

win.exe (and similar\/related names)<\/strong><\/p>\n

mswin
\nwin_
\nwin_5
\nwin00
\nwin01
\nwin07
\nwin08
\nwin09
\nwin1
\nwin10
\nwin11
\nwin16
\nwin2
\nwin22
\nwin23
\nwin3
\nwin30
\nwin32
\nwin39
\nwin4
\nwin42
\nwin44
\nwin45
\nwin5
\nwin54
\nwin55
\nwin62
\nwin64
\nwin7
\nwin76
\nwin77
\nwin8
\nwin91
\nwin96
\nwin98
\nwin9x
\nwina
\nwinad
\nwinar
\nwinav
\nwinb
\nwinc
\nwince
\nwind
\nwind3
\nwindf
\nwindm
\nwinds
\nwine
\nwinet
\nwinex
\nwinfc
\nwingb
\nwings
\nwingt
\nwinhd
\nwinhv
\nwini
\nwinit
\nwink
\nwinkl
\nwinl
\nwinlc
\nwinma
\nwinmm
\nwinmn
\nwinmx
\nwinn
\nwinn1
\nwinns
\nwinnt
\nwinny
\nwinog
\nwinok
\nwinos
\nwinow
\nwinp9
\nwinpc
\nwinr
\nwinra
\nwinrm
\nwinrr
\nwins
\nwins7
\nwinsh
\nwinsp
\nwinss
\nwinst
\nwint
\nwinu
\nwinud
\nwinup
\nwinvc
\nwinvr
\nwinw
\nwinwl
\nwinwn
\nwinws
\nwinx
\nwinxp
\nwinxv
\nwinz<\/p>\n

winlogon.exe<\/strong><\/p>\n

_winlogon
\ninlogon
\nnlogon
\nwgalogon
\nwimlogom
\nwin_logn
\nwin1ogo
\nwin1ogon
\nwin1ogons
\nwindlogon
\nwiniogon
\nwinl0g0n
\nwinl0gin
\nwinl0gon
\nwinlgon
\nwinligon
\nwinlngon
\nwinlog
\nwinlog056
\nwinlog0n
\nwinlog1
\nwinlogan
\nwinloge
\nwinlogen
\nwinloger
\nwinlogin
\nwinlogins
\nwinlogn
\nwinlogo
\nwinlogom
\nwinlogoms
\nwinlogon1
\nwinlogon3
\nwinlogon32
\nwinlogon6
\nwinlogon86
\nwinlogone
\nwinlogonl
\nwinlogonn
\nwinlogonpc
\nwinlogonr
\nwinlogons
\nwinlogor
\nwinlogr
\nwinlogs
\nwinlogun
\nwinlongon
\nwinlugan
\nwinslogin
\nwnilogon
\nwnlgon
\nwnlogin<\/p>\n","protected":false},"excerpt":{"rendered":"

In my old post I described a list of file names used by malware to impersonate svchost.exe. I thought I will re-visit this post today and provide some more file names that malware is using for impersonation of common file … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,39,19,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3430"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3430"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3430\/revisions"}],"predecessor-version":[{"id":3432,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3430\/revisions\/3432"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3430"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3430"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3430"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}