SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lodeinfo (Back to overview)

LODEINFO


There is no description at this point.

References
2022-12-14ESET ResearchDominik Breitenbacher
@online{breitenbacher:20221214:unmasking:a20b445, author = {Dominik Breitenbacher}, title = {{Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities}}, date = {2022-12-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/}, language = {English}, urldate = {2022-12-20} } Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities
LODEINFO
2022-10-31Kaspersky LabsSuguru Ishimaru
@online{ishimaru:20221031:apt10:c9040fd, author = {Suguru Ishimaru}, title = {{APT10: Tracking down LODEINFO 2022, part II}}, date = {2022-10-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/}, language = {English}, urldate = {2022-12-29} } APT10: Tracking down LODEINFO 2022, part II
LODEINFO
2022-10-31Kaspersky LabsSuguru Ishimaru
@online{ishimaru:20221031:apt10:d6c1888, author = {Suguru Ishimaru}, title = {{APT10: Tracking down LODEINFO 2022, part I}}, date = {2022-10-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/}, language = {English}, urldate = {2022-12-29} } APT10: Tracking down LODEINFO 2022, part I
LODEINFO
2021-02-18JPCERT/CCKota Kino
@online{kino:20210218:further:c4352ca, author = {Kota Kino}, title = {{Further Updates in LODEINFO Malware}}, date = {2021-02-18}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html}, language = {English}, urldate = {2021-02-18} } Further Updates in LODEINFO Malware
LODEINFO
2021-01-19Twitter (@jpcert_ac)JPCERT/CC
@online{jpcertcc:20210119:lodeinfo:3f1354c, author = {JPCERT/CC}, title = {{Tweet on LODEINFO ver 0.47 spotted ITW targeting Japan}}, date = {2021-01-19}, organization = {Twitter (@jpcert_ac)}, url = {https://twitter.com/jpcert_ac/status/1351355443730255872}, language = {Japanese}, urldate = {2021-01-21} } Tweet on LODEINFO ver 0.47 spotted ITW targeting Japan
LODEINFO
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-06-20Cyber And Ramen blogmsec1203
@online{msec1203:20200620:analysis:3279dbd, author = {msec1203}, title = {{Analysis of LODEINFO Maldoc}}, date = {2020-06-20}, organization = {Cyber And Ramen blog}, url = {https://www.cyberandramen.net/2020/06/analysis-of-lodeinfo-maldoc.html}, language = {English}, urldate = {2020-06-21} } Analysis of LODEINFO Maldoc
LODEINFO
2020-06-11JPCERT/CCKota Kino
@online{kino:20200611:lodeinfo:104e43a, author = {Kota Kino}, title = {{マルウエアLODEINFOの進化 (Evolution of Malware LODEINFO)}}, date = {2020-06-11}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html}, language = {Japanese}, urldate = {2020-06-12} } マルウエアLODEINFOの進化 (Evolution of Malware LODEINFO)
LODEINFO
2020-05-01Macnica NetworksTeamT5, Macnica Networks
@techreport{teamt5:20200501:cyber:70c9cbc, author = {TeamT5 and Macnica Networks}, title = {{Cyber Espionage Tradecraft in the Real World Adversaries targeting Japan in the second half of 2019}}, date = {2020-05-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf}, language = {English}, urldate = {2021-02-26} } Cyber Espionage Tradecraft in the Real World Adversaries targeting Japan in the second half of 2019
TSCookie LODEINFO
2020-02-27JPCERT/CCKota Kino
@online{kino:20200227:malware:a3da71c, author = {Kota Kino}, title = {{Malware “LODEINFO” Targeting Japan}}, date = {2020-02-27}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/02/malware-lodeinfo-targeting-japan.html}, language = {English}, urldate = {2022-12-20} } Malware “LODEINFO” Targeting Japan
LODEINFO
2020-02-20JPCERT/CCKota Kino
@online{kino:20200220:lodeinfo:9842ab1, author = {Kota Kino}, title = {{日本国内の組織を狙ったマルウエアLODEINFO}}, date = {2020-02-20}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html}, language = {Japanese}, urldate = {2020-02-27} } 日本国内の組織を狙ったマルウエアLODEINFO
LODEINFO
Yara Rules
[TLP:WHITE] win_lodeinfo_auto (20230715 | Detects win.lodeinfo.)
rule win_lodeinfo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.lodeinfo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lodeinfo"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b01 8b4024 ffd0 3b45cc 7557 85d2 7553 }
            // n = 7, score = 200
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   8b4024               | mov                 eax, dword ptr [eax + 0x24]
            //   ffd0                 | call                eax
            //   3b45cc               | cmp                 eax, dword ptr [ebp - 0x34]
            //   7557                 | jne                 0x59
            //   85d2                 | test                edx, edx
            //   7553                 | jne                 0x55

        $sequence_1 = { c745d000000000 03c7 3bc1 0f825a040000 3b4608 0f8751040000 }
            // n = 6, score = 200
            //   c745d000000000       | mov                 dword ptr [ebp - 0x30], 0
            //   03c7                 | add                 eax, edi
            //   3bc1                 | cmp                 eax, ecx
            //   0f825a040000         | jb                  0x460
            //   3b4608               | cmp                 eax, dword ptr [esi + 8]
            //   0f8751040000         | ja                  0x457

        $sequence_2 = { 03c1 0faf8544ffffff 03f0 8d4703 c1e802 8d8b98000000 898544ffffff }
            // n = 7, score = 200
            //   03c1                 | add                 eax, ecx
            //   0faf8544ffffff       | imul                eax, dword ptr [ebp - 0xbc]
            //   03f0                 | add                 esi, eax
            //   8d4703               | lea                 eax, [edi + 3]
            //   c1e802               | shr                 eax, 2
            //   8d8b98000000         | lea                 ecx, [ebx + 0x98]
            //   898544ffffff         | mov                 dword ptr [ebp - 0xbc], eax

        $sequence_3 = { 50 0fb64702 b9???????? 50 0fb64701 50 0fb607 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   0fb64702             | movzx               eax, byte ptr [edi + 2]
            //   b9????????           |                     
            //   50                   | push                eax
            //   0fb64701             | movzx               eax, byte ptr [edi + 1]
            //   50                   | push                eax
            //   0fb607               | movzx               eax, byte ptr [edi]

        $sequence_4 = { 8bc1 c1e903 83e007 0fafca 0fafc2 83c007 c1e803 }
            // n = 7, score = 200
            //   8bc1                 | mov                 eax, ecx
            //   c1e903               | shr                 ecx, 3
            //   83e007               | and                 eax, 7
            //   0fafca               | imul                ecx, edx
            //   0fafc2               | imul                eax, edx
            //   83c007               | add                 eax, 7
            //   c1e803               | shr                 eax, 3

        $sequence_5 = { 8955e4 81faff000000 7756 8b55f8 8b4308 8b3a 47 }
            // n = 7, score = 200
            //   8955e4               | mov                 dword ptr [ebp - 0x1c], edx
            //   81faff000000         | cmp                 edx, 0xff
            //   7756                 | ja                  0x58
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8b4308               | mov                 eax, dword ptr [ebx + 8]
            //   8b3a                 | mov                 edi, dword ptr [edx]
            //   47                   | inc                 edi

        $sequence_6 = { 8b4d08 8b45ec 3b4514 0f8404010000 8d3c18 894dd8 2955d8 }
            // n = 7, score = 200
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   3b4514               | cmp                 eax, dword ptr [ebp + 0x14]
            //   0f8404010000         | je                  0x10a
            //   8d3c18               | lea                 edi, [eax + ebx]
            //   894dd8               | mov                 dword ptr [ebp - 0x28], ecx
            //   2955d8               | sub                 dword ptr [ebp - 0x28], edx

        $sequence_7 = { 8b55ec 52 e8???????? 83c404 c745f800000000 c745f400000000 ff75f0 }
            // n = 7, score = 200
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   c745f400000000       | mov                 dword ptr [ebp - 0xc], 0
            //   ff75f0               | push                dword ptr [ebp - 0x10]

        $sequence_8 = { 0fb65204 c1e218 d3e2 0bd3 8b5de4 eb68 c7461000000000 }
            // n = 7, score = 200
            //   0fb65204             | movzx               edx, byte ptr [edx + 4]
            //   c1e218               | shl                 edx, 0x18
            //   d3e2                 | shl                 edx, cl
            //   0bd3                 | or                  edx, ebx
            //   8b5de4               | mov                 ebx, dword ptr [ebp - 0x1c]
            //   eb68                 | jmp                 0x6a
            //   c7461000000000       | mov                 dword ptr [esi + 0x10], 0

        $sequence_9 = { c745c000000000 c745cc00000000 8d0479 c745d000000000 03c7 3bc1 0f825a040000 }
            // n = 7, score = 200
            //   c745c000000000       | mov                 dword ptr [ebp - 0x40], 0
            //   c745cc00000000       | mov                 dword ptr [ebp - 0x34], 0
            //   8d0479               | lea                 eax, [ecx + edi*2]
            //   c745d000000000       | mov                 dword ptr [ebp - 0x30], 0
            //   03c7                 | add                 eax, edi
            //   3bc1                 | cmp                 eax, ecx
            //   0f825a040000         | jb                  0x460

    condition:
        7 of them and filesize < 712704
}
Download all Yara Rules