win.joanap

Joanap

Actor(s): Lazarus Group


There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2018-06-13AcalvioTeam Acalvio
@online{acalvio:20180613:lateral:ab17115, author = {Team Acalvio}, title = {{Lateral Movement Technique Employed by Hidden Cobra}}, date = {2018-06-13}, organization = {Acalvio}, url = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/}, language = {English}, urldate = {2020-01-13} } Lateral Movement Technique Employed by Hidden Cobra
Brambul Joanap
2018-05-29US-CERTUS-CERT
@online{uscert:20180529:alert:9ab63c1, author = {US-CERT}, title = {{Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA18-149A}, language = {English}, urldate = {2020-01-10} } Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
Brambul Joanap
2018-05-29US-CERTUS-CERT
@online{uscert:20180529:mar101355363:6ee74d8, author = {US-CERT}, title = {{MAR-10135536-3 - HIDDEN COBRA RAT/Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-149A}, language = {English}, urldate = {2019-10-13} } MAR-10135536-3 - HIDDEN COBRA RAT/Worm
Brambul Joanap
2017-02-12SymantecA L Johnson
@online{johnson:20170212:attackers:c338fa3, author = {A L Johnson}, title = {{Attackers target dozens of global banks with new malware}}, date = {2017-02-12}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware}, language = {English}, urldate = {2020-04-21} } Attackers target dozens of global banks with new malware
Joanap Ratankba Sierra(Alfa,Bravo, ...) Lazarus Group
2015-10-26SymantecA L Johnson
@online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Duuzer back door Trojan targets South Korea to take over computers
Brambul Duuzer Joanap Lazarus Group
Yara Rules
[TLP:WHITE] win_joanap_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_joanap_auto {

    // Detection rule for the Joanap family (Malpedia id win.joanap), generated by
    // yara-signator from disassembly. The ten $sequence_* strings below are raw
    // 32-bit x86 opcode byte patterns (the listed disassembly uses eax/esp/edi/esi
    // and related 32-bit registers); `??` bytes are YARA wildcards and stand where
    // the generator masked out relocatable operands (call/jump targets and
    // absolute data references shown with blank disassembly).
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): `date` (2020-05-30) differs from malpedia_rule_date /
        // malpedia_version (20200529); presumably the generator run date versus the
        // Malpedia dataset snapshot it was built from — confirm before relying on either.
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Caveat for tuning: not every absolute address was wildcarded. $sequence_1
    // embeds 0x2cb900 and $sequence_5 embeds 0x2cc300 / 0x2cbf00 as literal bytes,
    // so those two sequences are tied to the image base of the analysed sample and
    // will likely not match a rebased or relocated build; the remaining sequences
    // still have to carry the match in that case (see the condition).
    strings:
        $sequence_0 = { 7513 6a1e ff15???????? 85ff 75a9 5f 5e }
            // n = 7, score = 100
            //   7513                 | jne                 0x15
            //   6a1e                 | push                0x1e
            //   ff15????????         |                     
            //   85ff                 | test                edi, edi
            //   75a9                 | jne                 0xffffffab
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        // Absolute data address (0x2cb900) is part of the pattern, see caveat above.
        $sequence_1 = { 8bd1 c1fa08 8a8000b92c00 32c2 8b54242c 8806 46 }
            // n = 7, score = 100
            //   8bd1                 | mov                 edx, ecx
            //   c1fa08               | sar                 edx, 8
            //   8a8000b92c00         | mov                 al, byte ptr [eax + 0x2cb900]
            //   32c2                 | xor                 al, dl
            //   8b54242c             | mov                 edx, dword ptr [esp + 0x2c]
            //   8806                 | mov                 byte ptr [esi], al
            //   46                   | inc                 esi

        $sequence_2 = { 51 56 c7803c05000001000000 e8???????? 83c414 83f8ff 7440 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   56                   | push                esi
            //   c7803c05000001000000     | mov    dword ptr [eax + 0x53c], 1
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   83f8ff               | cmp                 eax, -1
            //   7440                 | je                  0x42

        // Shortest pattern in the set (4 bytes of opcodes plus immediates);
        // 0xea60 is 60000 decimal — presumably a timeout/interval argument, unconfirmed.
        $sequence_3 = { 6a01 6860ea0000 8d442420 6a10 }
            // n = 4, score = 100
            //   6a01                 | push                1
            //   6860ea0000           | push                0xea60
            //   8d442420             | lea                 eax, [esp + 0x20]
            //   6a10                 | push                0x10

        $sequence_4 = { 740b 85db 7407 56 ff15???????? 5f 5e }
            // n = 7, score = 100
            //   740b                 | je                  0xd
            //   85db                 | test                ebx, ebx
            //   7407                 | je                  9
            //   56                   | push                esi
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        // Two absolute table addresses (0x2cc300, 0x2cbf00) are part of the pattern,
        // see caveat above.
        $sequence_5 = { 89742414 8b149500c32c00 8b742438 8b1c8d00bf2c00 33c9 8a4c241b 33d3 }
            // n = 7, score = 100
            //   89742414             | mov                 dword ptr [esp + 0x14], esi
            //   8b149500c32c00       | mov                 edx, dword ptr [edx*4 + 0x2cc300]
            //   8b742438             | mov                 esi, dword ptr [esp + 0x38]
            //   8b1c8d00bf2c00       | mov                 ebx, dword ptr [ecx*4 + 0x2cbf00]
            //   33c9                 | xor                 ecx, ecx
            //   8a4c241b             | mov                 cl, byte ptr [esp + 0x1b]
            //   33d3                 | xor                 edx, ebx

        $sequence_6 = { 0f852b010000 6a00 55 6a64 68???????? e8???????? }
            // n = 6, score = 100
            //   0f852b010000         | jne                 0x131
            //   6a00                 | push                0
            //   55                   | push                ebp
            //   6a64                 | push                0x64
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_7 = { e8???????? 83c410 83f8ff 745e 85c0 7410 8d54241c }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   83f8ff               | cmp                 eax, -1
            //   745e                 | je                  0x60
            //   85c0                 | test                eax, eax
            //   7410                 | je                  0x12
            //   8d54241c             | lea                 edx, [esp + 0x1c]

        $sequence_8 = { 51 56 ffd7 85c0 a3???????? 7533 }
            // n = 6, score = 100
            //   51                   | push                ecx
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            //   7533                 | jne                 0x35

        $sequence_9 = { 6a1e 50 e8???????? 8b15???????? 8d0c40 dd03 }
            // n = 6, score = 100
            //   6a1e                 | push                0x1e
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b15????????         |                     
            //   8d0c40               | lea                 ecx, [eax + eax*2]
            //   dd03                 | fld                 qword ptr [ebx]

    // Fires only when at least 7 of the 10 sequences above are present AND the
    // scanned object is smaller than 270336 bytes (264 KiB). Anything at or above
    // that size is excluded regardless of how many sequences match, so the size
    // bound — not the byte patterns — is the first thing to check on a missed hit.
    condition:
        7 of them and filesize < 270336
}