[r0ny]

LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group

ref:https://www.welivesecurity.com/2018/09/ ... nit-group/

IOCs:

4b9e71615b37aea1eaeb5b1cfa0eee048118ff72
1771e435ba25f9cdfa77168899490d87681f2029
ddaa06a4021baf980a08caea899f2904609410b9
10d571d66d3ab7b9ddf6a850cb9b8e38b07623c0
2529f6eda28d54490119d2123d22da56783c704f
e923ac79046ffa06f67d3f4c567e84a82dd7ff1b
8e138eecea8e9937a83bffe100d842d6381b6bb1
ef860dca7d7c928b68c4218007fb9069c6e654e9
e8f07caafb23eff83020406c21645d8ed0005ca6
09d2e2c26247a4a908952fee36b56b360561984f
f90ccf57e75923812c2c1da9f56166b36d1482be
3b1a55f6ca1a5c0444b5bb2e3768c2a49f6c0810
a07afbe1f35c8c6595ac41eb76c81a1dcf0b1ff8
a868a5f2171988304e3464c0ba957a0124d437f5
0a81414802add526af6077433853037b57653b38

[xors]

Attached

[stevegs1821]

Anyone have a copy of the missing binaries?

cc217342373967d1916cb20eca5ccb29caaf7c1b  ReWriter_binary.exe
ea728abe26bac161e110970051e1561fd51db93b  ReWriter_read.exe
f2be778971ad9df2082a266bd04ab657bd287413  SecDXE
700d7e763f59e706b4f05c69911319690f85432e  autoche.exe

ty,

st

[stevegs1821]

^^^^^^ The above hashes are SHA1 btw

st

[reverser]

SecDxe binary (from VT). dropped files (autoche.exe, rpcnetp.exe) are embedded in the binary.

pw: infected

[php677]

Anyone have the copy of missing binaries?

ReWriter_binary.exe
ReWriter_read.exe

ps：what is password of attachments of "eset_marketing_trick.zip" by xors?

[EP_X0FF]

Password is standard. If you need these two missing binaries you can:

contact eset for them threatintel@eset.com

do as authors did - copy paste everything