SYMBOLCOMMON_NAMEaka. SYNONYMS
win.joanap (Back to overview)

Joanap

Actor(s): Lazarus Group

VTCollection    

There is no description at this point.

References
2020-02-19LexfoLexfo
The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13QianxinQi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-01SecureworksSecureWorks
NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2018-06-13AcalvioTeam Acalvio
Lateral Movement Technique Employed by Hidden Cobra
Brambul Joanap
2018-05-29US-CERTUS-CERT
Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
Brambul Joanap
2018-05-29US-CERTUS-CERT
MAR-10135536-3 - HIDDEN COBRA RAT/Worm
Brambul Joanap
2017-02-12SymantecA L Johnson
Attackers target dozens of global banks with new malware
Joanap Ratankba Sierra(Alfa,Bravo, ...) Lazarus Group
2016-02-01Blue Coat Systems IncSnorre Fagerland
From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover
Joanap Sierra(Alfa,Bravo, ...)
2015-10-26SymantecA L Johnson
Duuzer back door Trojan targets South Korea to take over computers
Brambul Duuzer Joanap Lazarus Group
Yara Rules
[TLP:WHITE] win_joanap_auto (20230808 | Detects win.joanap.)
rule win_joanap_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.joanap."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b8c242c010000 66c74424140200 51 c744241c7f000001 ff15???????? 8d542414 }
            // n = 6, score = 100
            //   8b8c242c010000       | mov                 ecx, dword ptr [esp + 0x12c]
            //   66c74424140200       | mov                 word ptr [esp + 0x14], 2
            //   51                   | push                ecx
            //   c744241c7f000001     | mov                 dword ptr [esp + 0x1c], 0x100007f
            //   ff15????????         |                     
            //   8d542414             | lea                 edx, [esp + 0x14]

        $sequence_1 = { 56 85c0 57 0f8483000000 53 ff15???????? 50 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   85c0                 | test                eax, eax
            //   57                   | push                edi
            //   0f8483000000         | je                  0x89
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_2 = { 0f8488000000 6a04 e8???????? 8b442414 8d6b06 66897304 }
            // n = 6, score = 100
            //   0f8488000000         | je                  0x8e
            //   6a04                 | push                4
            //   e8????????           |                     
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   8d6b06               | lea                 ebp, [ebx + 6]
            //   66897304             | mov                 word ptr [ebx + 4], si

        $sequence_3 = { f7d1 49 81f908020000 7332 56 ff15???????? 8bf8 }
            // n = 7, score = 100
            //   f7d1                 | not                 ecx
            //   49                   | dec                 ecx
            //   81f908020000         | cmp                 ecx, 0x208
            //   7332                 | jae                 0x34
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_4 = { 750c 8d8c24b8020000 e9???????? 8d8c241b020000 51 56 ffd7 }
            // n = 7, score = 100
            //   750c                 | jne                 0xe
            //   8d8c24b8020000       | lea                 ecx, [esp + 0x2b8]
            //   e9????????           |                     
            //   8d8c241b020000       | lea                 ecx, [esp + 0x21b]
            //   51                   | push                ecx
            //   56                   | push                esi
            //   ffd7                 | call                edi

        $sequence_5 = { 85c0 0f85cbfeffff 8b4c2410 51 ff15???????? 57 ff15???????? }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f85cbfeffff         | jne                 0xfffffed1
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_6 = { ff15???????? 85c0 0f84cf000000 8b4c2420 51 6a01 68ff0f1f00 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f84cf000000         | je                  0xd5
            //   8b4c2420             | mov                 ecx, dword ptr [esp + 0x20]
            //   51                   | push                ecx
            //   6a01                 | push                1
            //   68ff0f1f00           | push                0x1f0fff

        $sequence_7 = { 55 8bac2420010000 56 8b35???????? 57 33ff 8b842424010000 }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   8bac2420010000       | mov                 ebp, dword ptr [esp + 0x120]
            //   56                   | push                esi
            //   8b35????????         |                     
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   8b842424010000       | mov                 eax, dword ptr [esp + 0x124]

        $sequence_8 = { 8b442414 83c018 47 3dd0020000 89442414 0f8c73ffffff 8b742410 }
            // n = 7, score = 100
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   83c018               | add                 eax, 0x18
            //   47                   | inc                 edi
            //   3dd0020000           | cmp                 eax, 0x2d0
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   0f8c73ffffff         | jl                  0xffffff79
            //   8b742410             | mov                 esi, dword ptr [esp + 0x10]

        $sequence_9 = { 0bc0 5b 81c470210000 c3 6a01 6820bf0200 8d8c2488010000 }
            // n = 7, score = 100
            //   0bc0                 | or                  eax, eax
            //   5b                   | pop                 ebx
            //   81c470210000         | add                 esp, 0x2170
            //   c3                   | ret                 
            //   6a01                 | push                1
            //   6820bf0200           | push                0x2bf20
            //   8d8c2488010000       | lea                 ecx, [esp + 0x188]

    condition:
        7 of them and filesize < 270336
}
Download all Yara Rules