win.brambul

Brambul

aka: SORRYBRUTE

Actor(s): Lazarus Group


Brambul is a worm that spreads by brute-forcing SMB logins with a list of hard-coded credentials, using any successful login to gain access to a victim's network.

References
2020-02-26 | MetaSwan's Lab | MetaSwan
Lazarus group's Brambul worm of the former Wannacry - 1
https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1 (accessed 2020-02-26)
Families: Brambul, WannaCryptor

2020-02-26 | MetaSwan's Lab | MetaSwan
Lazarus group's Brambul worm of the former Wannacry - 2
https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2 (accessed 2020-02-26)
Families: Brambul

2020-02-19 | Lexfo | Lexfo
The Lazarus Constellation: A study on North Korean malware (whitepaper)
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf (accessed 2020-03-11)
Families: FastCash, AppleJeus, BADCALL, Bankshot, Brambul, Dtrack, Duuzer, DYEPACK, ELECTRICFISH, HARDRAIN, Hermes, HOPLIGHT, Joanap, KEYMARBLE, Kimsuky, MimiKatz, MyDoom, NACHOCHEESE, NavRAT, PowerRatankba, RokRAT, Sierra(Alfa,Bravo, ...), Volgmer, WannaCryptor

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
APT Report 2019 (report)
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf (accessed 2020-02-27)
Families: Chrysaor, Exodus, Dacls, elf.vpnfilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy

2020 | Secureworks | SecureWorks
NICKEL ACADEMY (threat profile)
https://www.secureworks.com/research/threat-profiles/nickel-academy (accessed 2020-05-23)
Families: Brambul, Duuzer, HOPLIGHT, Joanap, Sierra(Alfa,Bravo, ...), Volgmer

2018-06-13 | Acalvio | Team Acalvio
Lateral Movement Technique Employed by Hidden Cobra
https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/ (accessed 2020-01-13)
Families: Brambul, Joanap

2018-05-29 | US-CERT | US-CERT
Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
https://www.us-cert.gov/ncas/alerts/TA18-149A (accessed 2020-01-10)
Families: Brambul, Joanap

2018-05-29 | US-CERT | US-CERT
MAR-10135536-3 - HIDDEN COBRA RAT/Worm
https://www.us-cert.gov/ncas/analysis-reports/AR18-149A (accessed 2019-10-13)
Families: Brambul, Joanap

2015-10-26 | Symantec | A L Johnson
Duuzer back door Trojan targets South Korea to take over computers
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments (accessed 2020-04-21)
Families: Brambul, Duuzer, Joanap, Lazarus Group
Yara Rules
[TLP:WHITE] win_brambul_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_brambul_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 03d1 8bf2 33f1 23f7 33f1 }
            // n = 5, score = 100
            //   03d1                 | add                 edx, ecx
            //   8bf2                 | mov                 esi, edx
            //   33f1                 | xor                 esi, ecx
            //   23f7                 | and                 esi, edi
            //   33f1                 | xor                 esi, ecx

        $sequence_1 = { 33d2 33f3 8bd9 c1eb02 83e33f }
            // n = 5, score = 100
            //   33d2                 | xor                 edx, edx
            //   33f3                 | xor                 esi, ebx
            //   8bd9                 | mov                 ebx, ecx
            //   c1eb02               | shr                 ebx, 2
            //   83e33f               | and                 ebx, 0x3f

        $sequence_2 = { 7478 8b1d???????? 55 8b2d???????? 8d7704 }
            // n = 5, score = 100
            //   7478                 | je                  0x7a
            //   8b1d????????         |                     
            //   55                   | push                ebp
            //   8b2d????????         |                     
            //   8d7704               | lea                 esi, [edi + 4]

        $sequence_3 = { 8bac2400020000 8d442478 6a01 50 8d4c2458 }
            // n = 5, score = 100
            //   8bac2400020000       | mov                 ebp, dword ptr [esp + 0x200]
            //   8d442478             | lea                 eax, [esp + 0x78]
            //   6a01                 | push                1
            //   50                   | push                eax
            //   8d4c2458             | lea                 ecx, [esp + 0x58]

        $sequence_4 = { 85c0 0f84f3000000 83f8ff 0f84ea000000 68???????? }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   0f84f3000000         | je                  0xf9
            //   83f8ff               | cmp                 eax, -1
            //   0f84ea000000         | je                  0xf0
            //   68????????           |                     

        $sequence_5 = { 6a00 6800040000 52 57 }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   6800040000           | push                0x400
            //   52                   | push                edx
            //   57                   | push                edi

        $sequence_6 = { 7229 f3a5 ff2495685f4000 8bc7 ba03000000 }
            // n = 5, score = 100
            //   7229                 | jb                  0x2b
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff2495685f4000       | jmp                 dword ptr [edx*4 + 0x405f68]
            //   8bc7                 | mov                 eax, edi
            //   ba03000000           | mov                 edx, 3

        $sequence_7 = { 81e1ff3f0000 83ef0e c1eb0e 33f6 58 }
            // n = 5, score = 100
            //   81e1ff3f0000         | and                 ecx, 0x3fff
            //   83ef0e               | sub                 edi, 0xe
            //   c1eb0e               | shr                 ebx, 0xe
            //   33f6                 | xor                 esi, esi
            //   58                   | pop                 eax

        $sequence_8 = { f37040 00834e04ff89 06 eb08 6a10 }
            // n = 5, score = 100
            //   f37040               | jo                  0x43
            //   00834e04ff89         | add                 byte ptr [ebx - 0x7600fbb2], al
            //   06                   | push                es
            //   eb08                 | jmp                 0xa
            //   6a10                 | push                0x10

        $sequence_9 = { eb2b 83fefe 7511 8d8dc4fdffff 6804010000 51 6aff }
            // n = 7, score = 100
            //   eb2b                 | jmp                 0x2d
            //   83fefe               | cmp                 esi, -2
            //   7511                 | jne                 0x13
            //   8d8dc4fdffff         | lea                 ecx, [ebp - 0x23c]
            //   6804010000           | push                0x104
            //   51                   | push                ecx
            //   6aff                 | push                -1

        $sequence_10 = { 57 66a1???????? 8a0d???????? 8b15???????? 668944240c }
            // n = 5, score = 100
            //   57                   | push                edi
            //   66a1????????         |                     
            //   8a0d????????         |                     
            //   8b15????????         |                     
            //   668944240c           | mov                 word ptr [esp + 0xc], ax

        $sequence_11 = { 0fb685bd49ffff 8975f4 8985b849ffff eb06 }
            // n = 4, score = 100
            //   0fb685bd49ffff       | movzx               eax, byte ptr [ebp - 0xb643]
            //   8975f4               | mov                 dword ptr [ebp - 0xc], esi
            //   8985b849ffff         | mov                 dword ptr [ebp - 0xb648], eax
            //   eb06                 | jmp                 8

        $sequence_12 = { ff15???????? 83c418 85f6 7403 56 ffd7 6aff }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   83c418               | add                 esp, 0x18
            //   85f6                 | test                esi, esi
            //   7403                 | je                  5
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   6aff                 | push                -1

        $sequence_13 = { b0ff 83c410 3ac8 7522 80bdd1ecffff53 7519 }
            // n = 6, score = 100
            //   b0ff                 | mov                 al, 0xff
            //   83c410               | add                 esp, 0x10
            //   3ac8                 | cmp                 cl, al
            //   7522                 | jne                 0x24
            //   80bdd1ecffff53       | cmp                 byte ptr [ebp - 0x132f], 0x53
            //   7519                 | jne                 0x1b

        $sequence_14 = { 8dac2f9979825a 8bfd c1ef17 c1e509 0bfd 897c2414 0bdf }
            // n = 7, score = 100
            //   8dac2f9979825a       | lea                 ebp, [edi + ebp + 0x5a827999]
            //   8bfd                 | mov                 edi, ebp
            //   c1ef17               | shr                 edi, 0x17
            //   c1e509               | shl                 ebp, 9
            //   0bfd                 | or                  edi, ebp
            //   897c2414             | mov                 dword ptr [esp + 0x14], edi
            //   0bdf                 | or                  ebx, edi

        $sequence_15 = { e8???????? 017d0c 8b86e0b50000 017dfc 83c40c }
            // n = 5, score = 100
            //   e8????????           |                     
            //   017d0c               | add                 dword ptr [ebp + 0xc], edi
            //   8b86e0b50000         | mov                 eax, dword ptr [esi + 0xb5e0]
            //   017dfc               | add                 dword ptr [ebp - 4], edi
            //   83c40c               | add                 esp, 0xc

    condition:
        7 of them and filesize < 188416
}