win.brambul

Brambul

aka: SORRYBRUTE

Actor(s): Lazarus Group


Brambul is a worm that spreads by using a list of hard-coded login credentials to launch a brute-force password attack against the SMB protocol, gaining access to hosts on a victim's network.

References

2020-02-26, MetaSwan (MetaSwan's Lab): Lazarus group's Brambul worm of the former Wannacry - 2. https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2 (accessed 2022-03-02). Related: Brambul.

2020-02-26, MetaSwan (MetaSwan's Lab): Lazarus group's Brambul worm of the former Wannacry - 1. https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1 (accessed 2022-03-02). Related: Brambul, WannaCryptor.

2020-02-19, Lexfo: The Lazarus Constellation - A study on North Korean malware (white paper). https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf (accessed 2020-03-11). Related: FastCash, AppleJeus, BADCALL, Bankshot, Brambul, Dtrack, Duuzer, DYEPACK, ELECTRICFISH, HARDRAIN, Hermes, HOPLIGHT, Joanap, KEYMARBLE, Kimsuky, MimiKatz, MyDoom, NACHOCHEESE, NavRAT, PowerRatankba, RokRAT, Sierra(Alfa,Bravo, ...), Volgmer, WannaCryptor.

2020-02-13, Qi Anxin Threat Intelligence Center (Qianxin): APT Report 2019. https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf (accessed 2020-02-27). Related: Chrysaor, Exodus, Dacls, VPNFilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy.

2020, SecureWorks (Secureworks): NICKEL ACADEMY (threat profile). https://www.secureworks.com/research/threat-profiles/nickel-academy (accessed 2020-05-23). Related: Brambul, Duuzer, HOPLIGHT, Joanap, Sierra(Alfa,Bravo, ...), Volgmer.

2018-06-13, Team Acalvio (Acalvio): Lateral Movement Technique Employed by Hidden Cobra. https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/ (accessed 2020-01-13). Related: Brambul, Joanap.

2018-05-29, US-CERT: MAR-10135536-3 - HIDDEN COBRA RAT/Worm. https://www.us-cert.gov/ncas/analysis-reports/AR18-149A (accessed 2019-10-13). Related: Brambul, Joanap.

2018-05-29, US-CERT: Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm. https://www.us-cert.gov/ncas/alerts/TA18-149A (accessed 2020-01-10). Related: Brambul, Joanap.

2015-10-26, A L Johnson (Symantec): Duuzer back door Trojan targets South Korea to take over computers. https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments (accessed 2020-04-21). Related: Brambul, Duuzer, Joanap, Lazarus Group.
Yara Rules
[TLP:WHITE] win_brambul_auto (20230715 | Detects win.brambul.)
rule win_brambul_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.brambul."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85f6 7509 8db42448030000 eb01 46 }
            // n = 5, score = 100
            //   85f6                 | test                esi, esi
            //   7509                 | jne                 0xb
            //   8db42448030000       | lea                 esi, [esp + 0x348]
            //   eb01                 | jmp                 3
            //   46                   | inc                 esi

        $sequence_1 = { 5d b810000000 5b 81c440050000 }
            // n = 4, score = 100
            //   5d                   | pop                 ebp
            //   b810000000           | mov                 eax, 0x10
            //   5b                   | pop                 ebx
            //   81c440050000         | add                 esp, 0x540

        $sequence_2 = { 80a0a099400000 40 41 41 3bc6 72bf eb49 }
            // n = 7, score = 100
            //   80a0a099400000       | and                 byte ptr [eax + 0x4099a0], 0
            //   40                   | inc                 eax
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   3bc6                 | cmp                 eax, esi
            //   72bf                 | jb                  0xffffffc1
            //   eb49                 | jmp                 0x4b

        $sequence_3 = { 0bef 8bfb 33fa 23fd }
            // n = 4, score = 100
            //   0bef                 | or                  ebp, edi
            //   8bfb                 | mov                 edi, ebx
            //   33fa                 | xor                 edi, edx
            //   23fd                 | and                 edi, ebp

        $sequence_4 = { ffd6 50 53 ffd7 50 ffd5 }
            // n = 6, score = 100
            //   ffd6                 | call                esi
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ffd7                 | call                edi
            //   50                   | push                eax
            //   ffd5                 | call                ebp

        $sequence_5 = { 8b7d90 8b458c 8b4d88 83c410 3bf8 7307 8bd0 }
            // n = 7, score = 100
            //   8b7d90               | mov                 edi, dword ptr [ebp - 0x70]
            //   8b458c               | mov                 eax, dword ptr [ebp - 0x74]
            //   8b4d88               | mov                 ecx, dword ptr [ebp - 0x78]
            //   83c410               | add                 esp, 0x10
            //   3bf8                 | cmp                 edi, eax
            //   7307                 | jae                 9
            //   8bd0                 | mov                 edx, eax

        $sequence_6 = { 56 b053 8d7324 57 88442410 }
            // n = 5, score = 100
            //   56                   | push                esi
            //   b053                 | mov                 al, 0x53
            //   8d7324               | lea                 esi, [ebx + 0x24]
            //   57                   | push                edi
            //   88442410             | mov                 byte ptr [esp + 0x10], al

        $sequence_7 = { 6a00 6a00 ffd7 83c418 6a32 ffd6 4b }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ffd7                 | call                edi
            //   83c418               | add                 esp, 0x18
            //   6a32                 | push                0x32
            //   ffd6                 | call                esi
            //   4b                   | dec                 ebx

        $sequence_8 = { 0bcb 8bdf f7d3 03ca 0bd9 }
            // n = 5, score = 100
            //   0bcb                 | or                  ecx, ebx
            //   8bdf                 | mov                 ebx, edi
            //   f7d3                 | not                 ebx
            //   03ca                 | add                 ecx, edx
            //   0bd9                 | or                  ebx, ecx

        $sequence_9 = { 7505 804c247401 55 8bcb e8???????? 85c0 }
            // n = 6, score = 100
            //   7505                 | jne                 7
            //   804c247401           | or                  byte ptr [esp + 0x74], 1
            //   55                   | push                ebp
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_10 = { 8b15???????? 89442440 a0???????? 894c2450 8b0d???????? }
            // n = 5, score = 100
            //   8b15????????         |                     
            //   89442440             | mov                 dword ptr [esp + 0x40], eax
            //   a0????????           |                     
            //   894c2450             | mov                 dword ptr [esp + 0x50], ecx
            //   8b0d????????         |                     

        $sequence_11 = { 897d90 c745ec01000000 8b558c 8365f800 3bfa 895dfc 897508 }
            // n = 7, score = 100
            //   897d90               | mov                 dword ptr [ebp - 0x70], edi
            //   c745ec01000000       | mov                 dword ptr [ebp - 0x14], 1
            //   8b558c               | mov                 edx, dword ptr [ebp - 0x74]
            //   8365f800             | and                 dword ptr [ebp - 8], 0
            //   3bfa                 | cmp                 edi, edx
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   897508               | mov                 dword ptr [ebp + 8], esi

        $sequence_12 = { 83c410 85c0 0f8590010000 8d442428 8d4c2430 50 57 }
            // n = 7, score = 100
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   0f8590010000         | jne                 0x196
            //   8d442428             | lea                 eax, [esp + 0x28]
            //   8d4c2430             | lea                 ecx, [esp + 0x30]
            //   50                   | push                eax
            //   57                   | push                edi

        $sequence_13 = { 8945dc 7605 8945fc 8bd0 6a01 8913 }
            // n = 6, score = 100
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   7605                 | jbe                 7
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8bd0                 | mov                 edx, eax
            //   6a01                 | push                1
            //   8913                 | mov                 dword ptr [ebx], edx

        $sequence_14 = { 0bce 8bf1 33f5 33f2 03f3 8dbc37a1ebd96e }
            // n = 6, score = 100
            //   0bce                 | or                  ecx, esi
            //   8bf1                 | mov                 esi, ecx
            //   33f5                 | xor                 esi, ebp
            //   33f2                 | xor                 esi, edx
            //   03f3                 | add                 esi, ebx
            //   8dbc37a1ebd96e       | lea                 edi, [edi + esi + 0x6ed9eba1]

        $sequence_15 = { 03c7 8d942486000000 8d0c8510202f00 51 52 ffd6 8b44242c }
            // n = 7, score = 100
            //   03c7                 | add                 eax, edi
            //   8d942486000000       | lea                 edx, [esp + 0x86]
            //   8d0c8510202f00       | lea                 ecx, [eax*4 + 0x2f2010]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   ffd6                 | call                esi
            //   8b44242c             | mov                 eax, dword ptr [esp + 0x2c]

    condition:
        7 of them and filesize < 188416
}