win.brambul

Brambul

aka: SORRYBRUTE

Actor(s): Lazarus Group


Brambul is a worm that spreads by running a brute-force password attack over the SMB protocol, using a list of hard-coded login credentials, to gain access to hosts on a victim's network.
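The behaviour described above (one source trying a fixed credential list against many hosts over SMB) leaves a characteristic trail on the targets: bursts of failed network logons (Windows Security event 4625, LogonType 3) from a single source against several distinct account names. The following detector is an added example and is not code from the Malpedia page, from US-CERT, or from the Brambul sample; the flat key=value log format, the field names and the thresholds are assumptions, and the event lines are constructed for the demonstration.

```python
"""Detect the SMB credential brute-force pattern a worm like Brambul produces.

Added example: not code from the Malpedia page, from US-CERT, or from the
Brambul sample itself. It works on constructed Windows Security event 4625
(failed logon) records in an assumed flat key=value line format; the field
names and thresholds are assumptions, not a vendor schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). LogonType=3 is a network logon,
# which is what an SMB authentication attempt produces on the target host.
# 10.0.0.5 sprays a short credential list at two hosts; 10.0.0.9 is one user
# mistyping a password twice; the last line is a local (LogonType=2) failure.
SAMPLE_LOG = """\
2018-05-29T10:00:00Z EventID=4625 LogonType=3 TargetHost=FS01 SourceIP=10.0.0.5 TargetUser=administrator
2018-05-29T10:00:01Z EventID=4625 LogonType=3 TargetHost=FS01 SourceIP=10.0.0.5 TargetUser=administrator
2018-05-29T10:00:02Z EventID=4625 LogonType=3 TargetHost=FS01 SourceIP=10.0.0.5 TargetUser=admin
2018-05-29T10:00:03Z EventID=4625 LogonType=3 TargetHost=FS01 SourceIP=10.0.0.5 TargetUser=guest
2018-05-29T10:00:04Z EventID=4625 LogonType=3 TargetHost=FS01 SourceIP=10.0.0.5 TargetUser=user
2018-05-29T10:00:05Z EventID=4625 LogonType=3 TargetHost=WS07 SourceIP=10.0.0.5 TargetUser=administrator
2018-05-29T10:00:06Z EventID=4625 LogonType=3 TargetHost=WS07 SourceIP=10.0.0.5 TargetUser=admin
2018-05-29T10:00:07Z EventID=4625 LogonType=3 TargetHost=WS07 SourceIP=10.0.0.5 TargetUser=root
2018-05-29T10:00:08Z EventID=4625 LogonType=3 TargetHost=WS07 SourceIP=10.0.0.5 TargetUser=guest
2018-05-29T10:00:09Z EventID=4625 LogonType=3 TargetHost=WS07 SourceIP=10.0.0.5 TargetUser=user
2018-05-29T10:00:10Z EventID=4625 LogonType=3 TargetHost=WS07 SourceIP=10.0.0.5 TargetUser=test
2018-05-29T10:01:00Z EventID=4625 LogonType=3 TargetHost=FS01 SourceIP=10.0.0.9 TargetUser=jsmith
2018-05-29T10:01:30Z EventID=4625 LogonType=3 TargetHost=FS01 SourceIP=10.0.0.9 TargetUser=jsmith
2018-05-29T10:05:00Z EventID=4625 LogonType=2 TargetHost=WS03 SourceIP=- TargetUser=jdoe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_events(text):
    """Parse key=value lines into dicts; the leading token is an ISO-8601 UTC timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def find_smb_bruteforce(events, window=timedelta(minutes=5), min_attempts=8, min_users=3):
    """Return {source_ip: summary} for every source that produced at least
    `min_attempts` failed network logons against at least `min_users` distinct
    accounts inside any span no longer than `window`.

    A hard-coded credential list tried host by host shows up as one source,
    many accounts, short time span. A user mistyping a password is one source,
    one account, and is left alone by the min_users threshold.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == "4625" and ev.get("LogonType") == "3":
            by_src[ev["SourceIP"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["TargetUser"] for e in span}
            if len(span) < min_attempts or len(users) < min_users:
                continue
            # Keep the densest qualifying span seen for this source.
            if src not in alerts or len(span) > alerts[src]["attempts"]:
                alerts[src] = {
                    "attempts": len(span),
                    "users": sorted(users),
                    "targets": sorted({e["TargetHost"] for e in span}),
                    "first_seen": span[0]["ts"],
                    "last_seen": span[-1]["ts"],
                }
    return alerts


if __name__ == "__main__":
    for src, info in find_smb_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {info['attempts']} failed SMB logons, "
              f"{len(info['users'])} accounts, targets={info['targets']}")
```

Event 4625 is only written when failure auditing for Logon is enabled on the target, so the detector is blind on hosts without that policy. The distinct-account count is the dimension that separates a credential-list spray from a legitimate user's typos; in practice one would also join the flagged source against subsequent successful network logons (event 4624, LogonType 3) to learn which credential from the list worked and where the worm landed next.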

References

2020-02-26 | MetaSwan's Lab | MetaSwan
Lazarus group's Brambul worm of the former Wannacry - 1
@online{metaswan:20200226:lazarus:1cacde4, author = {MetaSwan}, title = {{Lazarus group's Brambul worm of the former Wannacry - 1}}, date = {2020-02-26}, organization = {MetaSwan's Lab}, url = {https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1}, language = {English}, urldate = {2020-02-26} }
Tags: Brambul WannaCryptor

2020-02-26 | MetaSwan's Lab | MetaSwan
Lazarus group's Brambul worm of the former Wannacry - 2
@online{metaswan:20200226:lazarus:0bf422f, author = {MetaSwan}, title = {{Lazarus group's Brambul worm of the former Wannacry - 2}}, date = {2020-02-26}, organization = {MetaSwan's Lab}, url = {https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2}, language = {English}, urldate = {2020-02-26} }
Tags: Brambul

2020-02-19 | Lexfo | Lexfo
The Lazarus Constellation: A study on North Korean malware
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} }
Tags: FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
APT Report 2019
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
Tags: Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020 | Secureworks | SecureWorks
NICKEL ACADEMY
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} }
Tags: Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer

2018-06-13 | Acalvio | Team Acalvio
Lateral Movement Technique Employed by Hidden Cobra
@online{acalvio:20180613:lateral:ab17115, author = {Team Acalvio}, title = {{Lateral Movement Technique Employed by Hidden Cobra}}, date = {2018-06-13}, organization = {Acalvio}, url = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/}, language = {English}, urldate = {2020-01-13} }
Tags: Brambul Joanap

2018-05-29 | US-CERT | US-CERT
Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
@online{uscert:20180529:alert:9ab63c1, author = {US-CERT}, title = {{Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA18-149A}, language = {English}, urldate = {2020-01-10} }
Tags: Brambul Joanap

2018-05-29 | US-CERT | US-CERT
MAR-10135536-3 - HIDDEN COBRA RAT/Worm
@online{uscert:20180529:mar101355363:6ee74d8, author = {US-CERT}, title = {{MAR-10135536-3 - HIDDEN COBRA RAT/Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-149A}, language = {English}, urldate = {2019-10-13} }
Tags: Brambul Joanap

2015-10-26 | Symantec | A L Johnson
Duuzer back door Trojan targets South Korea to take over computers
@online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} }
Tags: Brambul Duuzer Joanap Lazarus Group
Yara Rules

[TLP:WHITE] win_brambul_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_brambul_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33c3 c1ef02 8b1c9580352f00 83e73f c1e902 }
            // n = 5, score = 100
            //   33c3                 | xor                 eax, ebx
            //   c1ef02               | shr                 edi, 2
            //   8b1c9580352f00       | mov                 ebx, dword ptr [edx*4 + 0x2f3580]
            //   83e73f               | and                 edi, 0x3f
            //   c1e902               | shr                 ecx, 2

        $sequence_1 = { 3bc1 0f8d2e010000 6a10 e8???????? 8be8 6a14 }
            // n = 6, score = 100
            //   3bc1                 | cmp                 eax, ecx
            //   0f8d2e010000         | jge                 0x134
            //   6a10                 | push                0x10
            //   e8????????           |                     
            //   8be8                 | mov                 ebp, eax
            //   6a14                 | push                0x14

        $sequence_2 = { 0f84ea000000 68???????? 50 ff15???????? 8bf0 }
            // n = 5, score = 100
            //   0f84ea000000         | je                  0xf0
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_3 = { f3a5 8bc8 83e103 f3a4 33f6 8b7c2410 }
            // n = 6, score = 100
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bc8                 | mov                 ecx, eax
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   33f6                 | xor                 esi, esi
            //   8b7c2410             | mov                 edi, dword ptr [esp + 0x10]

        $sequence_4 = { 8b8c2424020000 8d542448 51 55 52 e8???????? }
            // n = 6, score = 100
            //   8b8c2424020000       | mov                 ecx, dword ptr [esp + 0x224]
            //   8d542448             | lea                 edx, [esp + 0x48]
            //   51                   | push                ecx
            //   55                   | push                ebp
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_5 = { 6a00 6a00 ffd7 8d4c2414 }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ffd7                 | call                edi
            //   8d4c2414             | lea                 ecx, [esp + 0x14]

        $sequence_6 = { 8bd6 33d3 33d1 03d5 8dbc17e599dbe6 }
            // n = 5, score = 100
            //   8bd6                 | mov                 edx, esi
            //   33d3                 | xor                 edx, ebx
            //   33d1                 | xor                 edx, ecx
            //   03d5                 | add                 edx, ebp
            //   8dbc17e599dbe6       | lea                 edi, [edi + edx - 0x1924661b]

        $sequence_7 = { 8dbe24020000 83c9ff 33c0 f2ae f7d1 2bf9 }
            // n = 6, score = 100
            //   8dbe24020000         | lea                 edi, [esi + 0x224]
            //   83c9ff               | or                  ecx, 0xffffffff
            //   33c0                 | xor                 eax, eax
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   f7d1                 | not                 ecx
            //   2bf9                 | sub                 edi, ecx

        $sequence_8 = { 8bf0 83c60c 6a0f ffd7 }
            // n = 4, score = 100
            //   8bf0                 | mov                 esi, eax
            //   83c60c               | add                 esi, 0xc
            //   6a0f                 | push                0xf
            //   ffd7                 | call                edi

        $sequence_9 = { 03cd 8bea 8db40e9979825a 8bce }
            // n = 4, score = 100
            //   03cd                 | add                 ecx, ebp
            //   8bea                 | mov                 ebp, edx
            //   8db40e9979825a       | lea                 esi, [esi + ecx + 0x5a827999]
            //   8bce                 | mov                 ecx, esi

        $sequence_10 = { d3ee 0fb64a01 2bc1 8a4a02 880f 47 }
            // n = 6, score = 100
            //   d3ee                 | shr                 esi, cl
            //   0fb64a01             | movzx               ecx, byte ptr [edx + 1]
            //   2bc1                 | sub                 eax, ecx
            //   8a4a02               | mov                 cl, byte ptr [edx + 2]
            //   880f                 | mov                 byte ptr [edi], cl
            //   47                   | inc                 edi

        $sequence_11 = { 68???????? 68???????? 50 897c2448 }
            // n = 4, score = 100
            //   68????????           |                     
            //   68????????           |                     
            //   50                   | push                eax
            //   897c2448             | mov                 dword ptr [esp + 0x48], edi

        $sequence_12 = { 68a3c946ab 18d4 92 5d 754d d92d???????? 129ae0c183bf }
            // n = 7, score = 100
            //   68a3c946ab           | push                0xab46c9a3
            //   18d4                 | sbb                 ah, dl
            //   92                   | xchg                eax, edx
            //   5d                   | pop                 ebp
            //   754d                 | jne                 0x4f
            //   d92d????????         |                     
            //   129ae0c183bf         | adc                 bl, byte ptr [edx - 0x407c3e20]

        $sequence_13 = { 8bb4243c010000 3bde 0f8df3000000 b945000000 33c0 }
            // n = 5, score = 100
            //   8bb4243c010000       | mov                 esi, dword ptr [esp + 0x13c]
            //   3bde                 | cmp                 ebx, esi
            //   0f8df3000000         | jge                 0xf9
            //   b945000000           | mov                 ecx, 0x45
            //   33c0                 | xor                 eax, eax

        $sequence_14 = { 8d442434 52 8d4c2418 50 51 8d942498040000 }
            // n = 6, score = 100
            //   8d442434             | lea                 eax, [esp + 0x34]
            //   52                   | push                edx
            //   8d4c2418             | lea                 ecx, [esp + 0x18]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   8d942498040000       | lea                 edx, [esp + 0x498]

        $sequence_15 = { 897c2418 03c2 3bc7 8944241c 0f8e04010000 eb07 }
            // n = 6, score = 100
            //   897c2418             | mov                 dword ptr [esp + 0x18], edi
            //   03c2                 | add                 eax, edx
            //   3bc7                 | cmp                 eax, edi
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   0f8e04010000         | jle                 0x10a
            //   eb07                 | jmp                 9

    condition:
        7 of them and filesize < 188416
}