win.brambul

Brambul

aka: SORRYBRUTE

Actor(s): Lazarus Group


Brambul is a worm that spreads by using a list of hard-coded login credentials to launch a brute-force password attack over the SMB protocol, gaining access to hosts on a victim's network.

References

2020-02-26 | MetaSwan's Lab | MetaSwan
@online{metaswan:20200226:lazarus:1cacde4, author = {MetaSwan}, title = {{Lazarus group's Brambul worm of the former Wannacry - 1}}, date = {2020-02-26}, organization = {MetaSwan's Lab}, url = {https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1}, language = {English}, urldate = {2020-02-26} }
Tagged: Brambul, WannaCryptor

2020-02-26 | MetaSwan's Lab | MetaSwan
@online{metaswan:20200226:lazarus:0bf422f, author = {MetaSwan}, title = {{Lazarus group's Brambul worm of the former Wannacry - 2}}, date = {2020-02-26}, organization = {MetaSwan's Lab}, url = {https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2}, language = {English}, urldate = {2020-02-26} }
Tagged: Brambul

2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} }
Tagged: FastCash, AppleJeus, BADCALL, Bankshot, Brambul, Dtrack, Duuzer, DYEPACK, ELECTRICFISH, HARDRAIN, Hermes, HOPLIGHT, Joanap, KEYMARBLE, Kimsuky, MimiKatz, MyDoom, NACHOCHEESE, NavRAT, PowerRatankba, RokRAT, Sierra(Alfa,Bravo, ...), Volgmer, WannaCryptor

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
Tagged: Chrysaor, Exodus, Dacls, elf.vpnfilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy

2020 | Secureworks | SecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} }
Tagged: Brambul, Duuzer, HOPLIGHT, Joanap, Sierra(Alfa,Bravo, ...), Volgmer

2018-06-13 | Acalvio | Team Acalvio
@online{acalvio:20180613:lateral:ab17115, author = {Team Acalvio}, title = {{Lateral Movement Technique Employed by Hidden Cobra}}, date = {2018-06-13}, organization = {Acalvio}, url = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/}, language = {English}, urldate = {2020-01-13} }
Tagged: Brambul, Joanap

2018-05-29 | US-CERT | US-CERT
@online{uscert:20180529:alert:9ab63c1, author = {US-CERT}, title = {{Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA18-149A}, language = {English}, urldate = {2020-01-10} }
Tagged: Brambul, Joanap

2018-05-29 | US-CERT | US-CERT
@online{uscert:20180529:mar101355363:6ee74d8, author = {US-CERT}, title = {{MAR-10135536-3 - HIDDEN COBRA RAT/Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-149A}, language = {English}, urldate = {2019-10-13} }
Tagged: Brambul, Joanap

2015-10-26 | Symantec | A L Johnson
@online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} }
Tagged: Brambul, Duuzer, Joanap, Lazarus Group
Yara Rules

[TLP:WHITE] win_brambul_auto (20211008 | Detects win.brambul.)
rule win_brambul_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.brambul."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d840102010000 3985b049ffff 8945e4 0f8325010000 8b95b45dffff }
            // n = 5, score = 100
            //   8d840102010000       | lea                 eax, dword ptr [ecx + eax + 0x102]
            //   3985b049ffff         | cmp                 dword ptr [ebp - 0xb650], eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   0f8325010000         | jae                 0x12b
            //   8b95b45dffff         | mov                 edx, dword ptr [ebp - 0xa24c]

        $sequence_1 = { 2bfa 4b 235df0 d36df0 015de8 8b55e8 8bd8 }
            // n = 7, score = 100
            //   2bfa                 | sub                 edi, edx
            //   4b                   | dec                 ebx
            //   235df0               | and                 ebx, dword ptr [ebp - 0x10]
            //   d36df0               | shr                 dword ptr [ebp - 0x10], cl
            //   015de8               | add                 dword ptr [ebp - 0x18], ebx
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   8bd8                 | mov                 ebx, eax

        $sequence_2 = { 8b4de0 8b95be49ffff 23ce 8d0c49 }
            // n = 4, score = 100
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   8b95be49ffff         | mov                 edx, dword ptr [ebp - 0xb642]
            //   23ce                 | and                 ecx, esi
            //   8d0c49               | lea                 ecx, dword ptr [ecx + ecx*2]

        $sequence_3 = { 48 752f 8d542410 bf???????? eb43 }
            // n = 5, score = 100
            //   48                   | dec                 eax
            //   752f                 | jne                 0x31
            //   8d542410             | lea                 edx, dword ptr [esp + 0x10]
            //   bf????????           |                     
            //   eb43                 | jmp                 0x45

        $sequence_4 = { bb???????? 3bc7 7449 8b3b 83c9ff 33c0 8d94240c010000 }
            // n = 7, score = 100
            //   bb????????           |                     
            //   3bc7                 | cmp                 eax, edi
            //   7449                 | je                  0x4b
            //   8b3b                 | mov                 edi, dword ptr [ebx]
            //   83c9ff               | or                  ecx, 0xffffffff
            //   33c0                 | xor                 eax, eax
            //   8d94240c010000       | lea                 edx, dword ptr [esp + 0x10c]

        $sequence_5 = { 8d4c2438 53 52 894c2434 c744242401000000 89442430 8944243c }
            // n = 7, score = 100
            //   8d4c2438             | lea                 ecx, dword ptr [esp + 0x38]
            //   53                   | push                ebx
            //   52                   | push                edx
            //   894c2434             | mov                 dword ptr [esp + 0x34], ecx
            //   c744242401000000     | mov                 dword ptr [esp + 0x24], 1
            //   89442430             | mov                 dword ptr [esp + 0x30], eax
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax

        $sequence_6 = { 397590 8945fc 7531 8d95887fffff 3bca 7427 8d85887fffff }
            // n = 7, score = 100
            //   397590               | cmp                 dword ptr [ebp - 0x70], esi
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   7531                 | jne                 0x33
            //   8d95887fffff         | lea                 edx, dword ptr [ebp - 0x8078]
            //   3bca                 | cmp                 ecx, edx
            //   7427                 | je                  0x29
            //   8d85887fffff         | lea                 eax, dword ptr [ebp - 0x8078]

        $sequence_7 = { e8???????? 83c40c 85c0 75a2 8b442418 8b4c2414 83c604 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   75a2                 | jne                 0xffffffa4
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   83c604               | add                 esi, 4

        $sequence_8 = { 68???????? 56 e8???????? 83c408 68e8030000 ffd7 }
            // n = 6, score = 100
            //   68????????           |                     
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   68e8030000           | push                0x3e8
            //   ffd7                 | call                edi

        $sequence_9 = { 83f908 7229 f3a5 ff2495a84d4000 8bc7 ba03000000 83e904 }
            // n = 7, score = 100
            //   83f908               | cmp                 ecx, 8
            //   7229                 | jb                  0x2b
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff2495a84d4000       | jmp                 dword ptr [edx*4 + 0x404da8]
            //   8bc7                 | mov                 eax, edi
            //   ba03000000           | mov                 edx, 3
            //   83e904               | sub                 ecx, 4

    condition:
        7 of them and filesize < 131072
}