LoJax(UEFI rootkit)

r0ny
Posts: 52
Joined: Mon Apr 30, 2018 6:07 am

LoJax(UEFI rootkit)

Post by r0ny » Sun Sep 30, 2018 12:25 pm

LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group

ref: https://www.welivesecurity.com/2018/09/ ... nit-group/

IOCs:

4b9e71615b37aea1eaeb5b1cfa0eee048118ff72
1771e435ba25f9cdfa77168899490d87681f2029
ddaa06a4021baf980a08caea899f2904609410b9
10d571d66d3ab7b9ddf6a850cb9b8e38b07623c0
2529f6eda28d54490119d2123d22da56783c704f
e923ac79046ffa06f67d3f4c567e84a82dd7ff1b
8e138eecea8e9937a83bffe100d842d6381b6bb1
ef860dca7d7c928b68c4218007fb9069c6e654e9
e8f07caafb23eff83020406c21645d8ed0005ca6
09d2e2c26247a4a908952fee36b56b360561984f
f90ccf57e75923812c2c1da9f56166b36d1482be
3b1a55f6ca1a5c0444b5bb2e3768c2a49f6c0810
a07afbe1f35c8c6595ac41eb76c81a1dcf0b1ff8
a868a5f2171988304e3464c0ba957a0124d437f5
0a81414802add526af6077433853037b57653b38

xors
Posts: 160
Joined: Mon May 23, 2016 2:01 am

Re: LoJax(UEFI rootkit)

Post by xors » Sun Sep 30, 2018 3:23 pm

Attached
@xorsthingsv2

stevegs1821
Posts: 9
Joined: Mon Jan 27, 2014 6:28 pm

Re: LoJax(UEFI rootkit)

Post by stevegs1821 » Mon Oct 01, 2018 4:14 pm

Anyone have a copy of the missing binaries?

cc217342373967d1916cb20eca5ccb29caaf7c1b  ReWriter_binary.exe
ea728abe26bac161e110970051e1561fd51db93b  ReWriter_read.exe
f2be778971ad9df2082a266bd04ab657bd287413  SecDXE
700d7e763f59e706b4f05c69911319690f85432e  autoche.exe

ty,

st

stevegs1821
Posts: 9
Joined: Mon Jan 27, 2014 6:28 pm

Re: LoJax(UEFI rootkit)

Post by stevegs1821 » Mon Oct 01, 2018 4:15 pm

^^^^^^ The above hashes are SHA1 btw

st
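
The two hash lists above (r0ny's IOC list and the four named files in stevegs1821's post) are the only detection data in this thread, so the natural check is a SHA1 sweep of a filesystem against them. The script below is an added example, not code from the ESET report or from anyone in this thread. It embeds the 19 SHA1 values exactly as posted, hashes files in chunks so large files do not need to fit in memory, and returns the matching paths. `self_check()` writes a constructed sample file (the bytes `hello`) to a temporary directory and scans it against a made-up IOC set, purely so the script can demonstrate a hit offline; the sample is not a LoJax artefact.

```python
"""Sweep a directory tree for files whose SHA1 matches the LoJax IOCs posted in this thread.

Added example; the hash values are copied from the thread, everything else is illustrative.
"""
import hashlib
import os
import re
import sys
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Iterator, Set

# SHA1 IOCs from r0ny's post (15) plus the four named samples from stevegs1821's post.
LOJAX_SHA1: Set[str] = {
    "4b9e71615b37aea1eaeb5b1cfa0eee048118ff72",
    "1771e435ba25f9cdfa77168899490d87681f2029",
    "ddaa06a4021baf980a08caea899f2904609410b9",
    "10d571d66d3ab7b9ddf6a850cb9b8e38b07623c0",
    "2529f6eda28d54490119d2123d22da56783c704f",
    "e923ac79046ffa06f67d3f4c567e84a82dd7ff1b",
    "8e138eecea8e9937a83bffe100d842d6381b6bb1",
    "ef860dca7d7c928b68c4218007fb9069c6e654e9",
    "e8f07caafb23eff83020406c21645d8ed0005ca6",
    "09d2e2c26247a4a908952fee36b56b360561984f",
    "f90ccf57e75923812c2c1da9f56166b36d1482be",
    "3b1a55f6ca1a5c0444b5bb2e3768c2a49f6c0810",
    "a07afbe1f35c8c6595ac41eb76c81a1dcf0b1ff8",
    "a868a5f2171988304e3464c0ba957a0124d437f5",
    "0a81414802add526af6077433853037b57653b38",
    # stevegs1821's list, with the filenames he gave:
    "cc217342373967d1916cb20eca5ccb29caaf7c1b",  # ReWriter_binary.exe
    "ea728abe26bac161e110970051e1561fd51db93b",  # ReWriter_read.exe
    "f2be778971ad9df2082a266bd04ab657bd287413",  # SecDXE
    "700d7e763f59e706b4f05c69911319690f85432e",  # autoche.exe
}

_SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def is_sha1(value: str) -> bool:
    """True if value looks like a lowercase hex SHA1 digest (40 hex chars)."""
    return bool(_SHA1_RE.match(value))


def sha1_of_file(path: os.PathLike, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA1 in chunk_size pieces and return the hex digest."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root: os.PathLike) -> Iterator[Path]:
    """Yield every regular file under root (symlinks are not followed)."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                yield p


def scan(paths: Iterable[os.PathLike], iocs: Set[str] = LOJAX_SHA1) -> Dict[str, str]:
    """Return {path: sha1} for each readable file whose digest is in iocs."""
    hits: Dict[str, str] = {}
    for p in paths:
        try:
            digest = sha1_of_file(p)
        except OSError:
            continue  # unreadable or vanished between listing and hashing; skip
        if digest in iocs:
            hits[str(p)] = digest
    return hits


def self_check() -> Dict[str, str]:
    """Constructed demo: hash a temp file containing b'hello' against a made-up IOC set."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "sample.bin"
        sample.write_bytes(b"hello")
        fake_iocs = {"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"}  # SHA1 of b"hello"
        # The real LoJax list must not match this sample; the fake list must.
        assert scan([sample]) == {}
        hits = scan([sample], iocs=fake_iocs)
        return {"sample.bin": v for v in hits.values()}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in scan(walk_files(root)).items():
        print(f"MATCH {digest}  {path}")
```

Run it as `python lojax_sweep.py C:\` (or any root) to list matching files. A hit on one of these hashes only tells you the dropper or tool sample was on disk; the persistent component the report describes is a UEFI module written into SPI flash, which a filesystem sweep never sees, so a clean result here says nothing about the firmware itself and a flash dump is needed to check that.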

reverser
Posts: 23
Joined: Wed Jul 27, 2011 12:22 am

Re: LoJax(UEFI rootkit)

Post by reverser » Mon Nov 12, 2018 6:20 pm

SecDxe binary (from VT). Dropped files (autoche.exe, rpcnetp.exe) are embedded in the binary.

pw: infected
