{
	"id": "c6a93b08-a89f-4432-8c95-7593e569ec53",
	"created_at": "2026-04-10T03:20:29.021174Z",
	"updated_at": "2026-04-10T13:13:07.082055Z",
	"deleted_at": null,
	"sha1_hash": "aa5f8429221b0b40242a8a07ff9ad5cef460bd3d",
	"title": "Revisiting The Bunitu Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 508378,
	"plain_text": "Revisiting The Bunitu Trojan\r\nBy hasherezade\r\nPublished: 2015-07-12 · Archived: 2026-04-10 02:13:20 UTC\r\nThis post describes the infection process of the latest version of the Bunitu Proxy Trojan as seen delivered by the Neutrino Exploit Kit via a malvertising campaign.\r\nWe will start from a high-level overview of the issue and the elements used. Then, we will dive deeper into the techniques used for hiding and obfuscating the modules.\r\nWhat is Bunitu Proxy and why is it dangerous?\r\nAs its name suggests, Bunitu Proxy is a Trojan that exposes the infected computer to be used as a proxy for remote clients. It is done in a few steps:\r\n1. Installs itself on the machine\r\n2. Opens ports for the remote connections\r\n3. Registers itself with the remote server (clients database), informing it about its address and open ports\r\n4. Accepts connections coming on the exposed ports and relays the traffic\r\nIt may have various consequences for the infected user. Basically, it uses his/her resources and slows down the network traffic. But it may also frame him/her in some illegal activities carried out by the attackers, due to the fact that the infected client’s IP is the one visible from the outside.\r\nRead more: Who’s Behind Your Proxy? Uncovering Bunitu’s Secrets\r\nHow is the infection carried out?\r\nBunitu has been dropped from various exploit kits. On June 10th 2015, as Websense Security Labs described in their post, it was dropped by the Angler Exploit Kit. This time, a similar payload is distributed by Neutrino EK.\r\nRole of Neutrino EK\r\nA malvertisement from Adcash (they have been notified and the problem is already fixed) redirected users to the Neutrino EK via a compromised site and rotator.\r\nThe screenshot below, from Fiddler Web Debugger, shows the chain of URLs on the way to dropping the malicious payload:\r\nhttps://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/\r\nPage 1 of 12\n\nThe rotator (.eu domain) does its job of switching to a new sub-domain every few minutes. This technique is often used to bypass blacklists because the malicious URLs are ‘moving targets’:\r\nAnd the landing page carried the exploit:\r\nAt this stage, users of Malwarebytes Anti-Exploit were protected – the product detected and stopped the malicious activity.\r\nBut if deployed on a vulnerable, unprotected machine, the infection followed further – the payload was dropped and deployed.\r\nPayload: Bunitu Proxy\r\nInfection symptoms\r\nLooking at the payload from the outside, we see just a typical installer (with an NSIS installer icon).\r\nIt pretends to be a legitimate piece of software – impersonating an existing product: ManyCam by Visicom Media.\r\nAfter dropping the malicious DLL (described in detail further on), the installer tries to run it. Then we witness the attempt to open the ports for incoming connections.\r\nWindows Firewall alerts about this attempt (it seems that at this level it relies on social engineering – only under Windows XP did it manage to suppress these messages to maintain stealth).\r\nAlso, after the successful setup, when the computer is restarted, the persistent module runs again – triggering a similar alert:\r\nIf we look at the details of the running process (rundll32), e.g. in Process Explorer, it reveals the module that has been loaded:\r\nand the open ports (chosen randomly at the time of installation):\r\nIf we keep it running for some time, we may even see the clients that connected via our unwanted proxy (in the case below, july1.exe was used as the name of the installer)\r\nTechnical details\r\nTo hide its real intentions, the installer uses several layers of protection. It takes several modules to run before the malicious DLL (serving as the proxy) is revealed. Let’s go deeper!\r\nFlow:\r\ninstaller.exe-\u003e unpacks and loads: lithiasis.dll, function: Avidness -\u003e decrypts and runs using R\r\ninstaller.exe\r\nUnpacks several files into %APPDATA%/Local/Temp/. It seems that not all of them play a role in unpacking the payload – some are dropped only to make “noise”:\r\n[random].tmp, e.g.: nsn4CB0.tmp\r\npictures\r\nscript (javascript, YUI module): index(5).php\r\ndalookerzmeoajrhja144\r\nUncryptedStub._ini\r\n[random].tmp/lithiasis.dll (e.g. nse474E.tmp/lithiasis.dll)\r\nThen, it loads the dropped module lithiasis.dll into memory and executes the function called – in the analyzed case – Avidness (responsible for further unpacking).\r\nlithiasis.dll, Avidness (real name of the module: __Intelerino.dll) – is unpacked and loaded by installer.exe – is obfuscated – uses files:\r\ndalookerzmeoajrhja144 – packed list of functions that are going to be loaded in order to do further unpacking\r\nUncryptedStub._ini – packed executable (I refer to it as: stub_unpacked.exe)\r\nKeys used to decrypt the files:\r\ndalookerzmeoajrhja144 – “dalookerzmeoajrhja144”\r\nUncryptedStub._ini – “9JKjPZSpEL8uHmkHNlXhwhDc9jRTGN”\r\nFiles are encrypted with obfuscated, custom XOR-based algorithms. For each file the algorithm used is slightly different. Below you can see sample Python scripts for decoding the files: Bunitu Proxy – decoding scripts (github)\r\n#1 Decrypting functions\r\n[code language=”python”]\r\ndef decode1(data, key, max_key):\r\n    l = len(key)\r\n    j = 0  # key index\r\n    decoded = bytearray()\r\n    for i in range(0, len(data)):\r\n        decoded.append(data[i] ^ key[j % l])\r\n        if (i \u003e 0):\r\n            j += 1\r\n        if (j == max_key):\r\n            j = 0\r\n    return decoded\r\n[/code]\r\n#2 Decrypting PE file\r\nresult – a new PE file (stub_unpacked.exe):\r\n[code language=”python”]\r\ndef decode2(data, key, max_key):\r\n    j = 0  # key index\r\n    prev_j = 0\r\n    decoded = bytearray()\r\n    for i in range(0, len(data)):\r\n        val = data[i] + prev_j\r\n        val = ((val ^ key[j]) ^ key[prev_j]) % 256\r\n        decoded.append(val)\r\n        prev_j = j\r\n        j = j + 1\r\n        if (j == max_key):\r\n            j = 0\r\n    return decoded\r\n[/code]\r\nAfter decrypting the new executable stub_unpacked.exe, it loads it into memory using the “RunPE” technique (unmaps installer.exe and loads the new PE section by section in its place).\r\nstub_unpacked.exe\r\nIts main role is to unpack from inside the “heart” of the malware: the module ynfucvu.dll. It also loads and deploys it. It makes the following registry keys (Winlogon Notify):\r\nThe key ‘zinkraxx’ is used to uniquely identify the installation. It is made by the following simple algorithm:\r\nIt uses RDTSC (an instruction that reads the time-stamp counter into EDX:EAX). Then part of the result (EAX) is processed and written into a buffer. This buffer is then stored in the registry. After unpacking the DLL it drops it in the %APPDATA%/Local folder:\r\nThen, it loads it into memory and enters the function ynfucvu of ynfucvu.dll – using JMP EAX:\r\nynfucvu.dll, ynfucvu\r\nThis is the Bunitu Proxy module – the malicious part of the full package. It is independent from the other modules. Once installed, it is loaded on system startup using rundll32.exe. The entry point is in the function ynfucvu.\r\nIt carries out all the network operations – registers the client on the server, opens ports and serves as a proxy.\r\nTechniques used by the Bunitu Proxy module haven’t changed much since June 10th, when it was described by Websense Security Labs. Even the XOR-ed value is exactly the same!\r\ncompare with the Websense analysis:\r\nThis module is only slightly obfuscated – e.g. the domains used to resolve the C\u0026Cs are given in plain text. Only their addresses are calculated on the fly – to make it difficult to find where they are referenced. As we see below, the address of the string is calculated on the stack (this DLL is always loaded at the same, predefined base – which makes calculating the addresses easy).\r\nIt is also responsible for creating the registry keys used for persistence and tries to be invisible to the firewall – by adding itself to the list of Authorized Applications (but the effectiveness of this varies depending on the version of Windows).\r\nAnalyzed sample\r\nOriginal sample (installer) md5=542f7b96990de6cd3b04b599c25ebe57 ; payload (ynfucvu.dll) md5=1bf287bf6cbe4d405983d1431c468de7\r\nConclusion\r\nIt seems that this malware is being actively distributed through various exploit kits. However, the mutation of the core is not so fast, as we see our sample is very similar to the one observed a month ago. Still, the packing used, composed of many layers, gave it the advantage of low detection rates in the early days after release.\r\nOn the other hand, the good news is that it’s not an entirely stealthy piece of malware (except on Windows XP), so a cautious user can notice some of the alarming symptoms.\r\nPart II: Who’s Behind Your Proxy? Uncovering Bunitu’s Secrets\r\nAbout the author\r\nUnpacks malware with as much joy as a kid unpacking candies.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/"
	],
	"report_names": [
		"revisiting-the-bunitu-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775791229,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa5f8429221b0b40242a8a07ff9ad5cef460bd3d.pdf",
		"text": "https://archive.orkl.eu/aa5f8429221b0b40242a8a07ff9ad5cef460bd3d.txt",
		"img": "https://archive.orkl.eu/aa5f8429221b0b40242a8a07ff9ad5cef460bd3d.jpg"
	}
}