SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lodeinfo (Back to overview)

LODEINFO

There is no description at this point.

References
2021-02-18JPCERT/CCKota Kino
@online{kino:20210218:further:c4352ca, author = {Kota Kino}, title = {{Further Updates in LODEINFO Malware}}, date = {2021-02-18}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html}, language = {English}, urldate = {2021-02-18} } Further Updates in LODEINFO Malware
LODEINFO
2021-01-19Twitter (@jpcert_ac)JPCERT/CC
@online{jpcertcc:20210119:lodeinfo:3f1354c, author = {JPCERT/CC}, title = {{Tweet on LODEINFO ver 0.47 spotted ITW targeting Japan}}, date = {2021-01-19}, organization = {Twitter (@jpcert_ac)}, url = {https://twitter.com/jpcert_ac/status/1351355443730255872}, language = {Japanese}, urldate = {2021-01-21} } Tweet on LODEINFO ver 0.47 spotted ITW targeting Japan
LODEINFO
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-06-20Cyber And Ramen blogmsec1203
@online{msec1203:20200620:analysis:3279dbd, author = {msec1203}, title = {{Analysis of LODEINFO Maldoc}}, date = {2020-06-20}, organization = {Cyber And Ramen blog}, url = {https://www.cyberandramen.net/2020/06/analysis-of-lodeinfo-maldoc.html}, language = {English}, urldate = {2020-06-21} } Analysis of LODEINFO Maldoc
LODEINFO
2020-06-11JPCERT/CCKota Kino
@online{kino:20200611:lodeinfo:104e43a, author = {Kota Kino}, title = {{マルウエアLODEINFOの進化 (Evolution of Malware LODEINFO)}}, date = {2020-06-11}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html}, language = {Japanese}, urldate = {2020-06-12} } マルウエアLODEINFOの進化 (Evolution of Malware LODEINFO)
LODEINFO
2020-05-01Macnica NetworksTeamT5, Macnica Networks
@techreport{teamt5:20200501:cyber:70c9cbc, author = {TeamT5 and Macnica Networks}, title = {{Cyber Espionage Tradecraft in the Real World Adversaries targeting Japan in the second half of 2019}}, date = {2020-05-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf}, language = {English}, urldate = {2021-02-26} } Cyber Espionage Tradecraft in the Real World Adversaries targeting Japan in the second half of 2019
TSCookie LODEINFO
2020-02-20JPCERT/CCKota Kino
@online{kino:20200220:lodeinfo:9842ab1, author = {Kota Kino}, title = {{日本国内の組織を狙ったマルウエアLODEINFO}}, date = {2020-02-20}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html}, language = {Japanese}, urldate = {2020-02-27} } 日本国内の組織を狙ったマルウエアLODEINFO
LODEINFO
Yara Rules
[TLP:WHITE] win_lodeinfo_auto (20220411 | Detects win.lodeinfo.)
rule win_lodeinfo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.lodeinfo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lodeinfo"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 3bcf 72d9 e9???????? bf0f000000 897df8 e9???????? bf36000000 }
            // n = 7, score = 200
            //   3bcf                 | cmp                 ecx, edi
            //   72d9                 | jb                  0xffffffdb
            //   e9????????           |                     
            //   bf0f000000           | mov                 edi, 0xf
            //   897df8               | mov                 dword ptr [ebp - 8], edi
            //   e9????????           |                     
            //   bf36000000           | mov                 edi, 0x36

        $sequence_1 = { 0fb64703 c1e108 0bc8 03d1 894c2418 }
            // n = 5, score = 200
            //   0fb64703             | movzx               eax, byte ptr [edi + 3]
            //   c1e108               | shl                 ecx, 8
            //   0bc8                 | or                  ecx, eax
            //   03d1                 | add                 edx, ecx
            //   894c2418             | mov                 dword ptr [esp + 0x18], ecx

        $sequence_2 = { 50 e8???????? 83c404 ba???????? ff7608 51 b9???????? }
            // n = 7, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   ba????????           |                     
            //   ff7608               | push                dword ptr [esi + 8]
            //   51                   | push                ecx
            //   b9????????           |                     

        $sequence_3 = { 8ac3 b107 2407 03ff 2ac8 8bc3 c1e803 }
            // n = 7, score = 200
            //   8ac3                 | mov                 al, bl
            //   b107                 | mov                 cl, 7
            //   2407                 | and                 al, 7
            //   03ff                 | add                 edi, edi
            //   2ac8                 | sub                 cl, al
            //   8bc3                 | mov                 eax, ebx
            //   c1e803               | shr                 eax, 3

        $sequence_4 = { 0fb60f 0fb64701 c1e108 03c1 5f 89461c 894618 }
            // n = 7, score = 200
            //   0fb60f               | movzx               ecx, byte ptr [edi]
            //   0fb64701             | movzx               eax, byte ptr [edi + 1]
            //   c1e108               | shl                 ecx, 8
            //   03c1                 | add                 eax, ecx
            //   5f                   | pop                 edi
            //   89461c               | mov                 dword ptr [esi + 0x1c], eax
            //   894618               | mov                 dword ptr [esi + 0x18], eax

        $sequence_5 = { c7818800000000000000 c7819000000000000000 c781b400000000000000 c781bc00000000000000 c781c000000000000000 c781c400000000000000 660fd681cc000000 }
            // n = 7, score = 200
            //   c7818800000000000000     | mov    dword ptr [ecx + 0x88], 0
            //   c7819000000000000000     | mov    dword ptr [ecx + 0x90], 0
            //   c781b400000000000000     | mov    dword ptr [ecx + 0xb4], 0
            //   c781bc00000000000000     | mov    dword ptr [ecx + 0xbc], 0
            //   c781c000000000000000     | mov    dword ptr [ecx + 0xc0], 0
            //   c781c400000000000000     | mov    dword ptr [ecx + 0xc4], 0
            //   660fd681cc000000     | movq                qword ptr [ecx + 0xcc], xmm0

        $sequence_6 = { 895de8 8955e4 56 8b750c 57 83f804 }
            // n = 6, score = 200
            //   895de8               | mov                 dword ptr [ebp - 0x18], ebx
            //   8955e4               | mov                 dword ptr [ebp - 0x1c], edx
            //   56                   | push                esi
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   57                   | push                edi
            //   83f804               | cmp                 eax, 4

        $sequence_7 = { 8bcf 017e0c 8bc2 d3e8 894610 b801000000 }
            // n = 6, score = 200
            //   8bcf                 | mov                 ecx, edi
            //   017e0c               | add                 dword ptr [esi + 0xc], edi
            //   8bc2                 | mov                 eax, edx
            //   d3e8                 | shr                 eax, cl
            //   894610               | mov                 dword ptr [esi + 0x10], eax
            //   b801000000           | mov                 eax, 1

        $sequence_8 = { 880456 884c5601 e9???????? 83f802 752b 8b4db4 8bc1 }
            // n = 7, score = 200
            //   880456               | mov                 byte ptr [esi + edx*2], al
            //   884c5601             | mov                 byte ptr [esi + edx*2 + 1], cl
            //   e9????????           |                     
            //   83f802               | cmp                 eax, 2
            //   752b                 | jne                 0x2d
            //   8b4db4               | mov                 ecx, dword ptr [ebp - 0x4c]
            //   8bc1                 | mov                 eax, ecx

        $sequence_9 = { f7f7 884101 8801 8841ff 83c103 8b45f4 83ee01 }
            // n = 7, score = 200
            //   f7f7                 | div                 edi
            //   884101               | mov                 byte ptr [ecx + 1], al
            //   8801                 | mov                 byte ptr [ecx], al
            //   8841ff               | mov                 byte ptr [ecx - 1], al
            //   83c103               | add                 ecx, 3
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   83ee01               | sub                 esi, 1

    condition:
        7 of them and filesize < 712704
}
Download all Yara Rules