SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lodeinfo (Back to overview)

LODEINFO


There is no description at this point.

References
2021-01-19Twitter (@jpcert_ac)JPCERT/CC
@online{jpcertcc:20210119:lodeinfo:3f1354c, author = {JPCERT/CC}, title = {{Tweet on LODEINFO ver 0.47 spotted ITW targeting Japan}}, date = {2021-01-19}, organization = {Twitter (@jpcert_ac)}, url = {https://twitter.com/jpcert_ac/status/1351355443730255872}, language = {Japanese}, urldate = {2021-01-21} } Tweet on LODEINFO ver 0.47 spotted ITW targeting Japan
LODEINFO
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-06-20Cyber And Ramen blogmsec1203
@online{msec1203:20200620:analysis:3279dbd, author = {msec1203}, title = {{Analysis of LODEINFO Maldoc}}, date = {2020-06-20}, organization = {Cyber And Ramen blog}, url = {https://www.cyberandramen.net/2020/06/analysis-of-lodeinfo-maldoc.html}, language = {English}, urldate = {2020-06-21} } Analysis of LODEINFO Maldoc
LODEINFO
2020-06-11JPCERT/CCKota Kino
@online{kino:20200611:lodeinfo:104e43a, author = {Kota Kino}, title = {{マルウエアLODEINFOの進化 (Evolution of Malware LODEINFO)}}, date = {2020-06-11}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html}, language = {Japanese}, urldate = {2020-06-12} } マルウエアLODEINFOの進化 (Evolution of Malware LODEINFO)
LODEINFO
2020-05-01Macnica NetworksTeamT5, Macnica Networks
@techreport{teamt5:20200501:cyber:70c9cbc, author = {TeamT5 and Macnica Networks}, title = {{Cyber Espionage Tradecra in the Real World Adversaries targeting Japan in the second half of 2019}}, date = {2020-05-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf}, language = {English}, urldate = {2021-01-01} } Cyber Espionage Tradecra in the Real World Adversaries targeting Japan in the second half of 2019
TSCookie LODEINFO
2020-02-20JPCERT/CCKota Kino
@online{kino:20200220:lodeinfo:9842ab1, author = {Kota Kino}, title = {{日本国内の組織を狙ったマルウエアLODEINFO}}, date = {2020-02-20}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html}, language = {Japanese}, urldate = {2020-02-27} } 日本国内の組織を狙ったマルウエアLODEINFO
LODEINFO
Yara Rules
[TLP:WHITE] win_lodeinfo_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_lodeinfo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lodeinfo"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? c6041600 85f6 741c 8bfb 8bca }
            // n = 6, score = 200
            //   e9????????           |                     
            //   c6041600             | mov                 byte ptr [esi + edx], 0
            //   85f6                 | test                esi, esi
            //   741c                 | je                  0x1e
            //   8bfb                 | mov                 edi, ebx
            //   8bca                 | mov                 ecx, edx

        $sequence_1 = { 837b1c00 750a c783700100001e000000 83bb9800000003 7513 83bba000000000 }
            // n = 6, score = 200
            //   837b1c00             | cmp                 dword ptr [ebx + 0x1c], 0
            //   750a                 | jne                 0xc
            //   c783700100001e000000     | mov    dword ptr [ebx + 0x170], 0x1e
            //   83bb9800000003       | cmp                 dword ptr [ebx + 0x98], 3
            //   7513                 | jne                 0x15
            //   83bba000000000       | cmp                 dword ptr [ebx + 0xa0], 0

        $sequence_2 = { 3bf2 743f 50 ffb548ffffff 51 8b8d5cffffff 8bd1 }
            // n = 7, score = 200
            //   3bf2                 | cmp                 esi, edx
            //   743f                 | je                  0x41
            //   50                   | push                eax
            //   ffb548ffffff         | push                dword ptr [ebp - 0xb8]
            //   51                   | push                ecx
            //   8b8d5cffffff         | mov                 ecx, dword ptr [ebp - 0xa4]
            //   8bd1                 | mov                 edx, ecx

        $sequence_3 = { 0f1f4000 8a4c0704 884c0444 40 83f804 75f2 8d4c2444 }
            // n = 7, score = 200
            //   0f1f4000             | nop                 dword ptr [eax]
            //   8a4c0704             | mov                 cl, byte ptr [edi + eax + 4]
            //   884c0444             | mov                 byte ptr [esp + eax + 0x44], cl
            //   40                   | inc                 eax
            //   83f804               | cmp                 eax, 4
            //   75f2                 | jne                 0xfffffff4
            //   8d4c2444             | lea                 ecx, [esp + 0x44]

        $sequence_4 = { 56 8b7518 8bda 8b5508 57 8bf9 895df8 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   8b7518               | mov                 esi, dword ptr [ebp + 0x18]
            //   8bda                 | mov                 ebx, edx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   8bf9                 | mov                 edi, ecx
            //   895df8               | mov                 dword ptr [ebp - 8], ebx

        $sequence_5 = { 52 50 e8???????? 83c408 8b4d08 8b450c 03c1 }
            // n = 7, score = 200
            //   52                   | push                edx
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   03c1                 | add                 eax, ecx

        $sequence_6 = { 85ff 7430 8b4d08 83c602 83c104 0fb641fc }
            // n = 6, score = 200
            //   85ff                 | test                edi, edi
            //   7430                 | je                  0x32
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   83c602               | add                 esi, 2
            //   83c104               | add                 ecx, 4
            //   0fb641fc             | movzx               eax, byte ptr [ecx - 4]

        $sequence_7 = { 8d8424cc010000 51 50 8d4c242c e8???????? 8b542438 8d442424 }
            // n = 7, score = 200
            //   8d8424cc010000       | lea                 eax, [esp + 0x1cc]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   8d4c242c             | lea                 ecx, [esp + 0x2c]
            //   e8????????           |                     
            //   8b542438             | mov                 edx, dword ptr [esp + 0x38]
            //   8d442424             | lea                 eax, [esp + 0x24]

        $sequence_8 = { eb05 8d3c76 d1ef 57 ff75f0 e8???????? 83c408 }
            // n = 7, score = 200
            //   eb05                 | jmp                 7
            //   8d3c76               | lea                 edi, [esi + esi*2]
            //   d1ef                 | shr                 edi, 1
            //   57                   | push                edi
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_9 = { 024df5 83c603 8b45c8 8975ec }
            // n = 4, score = 200
            //   024df5               | add                 cl, byte ptr [ebp - 0xb]
            //   83c603               | add                 esi, 3
            //   8b45c8               | mov                 eax, dword ptr [ebp - 0x38]
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi

    condition:
        7 of them and filesize < 712704
}
Download all Yara Rules