SYMBOLCOMMON_NAMEaka. SYNONYMS
win.joanap (Back to overview)

Joanap

Actor(s): Lazarus Group

There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2018-06-13AcalvioTeam Acalvio
@online{acalvio:20180613:lateral:ab17115, author = {Team Acalvio}, title = {{Lateral Movement Technique Employed by Hidden Cobra}}, date = {2018-06-13}, organization = {Acalvio}, url = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/}, language = {English}, urldate = {2020-01-13} } Lateral Movement Technique Employed by Hidden Cobra
Brambul Joanap
2018-05-29US-CERTUS-CERT
@online{uscert:20180529:alert:9ab63c1, author = {US-CERT}, title = {{Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA18-149A}, language = {English}, urldate = {2020-01-10} } Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
Brambul Joanap
2018-05-29US-CERTUS-CERT
@online{uscert:20180529:mar101355363:6ee74d8, author = {US-CERT}, title = {{MAR-10135536-3 - HIDDEN COBRA RAT/Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-149A}, language = {English}, urldate = {2019-10-13} } MAR-10135536-3 - HIDDEN COBRA RAT/Worm
Brambul Joanap
2017-02-12SymantecA L Johnson
@online{johnson:20170212:attackers:c338fa3, author = {A L Johnson}, title = {{Attackers target dozens of global banks with new malware}}, date = {2017-02-12}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware}, language = {English}, urldate = {2020-04-21} } Attackers target dozens of global banks with new malware
Joanap Ratankba Sierra(Alfa,Bravo, ...) Lazarus Group
2016-02Blue Coat Systems IncSnorre Fagerland
@online{fagerland:201602:from:78bc745, author = {Snorre Fagerland}, title = {{From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover}}, date = {2016-02}, organization = {Blue Coat Systems Inc}, url = {https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4}, language = {English}, urldate = {2020-08-18} } From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover
Joanap Sierra(Alfa,Bravo, ...)
2015-10-26SymantecA L Johnson
@online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Duuzer back door Trojan targets South Korea to take over computers
Brambul Duuzer Joanap Lazarus Group
Yara Rules
[TLP:WHITE] win_joanap_auto (20210616 | Detects win.joanap.)
rule win_joanap_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.joanap."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89442430 8b44242c 894c2438 85c0 }
            // n = 4, score = 100
            //   89442430             | mov                 dword ptr [esp + 0x30], eax
            //   8b44242c             | mov                 eax, dword ptr [esp + 0x2c]
            //   894c2438             | mov                 dword ptr [esp + 0x38], ecx
            //   85c0                 | test                eax, eax

        $sequence_1 = { e8???????? 83c404 eb0a 51 56 e8???????? 83c408 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   eb0a                 | jmp                 0xc
            //   51                   | push                ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_2 = { 8b500c 8d44242c 50 8954244c e8???????? 8b08 6a00 }
            // n = 7, score = 100
            //   8b500c               | mov                 edx, dword ptr [eax + 0xc]
            //   8d44242c             | lea                 eax, dword ptr [esp + 0x2c]
            //   50                   | push                eax
            //   8954244c             | mov                 dword ptr [esp + 0x4c], edx
            //   e8????????           |                     
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   6a00                 | push                0

        $sequence_3 = { 83f8ff 740b 6681ffffff 0f8272ffffff 53 ff15???????? 33d2 }
            // n = 7, score = 100
            //   83f8ff               | cmp                 eax, -1
            //   740b                 | je                  0xd
            //   6681ffffff           | cmp                 di, 0xffff
            //   0f8272ffffff         | jb                  0xffffff78
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   33d2                 | xor                 edx, edx

        $sequence_4 = { dd5cd010 eb49 8b0d???????? 6a1e 51 e8???????? 8b15???????? }
            // n = 7, score = 100
            //   dd5cd010             | fstp                qword ptr [eax + edx*8 + 0x10]
            //   eb49                 | jmp                 0x4b
            //   8b0d????????         |                     
            //   6a1e                 | push                0x1e
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b15????????         |                     

        $sequence_5 = { 40 3aca 74f3 8a08 880e 8a4801 }
            // n = 6, score = 100
            //   40                   | inc                 eax
            //   3aca                 | cmp                 cl, dl
            //   74f3                 | je                  0xfffffff5
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   880e                 | mov                 byte ptr [esi], cl
            //   8a4801               | mov                 cl, byte ptr [eax + 1]

        $sequence_6 = { 81e2ff000000 8a9200b92c00 32d3 885003 8b7e04 33d2 }
            // n = 6, score = 100
            //   81e2ff000000         | and                 edx, 0xff
            //   8a9200b92c00         | mov                 dl, byte ptr [edx + 0x2cb900]
            //   32d3                 | xor                 dl, bl
            //   885003               | mov                 byte ptr [eax + 3], dl
            //   8b7e04               | mov                 edi, dword ptr [esi + 4]
            //   33d2                 | xor                 edx, edx

        $sequence_7 = { e8???????? 56 e8???????? 83c418 55 e8???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   55                   | push                ebp
            //   e8????????           |                     

        $sequence_8 = { 56 55 ff15???????? 85c0 0f8440030000 397c2414 0f8536030000 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   55                   | push                ebp
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f8440030000         | je                  0x346
            //   397c2414             | cmp                 dword ptr [esp + 0x14], edi
            //   0f8536030000         | jne                 0x33c

        $sequence_9 = { c3 8b442418 57 53 83c604 50 }
            // n = 6, score = 100
            //   c3                   | ret                 
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   57                   | push                edi
            //   53                   | push                ebx
            //   83c604               | add                 esi, 4
            //   50                   | push                eax

    condition:
        7 of them and filesize < 270336
}
Download all Yara Rules