win.brambul

Brambul

aka: SORRYBRUTE

Actor(s): Lazarus Group


Brambul is a worm that spreads by taking a list of hard-coded login credentials and brute-forcing SMB logins with them, gaining access to hosts on a victim's networks.

References
2020-02-26, MetaSwan (MetaSwan's Lab): Lazarus group's Brambul worm of the former Wannacry - 1
https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1
Families: Brambul, WannaCryptor

2020-02-26, MetaSwan (MetaSwan's Lab): Lazarus group's Brambul worm of the former Wannacry - 2
https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2
Families: Brambul

2020-02-19, Lexfo (whitepaper): The Lazarus Constellation: A study on North Korean malware
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
Families: FastCash, AppleJeus, BADCALL, Bankshot, Brambul, Dtrack, Duuzer, DYEPACK, ELECTRICFISH, HARDRAIN, Hermes, HOPLIGHT, Joanap, KEYMARBLE, Kimsuky, MimiKatz, MyDoom, NACHOCHEESE, NavRAT, PowerRatankba, RokRAT, Sierra(Alfa,Bravo, ...), Volgmer, WannaCryptor

2020-02-13, Qi Anxin Threat Intelligence Center (Qianxin, report): APT Report 2019
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
Families: Chrysaor, Exodus, Dacls, VPNFilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy

2020, SecureWorks (Secureworks): NICKEL ACADEMY
https://www.secureworks.com/research/threat-profiles/nickel-academy
Families: Brambul, Duuzer, HOPLIGHT, Joanap, Sierra(Alfa,Bravo, ...), Volgmer

2018-06-13, Team Acalvio (Acalvio): Lateral Movement Technique Employed by Hidden Cobra
https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/
Families: Brambul, Joanap

2018-05-29, US-CERT: Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
https://www.us-cert.gov/ncas/alerts/TA18-149A
Families: Brambul, Joanap

2018-05-29, US-CERT: MAR-10135536-3 - HIDDEN COBRA RAT/Worm
https://www.us-cert.gov/ncas/analysis-reports/AR18-149A
Families: Brambul, Joanap

2015-10-26, A L Johnson (Symantec): Duuzer back door Trojan targets South Korea to take over computers
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
Families: Brambul, Duuzer, Joanap; Actor: Lazarus Group
Yara Rules
[TLP:WHITE] win_brambul_auto (20220516 | Detects win.brambul.)
rule win_brambul_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.brambul."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d442460 57 50 e8???????? 8d4c2410 51 }
            // n = 6, score = 100
            //   8d442460             | lea                 eax, [esp + 0x60]
            //   57                   | push                edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d4c2410             | lea                 ecx, [esp + 0x10]
            //   51                   | push                ecx

        $sequence_1 = { a4 bb30d6616c c0b885b104e3c1 267e1f }
            // n = 4, score = 100
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   bb30d6616c           | mov                 ebx, 0x6c61d630
            //   c0b885b104e3c1       | sar                 byte ptr [eax - 0x1cfb4e7b], 0xc1
            //   267e1f               | jle                 0x22

        $sequence_2 = { 331c9580312f00 8bd1 c1ea0a 83e23f 33c3 c1ef02 }
            // n = 6, score = 100
            //   331c9580312f00       | xor                 ebx, dword ptr [edx*4 + 0x2f3180]
            //   8bd1                 | mov                 edx, ecx
            //   c1ea0a               | shr                 edx, 0xa
            //   83e23f               | and                 edx, 0x3f
            //   33c3                 | xor                 eax, ebx
            //   c1ef02               | shr                 edi, 2

        $sequence_3 = { 8a5504 8a4505 68???????? 68???????? 52 }
            // n = 5, score = 100
            //   8a5504               | mov                 dl, byte ptr [ebp + 4]
            //   8a4505               | mov                 al, byte ptr [ebp + 5]
            //   68????????           |                     
            //   68????????           |                     
            //   52                   | push                edx

        $sequence_4 = { 8b9dac49ffff 50 8d45e4 50 8d85c85dffff 50 }
            // n = 6, score = 100
            //   8b9dac49ffff         | mov                 ebx, dword ptr [ebp - 0xb654]
            //   50                   | push                eax
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   50                   | push                eax
            //   8d85c85dffff         | lea                 eax, [ebp - 0xa238]
            //   50                   | push                eax

        $sequence_5 = { 0bf2 43 83f814 72ee 895dfc 8b4de0 }
            // n = 6, score = 100
            //   0bf2                 | or                  esi, edx
            //   43                   | inc                 ebx
            //   83f814               | cmp                 eax, 0x14
            //   72ee                 | jb                  0xfffffff0
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]

        $sequence_6 = { 8d45ec 50 e8???????? 8b4590 83c410 3b458c }
            // n = 6, score = 100
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4590               | mov                 eax, dword ptr [ebp - 0x70]
            //   83c410               | add                 esp, 0x10
            //   3b458c               | cmp                 eax, dword ptr [ebp - 0x74]

        $sequence_7 = { 8b5004 a1???????? 898c2484000000 8b0d???????? 8984248c000000 }
            // n = 5, score = 100
            //   8b5004               | mov                 edx, dword ptr [eax + 4]
            //   a1????????           |                     
            //   898c2484000000       | mov                 dword ptr [esp + 0x84], ecx
            //   8b0d????????         |                     
            //   8984248c000000       | mov                 dword ptr [esp + 0x8c], eax

        $sequence_8 = { 81c424010000 c3 8bac2438010000 55 56 }
            // n = 5, score = 100
            //   81c424010000         | add                 esp, 0x124
            //   c3                   | ret                 
            //   8bac2438010000       | mov                 ebp, dword ptr [esp + 0x138]
            //   55                   | push                ebp
            //   56                   | push                esi

        $sequence_9 = { 56 57 683f000f00 6a00 53 ff15???????? 8bf8 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   683f000f00           | push                0xf003f
            //   6a00                 | push                0
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_10 = { 8dac2e40b340c0 8bf5 c1ee17 c1e509 }
            // n = 4, score = 100
            //   8dac2e40b340c0       | lea                 ebp, [esi + ebp - 0x3fbf4cc0]
            //   8bf5                 | mov                 esi, ebp
            //   c1ee17               | shr                 esi, 0x17
            //   c1e509               | shl                 ebp, 9

        $sequence_11 = { 0f8eee000000 40 8945e8 ff45f8 03f2 }
            // n = 5, score = 100
            //   0f8eee000000         | jle                 0xf4
            //   40                   | inc                 eax
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   ff45f8               | inc                 dword ptr [ebp - 8]
            //   03f2                 | add                 esi, edx

        $sequence_12 = { 8bcf 2bcb 8a11 8817 }
            // n = 4, score = 100
            //   8bcf                 | mov                 ecx, edi
            //   2bcb                 | sub                 ecx, ebx
            //   8a11                 | mov                 dl, byte ptr [ecx]
            //   8817                 | mov                 byte ptr [edi], dl

        $sequence_13 = { 8dac2970bcbfbe 8bcd c1e117 c1ed09 0bcd 8b684c 03ce }
            // n = 7, score = 100
            //   8dac2970bcbfbe       | lea                 ebp, [ecx + ebp - 0x41404390]
            //   8bcd                 | mov                 ecx, ebp
            //   c1e117               | shl                 ecx, 0x17
            //   c1ed09               | shr                 ebp, 9
            //   0bcd                 | or                  ecx, ebp
            //   8b684c               | mov                 ebp, dword ptr [eax + 0x4c]
            //   03ce                 | add                 ecx, esi

        $sequence_14 = { 23ea 0bcd 8b6840 03cd }
            // n = 4, score = 100
            //   23ea                 | and                 ebp, edx
            //   0bcd                 | or                  ecx, ebp
            //   8b6840               | mov                 ebp, dword ptr [eax + 0x40]
            //   03cd                 | add                 ecx, ebp

        $sequence_15 = { 8b4d08 46 3b750c 72d1 8b842b48ffffff 8365ec00 }
            // n = 6, score = 100
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   46                   | inc                 esi
            //   3b750c               | cmp                 esi, dword ptr [ebp + 0xc]
            //   72d1                 | jb                  0xffffffd3
            //   8b842b48ffffff       | mov                 eax, dword ptr [ebx + ebp - 0xb8]
            //   8365ec00             | and                 dword ptr [ebp - 0x14], 0

    condition:
        7 of them and filesize < 188416
}