SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lodeinfo (Back to overview)

LODEINFO


There is no description at this point.

References
2021-02-18JPCERT/CCKota Kino
@online{kino:20210218:further:c4352ca, author = {Kota Kino}, title = {{Further Updates in LODEINFO Malware}}, date = {2021-02-18}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html}, language = {English}, urldate = {2021-02-18} } Further Updates in LODEINFO Malware
LODEINFO
2021-01-19Twitter (@jpcert_ac)JPCERT/CC
@online{jpcertcc:20210119:lodeinfo:3f1354c, author = {JPCERT/CC}, title = {{Tweet on LODEINFO ver 0.47 spotted ITW targeting Japan}}, date = {2021-01-19}, organization = {Twitter (@jpcert_ac)}, url = {https://twitter.com/jpcert_ac/status/1351355443730255872}, language = {Japanese}, urldate = {2021-01-21} } Tweet on LODEINFO ver 0.47 spotted ITW targeting Japan
LODEINFO
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-06-20Cyber And Ramen blogmsec1203
@online{msec1203:20200620:analysis:3279dbd, author = {msec1203}, title = {{Analysis of LODEINFO Maldoc}}, date = {2020-06-20}, organization = {Cyber And Ramen blog}, url = {https://www.cyberandramen.net/2020/06/analysis-of-lodeinfo-maldoc.html}, language = {English}, urldate = {2020-06-21} } Analysis of LODEINFO Maldoc
LODEINFO
2020-06-11JPCERT/CCKota Kino
@online{kino:20200611:lodeinfo:104e43a, author = {Kota Kino}, title = {{マルウエアLODEINFOの進化 (Evolution of Malware LODEINFO)}}, date = {2020-06-11}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html}, language = {Japanese}, urldate = {2020-06-12} } マルウエアLODEINFOの進化 (Evolution of Malware LODEINFO)
LODEINFO
2020-05-01Macnica NetworksTeamT5, Macnica Networks
@techreport{teamt5:20200501:cyber:70c9cbc, author = {TeamT5 and Macnica Networks}, title = {{Cyber Espionage Tradecraft in the Real World Adversaries targeting Japan in the second half of 2019}}, date = {2020-05-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf}, language = {English}, urldate = {2021-02-26} } Cyber Espionage Tradecraft in the Real World Adversaries targeting Japan in the second half of 2019
TSCookie LODEINFO
2020-02-20JPCERT/CCKota Kino
@online{kino:20200220:lodeinfo:9842ab1, author = {Kota Kino}, title = {{日本国内の組織を狙ったマルウエアLODEINFO}}, date = {2020-02-20}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html}, language = {Japanese}, urldate = {2020-02-27} } 日本国内の組織を狙ったマルウエアLODEINFO
LODEINFO
Yara Rules
[TLP:WHITE] win_lodeinfo_auto (20210616 | Detects win.lodeinfo.)
rule win_lodeinfo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.lodeinfo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lodeinfo"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b7d0c 8b45ec 807c300100 7416 b848000000 }
            // n = 5, score = 200
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   807c300100           | cmp                 byte ptr [eax + esi + 1], 0
            //   7416                 | je                  0x18
            //   b848000000           | mov                 eax, 0x48

        $sequence_1 = { 83c404 ba???????? 56 51 b9???????? e8???????? 83c404 }
            // n = 7, score = 200
            //   83c404               | add                 esp, 4
            //   ba????????           |                     
            //   56                   | push                esi
            //   51                   | push                ecx
            //   b9????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_2 = { 740a 83fa04 7405 83fa08 ebe4 33c0 c3 }
            // n = 7, score = 200
            //   740a                 | je                  0xc
            //   83fa04               | cmp                 edx, 4
            //   7405                 | je                  7
            //   83fa08               | cmp                 edx, 8
            //   ebe4                 | jmp                 0xffffffe6
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 

        $sequence_3 = { 0fb6444a01 41 8846fe 3bcf 75e4 5f 5e }
            // n = 7, score = 200
            //   0fb6444a01           | movzx               eax, byte ptr [edx + ecx*2 + 1]
            //   41                   | inc                 ecx
            //   8846fe               | mov                 byte ptr [esi - 2], al
            //   3bcf                 | cmp                 ecx, edi
            //   75e4                 | jne                 0xffffffe6
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_4 = { 8bc1 c1e903 83e007 0fafca 0fafc2 83c007 c1e803 }
            // n = 7, score = 200
            //   8bc1                 | mov                 eax, ecx
            //   c1e903               | shr                 ecx, 3
            //   83e007               | and                 eax, 7
            //   0fafca               | imul                ecx, edx
            //   0fafc2               | imul                eax, edx
            //   83c007               | add                 eax, 7
            //   c1e803               | shr                 eax, 3

        $sequence_5 = { 8d7053 e9???????? c6040600 85f6 7415 8b55f8 }
            // n = 6, score = 200
            //   8d7053               | lea                 esi, dword ptr [eax + 0x53]
            //   e9????????           |                     
            //   c6040600             | mov                 byte ptr [esi + eax], 0
            //   85f6                 | test                esi, esi
            //   7415                 | je                  0x17
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]

        $sequence_6 = { 2bc1 99 33c2 2bc2 0fb7c0 8945d4 8bc7 }
            // n = 7, score = 200
            //   2bc1                 | sub                 eax, ecx
            //   99                   | cdq                 
            //   33c2                 | xor                 eax, edx
            //   2bc2                 | sub                 eax, edx
            //   0fb7c0               | movzx               eax, ax
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax
            //   8bc7                 | mov                 eax, edi

        $sequence_7 = { 8b4ddc 8b5d08 c1ef09 897a10 8b520c 8d49f7 83c209 }
            // n = 7, score = 200
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   c1ef09               | shr                 edi, 9
            //   897a10               | mov                 dword ptr [edx + 0x10], edi
            //   8b520c               | mov                 edx, dword ptr [edx + 0xc]
            //   8d49f7               | lea                 ecx, dword ptr [ecx - 9]
            //   83c209               | add                 edx, 9

        $sequence_8 = { 85db 0f84d9000000 8b4f08 83c101 741f 8bfb 8bc6 }
            // n = 7, score = 200
            //   85db                 | test                ebx, ebx
            //   0f84d9000000         | je                  0xdf
            //   8b4f08               | mov                 ecx, dword ptr [edi + 8]
            //   83c101               | add                 ecx, 1
            //   741f                 | je                  0x21
            //   8bfb                 | mov                 edi, ebx
            //   8bc6                 | mov                 eax, esi

        $sequence_9 = { 8b4908 2bf1 90 8a01 3a040e 750e 42 }
            // n = 7, score = 200
            //   8b4908               | mov                 ecx, dword ptr [ecx + 8]
            //   2bf1                 | sub                 esi, ecx
            //   90                   | nop                 
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   3a040e               | cmp                 al, byte ptr [esi + ecx]
            //   750e                 | jne                 0x10
            //   42                   | inc                 edx

    condition:
        7 of them and filesize < 712704
}
Download all Yara Rules