SYMBOLCOMMON_NAMEaka. SYNONYMS
win.brambul (Back to overview)

Brambul

aka: SORRYBRUTE

Actor(s): Lazarus Group

Brambul is a worm that spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.

References
2020-02-26MetaSwan's LabMetaSwan
@online{metaswan:20200226:lazarus:0bf422f, author = {MetaSwan}, title = {{Lazarus group's Brambul worm of the former Wannacry - 2}}, date = {2020-02-26}, organization = {MetaSwan's Lab}, url = {https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2}, language = {English}, urldate = {2022-03-02} } Lazarus group's Brambul worm of the former Wannacry - 2
Brambul
2020-02-26MetaSwan's LabMetaSwan
@online{metaswan:20200226:lazarus:1cacde4, author = {MetaSwan}, title = {{Lazarus group's Brambul worm of the former Wannacry - 1}}, date = {2020-02-26}, organization = {MetaSwan's Lab}, url = {https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1}, language = {English}, urldate = {2022-03-02} } Lazarus group's Brambul worm of the former Wannacry - 1
Brambul WannaCryptor
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2018-06-13AcalvioTeam Acalvio
@online{acalvio:20180613:lateral:ab17115, author = {Team Acalvio}, title = {{Lateral Movement Technique Employed by Hidden Cobra}}, date = {2018-06-13}, organization = {Acalvio}, url = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/}, language = {English}, urldate = {2020-01-13} } Lateral Movement Technique Employed by Hidden Cobra
Brambul Joanap
2018-05-29US-CERTUS-CERT
@online{uscert:20180529:mar101355363:6ee74d8, author = {US-CERT}, title = {{MAR-10135536-3 - HIDDEN COBRA RAT/Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-149A}, language = {English}, urldate = {2019-10-13} } MAR-10135536-3 - HIDDEN COBRA RAT/Worm
Brambul Joanap
2018-05-29US-CERTUS-CERT
@online{uscert:20180529:alert:9ab63c1, author = {US-CERT}, title = {{Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA18-149A}, language = {English}, urldate = {2020-01-10} } Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
Brambul Joanap
2015-10-26SymantecA L Johnson
@online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Duuzer back door Trojan targets South Korea to take over computers
Brambul Duuzer Joanap Lazarus Group
Yara Rules
[TLP:WHITE] win_brambul_auto (20230125 | Detects win.brambul.)
rule win_brambul_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.brambul."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 23d6 3b10 740b ff4df8 83e804 }
            // n = 5, score = 100
            //   23d6                 | and                 edx, esi
            //   3b10                 | cmp                 edx, dword ptr [eax]
            //   740b                 | je                  0xd
            //   ff4df8               | dec                 dword ptr [ebp - 8]
            //   83e804               | sub                 eax, 4

        $sequence_1 = { 8bef c1ed15 c1e70b 0bef 8bfe 03ee 33fd }
            // n = 7, score = 100
            //   8bef                 | mov                 ebp, edi
            //   c1ed15               | shr                 ebp, 0x15
            //   c1e70b               | shl                 edi, 0xb
            //   0bef                 | or                  ebp, edi
            //   8bfe                 | mov                 edi, esi
            //   03ee                 | add                 ebp, esi
            //   33fd                 | xor                 edi, ebp

        $sequence_2 = { 8d8424c4000000 52 50 ffd6 8b8c2450090000 6a64 }
            // n = 6, score = 100
            //   8d8424c4000000       | lea                 eax, [esp + 0xc4]
            //   52                   | push                edx
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8b8c2450090000       | mov                 ecx, dword ptr [esp + 0x950]
            //   6a64                 | push                0x64

        $sequence_3 = { 84d2 75f2 8ad1 2ad0 88142f }
            // n = 5, score = 100
            //   84d2                 | test                dl, dl
            //   75f2                 | jne                 0xfffffff4
            //   8ad1                 | mov                 dl, cl
            //   2ad0                 | sub                 dl, al
            //   88142f               | mov                 byte ptr [edi + ebp], dl

        $sequence_4 = { 57 8d4c2420 53 51 56 e8???????? }
            // n = 6, score = 100
            //   57                   | push                edi
            //   8d4c2420             | lea                 ecx, [esp + 0x20]
            //   53                   | push                ebx
            //   51                   | push                ecx
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_5 = { 23cd 8b6850 0bd9 03dd 8db41e9979825a 8b5c2414 8bce }
            // n = 7, score = 100
            //   23cd                 | and                 ecx, ebp
            //   8b6850               | mov                 ebp, dword ptr [eax + 0x50]
            //   0bd9                 | or                  ebx, ecx
            //   03dd                 | add                 ebx, ebp
            //   8db41e9979825a       | lea                 esi, [esi + ebx + 0x5a827999]
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]
            //   8bce                 | mov                 ecx, esi

        $sequence_6 = { c70002000000 eb0c e8???????? 8b6c2424 }
            // n = 4, score = 100
            //   c70002000000         | mov                 dword ptr [eax], 2
            //   eb0c                 | jmp                 0xe
            //   e8????????           |                     
            //   8b6c2424             | mov                 ebp, dword ptr [esp + 0x24]

        $sequence_7 = { 8bd6 c1ea19 c1e607 8beb 0bd6 8b7050 33e9 }
            // n = 7, score = 100
            //   8bd6                 | mov                 edx, esi
            //   c1ea19               | shr                 edx, 0x19
            //   c1e607               | shl                 esi, 7
            //   8beb                 | mov                 ebp, ebx
            //   0bd6                 | or                  edx, esi
            //   8b7050               | mov                 esi, dword ptr [eax + 0x50]
            //   33e9                 | xor                 ebp, ecx

        $sequence_8 = { 8b9435e0ecffff 25ffff0000 03d6 8bc8 8dbdd0fcffff 8db415d0ecffff 8bd1 }
            // n = 7, score = 100
            //   8b9435e0ecffff       | mov                 edx, dword ptr [ebp + esi - 0x1320]
            //   25ffff0000           | and                 eax, 0xffff
            //   03d6                 | add                 edx, esi
            //   8bc8                 | mov                 ecx, eax
            //   8dbdd0fcffff         | lea                 edi, [ebp - 0x330]
            //   8db415d0ecffff       | lea                 esi, [ebp + edx - 0x1330]
            //   8bd1                 | mov                 edx, ecx

        $sequence_9 = { 803d????????35 0f85ff000000 803d????????34 0f85f2000000 a1???????? 85c0 0f85e5000000 }
            // n = 7, score = 100
            //   803d????????35       |                     
            //   0f85ff000000         | jne                 0x105
            //   803d????????34       |                     
            //   0f85f2000000         | jne                 0xf8
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   0f85e5000000         | jne                 0xeb

        $sequence_10 = { 8b742420 3bc7 897c2424 0f868c010000 }
            // n = 4, score = 100
            //   8b742420             | mov                 esi, dword ptr [esp + 0x20]
            //   3bc7                 | cmp                 eax, edi
            //   897c2424             | mov                 dword ptr [esp + 0x24], edi
            //   0f868c010000         | jbe                 0x192

        $sequence_11 = { 50 ffd7 85f6 8bc6 75f0 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   85f6                 | test                esi, esi
            //   8bc6                 | mov                 eax, esi
            //   75f0                 | jne                 0xfffffff2

        $sequence_12 = { 0bde 33d9 03dd 8b684c 8d9c1f144301a3 8bfb c1ef11 }
            // n = 7, score = 100
            //   0bde                 | or                  ebx, esi
            //   33d9                 | xor                 ebx, ecx
            //   03dd                 | add                 ebx, ebp
            //   8b684c               | mov                 ebp, dword ptr [eax + 0x4c]
            //   8d9c1f144301a3       | lea                 ebx, [edi + ebx - 0x5cfebcec]
            //   8bfb                 | mov                 edi, ebx
            //   c1ef11               | shr                 edi, 0x11

        $sequence_13 = { 894d08 56 33c0 33db 8d8d887fffff 57 8985a849ffff }
            // n = 7, score = 100
            //   894d08               | mov                 dword ptr [ebp + 8], ecx
            //   56                   | push                esi
            //   33c0                 | xor                 eax, eax
            //   33db                 | xor                 ebx, ebx
            //   8d8d887fffff         | lea                 ecx, [ebp - 0x8078]
            //   57                   | push                edi
            //   8985a849ffff         | mov                 dword ptr [ebp - 0xb658], eax

        $sequence_14 = { 0bd3 33d7 03d5 8b6848 8d8c1139a093fc }
            // n = 5, score = 100
            //   0bd3                 | or                  edx, ebx
            //   33d7                 | xor                 edx, edi
            //   03d5                 | add                 edx, ebp
            //   8b6848               | mov                 ebp, dword ptr [eax + 0x48]
            //   8d8c1139a093fc       | lea                 ecx, [ecx + edx - 0x36c5fc7]

        $sequence_15 = { 5b c9 c3 8b5d20 6a01 59 8d458c }
            // n = 7, score = 100
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c3                   | ret                 
            //   8b5d20               | mov                 ebx, dword ptr [ebp + 0x20]
            //   6a01                 | push                1
            //   59                   | pop                 ecx
            //   8d458c               | lea                 eax, [ebp - 0x74]

    condition:
        7 of them and filesize < 188416
}
Download all Yara Rules