SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lodeinfo (Back to overview)

LODEINFO

There is no description at this point.

References
2022-12-14ESET ResearchDominik Breitenbacher
@online{breitenbacher:20221214:unmasking:a20b445, author = {Dominik Breitenbacher}, title = {{Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities}}, date = {2022-12-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/}, language = {English}, urldate = {2022-12-20} } Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities
LODEINFO
2022-10-31Kaspersky LabsSuguru Ishimaru
@online{ishimaru:20221031:apt10:c9040fd, author = {Suguru Ishimaru}, title = {{APT10: Tracking down LODEINFO 2022, part II}}, date = {2022-10-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/}, language = {English}, urldate = {2022-12-29} } APT10: Tracking down LODEINFO 2022, part II
LODEINFO
2022-10-31Kaspersky LabsSuguru Ishimaru
@online{ishimaru:20221031:apt10:d6c1888, author = {Suguru Ishimaru}, title = {{APT10: Tracking down LODEINFO 2022, part I}}, date = {2022-10-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/}, language = {English}, urldate = {2022-12-29} } APT10: Tracking down LODEINFO 2022, part I
LODEINFO
2021-02-18JPCERT/CCKota Kino
@online{kino:20210218:further:c4352ca, author = {Kota Kino}, title = {{Further Updates in LODEINFO Malware}}, date = {2021-02-18}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html}, language = {English}, urldate = {2021-02-18} } Further Updates in LODEINFO Malware
LODEINFO
2021-01-19Twitter (@jpcert_ac)JPCERT/CC
@online{jpcertcc:20210119:lodeinfo:3f1354c, author = {JPCERT/CC}, title = {{Tweet on LODEINFO ver 0.47 spotted ITW targeting Japan}}, date = {2021-01-19}, organization = {Twitter (@jpcert_ac)}, url = {https://twitter.com/jpcert_ac/status/1351355443730255872}, language = {Japanese}, urldate = {2021-01-21} } Tweet on LODEINFO ver 0.47 spotted ITW targeting Japan
LODEINFO
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-06-20Cyber And Ramen blogmsec1203
@online{msec1203:20200620:analysis:3279dbd, author = {msec1203}, title = {{Analysis of LODEINFO Maldoc}}, date = {2020-06-20}, organization = {Cyber And Ramen blog}, url = {https://www.cyberandramen.net/2020/06/analysis-of-lodeinfo-maldoc.html}, language = {English}, urldate = {2020-06-21} } Analysis of LODEINFO Maldoc
LODEINFO
2020-06-11JPCERT/CCKota Kino
@online{kino:20200611:lodeinfo:104e43a, author = {Kota Kino}, title = {{マルウエアLODEINFOの進化 (Evolution of Malware LODEINFO)}}, date = {2020-06-11}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html}, language = {Japanese}, urldate = {2020-06-12} } マルウエアLODEINFOの進化 (Evolution of Malware LODEINFO)
LODEINFO
2020-05-01Macnica NetworksTeamT5, Macnica Networks
@techreport{teamt5:20200501:cyber:70c9cbc, author = {TeamT5 and Macnica Networks}, title = {{Cyber Espionage Tradecraft in the Real World Adversaries targeting Japan in the second half of 2019}}, date = {2020-05-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf}, language = {English}, urldate = {2021-02-26} } Cyber Espionage Tradecraft in the Real World Adversaries targeting Japan in the second half of 2019
TSCookie LODEINFO
2020-02-27JPCERT/CCKota Kino
@online{kino:20200227:malware:a3da71c, author = {Kota Kino}, title = {{Malware “LODEINFO” Targeting Japan}}, date = {2020-02-27}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/02/malware-lodeinfo-targeting-japan.html}, language = {English}, urldate = {2022-12-20} } Malware “LODEINFO” Targeting Japan
LODEINFO
2020-02-20JPCERT/CCKota Kino
@online{kino:20200220:lodeinfo:9842ab1, author = {Kota Kino}, title = {{日本国内の組織を狙ったマルウエアLODEINFO}}, date = {2020-02-20}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html}, language = {Japanese}, urldate = {2020-02-27} } 日本国内の組織を狙ったマルウエアLODEINFO
LODEINFO
Yara Rules
[TLP:WHITE] win_lodeinfo_auto (20230407 | Detects win.lodeinfo.)
rule win_lodeinfo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.lodeinfo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lodeinfo"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d7210 83e0c0 8bd3 8b5de4 8945dc 8b4508 2bd8 }
            // n = 7, score = 200
            //   8d7210               | lea                 esi, [edx + 0x10]
            //   83e0c0               | and                 eax, 0xffffffc0
            //   8bd3                 | mov                 edx, ebx
            //   8b5de4               | mov                 ebx, dword ptr [ebp - 0x1c]
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   2bd8                 | sub                 ebx, eax

        $sequence_1 = { e8???????? 50 e8???????? 83c404 ba???????? ff7664 51 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   ba????????           |                     
            //   ff7664               | push                dword ptr [esi + 0x64]
            //   51                   | push                ecx

        $sequence_2 = { ff75bc e8???????? ff75c0 e8???????? ff75cc e8???????? }
            // n = 6, score = 200
            //   ff75bc               | push                dword ptr [ebp - 0x44]
            //   e8????????           |                     
            //   ff75c0               | push                dword ptr [ebp - 0x40]
            //   e8????????           |                     
            //   ff75cc               | push                dword ptr [ebp - 0x34]
            //   e8????????           |                     

        $sequence_3 = { 8b4e50 8b5648 894491fc 8b4d0c e8???????? 8b4e54 8b5648 }
            // n = 7, score = 200
            //   8b4e50               | mov                 ecx, dword ptr [esi + 0x50]
            //   8b5648               | mov                 edx, dword ptr [esi + 0x48]
            //   894491fc             | mov                 dword ptr [ecx + edx*4 - 4], eax
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   e8????????           |                     
            //   8b4e54               | mov                 ecx, dword ptr [esi + 0x54]
            //   8b5648               | mov                 edx, dword ptr [esi + 0x48]

        $sequence_4 = { ba01000000 d3e2 89559c 8b55b4 894da8 85d2 7554 }
            // n = 7, score = 200
            //   ba01000000           | mov                 edx, 1
            //   d3e2                 | shl                 edx, cl
            //   89559c               | mov                 dword ptr [ebp - 0x64], edx
            //   8b55b4               | mov                 edx, dword ptr [ebp - 0x4c]
            //   894da8               | mov                 dword ptr [ebp - 0x58], ecx
            //   85d2                 | test                edx, edx
            //   7554                 | jne                 0x56

        $sequence_5 = { 8b06 0fb67c0801 c1e708 0b7de4 897e10 8d4102 3bc2 }
            // n = 7, score = 200
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   0fb67c0801           | movzx               edi, byte ptr [eax + ecx + 1]
            //   c1e708               | shl                 edi, 8
            //   0b7de4               | or                  edi, dword ptr [ebp - 0x1c]
            //   897e10               | mov                 dword ptr [esi + 0x10], edi
            //   8d4102               | lea                 eax, [ecx + 2]
            //   3bc2                 | cmp                 eax, edx

        $sequence_6 = { 7528 0fb64d0f 0fb642ff c1e108 03c8 3b4b18 7516 }
            // n = 7, score = 200
            //   7528                 | jne                 0x2a
            //   0fb64d0f             | movzx               ecx, byte ptr [ebp + 0xf]
            //   0fb642ff             | movzx               eax, byte ptr [edx - 1]
            //   c1e108               | shl                 ecx, 8
            //   03c8                 | add                 ecx, eax
            //   3b4b18               | cmp                 ecx, dword ptr [ebx + 0x18]
            //   7516                 | jne                 0x18

        $sequence_7 = { 8806 33c0 5e 5b 8be5 5d }
            // n = 6, score = 200
            //   8806                 | mov                 byte ptr [esi], al
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_8 = { 5f 5e 5b 894491fc 33c0 8be5 5d }
            // n = 7, score = 200
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   894491fc             | mov                 dword ptr [ecx + edx*4 - 4], eax
            //   33c0                 | xor                 eax, eax
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_9 = { 85c0 0f85ea000000 8b5604 83fa08 7527 837e1000 }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   0f85ea000000         | jne                 0xf0
            //   8b5604               | mov                 edx, dword ptr [esi + 4]
            //   83fa08               | cmp                 edx, 8
            //   7527                 | jne                 0x29
            //   837e1000             | cmp                 dword ptr [esi + 0x10], 0

    condition:
        7 of them and filesize < 712704
}
Download all Yara Rules