A forum for reverse engineering, OS internals and malware analysis 

 #32154  by r0ny
 Sun Sep 30, 2018 12:25 pm
LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group

ref: https://www.welivesecurity.com/2018/09/ ... nit-group/

IOCs:

4b9e71615b37aea1eaeb5b1cfa0eee048118ff72
1771e435ba25f9cdfa77168899490d87681f2029
ddaa06a4021baf980a08caea899f2904609410b9
10d571d66d3ab7b9ddf6a850cb9b8e38b07623c0
2529f6eda28d54490119d2123d22da56783c704f
e923ac79046ffa06f67d3f4c567e84a82dd7ff1b
8e138eecea8e9937a83bffe100d842d6381b6bb1
ef860dca7d7c928b68c4218007fb9069c6e654e9
e8f07caafb23eff83020406c21645d8ed0005ca6
09d2e2c26247a4a908952fee36b56b360561984f
f90ccf57e75923812c2c1da9f56166b36d1482be
3b1a55f6ca1a5c0444b5bb2e3768c2a49f6c0810
a07afbe1f35c8c6595ac41eb76c81a1dcf0b1ff8
a868a5f2171988304e3464c0ba957a0124d437f5
0a81414802add526af6077433853037b57653b38
 #32156  by xors
 Sun Sep 30, 2018 3:23 pm
Attached
 #32162  by stevegs1821
 Mon Oct 01, 2018 4:14 pm
Anyone have a copy of the missing binaries?

cc217342373967d1916cb20eca5ccb29caaf7c1b  ReWriter_binary.exe
ea728abe26bac161e110970051e1561fd51db93b  ReWriter_read.exe
f2be778971ad9df2082a266bd04ab657bd287413  SecDXE
700d7e763f59e706b4f05c69911319690f85432e  autoche.exe

ty,

st
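The SHA-1 values in r0ny's list and the four named files in stevegs1821's post are the only detection data in this thread. The following is an added example, not ESET's code or anything posted by the thread participants: a small Python sweep that streams every regular file under a directory through SHA-1 and reports any file whose digest is in that IOC set. The IOC dictionary is copied verbatim from the two posts above (only the four filenames the thread itself gives are labelled); the helper `make_sample_tree()` and its "planted" file are constructed test input, not real samples. Two caveats a practitioner would want: exact-hash matching finds only these specific builds and nothing recompiled, and the UEFI component lives in SPI flash, so a filesystem sweep like this only catches dumps and the on-disk userland pieces, not the implant itself.

```python
"""Sweep a directory tree for files whose SHA-1 matches the LoJax IOCs posted
in this thread. Added example; not ESET's tooling or any poster's code."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# SHA-1 IOCs exactly as posted above. A label is given only where the thread
# gives a filename; r0ny's fifteen hashes are unlabelled in the original post.
LOJAX_SHA1: Dict[str, str] = {
    "4b9e71615b37aea1eaeb5b1cfa0eee048118ff72": "",
    "1771e435ba25f9cdfa77168899490d87681f2029": "",
    "ddaa06a4021baf980a08caea899f2904609410b9": "",
    "10d571d66d3ab7b9ddf6a850cb9b8e38b07623c0": "",
    "2529f6eda28d54490119d2123d22da56783c704f": "",
    "e923ac79046ffa06f67d3f4c567e84a82dd7ff1b": "",
    "8e138eecea8e9937a83bffe100d842d6381b6bb1": "",
    "ef860dca7d7c928b68c4218007fb9069c6e654e9": "",
    "e8f07caafb23eff83020406c21645d8ed0005ca6": "",
    "09d2e2c26247a4a908952fee36b56b360561984f": "",
    "f90ccf57e75923812c2c1da9f56166b36d1482be": "",
    "3b1a55f6ca1a5c0444b5bb2e3768c2a49f6c0810": "",
    "a07afbe1f35c8c6595ac41eb76c81a1dcf0b1ff8": "",
    "a868a5f2171988304e3464c0ba957a0124d437f5": "",
    "0a81414802add526af6077433853037b57653b38": "",
    "cc217342373967d1916cb20eca5ccb29caaf7c1b": "ReWriter_binary.exe",
    "ea728abe26bac161e110970051e1561fd51db93b": "ReWriter_read.exe",
    "f2be778971ad9df2082a266bd04ab657bd287413": "SecDXE",
    "700d7e763f59e706b4f05c69911319690f85432e": "autoche.exe",
}

# (path, sha1 hex digest, label from the IOC set)
Match = Tuple[Path, str, str]


def sha1_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-1 so a multi-GB flash dump is never read whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def iter_regular_files(root: Path) -> Iterator[Path]:
    """Walk root without following symlinks, yielding regular files only."""
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                yield p


def scan_tree(root, iocs: Dict[str, str] = LOJAX_SHA1) -> List[Match]:
    """Return a match for every file under root whose SHA-1 is in iocs.
    Files that cannot be read (permissions, vanished mid-walk) are skipped
    rather than aborting the whole sweep."""
    hits: List[Match] = []
    for p in iter_regular_files(Path(root)):
        try:
            digest = sha1_file(p)
        except OSError:
            continue
        if digest in iocs:
            hits.append((p, digest, iocs[digest] or "(unnamed IOC)"))
    return hits


def make_sample_tree() -> Tuple[Path, str]:
    """Constructed test input (not real samples): a temp dir with a benign file,
    the classic "abc" test vector, and one file we will treat as malicious by
    adding its digest to a test IOC set. Returns (root, sha1 of planted file)."""
    root = Path(tempfile.mkdtemp(prefix="lojax_ioc_"))
    (root / "notes.txt").write_bytes(b"nothing to see here\n")
    (root / "abc.txt").write_bytes(b"abc")
    planted = root / "sub" / "planted.bin"
    planted.parent.mkdir()
    planted.write_bytes(b"constructed sample, not real malware\n")
    return root, sha1_file(planted)


if __name__ == "__main__":
    root, planted_sha1 = make_sample_tree()
    print("real IOC set:", scan_tree(root) or "no matches")
    test_iocs = dict(LOJAX_SHA1, **{planted_sha1: "planted.bin"})
    for path, digest, label in scan_tree(root, test_iocs):
        print(f"MATCH {label:20} {digest}  {path}")
```

To run it against a real triage directory, call `scan_tree("/path/to/collected")`; hash the SPI flash dump you pulled separately and compare it by hand, since the DXE driver is extracted from the firmware image rather than found as a file.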
 #32249  by reverser
 Mon Nov 12, 2018 6:20 pm
SecDxe binary (from VT). Dropped files (autoche.exe, rpcnetp.exe) are embedded in the binary.

pw: infected
 #32390  by php677
 Tue Jan 08, 2019 1:30 am
Anyone have the copy of missing binaries?

ReWriter_binary.exe
ReWriter_read.exe

PS: what is the password of the attachment "eset_marketing_trick.zip" posted by xors?
 #32391  by EP_X0FF
 Tue Jan 08, 2019 5:01 am
Password is standard. If you need these two missing binaries, you can:

contact ESET for them at threatintel@eset.com

do as the authors did: copy-paste everything