win.brambul

Brambul

aka: SORRYBRUTE

Actor(s): Lazarus Group


Brambul is a worm that spreads by using a list of hard-coded login credentials to launch a brute-force password attack against SMB (Server Message Block) services in order to gain access to a victim's networks.

References

2020-02-26 | MetaSwan's Lab | MetaSwan
@online{metaswan:20200226:lazarus:1cacde4, author = {MetaSwan}, title = {{Lazarus group's Brambul worm of the former Wannacry - 1}}, date = {2020-02-26}, organization = {MetaSwan's Lab}, url = {https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1}, language = {English}, urldate = {2020-02-26} }
Families: Brambul, WannaCryptor

2020-02-26 | MetaSwan's Lab | MetaSwan
@online{metaswan:20200226:lazarus:0bf422f, author = {MetaSwan}, title = {{Lazarus group's Brambul worm of the former Wannacry - 2}}, date = {2020-02-26}, organization = {MetaSwan's Lab}, url = {https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2}, language = {English}, urldate = {2020-02-26} }
Families: Brambul

2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} }
Families: FastCash, AppleJeus, BADCALL, Bankshot, Brambul, Dtrack, Duuzer, DYEPACK, ELECTRICFISH, HARDRAIN, Hermes, HOPLIGHT, Joanap, KEYMARBLE, Kimsuky, MimiKatz, MyDoom, NACHOCHEESE, NavRAT, PowerRatankba, RokRAT, Sierra(Alfa,Bravo, ...), Volgmer, WannaCryptor

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
Families: Chrysaor, Exodus, Dacls, elf.vpnfilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy

2020 | Secureworks | SecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} }
Families: Brambul, Duuzer, HOPLIGHT, Joanap, Sierra(Alfa,Bravo, ...), Volgmer

2018-06-13 | Acalvio | Team Acalvio
@online{acalvio:20180613:lateral:ab17115, author = {Team Acalvio}, title = {{Lateral Movement Technique Employed by Hidden Cobra}}, date = {2018-06-13}, organization = {Acalvio}, url = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/}, language = {English}, urldate = {2020-01-13} }
Families: Brambul, Joanap

2018-05-29 | US-CERT | US-CERT
@online{uscert:20180529:alert:9ab63c1, author = {US-CERT}, title = {{Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA18-149A}, language = {English}, urldate = {2020-01-10} }
Families: Brambul, Joanap

2018-05-29 | US-CERT | US-CERT
@online{uscert:20180529:mar101355363:6ee74d8, author = {US-CERT}, title = {{MAR-10135536-3 - HIDDEN COBRA RAT/Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-149A}, language = {English}, urldate = {2019-10-13} }
Families: Brambul, Joanap

2015-10-26 | Symantec | A L Johnson
@online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} }
Families: Brambul, Duuzer, Joanap, Lazarus Group
Yara Rules
[TLP:WHITE] win_brambul_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_brambul_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { f7d1 2bf9 8d5304 8bc1 8bf7 8bfa }
            // n = 6, score = 100
            //   f7d1                 | not                 ecx
            //   2bf9                 | sub                 edi, ecx
            //   8d5304               | lea                 edx, [ebx + 4]
            //   8bc1                 | mov                 eax, ecx
            //   8bf7                 | mov                 esi, edi
            //   8bfa                 | mov                 edi, edx

        $sequence_1 = { 5b 81c494050000 c21000 8b3d???????? }
            // n = 4, score = 100
            //   5b                   | pop                 ebx
            //   81c494050000         | add                 esp, 0x594
            //   c21000               | ret                 0x10
            //   8b3d????????         |                     

        $sequence_2 = { 7418 8b831c020000 85c0 750e 8bcb e8???????? }
            // n = 6, score = 100
            //   7418                 | je                  0x1a
            //   8b831c020000         | mov                 eax, dword ptr [ebx + 0x21c]
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 0x10
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     

        $sequence_3 = { 50 ffd6 8d4c246c 8d542478 51 8d442444 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8d4c246c             | lea                 ecx, [esp + 0x6c]
            //   8d542478             | lea                 edx, [esp + 0x78]
            //   51                   | push                ecx
            //   8d442444             | lea                 eax, [esp + 0x44]

        $sequence_4 = { 57 ffd6 50 ff15???????? 5f 5e 5d }
            // n = 7, score = 100
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   50                   | push                eax
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp

        $sequence_5 = { 0bda 8b5054 03da 8d8c199979825a 8bd1 c1ea13 c1e10d }
            // n = 7, score = 100
            //   0bda                 | or                  ebx, edx
            //   8b5054               | mov                 edx, dword ptr [eax + 0x54]
            //   03da                 | add                 ebx, edx
            //   8d8c199979825a       | lea                 ecx, [ecx + ebx + 0x5a827999]
            //   8bd1                 | mov                 edx, ecx
            //   c1ea13               | shr                 edx, 0x13
            //   c1e10d               | shl                 ecx, 0xd

        $sequence_6 = { 8955fc 3930 7509 41 83c004 83f90f }
            // n = 6, score = 100
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   3930                 | cmp                 dword ptr [eax], esi
            //   7509                 | jne                 0xb
            //   41                   | inc                 ecx
            //   83c004               | add                 eax, 4
            //   83f90f               | cmp                 ecx, 0xf

        $sequence_7 = { 8d842498000000 52 8d4c2458 50 }
            // n = 4, score = 100
            //   8d842498000000       | lea                 eax, [esp + 0x98]
            //   52                   | push                edx
            //   8d4c2458             | lea                 ecx, [esp + 0x58]
            //   50                   | push                eax

        $sequence_8 = { d2e2 0ada 8b542410 881c16 8a9c2488000000 d2e3 2bf8 }
            // n = 7, score = 100
            //   d2e2                 | shl                 dl, cl
            //   0ada                 | or                  bl, dl
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]
            //   881c16               | mov                 byte ptr [esi + edx], bl
            //   8a9c2488000000       | mov                 bl, byte ptr [esp + 0x88]
            //   d2e3                 | shl                 bl, cl
            //   2bf8                 | sub                 edi, eax

        $sequence_9 = { 894e2f 894e35 66390a 7505 663908 742f }
            // n = 6, score = 100
            //   894e2f               | mov                 dword ptr [esi + 0x2f], ecx
            //   894e35               | mov                 dword ptr [esi + 0x35], ecx
            //   66390a               | cmp                 word ptr [edx], cx
            //   7505                 | jne                 7
            //   663908               | cmp                 word ptr [eax], cx
            //   742f                 | je                  0x31

        $sequence_10 = { 57 6800040000 68???????? 55 e8???????? 83c40c }
            // n = 6, score = 100
            //   57                   | push                edi
            //   6800040000           | push                0x400
            //   68????????           |                     
            //   55                   | push                ebp
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_11 = { 8bca 8d945dc4000000 83e103 f3a4 8d4b40 be???????? 8d7c4d00 }
            // n = 7, score = 100
            //   8bca                 | mov                 ecx, edx
            //   8d945dc4000000       | lea                 edx, [ebp + ebx*2 + 0xc4]
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8d4b40               | lea                 ecx, [ebx + 0x40]
            //   be????????           |                     
            //   8d7c4d00             | lea                 edi, [ebp + ecx*2]

        $sequence_12 = { 66c744241c0200 e8???????? 8d542404 8bf0 52 687e660480 56 }
            // n = 7, score = 100
            //   66c744241c0200       | mov                 word ptr [esp + 0x1c], 2
            //   e8????????           |                     
            //   8d542404             | lea                 edx, [esp + 4]
            //   8bf0                 | mov                 esi, eax
            //   52                   | push                edx
            //   687e660480           | push                0x8004667e
            //   56                   | push                esi

        $sequence_13 = { 50 53 68???????? ff15???????? 8b4d14 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   53                   | push                ebx
            //   68????????           |                     
            //   ff15????????         |                     
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]

        $sequence_14 = { ffd6 8b54242c 6a32 8d8424c4000000 52 50 }
            // n = 6, score = 100
            //   ffd6                 | call                esi
            //   8b54242c             | mov                 edx, dword ptr [esp + 0x2c]
            //   6a32                 | push                0x32
            //   8d8424c4000000       | lea                 eax, [esp + 0xc4]
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_15 = { 8b6c2420 83fdff 0f8413050000 53 57 6800040000 68???????? }
            // n = 7, score = 100
            //   8b6c2420             | mov                 ebp, dword ptr [esp + 0x20]
            //   83fdff               | cmp                 ebp, -1
            //   0f8413050000         | je                  0x519
            //   53                   | push                ebx
            //   57                   | push                edi
            //   6800040000           | push                0x400
            //   68????????           |                     

    condition:
        7 of them and filesize < 188416
}