SYMBOLCOMMON_NAMEaka. SYNONYMS
win.joanap (Back to overview)

Joanap

Actor(s): Lazarus Group

There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2018-06-13AcalvioTeam Acalvio
@online{acalvio:20180613:lateral:ab17115, author = {Team Acalvio}, title = {{Lateral Movement Technique Employed by Hidden Cobra}}, date = {2018-06-13}, organization = {Acalvio}, url = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/}, language = {English}, urldate = {2020-01-13} } Lateral Movement Technique Employed by Hidden Cobra
Brambul Joanap
2018-05-29US-CERTUS-CERT
@online{uscert:20180529:alert:9ab63c1, author = {US-CERT}, title = {{Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA18-149A}, language = {English}, urldate = {2020-01-10} } Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
Brambul Joanap
2018-05-29US-CERTUS-CERT
@online{uscert:20180529:mar101355363:6ee74d8, author = {US-CERT}, title = {{MAR-10135536-3 - HIDDEN COBRA RAT/Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-149A}, language = {English}, urldate = {2019-10-13} } MAR-10135536-3 - HIDDEN COBRA RAT/Worm
Brambul Joanap
2017-02-12SymantecA L Johnson
@online{johnson:20170212:attackers:c338fa3, author = {A L Johnson}, title = {{Attackers target dozens of global banks with new malware}}, date = {2017-02-12}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware}, language = {English}, urldate = {2020-04-21} } Attackers target dozens of global banks with new malware
Joanap Ratankba Sierra(Alfa,Bravo, ...) Lazarus Group
2016-02Blue Coat Systems IncSnorre Fagerland
@online{fagerland:201602:from:78bc745, author = {Snorre Fagerland}, title = {{From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover}}, date = {2016-02}, organization = {Blue Coat Systems Inc}, url = {https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4}, language = {English}, urldate = {2020-08-18} } From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover
Joanap Sierra(Alfa,Bravo, ...)
2015-10-26SymantecA L Johnson
@online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Duuzer back door Trojan targets South Korea to take over computers
Brambul Duuzer Joanap Lazarus Group
Yara Rules
[TLP:WHITE] win_joanap_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_joanap_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 68???????? 68???????? c705????????20000000 c705????????02000000 c705????????01000000 8935???????? 8935???????? }
            // n = 7, score = 100
            //   68????????           |                     
            //   68????????           |                     
            //   c705????????20000000     |     
            //   c705????????02000000     |     
            //   c705????????01000000     |     
            //   8935????????         |                     
            //   8935????????         |                     

        $sequence_1 = { 85f6 7469 8b842494000000 6a00 6a00 56 }
            // n = 6, score = 100
            //   85f6                 | test                esi, esi
            //   7469                 | je                  0x6b
            //   8b842494000000       | mov                 eax, dword ptr [esp + 0x94]
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   56                   | push                esi

        $sequence_2 = { 740f 56 ffd3 8b4c2410 51 }
            // n = 5, score = 100
            //   740f                 | je                  0x11
            //   56                   | push                esi
            //   ffd3                 | call                ebx
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   51                   | push                ecx

        $sequence_3 = { 49 8dbe7c040000 8bd9 83c9ff f2ae f7d1 49 }
            // n = 7, score = 100
            //   49                   | dec                 ecx
            //   8dbe7c040000         | lea                 edi, [esi + 0x47c]
            //   8bd9                 | mov                 ebx, ecx
            //   83c9ff               | or                  ecx, 0xffffffff
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   f7d1                 | not                 ecx
            //   49                   | dec                 ecx

        $sequence_4 = { 56 e8???????? 83c404 33ff a1???????? 8b0c07 85c9 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   33ff                 | xor                 edi, edi
            //   a1????????           |                     
            //   8b0c07               | mov                 ecx, dword ptr [edi + eax]
            //   85c9                 | test                ecx, ecx

        $sequence_5 = { 53 c70316000000 52 66897b04 e8???????? 83c410 }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   c70316000000         | mov                 dword ptr [ebx], 0x16
            //   52                   | push                edx
            //   66897b04             | mov                 word ptr [ebx + 4], di
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_6 = { c3 83e010 3c10 750d 6a01 }
            // n = 5, score = 100
            //   c3                   | ret                 
            //   83e010               | and                 eax, 0x10
            //   3c10                 | cmp                 al, 0x10
            //   750d                 | jne                 0xf
            //   6a01                 | push                1

        $sequence_7 = { 66c744241cffff c744241802000000 e8???????? 56 ff15???????? 83c414 }
            // n = 6, score = 100
            //   66c744241cffff       | mov                 word ptr [esp + 0x1c], 0xffff
            //   c744241802000000     | mov                 dword ptr [esp + 0x18], 2
            //   e8????????           |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   83c414               | add                 esp, 0x14

        $sequence_8 = { 55 50 ff15???????? 68???????? 56 ffd3 }
            // n = 6, score = 100
            //   55                   | push                ebp
            //   50                   | push                eax
            //   ff15????????         |                     
            //   68????????           |                     
            //   56                   | push                esi
            //   ffd3                 | call                ebx

        $sequence_9 = { 8b13 25ffff0000 89542426 8b5304 8954242a 8b5308 }
            // n = 6, score = 100
            //   8b13                 | mov                 edx, dword ptr [ebx]
            //   25ffff0000           | and                 eax, 0xffff
            //   89542426             | mov                 dword ptr [esp + 0x26], edx
            //   8b5304               | mov                 edx, dword ptr [ebx + 4]
            //   8954242a             | mov                 dword ptr [esp + 0x2a], edx
            //   8b5308               | mov                 edx, dword ptr [ebx + 8]

    condition:
        7 of them and filesize < 270336
}
Download all Yara Rules