SYMBOLCOMMON_NAMEaka. SYNONYMS
win.joanap (Back to overview)

Joanap

Actor(s): Lazarus Group

There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2018-06-13AcalvioTeam Acalvio
@online{acalvio:20180613:lateral:ab17115, author = {Team Acalvio}, title = {{Lateral Movement Technique Employed by Hidden Cobra}}, date = {2018-06-13}, organization = {Acalvio}, url = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/}, language = {English}, urldate = {2020-01-13} } Lateral Movement Technique Employed by Hidden Cobra
Brambul Joanap
2018-05-29US-CERTUS-CERT
@online{uscert:20180529:alert:9ab63c1, author = {US-CERT}, title = {{Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA18-149A}, language = {English}, urldate = {2020-01-10} } Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
Brambul Joanap
2018-05-29US-CERTUS-CERT
@online{uscert:20180529:mar101355363:6ee74d8, author = {US-CERT}, title = {{MAR-10135536-3 - HIDDEN COBRA RAT/Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-149A}, language = {English}, urldate = {2019-10-13} } MAR-10135536-3 - HIDDEN COBRA RAT/Worm
Brambul Joanap
2017-02-12SymantecA L Johnson
@online{johnson:20170212:attackers:c338fa3, author = {A L Johnson}, title = {{Attackers target dozens of global banks with new malware}}, date = {2017-02-12}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware}, language = {English}, urldate = {2020-04-21} } Attackers target dozens of global banks with new malware
Joanap Ratankba Sierra(Alfa,Bravo, ...) Lazarus Group
2016-02Blue Coat Systems IncSnorre Fagerland
@online{fagerland:201602:from:78bc745, author = {Snorre Fagerland}, title = {{From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover}}, date = {2016-02}, organization = {Blue Coat Systems Inc}, url = {https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4}, language = {English}, urldate = {2020-08-18} } From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover
Joanap Sierra(Alfa,Bravo, ...)
2015-10-26SymantecA L Johnson
@online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Duuzer back door Trojan targets South Korea to take over computers
Brambul Duuzer Joanap Lazarus Group
Yara Rules
[TLP:WHITE] win_joanap_auto (20220516 | Detects win.joanap.)
rule win_joanap_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.joanap."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6880000000 56 ff15???????? 53 56 ff15???????? 57 }
            // n = 7, score = 100
            //   6880000000           | push                0x80
            //   56                   | push                esi
            //   ff15????????         |                     
            //   53                   | push                ebx
            //   56                   | push                esi
            //   ff15????????         |                     
            //   57                   | push                edi

        $sequence_1 = { c1fb18 8a8900ba2c00 32cb 8bde 88480c 33c9 8a4c2412 }
            // n = 7, score = 100
            //   c1fb18               | sar                 ebx, 0x18
            //   8a8900ba2c00         | mov                 cl, byte ptr [ecx + 0x2cba00]
            //   32cb                 | xor                 cl, bl
            //   8bde                 | mov                 ebx, esi
            //   88480c               | mov                 byte ptr [eax + 0xc], cl
            //   33c9                 | xor                 ecx, ecx
            //   8a4c2412             | mov                 cl, byte ptr [esp + 0x12]

        $sequence_2 = { 03c3 57 50 51 ff15???????? }
            // n = 5, score = 100
            //   03c3                 | add                 eax, ebx
            //   57                   | push                edi
            //   50                   | push                eax
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_3 = { c1e003 8d0c10 8b542420 8911 8b542424 }
            // n = 5, score = 100
            //   c1e003               | shl                 eax, 3
            //   8d0c10               | lea                 ecx, [eax + edx]
            //   8b542420             | mov                 edx, dword ptr [esp + 0x20]
            //   8911                 | mov                 dword ptr [ecx], edx
            //   8b542424             | mov                 edx, dword ptr [esp + 0x24]

        $sequence_4 = { 8b5c2408 55 56 57 8b7c2424 6a01 }
            // n = 6, score = 100
            //   8b5c2408             | mov                 ebx, dword ptr [esp + 8]
            //   55                   | push                ebp
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7c2424             | mov                 edi, dword ptr [esp + 0x24]
            //   6a01                 | push                1

        $sequence_5 = { c3 8bc6 5e 83c410 }
            // n = 4, score = 100
            //   c3                   | ret                 
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   83c410               | add                 esp, 0x10

        $sequence_6 = { a1???????? 6aff 668b4824 51 6a00 6a00 e8???????? }
            // n = 7, score = 100
            //   a1????????           |                     
            //   6aff                 | push                -1
            //   668b4824             | mov                 cx, word ptr [eax + 0x24]
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   e8????????           |                     

        $sequence_7 = { 8b54240c 6a01 6820bf0200 56 }
            // n = 4, score = 100
            //   8b54240c             | mov                 edx, dword ptr [esp + 0xc]
            //   6a01                 | push                1
            //   6820bf0200           | push                0x2bf20
            //   56                   | push                esi

        $sequence_8 = { b870210000 e8???????? 53 55 }
            // n = 4, score = 100
            //   b870210000           | mov                 eax, 0x2170
            //   e8????????           |                     
            //   53                   | push                ebx
            //   55                   | push                ebp

        $sequence_9 = { 7e4b 53 55 8bac2414010000 47 81e7ff000000 8a4c3c10 }
            // n = 7, score = 100
            //   7e4b                 | jle                 0x4d
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   8bac2414010000       | mov                 ebp, dword ptr [esp + 0x114]
            //   47                   | inc                 edi
            //   81e7ff000000         | and                 edi, 0xff
            //   8a4c3c10             | mov                 cl, byte ptr [esp + edi + 0x10]

    condition:
        7 of them and filesize < 270336
}
Download all Yara Rules