win.lodeinfo

LODEINFO

Actor(s): MirrorFace

There is no description at this point.

References
2024-11-19 | Trend Micro | Trend Micro
Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
Tagged: Cobalt Strike, LODEINFO, NOOPDOOR, MirrorFace

2024-07-16 | JPCERT/CC | Shusei Tomonaga
MirrorFace Attack against Japanese Organisations
Tagged: LODEINFO, NOOPDOOR

2024-05-01 | Macnica | Macnica Networks
The Reality of Targeted Attacks and Countermeasures: Trends in Cyber Espionage (Targeted Attacks) Targeting Japan FY2023
Tagged: LODEINFO, NOOPDOOR

2024-02-29 | YouTube (Kaspersky Tech) | Suguru Ishimaru
Unleashing the Secrets: A Full Analysis for the Complex LODEINFO v0.7.1
Tagged: LODEINFO

2024-01-26 | Trendmicro | Hara Hiroaki, Masaoki Shoji, Nick Dai, Vickie Su, Yuka Higashi
Spot the Difference: An Analysis of the New LODEINFO Campaign by Earth Kasha
Tagged: Anel, Cobalt Strike, LODEINFO, NOOPDOOR

2024-01-24 | ITOCHU | ITOCHU Cyber & Intelligence Inc.
The Endless Struggle Against APT10: Insights from LODEINFO v0.6.6 - v0.7.3 Analysis
Tagged: LODEINFO

2023-10-26 | ESET Research | ESET Research
ESET APT Activity Report Q2–Q3 2023
Tagged: SimpleTea, LODEINFO

2023-01-25 | N.F.Laboratories Inc. | Daisuke Saika, Hiroki Kubokawa, Ryo Minakawa
Fighting to LODEINFO Investigation for Continuous Cyberespionage Based on Open Source
Tagged: LODEINFO

2022-12-14 | ESET Research | Dominik Breitenbacher
Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities
Tagged: LODEINFO, MirrorFace

2022-10-31 | Kaspersky Labs | Suguru Ishimaru
APT10: Tracking down LODEINFO 2022, part I
Tagged: LODEINFO

2022-10-31 | Kaspersky Labs | Suguru Ishimaru
APT10: Tracking down LODEINFO 2022, part II
Tagged: LODEINFO

2021-02-18 | JPCERT/CC | Kota Kino
Further Updates in LODEINFO Malware
Tagged: LODEINFO

2021-01-19 | Twitter (@jpcert_ac) | JPCERT/CC
Tweet on LODEINFO ver 0.47 spotted ITW targeting Japan
Tagged: LODEINFO

2020-11-03 | Kaspersky Labs | GReAT
APT trends report Q3 2020
Tagged: WellMail, EVILNUM, Janicab, Poet RAT, AsyncRAT, Ave Maria, Cobalt Strike, Crimson RAT, CROSSWALK, Dtrack, LODEINFO, MoriAgent, Okrum, PlugX, POISONPLUG, Rover, ShadowPad, SoreFang, Winnti

2020-06-20 | Cyber And Ramen blog | msec1203
Analysis of LODEINFO Maldoc
Tagged: LODEINFO

2020-06-11 | JPCERT/CC | Kota Kino
Evolution of the LODEINFO Malware (マルウエアLODEINFOの進化)
Tagged: LODEINFO

2020-05-01 | Macnica Networks | Macnica Networks, TeamT5
Cyber Espionage Tradecraft in the Real World: Adversaries targeting Japan in the second half of 2019
Tagged: TSCookie, LODEINFO

2020-02-27 | JPCERT/CC | Kota Kino
Malware "LODEINFO" Targeting Japan
Tagged: LODEINFO

2020-02-20 | JPCERT/CC | Kota Kino
Malware LODEINFO Targeting Organisations in Japan (日本国内の組織を狙ったマルウエアLODEINFO)
Tagged: LODEINFO
Yara Rules
[TLP:WHITE] win_lodeinfo_auto (20260504 | Detects win.lodeinfo.)
rule win_lodeinfo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.lodeinfo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lodeinfo"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 23c7 03d8 895de4 8b7d0c 8bcf 8b5604 }
            // n = 6, score = 200
            //   23c7                 | and                 eax, edi
            //   03d8                 | add                 ebx, eax
            //   895de4               | mov                 dword ptr [ebp - 0x1c], ebx
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   8bcf                 | mov                 ecx, edi
            //   8b5604               | mov                 edx, dword ptr [esi + 4]

        $sequence_1 = { 2bc2 8945bc b801000000 2bc2 894dc0 }
            // n = 5, score = 200
            //   2bc2                 | sub                 eax, edx
            //   8945bc               | mov                 dword ptr [ebp - 0x44], eax
            //   b801000000           | mov                 eax, 1
            //   2bc2                 | sub                 eax, edx
            //   894dc0               | mov                 dword ptr [ebp - 0x40], ecx

        $sequence_2 = { 56 e8???????? 5e 5f 5b 8be5 5d }
            // n = 7, score = 200
            //   56                   | push                esi
            //   e8????????           |                     
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_3 = { eb43 bf34000000 eb3c b91f000000 3bc8 1bff 83e7fe }
            // n = 7, score = 200
            //   eb43                 | jmp                 0x45
            //   bf34000000           | mov                 edi, 0x34
            //   eb3c                 | jmp                 0x3e
            //   b91f000000           | mov                 ecx, 0x1f
            //   3bc8                 | cmp                 ecx, eax
            //   1bff                 | sbb                 edi, edi
            //   83e7fe               | and                 edi, 0xfffffffe

        $sequence_4 = { 7533 837d0802 740a 5f 5e b81e000000 5b }
            // n = 7, score = 200
            //   7533                 | jne                 0x35
            //   837d0802             | cmp                 dword ptr [ebp + 8], 2
            //   740a                 | je                  0xc
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   b81e000000           | mov                 eax, 0x1e
            //   5b                   | pop                 ebx

        $sequence_5 = { 8955e4 81faff000000 7756 8b55f8 8b4308 8b3a 47 }
            // n = 7, score = 200
            //   8955e4               | mov                 dword ptr [ebp - 0x1c], edx
            //   81faff000000         | cmp                 edx, 0xff
            //   7756                 | ja                  0x58
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8b4308               | mov                 eax, dword ptr [ebx + 8]
            //   8b3a                 | mov                 edi, dword ptr [edx]
            //   47                   | inc                 edi

        $sequence_6 = { 897dec eb08 8d047f d1e8 8945ec 50 ff75f0 }
            // n = 7, score = 200
            //   897dec               | mov                 dword ptr [ebp - 0x14], edi
            //   eb08                 | jmp                 0xa
            //   8d047f               | lea                 eax, [edi + edi*2]
            //   d1e8                 | shr                 eax, 1
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   50                   | push                eax
            //   ff75f0               | push                dword ptr [ebp - 0x10]

        $sequence_7 = { 7509 8b55a0 47 3b7d94 75bb 8b45a4 833803 }
            // n = 7, score = 200
            //   7509                 | jne                 0xb
            //   8b55a0               | mov                 edx, dword ptr [ebp - 0x60]
            //   47                   | inc                 edi
            //   3b7d94               | cmp                 edi, dword ptr [ebp - 0x6c]
            //   75bb                 | jne                 0xffffffbd
            //   8b45a4               | mov                 eax, dword ptr [ebp - 0x5c]
            //   833803               | cmp                 dword ptr [eax], 3

        $sequence_8 = { 7528 0fb64d0f 0fb642ff c1e108 03c8 3b4b18 7516 }
            // n = 7, score = 200
            //   7528                 | jne                 0x2a
            //   0fb64d0f             | movzx               ecx, byte ptr [ebp + 0xf]
            //   0fb642ff             | movzx               eax, byte ptr [edx - 1]
            //   c1e108               | shl                 ecx, 8
            //   03c8                 | add                 ecx, eax
            //   3b4b18               | cmp                 ecx, dword ptr [ebx + 0x18]
            //   7516                 | jne                 0x18

        $sequence_9 = { 8d5dbc 837dd010 0f435dbc 8a03 3c7f 0f8495000000 0f1f4000 }
            // n = 7, score = 200
            //   8d5dbc               | lea                 ebx, [ebp - 0x44]
            //   837dd010             | cmp                 dword ptr [ebp - 0x30], 0x10
            //   0f435dbc             | cmovae              ebx, dword ptr [ebp - 0x44]
            //   8a03                 | mov                 al, byte ptr [ebx]
            //   3c7f                 | cmp                 al, 0x7f
            //   0f8495000000         | je                  0x9b
            //   0f1f4000             | nop                 dword ptr [eax]

    condition:
        7 of them and filesize < 712704
}