win.brambul

Brambul

aka: SORRYBRUTE

Actor(s): Lazarus Group


Brambul is a worm that spreads by using a list of hard-coded login credentials to brute-force SMB logins, gaining access to a victim's networks.

References
2020-02-26 | MetaSwan's Lab | MetaSwan
@online{metaswan:20200226:lazarus:0bf422f, author = {MetaSwan}, title = {{Lazarus group's Brambul worm of the former Wannacry - 2}}, date = {2020-02-26}, organization = {MetaSwan's Lab}, url = {https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2}, language = {English}, urldate = {2022-03-02} }
Lazarus group's Brambul worm of the former Wannacry - 2
Referenced: Brambul

2020-02-26 | MetaSwan's Lab | MetaSwan
@online{metaswan:20200226:lazarus:1cacde4, author = {MetaSwan}, title = {{Lazarus group's Brambul worm of the former Wannacry - 1}}, date = {2020-02-26}, organization = {MetaSwan's Lab}, url = {https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1}, language = {English}, urldate = {2022-03-02} }
Lazarus group's Brambul worm of the former Wannacry - 1
Referenced: Brambul WannaCryptor

2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} }
The Lazarus Constellation A study on North Korean malware
Referenced: FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
APT Report 2019
Referenced: Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020 | Secureworks | SecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} }
NICKEL ACADEMY
Referenced: Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer

2018-06-13 | Acalvio | Team Acalvio
@online{acalvio:20180613:lateral:ab17115, author = {Team Acalvio}, title = {{Lateral Movement Technique Employed by Hidden Cobra}}, date = {2018-06-13}, organization = {Acalvio}, url = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/}, language = {English}, urldate = {2020-01-13} }
Lateral Movement Technique Employed by Hidden Cobra
Referenced: Brambul Joanap

2018-05-29 | US-CERT | US-CERT
@online{uscert:20180529:mar101355363:6ee74d8, author = {US-CERT}, title = {{MAR-10135536-3 - HIDDEN COBRA RAT/Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-149A}, language = {English}, urldate = {2019-10-13} }
MAR-10135536-3 - HIDDEN COBRA RAT/Worm
Referenced: Brambul Joanap

2018-05-29 | US-CERT | US-CERT
@online{uscert:20180529:alert:9ab63c1, author = {US-CERT}, title = {{Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA18-149A}, language = {English}, urldate = {2020-01-10} }
Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
Referenced: Brambul Joanap

2015-10-26 | Symantec | A L Johnson
@online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} }
Duuzer back door Trojan targets South Korea to take over computers
Referenced: Brambul Duuzer Joanap Lazarus Group
Yara Rules
[TLP:WHITE] win_brambul_auto (20221125 | Detects win.brambul.)
rule win_brambul_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.brambul."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f840d020000 a0???????? 3c34 7404 }
            // n = 4, score = 100
            //   0f840d020000         | je                  0x213
            //   a0????????           |                     
            //   3c34                 | cmp                 al, 0x34
            //   7404                 | je                  6

        $sequence_1 = { 8d940ad9026f67 8bcf 8bea c1ed12 }
            // n = 4, score = 100
            //   8d940ad9026f67       | lea                 edx, [edx + ecx + 0x676f02d9]
            //   8bcf                 | mov                 ecx, edi
            //   8bea                 | mov                 ebp, edx
            //   c1ed12               | shr                 ebp, 0x12

        $sequence_2 = { eb0c 8b542414 6a00 8d44247a 52 50 55 }
            // n = 7, score = 100
            //   eb0c                 | jmp                 0xe
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   6a00                 | push                0
            //   8d44247a             | lea                 eax, [esp + 0x7a]
            //   52                   | push                edx
            //   50                   | push                eax
            //   55                   | push                ebp

        $sequence_3 = { 8b458c 8db5887fffff 3bc6 742c 8db5887fffff 8d8d887fffff }
            // n = 6, score = 100
            //   8b458c               | mov                 eax, dword ptr [ebp - 0x74]
            //   8db5887fffff         | lea                 esi, [ebp - 0x8078]
            //   3bc6                 | cmp                 eax, esi
            //   742c                 | je                  0x2e
            //   8db5887fffff         | lea                 esi, [ebp - 0x8078]
            //   8d8d887fffff         | lea                 ecx, [ebp - 0x8078]

        $sequence_4 = { 8b442424 57 83c102 50 51 }
            // n = 5, score = 100
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   57                   | push                edi
            //   83c102               | add                 ecx, 2
            //   50                   | push                eax
            //   51                   | push                ecx

        $sequence_5 = { 83feff 750c e8???????? 3d33270000 750c 85f6 7cca }
            // n = 7, score = 100
            //   83feff               | cmp                 esi, -1
            //   750c                 | jne                 0xe
            //   e8????????           |                     
            //   3d33270000           | cmp                 eax, 0x2733
            //   750c                 | jne                 0xe
            //   85f6                 | test                esi, esi
            //   7cca                 | jl                  0xffffffcc

        $sequence_6 = { 897d90 e8???????? 83c410 395dec }
            // n = 4, score = 100
            //   897d90               | mov                 dword ptr [ebp - 0x70], edi
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   395dec               | cmp                 dword ptr [ebp - 0x14], ebx

        $sequence_7 = { 85c0 0f84f3000000 83f8ff 0f84ea000000 68???????? 50 ff15???????? }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f84f3000000         | je                  0xf9
            //   83f8ff               | cmp                 eax, -1
            //   0f84ea000000         | je                  0xf0
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_8 = { 7e11 8a540601 8a1c06 2ada 881c06 40 3bc1 }
            // n = 7, score = 100
            //   7e11                 | jle                 0x13
            //   8a540601             | mov                 dl, byte ptr [esi + eax + 1]
            //   8a1c06               | mov                 bl, byte ptr [esi + eax]
            //   2ada                 | sub                 bl, dl
            //   881c06               | mov                 byte ptr [esi + eax], bl
            //   40                   | inc                 eax
            //   3bc1                 | cmp                 eax, ecx

        $sequence_9 = { c1eb0b 0bd3 8bde 03d7 f7d3 0bda 33df }
            // n = 7, score = 100
            //   c1eb0b               | shr                 ebx, 0xb
            //   0bd3                 | or                  edx, ebx
            //   8bde                 | mov                 ebx, esi
            //   03d7                 | add                 edx, edi
            //   f7d3                 | not                 ebx
            //   0bda                 | or                  ebx, edx
            //   33df                 | xor                 ebx, edi

        $sequence_10 = { c1e917 c1e309 0bcb 8bda }
            // n = 4, score = 100
            //   c1e917               | shr                 ecx, 0x17
            //   c1e309               | shl                 ebx, 9
            //   0bcb                 | or                  ecx, ebx
            //   8bda                 | mov                 ebx, edx

        $sequence_11 = { c1e109 0bf9 8bcb 03fb }
            // n = 4, score = 100
            //   c1e109               | shl                 ecx, 9
            //   0bf9                 | or                  edi, ecx
            //   8bcb                 | mov                 ecx, ebx
            //   03fb                 | add                 edi, ebx

        $sequence_12 = { 80c120 8888a0994000 eb1f 83f861 7213 83f87a }
            // n = 6, score = 100
            //   80c120               | add                 cl, 0x20
            //   8888a0994000         | mov                 byte ptr [eax + 0x4099a0], cl
            //   eb1f                 | jmp                 0x21
            //   83f861               | cmp                 eax, 0x61
            //   7213                 | jb                  0x15
            //   83f87a               | cmp                 eax, 0x7a

        $sequence_13 = { 7cef 8d43ff 83f801 7c13 8a1428 8a5c28ff 02da }
            // n = 7, score = 100
            //   7cef                 | jl                  0xfffffff1
            //   8d43ff               | lea                 eax, [ebx - 1]
            //   83f801               | cmp                 eax, 1
            //   7c13                 | jl                  0x15
            //   8a1428               | mov                 dl, byte ptr [eax + ebp]
            //   8a5c28ff             | mov                 bl, byte ptr [eax + ebp - 1]
            //   02da                 | add                 bl, dl

        $sequence_14 = { 8bf0 83c404 83fb01 bf08000000 c60600 c744241401000000 }
            // n = 6, score = 100
            //   8bf0                 | mov                 esi, eax
            //   83c404               | add                 esp, 4
            //   83fb01               | cmp                 ebx, 1
            //   bf08000000           | mov                 edi, 8
            //   c60600               | mov                 byte ptr [esi], 0
            //   c744241401000000     | mov                 dword ptr [esp + 0x14], 1

        $sequence_15 = { 8d8dc85dffff 51 8d8db45dffff 51 }
            // n = 4, score = 100
            //   8d8dc85dffff         | lea                 ecx, [ebp - 0xa238]
            //   51                   | push                ecx
            //   8d8db45dffff         | lea                 ecx, [ebp - 0xa24c]
            //   51                   | push                ecx

    condition:
        7 of them and filesize < 188416
}
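The rule above is only as strong as its matching semantics, so it helps to see what "7 of them and filesize < 188416" actually evaluates. The following Python is an added example written for this page; it is not part of Malpedia, yara-signator, or YARA itself. It re-implements just the subset of YARA hex-string matching that this rule uses (fixed bytes plus whole-byte `??` wildcards), compiles the rule's 16 sequences into byte regexes, and evaluates the condition over a buffer. The sample buffers it scans are constructed from the patterns themselves (wildcards filled with 0x00, separated by NOP padding) and are not Brambul samples; use a real YARA engine for anything beyond illustration, since YARA also supports jumps, alternatives and nibble wildcards that this helper rejects.

```python
import re

# Hex string patterns copied from the win_brambul_auto rule on this page.
# "??" is a one-byte wildcard (the autogenerated rule masks relocated addresses).
BRAMBUL_SEQUENCES = {
    "sequence_0": "0f840d020000 a0???????? 3c34 7404",
    "sequence_1": "8d940ad9026f67 8bcf 8bea c1ed12",
    "sequence_2": "eb0c 8b542414 6a00 8d44247a 52 50 55",
    "sequence_3": "8b458c 8db5887fffff 3bc6 742c 8db5887fffff 8d8d887fffff",
    "sequence_4": "8b442424 57 83c102 50 51",
    "sequence_5": "83feff 750c e8???????? 3d33270000 750c 85f6 7cca",
    "sequence_6": "897d90 e8???????? 83c410 395dec",
    "sequence_7": "85c0 0f84f3000000 83f8ff 0f84ea000000 68???????? 50 ff15????????",
    "sequence_8": "7e11 8a540601 8a1c06 2ada 881c06 40 3bc1",
    "sequence_9": "c1eb0b 0bd3 8bde 03d7 f7d3 0bda 33df",
    "sequence_10": "c1e917 c1e309 0bcb 8bda",
    "sequence_11": "c1e109 0bf9 8bcb 03fb",
    "sequence_12": "80c120 8888a0994000 eb1f 83f861 7213 83f87a",
    "sequence_13": "7cef 8d43ff 83f801 7c13 8a1428 8a5c28ff 02da",
    "sequence_14": "8bf0 83c404 83fb01 bf08000000 c60600 c744241401000000",
    "sequence_15": "8d8dc85dffff 51 8d8db45dffff 51",
}
MAX_FILESIZE = 188416   # from the rule: filesize < 188416
REQUIRED = 7            # from the rule: 7 of them


def hex_pattern_to_regex(pattern: str):
    """Translate a YARA hex string with whole-byte ?? wildcards into a bytes regex."""
    digits = pattern.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("hex pattern must contain whole bytes: %r" % pattern)
    parts = []
    for i in range(0, len(digits), 2):
        pair = digits[i:i + 2]
        if pair == "??":
            parts.append(b".")                     # any single byte
        elif "?" in pair:
            raise ValueError("nibble wildcards are not supported by this helper")
        else:
            parts.append(re.escape(bytes([int(pair, 16)])))
    # DOTALL so the wildcard also matches 0x0a
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(p) for name, p in BRAMBUL_SEQUENCES.items()}


def matched_sequences(data: bytes) -> list:
    """Names of the rule's strings found anywhere in data (YARA's 'them')."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def rule_matches(data: bytes) -> bool:
    """Evaluate the condition '7 of them and filesize < 188416' over a buffer."""
    return len(data) < MAX_FILESIZE and len(matched_sequences(data)) >= REQUIRED


def fill_wildcards(pattern: str, fill: int = 0x00) -> bytes:
    """Concrete bytes for a pattern with every ?? replaced by `fill` (test data only)."""
    digits = pattern.replace(" ", "")
    out = bytearray()
    for i in range(0, len(digits), 2):
        pair = digits[i:i + 2]
        out.append(fill if pair == "??" else int(pair, 16))
    return bytes(out)


def constructed_sample(names, padding: int = 16) -> bytes:
    """Synthetic buffer holding the named sequences separated by NOP padding.
    Constructed input for demonstrating the condition, not a Brambul sample."""
    buf = bytearray()
    for name in names:
        buf += b"\x90" * padding
        buf += fill_wildcards(BRAMBUL_SEQUENCES[name])
    return bytes(buf)


if __name__ == "__main__":
    seven = constructed_sample(["sequence_%d" % i for i in range(7)])
    six = constructed_sample(["sequence_%d" % i for i in range(6)])
    print("7 sequences present ->", rule_matches(seven))
    print("6 sequences present ->", rule_matches(six))
    print("7 sequences but oversized ->", rule_matches(seven + b"\x00" * MAX_FILESIZE))
```

Two points the walk-through makes concrete: the `filesize` guard means the same code, appearing in a larger packed or bundled file, will not fire even if all 16 sequences are present, and the threshold of 7 means a sample that shares only a few of these opcode runs with the analysed file (the generalisation caveat in the rule's own disclaimer) is missed rather than flagged.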