SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lcpdot (Back to overview)

LCPDot

Actor(s): Lazarus Group


There is no description at this point.

References
2022-05-05NCC GroupMichael Matthews, Nikolaos Pantazopoulos
@online{matthews:20220505:north:22bd1ef, author = {Michael Matthews and Nikolaos Pantazopoulos}, title = {{North Korea’s Lazarus: their initial access trade-craft using social media and social engineering}}, date = {2022-05-05}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/05/05/north-koreas-lazarus-and-their-initial-access-trade-craft-using-social-media-and-social-engineering/}, language = {English}, urldate = {2022-05-05} } North Korea’s Lazarus: their initial access trade-craft using social media and social engineering
LCPDot
2022-03-31KasperskyGReAT
@online{great:20220331:lazarus:540b96e, author = {GReAT}, title = {{Lazarus Trojanized DeFi app for delivering malware}}, date = {2022-03-31}, organization = {Kaspersky}, url = {https://securelist.com/lazarus-trojanized-defi-app/106195/}, language = {English}, urldate = {2022-04-04} } Lazarus Trojanized DeFi app for delivering malware
LCPDot
2021-04-15AhnLabAhnLab ASEC Analysis Team
@techreport{team:20210415:operation:98f465e, author = {AhnLab ASEC Analysis Team}, title = {{Operation Dream Job Targeting Job Seekers in South Korea}}, date = {2021-04-15}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf}, language = {English}, urldate = {2021-05-25} } Operation Dream Job Targeting Job Seekers in South Korea
LCPDot Torisma
2021-01-26JPCERT/CCShusei Tomonaga
@online{tomonaga:20210126:operation:bc16746, author = {Shusei Tomonaga}, title = {{Operation Dream Job by Lazarus}}, date = {2021-01-26}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html}, language = {English}, urldate = {2021-01-27} } Operation Dream Job by Lazarus
LCPDot Torisma Lazarus Group
Yara Rules
[TLP:WHITE] win_lcpdot_auto (20230125 | Detects win.lcpdot.)
rule win_lcpdot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.lcpdot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lcpdot"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 418943c4 498943c8 488b19 488b7108 }
            // n = 4, score = 100
            //   418943c4             | xor                 edx, edx
            //   498943c8             | inc                 ecx
            //   488b19               | mov                 eax, 0x7fe
            //   488b7108             | xor                 edi, edi

        $sequence_1 = { 4863d1 488d0d36150100 488bc2 83e21f 48c1f805 486bd258 488b04c1 }
            // n = 7, score = 100
            //   4863d1               | mov                 edx, dword ptr [edi + 8]
            //   488d0d36150100       | dec                 eax
            //   488bc2               | mov                 ecx, edi
            //   83e21f               | dec                 eax
            //   48c1f805             | mov                 edx, 0x4bc6a7ee
            //   486bd258             | aaa                 
            //   488b04c1             | mov                 dword ptr [ecx], eax

        $sequence_2 = { 4885c0 7461 4c8938 bae8030000 b940000000 48897008 ff15???????? }
            // n = 7, score = 100
            //   4885c0               | lea                 edx, [0xa7dc]
            //   7461                 | dec                 eax
            //   4c8938               | mov                 ecx, esi
            //   bae8030000           | dec                 eax
            //   b940000000           | mov                 eax, esi
            //   48897008             | dec                 eax
            //   ff15????????         |                     

        $sequence_3 = { 488bd7 41b8e8030000 e8???????? 488b7540 4c8d442420 488b5608 }
            // n = 6, score = 100
            //   488bd7               | jne                 0x27a
            //   41b8e8030000         | inc                 ebx
            //   e8????????           |                     
            //   488b7540             | cmp                 ebx, 3
            //   4c8d442420           | jb                  0x216
            //   488b5608             | dec                 eax

        $sequence_4 = { 488b5720 48895018 448b4728 488d572c }
            // n = 4, score = 100
            //   488b5720             | dec                 eax
            //   48895018             | lea                 edi, [esp + 0x40]
            //   448b4728             | dec                 eax
            //   488d572c             | or                  ecx, 0xffffffff

        $sequence_5 = { 488d0d4fde0000 e8???????? 85c0 755a }
            // n = 4, score = 100
            //   488d0d4fde0000       | dec                 eax
            //   e8????????           |                     
            //   85c0                 | mov                 dword ptr [esp + 0x7a], eax
            //   755a                 | mov                 dword ptr [ebp - 0x7e], eax

        $sequence_6 = { 41837b1014 731c bb78000000 0f1f8000000000 b960ea0000 ff15???????? }
            // n = 6, score = 100
            //   41837b1014           | lea                 eax, [0x12edf]
            //   731c                 | jmp                 0xab9
            //   bb78000000           | dec                 eax
            //   0f1f8000000000       | add                 eax, 0x10
            //   b960ea0000           | dec                 eax
            //   ff15????????         |                     

        $sequence_7 = { 4881c4c0100000 415c 5f 5e }
            // n = 4, score = 100
            //   4881c4c0100000       | inc                 esp
            //   415c                 | lea                 eax, [edx + 0x10]
            //   5f                   | je                  0x101
            //   5e                   | mov                 ecx, 0x1f4

        $sequence_8 = { 498bce 4903d5 e8???????? 85c0 }
            // n = 4, score = 100
            //   498bce               | mov                 eax, dword ptr [ebx + 0x40]
            //   4903d5               | dec                 eax
            //   e8????????           |                     
            //   85c0                 | mov                 dword ptr [eax + 8], eax

        $sequence_9 = { 4883c9ff 33c0 488d7b3c 66f2af 48f7d1 39832c040000 7517 }
            // n = 7, score = 100
            //   4883c9ff             | dec                 eax
            //   33c0                 | mov                 ecx, dword ptr [esp + 0x30]
            //   488d7b3c             | dec                 eax
            //   66f2af               | test                ecx, ecx
            //   48f7d1               | dec                 eax
            //   39832c040000         | mov                 ebx, dword ptr [esp + 0x470]
            //   7517                 | dec                 eax

    condition:
        7 of them and filesize < 257024
}
Download all Yara Rules