win.brambul

Brambul

aka: SORRYBRUTE

Actor(s): Lazarus Group


Brambul is a worm that spreads by using a list of hard-coded login credentials to launch a brute-force password attack against SMB (Server Message Block) services, gaining access to a victim's networks.

References

2020-02-26 | MetaSwan's Lab | MetaSwan
  Lazarus group's Brambul worm of the former Wannacry - 1
  https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1 (accessed 2020-02-26)
  Families: Brambul, WannaCryptor

2020-02-26 | MetaSwan's Lab | MetaSwan
  Lazarus group's Brambul worm of the former Wannacry - 2
  https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2 (accessed 2020-02-26)
  Families: Brambul

2020-02-19 | Lexfo | Lexfo (technical report)
  The Lazarus Constellation: A study on North Korean malware
  https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf (accessed 2020-03-11)
  Families: FastCash, AppleJeus, BADCALL, Bankshot, Brambul, Dtrack, Duuzer, DYEPACK, ELECTRICFISH, HARDRAIN, Hermes, HOPLIGHT, Joanap, KEYMARBLE, Kimsuky, MimiKatz, MyDoom, NACHOCHEESE, NavRAT, PowerRatankba, RokRAT, Sierra(Alfa,Bravo, ...), Volgmer, WannaCryptor

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center (technical report)
  APT Report 2019
  https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf (accessed 2020-02-27)
  Families: Chrysaor, Exodus, Dacls, elf.vpnfilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy

2020 | Secureworks | SecureWorks
  NICKEL ACADEMY
  https://www.secureworks.com/research/threat-profiles/nickel-academy (accessed 2020-05-23)
  Families: Brambul, Duuzer, HOPLIGHT, Joanap, Sierra(Alfa,Bravo, ...), Volgmer

2018-06-13 | Acalvio | Team Acalvio
  Lateral Movement Technique Employed by Hidden Cobra
  https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/ (accessed 2020-01-13)
  Families: Brambul, Joanap

2018-05-29 | US-CERT | US-CERT
  Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
  https://www.us-cert.gov/ncas/alerts/TA18-149A (accessed 2020-01-10)
  Families: Brambul, Joanap

2018-05-29 | US-CERT | US-CERT
  MAR-10135536-3 - HIDDEN COBRA RAT/Worm
  https://www.us-cert.gov/ncas/analysis-reports/AR18-149A (accessed 2019-10-13)
  Families: Brambul, Joanap

2015-10-26 | Symantec | A L Johnson
  Duuzer back door Trojan targets South Korea to take over computers
  https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments (accessed 2020-04-21)
  Families/actors: Brambul, Duuzer, Joanap, Lazarus Group
Yara Rules
[TLP:WHITE] win_brambul_auto (20210616 | Detects win.brambul.)
rule win_brambul_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.brambul."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 2bc1 4b 23de 035a02 d3ee 83f80f }
            // n = 6, score = 100
            //   2bc1                 | sub                 eax, ecx
            //   4b                   | dec                 ebx
            //   23de                 | and                 ebx, esi
            //   035a02               | add                 ebx, dword ptr [edx + 2]
            //   d3ee                 | shr                 esi, cl
            //   83f80f               | cmp                 eax, 0xf

        $sequence_1 = { 833c854888400000 8d348548884000 753e 57 }
            // n = 4, score = 100
            //   833c854888400000     | cmp                 dword ptr [eax*4 + 0x408848], 0
            //   8d348548884000       | lea                 esi, dword ptr [eax*4 + 0x408848]
            //   753e                 | jne                 0x40
            //   57                   | push                edi

        $sequence_2 = { 83e01f 83e11f 8d840102010000 3985b049ffff }
            // n = 4, score = 100
            //   83e01f               | and                 eax, 0x1f
            //   83e11f               | and                 ecx, 0x1f
            //   8d840102010000       | lea                 eax, dword ptr [ecx + eax + 0x102]
            //   3985b049ffff         | cmp                 dword ptr [ebp - 0xb650], eax

        $sequence_3 = { 0f8540010000 e8???????? e8???????? e8???????? bf???????? }
            // n = 5, score = 100
            //   0f8540010000         | jne                 0x146
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   bf????????           |                     

        $sequence_4 = { f37040 00834e04ff89 06 eb08 }
            // n = 4, score = 100
            //   f37040               | jo                  0x43
            //   00834e04ff89         | add                 byte ptr [ebx - 0x7600fbb2], al
            //   06                   | push                es
            //   eb08                 | jmp                 0xa

        $sequence_5 = { 85c0 89442420 7405 83f8ff }
            // n = 4, score = 100
            //   85c0                 | test                eax, eax
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   7405                 | je                  7
            //   83f8ff               | cmp                 eax, -1

        $sequence_6 = { 897de0 0f88b0020000 03f7 8931 33c9 48 898d4cffffff }
            // n = 7, score = 100
            //   897de0               | mov                 dword ptr [ebp - 0x20], edi
            //   0f88b0020000         | js                  0x2b6
            //   03f7                 | add                 esi, edi
            //   8931                 | mov                 dword ptr [ecx], esi
            //   33c9                 | xor                 ecx, ecx
            //   48                   | dec                 eax
            //   898d4cffffff         | mov                 dword ptr [ebp - 0xb4], ecx

        $sequence_7 = { 6a02 8d842484000000 6800000040 f3a4 50 ff15???????? 8bf0 }
            // n = 7, score = 100
            //   6a02                 | push                2
            //   8d842484000000       | lea                 eax, dword ptr [esp + 0x84]
            //   6800000040           | push                0x40000000
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_8 = { 53 ffd6 8b3d???????? 50 53 ffd7 8b2d???????? }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   ffd6                 | call                esi
            //   8b3d????????         |                     
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ffd7                 | call                edi
            //   8b2d????????         |                     

        $sequence_9 = { 68???????? 52 ffd5 57 8d442420 53 50 }
            // n = 7, score = 100
            //   68????????           |                     
            //   52                   | push                edx
            //   ffd5                 | call                ebp
            //   57                   | push                edi
            //   8d442420             | lea                 eax, dword ptr [esp + 0x20]
            //   53                   | push                ebx
            //   50                   | push                eax

    condition:
        7 of them and filesize < 131072
}