{
	"id": "9562e81b-2df9-42d3-94f2-ef53d4bc3bcc",
	"created_at": "2026-04-06T00:13:02.582601Z",
	"updated_at": "2026-04-10T03:31:00.952657Z",
	"deleted_at": null,
	"sha1_hash": "a28728fe30174937fa5d48b980219ef3fd812e92",
	"title": "Malware WinDealer used by LuoYu Attack Group - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2547276,
	"plain_text": "Malware WinDealer used by LuoYu Attack Group - JPCERT/CC\r\nEyes\r\nBy 増渕 維摩(Yuma Masubuchi)\r\nPublished: 2021-10-25 · Archived: 2026-04-05 14:47:06 UTC\r\nDuring JSAC2021 on 28 January 2021, there was a presentation about an attack group LuoYu, which targets\r\nKorean and Japanese organisations since 2014 [1][2]. Recently, JPCERT/CC came across malware WinDealer\r\nused by this group. This article introduces some findings of our analysis.\r\nMalware WinDealer overview\r\nWinDealer steals information of an infected PC and sends it to a C2 server as described in Figure 1.\r\nFigure 1： Malware WinDealer behaviour overview\r\nOnce launched, the malware reads configuration from a file under C:\\ProgramData and loads a DLL module on its\r\nmemory. It steals information about the victim PC, network configuration and SNS applications etc. and saves\r\nthem in a file with an “.a” extension under %TEMP%, which is then sent to a C2 server.\r\nThe following points will be described in the next sections.\r\nRead configuration\r\nCommunicate with C2 servers\r\nProcess and send stolen data\r\nFunctions of modules loaded on memory\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 1 of 19\n\nRead configuration\r\nThe malware stores its configuration in several folders under C:\\ProgramData and reads it when executed. The\r\ncontents are encoded based on XOR with its key value “b6a7%7486”. Please refer to Appendix A for the\r\nconfiguration file path and its contents. Figure 2 shows a function to decode configuration.\r\nFigure 2：Function to decode a file storing configuration\r\nCommunicate with C2 servers\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 2 of 19\n\nIf the following configuration files exist in the designated folder, WinDealer loads the C2 server information from\r\nthem and starts communicating.\r\nC:\\ProgramData\\ad5f82e8\r\nC:\\ProgramData\\1c76cbfe\r\nC:\\ProgramData\\9c3b6294\r\nIf no such file exists, WinDealer communicates to a random IP address in one of the following ranges (port\r\n6999/UDP or 55556/TCP). It switches to an IP address in the other range at a certain interval.\r\n113.62.0.0 - 113.63.255.255\r\n111.120.0.0 - 111.123.255.255\r\nFigure 3 shows the malware’s communication flow with its C2 server. First, it encrypts an AES key with RSA\r\nalgorithm and sends to a C2 server. Information stolen from a victim PC is encrypted with this AES key and sent\r\nto a C2 server at a certain interval. After that, C2 server sends a command to the victim PC. The malware executes\r\nit and sends the result to the C2 server after encryption. Besides the data exchange, the malware also\r\ncommunicates with domains such as www[.]microsoftcom (non-existent at the moment) and icanhazip[.]com.\r\nWinDealer C2Server\r\nDeliver AES key Length:144\r\nSend stolen data Length:208\r\nSend stolen data Length:816\r\nSend stolen data Length:816\r\nSend command\r\nUDP RSA\r\nAES\r\nAES\r\nAES\r\nAES\r\nUDP\r\nUDP\r\nUDP\r\nUDP\r\nSend at a\r\ncertain interval\r\nUDP AES Send command execution result\r\nFigure 3: Communication flow with a C2 server\r\nFigure 4 describes the communication contents when delivering an AES key. AES key and its CRC32 checksum\r\nvalue are encrypted with RSA1024bit public key. The public key is hardcoded in the sample, which is also used\r\nfor other samples as well.\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 3 of 19\n\nUDP header\r\nFixed value\r\nVictim PC identifier Value generated from configuration file + fixed value\r\nAES key + RSA-encrypted data of AES key’s CRC32 value\r\nFigure 4： Example of contents sent with AES key\r\nFrom the second round of communication and onwards, data is encrypted in AES128bit ECB mode based on the\r\nAES key which was dynamically generated during the initial communication. Please refer to Appendix B for the\r\ndetails of data format.\r\nProcess and send stolen data\r\nWinDealer processes a series of stolen data as “.a” file in a folder under %TEMP%, encrypts it with AES and send\r\nit to a C2 server. The flow of event is illustrated in Figure 5. The modules steal and process the data, while\r\nWinDealer itself monitors the files under %TEMP%, encrypts the file and sends it to a C2 server.\r\nMemory\r\nWinDealer\r\nDLL Module\r\nProcess\r\nSteal\r\nLoad\r\n.a\r\nData\r\nMonitor\r\nAES\r\nSend\r\nEncrypt\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 4 of 19\n\nFigure 5：Flow of events by WinDealer and modules\r\nA part of the code for generating “.a” file by a module is as follows (Figure 6):\r\nFigure 6： DLL module’s code to generate “.a” file\r\nThe stolen data is first stored in a file with an “.t” extension, which is then renamed to “.a”. The series of data is\r\nstored in different directories based on the data category, and they are taken out when “.a” file is created. Please\r\nrefer to Appendix E for the details of each directory.\r\nBefore writing and reading the files, the data is encoded/decoded by XOR-based function with its key value\r\n“YYYY” as in Figure 7.\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 5 of 19\n\nFigure 7：A function for XOR-based encoding when accessing “.a” file\r\nFunctions of modules loaded on memory\r\nOnce launched, WinDealer loads a DLL module in a PE format (encoded in the sample) on the memory and\r\nexecutes it (Figure 8).\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 6 of 19\n\nEncoded PE data\r\nByte string to search Used for XOR-based decode function\r\nFigure 8： Encoded module data\r\nThe malware obtains its file path, searches for a byte string “0xFF3456FF00” and extracts data from its offset\r\n0xE. Using its offset 0x4 value and a XOR-based decode routine (Figure 9), a DLL module is loaded on the\r\nmemory and then executed.\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 7 of 19\n\nFigure 9： Decoding module\r\nThe loaded DLL module is named as “MozillaDll.dll”. There are 3 Export functions as follows:\r\nAutoGetSystemInfo: Steal data\r\nGetConfigInfo: Set configuration\r\npartInitOpt: Set commands\r\nThe loaded DLL module monitors the below items, saves related items in a separate file and obtains them to send\r\nout to a C2 server.\r\nFiles stored in a USB memory\r\nFiles under Documents, desktop and recycle bin\r\nFiles under folders related to SNS applications\r\nPlease see Appendix D for the details of commands that C2 server sends and its contents.\r\nIn closing\r\nBesides WinDealer, it has been confirmed that LuoYu uses other kinds of malware that operate in various\r\nplatforms. We will report if we observe a new type of malware.\r\nFor your reference, SHA256 hash values of similar samples are listed in Appendix F.\r\n- Yuma Masubuchi\r\n(Translated by Yukako Uchida)\r\nReference\r\n[1] “LuoYu” The eavesdropper sneaking in multiple platforms\r\nhttps://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf\r\n[2] Japan Security Analyst Conference 2021 -3rd Track-https://blogs.jpcert.or.jp/en/2021/02/jsac2021report1.html\r\nAppendix A WinDealer configuration\r\nTable A：List of configuration\r\nFile path String in malware Contents\r\nC:\\ProgramData\\923b5fd7 remark -\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 8 of 19\n\nC:\\ProgramData\\ad5f82e8 remotedomain Domain name\r\nC:\\ProgramData\\8fe4c114 password -\r\nC:\\ProgramData\\1c76cbfe remoteip C2 server IP\r\nC:\\ProgramData\\9c3b6294 reverseip C2 server IP (reconfigured)\r\nC:\\ProgramData\\789406d0 - Result of connection to a dummy host\r\nC:\\ProgramData\\c25549fe otherinfo -\r\nC:\\ProgramData\\f46d373b - Created when launched\r\nC:\\ProgramData\\windows.inf - -\r\nC:\\ProgramData\\Destro - Name information to register in run key\r\nAppendix B WinDealer Contents of data exchanged\r\nTable B-1： Format of data sent for first communication\r\nOffset Length (byte) Contents\r\n0x00 4 0x91DA8106\r\n0x04 4 0x439FC7CE\r\n0x08 4 Victim PC identifier\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 9 of 19\n\n0x0C 1 Generated based on the contents of a configuration file \"789406d0\"\r\n0x0D 3 0x001400\r\n0x10 128 AES key + RSA-encrypted data of AES key’s CRC32 value\r\nTable B-2：Format of data sent for second communication onwards\r\nOffset Length (byte) Contents\r\n0x00 4 0x91DA8106\r\n0x04 4 0x439FC7CE\r\n0x08 4 Victim PC identifier\r\n0x0C 1 Generated based on the contents of a configuration file \"789406d0\"\r\n0x0D 1 Type\r\n0x0E 2 0x1400\r\n0x10 1 Length\r\n0x11 1 0x6\r\n0x12 1 remark length\r\n0x13 remark\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 10 of 19\n\n- 1 0x3\r\n- 1 password length\r\n- - password\r\n- 1 0x5\r\n- 1 otherinfo length\r\n- - otherinfo\r\n- - System information\r\nTable B-3：Format of data received\r\nOffset Length (byte) Contents\r\n0x00 4 0x91DA8106\r\n0x04 4 0x439FC7CE\r\n0x0D 1 Commands\r\n0x10 2 command data length\r\n0x12 2 Unused\r\n0x14 2 Unused\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 11 of 19\n\n0x16 2 Unused\r\n0x18 Command data length Command data\r\nAppendix C WinDealer List of commands\r\nTable C：List of commands\r\nValue Parameter string* Contents\r\n0x06 content-length: 2 uninstall\r\n0x09 content-length, filename, time Delete files under %TEMP%\r\n0xC filename, flg CreateProcess\r\n0x1F speed Configure Sleep time\r\n0x2D filepath Obtain contents of selected file\r\n0x50 filename, md5 Delete selected file\r\n0x51 filepos,filename, filelen, block, md5 Write on selected file\r\n0x5A datastate Write on \"C:\\ProgramData\\windows.inf\"\r\n0x5B - Perpetuation settings for registries\r\n0x5C list Perpetuation after process check\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 12 of 19\n\n0x5D yes\r\nSet a value to SType of\r\n{HKCU}\\\\Softwaware\\Microsoft\r\n0x5E otherinfo Write on \"c25549fe\"\r\n0x60 headsign, 1, 2 Write on \"789406d0\"\r\n0x61 reverseip Write on \"9c3b6294\"\r\n0x63 - Obtain configuration\r\n0x64 - Read time\r\n0x66 remoteip, remark, password Write on configuration files\r\n0x67 sessionid: -\r\n0x8F\r\nHkey, subkey, valuename, classesroot, currentuser,\r\nlocalmachine, users, currentconfig\r\nExecute RegQueryValue\r\n0xAA pname Screen capture\r\n0xAB - Configuration on screen capture\r\n0xAD - Configuration on screen capture\r\n*Parameter string: These strings are parsed from the received command and used as a command parameter\r\nAppendix D List of commands of loaded modules\r\nTable D：List of commands\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 13 of 19\n\nValue Parameter string* Contents\r\n0x02 - Related to screen capture\r\n0x03 bootdir, filetype Related to folder/files\r\n0x05 filename, monitortype, begpos, block Send files\r\n0x07 - Obtain drive information\r\n0x0A - Configure for lnk files\r\n0x0D -\r\nExecute commands 0xC0, 0xC5, 0xC3, 0xC1, 0xC2,\r\n0xC4, 0xC6\r\n0x12 freq, storetm, quality, type Configure parameter\r\n0x1E srhdir, srhcont, srhnum, sessid -\r\n0x28 filename Obtain file information\r\n0x29 filefilter, settype, usbfilter, checkdirfilter Configure parameter for monitoring\r\n0x2A monitortype, monitorvalue Obtain files of monitoring results\r\n0x2B - -\r\n0x30 -\r\nWrite contents such as \"c:\\windows\", \"c:\\program files\"\r\non \"~BF24\"\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 14 of 19\n\n0x32 freq, storetm Configure parameter\r\n0x3E file Create jpeg file under %TEMP%\r\n0x65 filename, fileoffset Obtain contents from selected files and offsets\r\n0x69 filename, delete, yes Delete selected files\r\n0x7A\r\ncmdtype, command: ,reset, downfile,\r\ngetmypath, dealmd5\r\nExecute cmd.exe\r\n0x7B\r\nsession, command, reset, downfile, exit,\r\ngetmypath\r\nExecute remote shell\r\n0xC0 - Write list of processes on \"28e4-20a6acec\"\r\n0xC1 - Write list of applications on \"28e4-20a6acec\"\r\n0xC2 - Write keyboard information on \"28e4-20a6acec\"\r\n0xC3 -\r\nWrite SNS-related registry contents on \"28e4-\r\n20a6acec\"\r\n0xC4 -\r\nWrite configuration of Skype, QQ, WeChat and\r\nwangwang on \"28e4-20a6acec\"\r\n0xC5 - Write MAC address etc. on \"28e4-20a6acec\"\r\n0xC6 - Write network configuration on \"28e4-20a6acec\"\r\n*Parameter string: These strings are parsed from the received command and used as a command parameter\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 15 of 19\n\nAppendix E List of generated directories\r\nTable E： List of directory\r\nID Path String in malware\r\n(none) %TEMP%\\\\~FEFEFE -\r\n0x01 %TEMP%\\\\070a-cf37dcf5 -\r\n0x02 %TEMP%\\\\d0c8-b9baa92f audio\r\n0x03 %TEMP%\\\\~B5D9 keylog\r\n0x04 %TEMP%\\\\632c-0ef22957 -\r\n0x05 %TEMP%\\\\8e98-fb8010fb filelist\r\n0x06 %TEMP%\\\\7a4a-90e18681 -\r\n0x07 %TEMP%\\\\d4a5-30d3fff6 -\r\n0x08 %TEMP%\\\\d4dc-3165f4cf -\r\n0x09 %TEMP%\\\\~CE14 monitortype\r\n0x0A %TEMP%\\\\~CE2E -\r\n0x0B %TEMP%\\\\~B5BE skypeaudio\r\n0x0C %TEMP%\\\\~B61A skypeshoot\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 16 of 19\n\n0x0E %TEMP%\\\\5a7e-42ccdb67 -\r\n0x0F %TEMP%\\\\~BF24 browser\r\n0x10 %TEMP%\\\\65ce-731bffbb md5filter\r\n0x11 %TEMP%\\\\~BF34 browsercookie\r\n0x12 %TEMP%\\\\28e4-20a6acec systeminfo\r\n0x61 %TEMP%\\\\~FFFE otherfile\r\n0x62 %TEMP%\\\\FFFF otherdata\r\n0x63 %TEMP%\\\\63ae-a20cf808 -\r\nAppendix F SHA256 hash values of similar samples\r\nEXE\r\n1e9fc7f32bd5522dd0222932eb9f1d8bd0a2e132c7b46cfcc622ad97831e6128\r\nb9f526eea625eec1ddab25a0fc9bd847f37c9189750499c446471b7a52204d5a\r\nDLL\r\n0c365d9730a10f1a3680d24214682f79f88aa2a2a602d3d80ef4c1712210ab07\r\n2eef273af0c768b514db6159d7772054d27a6fa8bc3d862df74de75741dbfb9c\r\n増渕 維摩(Yuma Masubuchi)\r\nYuma has been engaged in malware analysis in JPCERT/CC Cyber Security Coordination Group since 2020.\r\nRelated articles\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 17 of 19\n\nUpdate on Attacks by Threat Group APT-C-60\r\nCrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 18 of 19\n\nMalware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities\r\nDslogdRAT Malware Installed in Ivanti Connect Secure\r\nTempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup\r\nSource: https://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nhttps://blogs.jpcert.or.jp/en/2021/10/windealer.html\r\nPage 19 of 19\n\nOffset Table Length (byte) B-1： Format Contents of data sent for first communication\n0x00 4 0x91DA8106 \n0x04 4 0x439FC7CE \n0x08 4 Victim PC identifier \n   Page 9 of 19\n\n  https://blogs.jpcert.or.jp/en/2021/10/windealer.html \nUpdate on Attacks by Threat Group APT-C-60 \nCrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks\n  Page 18 of 19",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2021/10/windealer.html"
	],
	"report_names": [
		"windealer.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b72c2616-cc7c-4c47-a83d-6b7866b94746",
			"created_at": "2023-01-06T13:46:39.425297Z",
			"updated_at": "2026-04-10T02:00:03.323082Z",
			"deleted_at": null,
			"main_name": "Red Nue",
			"aliases": [
				"LuoYu"
			],
			"source_name": "MISPGALAXY:Red Nue",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434382,
	"ts_updated_at": 1775791860,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a28728fe30174937fa5d48b980219ef3fd812e92.pdf",
		"text": "https://archive.orkl.eu/a28728fe30174937fa5d48b980219ef3fd812e92.txt",
		"img": "https://archive.orkl.eu/a28728fe30174937fa5d48b980219ef3fd812e92.jpg"
	}
}