win.joanap

Joanap

Actor(s): Lazarus Group


There is no description at this point.

References
2020-02-19 Lexfo Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13 Qianxin Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 Secureworks SecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2018-06-13 Acalvio Team Acalvio
@online{acalvio:20180613:lateral:ab17115, author = {Team Acalvio}, title = {{Lateral Movement Technique Employed by Hidden Cobra}}, date = {2018-06-13}, organization = {Acalvio}, url = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/}, language = {English}, urldate = {2020-01-13} } Lateral Movement Technique Employed by Hidden Cobra
Brambul Joanap
2018-05-29 US-CERT US-CERT
@online{uscert:20180529:alert:9ab63c1, author = {US-CERT}, title = {{Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA18-149A}, language = {English}, urldate = {2020-01-10} } Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
Brambul Joanap
2018-05-29 US-CERT US-CERT
@online{uscert:20180529:mar101355363:6ee74d8, author = {US-CERT}, title = {{MAR-10135536-3 - HIDDEN COBRA RAT/Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-149A}, language = {English}, urldate = {2019-10-13} } MAR-10135536-3 - HIDDEN COBRA RAT/Worm
Brambul Joanap
2017-02-12 Symantec A L Johnson
@online{johnson:20170212:attackers:c338fa3, author = {A L Johnson}, title = {{Attackers target dozens of global banks with new malware}}, date = {2017-02-12}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware}, language = {English}, urldate = {2020-04-21} } Attackers target dozens of global banks with new malware
Joanap Ratankba Sierra(Alfa,Bravo, ...) Lazarus Group
2016-02 Blue Coat Systems Inc Snorre Fagerland
@online{fagerland:201602:from:78bc745, author = {Snorre Fagerland}, title = {{From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover}}, date = {2016-02}, organization = {Blue Coat Systems Inc}, url = {https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4}, language = {English}, urldate = {2020-08-18} } From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover
Joanap Sierra(Alfa,Bravo, ...)
2015-10-26 Symantec A L Johnson
@online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Duuzer back door Trojan targets South Korea to take over computers
Brambul Duuzer Joanap Lazarus Group
Yara Rules
[TLP:WHITE] win_joanap_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_joanap_auto {

    /* Detection rule for the Joanap backdoor (attributed on this page to
     * Lazarus Group / HIDDEN COBRA). Ten short x86 opcode sequences are
     * matched; the rule fires when at least 7 of the 10 are present in a
     * file smaller than 270336 bytes (see the condition at the bottom).
     * The "??" bytes are wildcards that appear to cover relocated operands
     * (call/jmp targets, absolute data references), which keeps the
     * sequences stable across samples linked at different addresses.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator selected from: call/jump targets,
        // data references and immediate values.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each "n = N, score = S" line is generator output: N is the number of
     * instructions in the sequence, S the generator's selection score.
     * Since the sequences were taken from unpacked code and memory dumps,
     * expect the rule to match unpacked samples or memory images rather than
     * packed files on disk.
     */
    strings:
        $sequence_0 = { 8d942433010000 52 56 ffd7 85c0 a3???????? }
            // n = 6, score = 100
            //   8d942433010000       | lea                 edx, [esp + 0x133]
            //   52                   | push                edx
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            // (wildcarded absolute store target, mov [imm32], eax)

        $sequence_1 = { 83f8ff 0f8496000000 6683bc245810000000 0f8587000000 8bde 8b942454100000 c1e305 }
            // n = 7, score = 100
            //   83f8ff               | cmp                 eax, -1
            //   0f8496000000         | je                  0x9c
            //   6683bc245810000000     | cmp    word ptr [esp + 0x1058], 0
            //   0f8587000000         | jne                 0x8d
            //   8bde                 | mov                 ebx, esi
            //   8b942454100000       | mov                 edx, dword ptr [esp + 0x1054]
            //   c1e305               | shl                 ebx, 5

        $sequence_2 = { 5d 5b 81c44c200000 c3 8b7c2428 8d4c2420 51 }
            // n = 7, score = 100
            // Spans a function epilogue (pop/pop/add esp/ret) and the start
            // of the next function, so it is sensitive to linker ordering.
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   81c44c200000         | add                 esp, 0x204c
            //   c3                   | ret                 
            //   8b7c2428             | mov                 edi, dword ptr [esp + 0x28]
            //   8d4c2420             | lea                 ecx, [esp + 0x20]
            //   51                   | push                ecx

        $sequence_3 = { 6820bf0200 8d842488010000 8b5120 6a04 50 56 89942494010000 }
            // n = 7, score = 100
            // The immediate 0x2bf20 is also pushed in $sequence_4 and
            // $sequence_9; a shared constant across three call sites, meaning
            // not recoverable from these bytes alone.
            //   6820bf0200           | push                0x2bf20
            //   8d842488010000       | lea                 eax, [esp + 0x188]
            //   8b5120               | mov                 edx, dword ptr [ecx + 0x20]
            //   6a04                 | push                4
            //   50                   | push                eax
            //   56                   | push                esi
            //   89942494010000       | mov                 dword ptr [esp + 0x194], edx

        $sequence_4 = { 6820bf0200 8d54245c 6a08 52 53 89442468 894c246c }
            // n = 7, score = 100
            //   6820bf0200           | push                0x2bf20
            //   8d54245c             | lea                 edx, [esp + 0x5c]
            //   6a08                 | push                8
            //   52                   | push                edx
            //   53                   | push                ebx
            //   89442468             | mov                 dword ptr [esp + 0x68], eax
            //   894c246c             | mov                 dword ptr [esp + 0x6c], ecx

        $sequence_5 = { 8d0440 83c408 c1e003 8b54242c 8d8898d72d00 89a898d72d00 897904 }
            // n = 7, score = 100
            // Indexes a 24-byte-stride table (eax*3 then <<3) at a fixed
            // address 0x2dd798; the absolute address is not wildcarded, so
            // this sequence is tied to the sample's link base.
            //   8d0440               | lea                 eax, [eax + eax*2]
            //   83c408               | add                 esp, 8
            //   c1e003               | shl                 eax, 3
            //   8b54242c             | mov                 edx, dword ptr [esp + 0x2c]
            //   8d8898d72d00         | lea                 ecx, [eax + 0x2dd798]
            //   89a898d72d00         | mov                 dword ptr [eax + 0x2dd798], ebp
            //   897904               | mov                 dword ptr [ecx + 4], edi

        $sequence_6 = { 0f85d9020000 8b442418 85c0 0f86f4010000 6681fb0640 7570 }
            // n = 6, score = 100
            //   0f85d9020000         | jne                 0x2df
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   85c0                 | test                eax, eax
            //   0f86f4010000         | jbe                 0x1fa
            //   6681fb0640           | cmp                 bx, 0x4006
            //   7570                 | jne                 0x72

        $sequence_7 = { 83c404 eb58 8d4e03 51 e8???????? 83c404 eb4a }
            // n = 7, score = 100
            //   83c404               | add                 esp, 4
            //   eb58                 | jmp                 0x5a
            //   8d4e03               | lea                 ecx, [esi + 3]
            //   51                   | push                ecx
            //   e8????????           |                     
            // (wildcarded rel32 call target)
            //   83c404               | add                 esp, 4
            //   eb4a                 | jmp                 0x4c

        $sequence_8 = { ff15???????? 85c0 0f84cf000000 8b4c2420 51 6a01 68ff0f1f00 }
            // n = 7, score = 100
            // NOTE(review): 0x1f0fff equals the legacy PROCESS_ALL_ACCESS
            // mask, so this looks like the argument setup for an
            // OpenProcess-style import call; not confirmable from the bytes.
            //   ff15????????         |                     
            // (wildcarded indirect call through the import table)
            //   85c0                 | test                eax, eax
            //   0f84cf000000         | je                  0xd5
            //   8b4c2420             | mov                 ecx, dword ptr [esp + 0x20]
            //   51                   | push                ecx
            //   6a01                 | push                1
            //   68ff0f1f00           | push                0x1f0fff

        $sequence_9 = { 0bc0 5b 81c470210000 c3 6a01 6820bf0200 8d8c2488010000 }
            // n = 7, score = 100
            // Like $sequence_2, crosses a ret into the following function.
            //   0bc0                 | or                  eax, eax
            //   5b                   | pop                 ebx
            //   81c470210000         | add                 esp, 0x2170
            //   c3                   | ret                 
            //   6a01                 | push                1
            //   6820bf0200           | push                0x2bf20
            //   8d8c2488010000       | lea                 ecx, [esp + 0x188]

    // 7-of-10 tolerates a few sequences being broken by recompilation or
    // relocation; the filesize bound narrows the rule to small files and
    // should be revisited if it is applied to memory regions or dumps
    // that carry extra padding.
    condition:
        7 of them and filesize < 270336
}