win.joanap

Joanap

Actor(s): Lazarus Group


There is no description at this point.

References
2020-02-19 — Lexfo — Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13 — Qianxin — Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 — Secureworks — SecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2018-06-13 — Acalvio — Team Acalvio
@online{acalvio:20180613:lateral:ab17115, author = {Team Acalvio}, title = {{Lateral Movement Technique Employed by Hidden Cobra}}, date = {2018-06-13}, organization = {Acalvio}, url = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/}, language = {English}, urldate = {2020-01-13} } Lateral Movement Technique Employed by Hidden Cobra
Brambul Joanap
2018-05-29 — US-CERT — US-CERT
@online{uscert:20180529:mar101355363:6ee74d8, author = {US-CERT}, title = {{MAR-10135536-3 - HIDDEN COBRA RAT/Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-149A}, language = {English}, urldate = {2019-10-13} } MAR-10135536-3 - HIDDEN COBRA RAT/Worm
Brambul Joanap
2018-05-29 — US-CERT — US-CERT
@online{uscert:20180529:alert:9ab63c1, author = {US-CERT}, title = {{Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA18-149A}, language = {English}, urldate = {2020-01-10} } Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
Brambul Joanap
2017-02-12 — Symantec — A L Johnson
@online{johnson:20170212:attackers:c338fa3, author = {A L Johnson}, title = {{Attackers target dozens of global banks with new malware}}, date = {2017-02-12}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware}, language = {English}, urldate = {2020-04-21} } Attackers target dozens of global banks with new malware
Joanap Ratankba Sierra(Alfa,Bravo, ...) Lazarus Group
2016-02 — Blue Coat Systems Inc — Snorre Fagerland
@online{fagerland:201602:from:78bc745, author = {Snorre Fagerland}, title = {{From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover}}, date = {2016-02}, organization = {Blue Coat Systems Inc}, url = {https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4}, language = {English}, urldate = {2020-08-18} } From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover
Joanap Sierra(Alfa,Bravo, ...)
2015-10-26 — Symantec — A L Johnson
@online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Duuzer back door Trojan targets South Korea to take over computers
Brambul Duuzer Joanap Lazarus Group
Yara Rules
[TLP:WHITE] win_joanap_auto (20230125 | Detects win.joanap.)
// Auto-generated (yara-signator) code-sequence signature for the win.joanap
// family. Ten hex strings, $sequence_0 .. $sequence_9, each encode a run of
// six or seven x86 instructions (32-bit register names throughout) taken from
// the disassembly described in the disclaimer below. The condition requires
// at least seven of the ten sequences to be present in a scanned object
// smaller than 270336 bytes.
rule win_joanap_auto {

    // Provenance and bookkeeping only; none of these fields affect matching.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.joanap."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap"
        malpedia_rule_date = "20230124"
        // NOTE(review): malpedia_hash looks like a dataset/commit identifier
        // rather than a sample hash -- confirm before treating it as an IoC.
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each string is a raw byte pattern; "??" is a YARA wildcard byte. The
    // generator leaves the disassembly column blank for every instruction
    // whose operand is wildcarded (e.g. a3????????, e9????????, ff15????????,
    // 68????????), presumably because those operands are absolute addresses or
    // build-specific immediates -- TODO confirm against yara-signator's
    // "callsandjumps;datarefs" config. The "n = N, score = S" line above each
    // listing is generator output: N instructions in the sequence, S its
    // selection score.
    strings:
        // NOTE(review): this sequence keeps the displacement 0x2ceb2c literally
        // rather than wildcarding it; a rebased/relocated build may not match.
        $sequence_0 = { 33c0 83fb06 0f95c0 40 c1e005 85db 8b902ceb2c00 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   83fb06               | cmp                 ebx, 6
            //   0f95c0               | setne               al
            //   40                   | inc                 eax
            //   c1e005               | shl                 eax, 5
            //   85db                 | test                ebx, ebx
            //   8b902ceb2c00         | mov                 edx, dword ptr [eax + 0x2ceb2c]

        $sequence_1 = { 85c0 a3???????? 750c 8d8c24b8020000 e9???????? 8d8424ad010000 50 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            //   750c                 | jne                 0xe
            //   8d8c24b8020000       | lea                 ecx, [esp + 0x2b8]
            //   e9????????           |                     
            //   8d8424ad010000       | lea                 eax, [esp + 0x1ad]
            //   50                   | push                eax

        $sequence_2 = { 8d8c2458020000 50 57 68???????? 51 ffd5 8b442424 }
            // n = 7, score = 100
            //   8d8c2458020000       | lea                 ecx, [esp + 0x258]
            //   50                   | push                eax
            //   57                   | push                edi
            //   68????????           |                     
            //   51                   | push                ecx
            //   ffd5                 | call                ebp
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]

        $sequence_3 = { e9???????? 8d842408010000 50 56 ffd7 85c0 a3???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8d842408010000       | lea                 eax, [esp + 0x108]
            //   50                   | push                eax
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax
            //   a3????????           |                     

        // Only six instructions here (n = 6); the last one carries two
        // wildcarded and one literal dword (20000000).
        $sequence_4 = { 3bc6 746e 56 68???????? 68???????? c705????????20000000 }
            // n = 6, score = 100
            //   3bc6                 | cmp                 eax, esi
            //   746e                 | je                  0x70
            //   56                   | push                esi
            //   68????????           |                     
            //   68????????           |                     
            //   c705????????20000000     |     

        $sequence_5 = { 8906 8b0d???????? 68???????? 6a00 6a00 894e0c c74608???????? }
            // n = 7, score = 100
            //   8906                 | mov                 dword ptr [esi], eax
            //   8b0d????????         |                     
            //   68????????           |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   894e0c               | mov                 dword ptr [esi + 0xc], ecx
            //   c74608????????       |                     

        $sequence_6 = { 8b4214 85c0 7434 6a01 8d442424 6820bf0200 50 }
            // n = 7, score = 100
            //   8b4214               | mov                 eax, dword ptr [edx + 0x14]
            //   85c0                 | test                eax, eax
            //   7434                 | je                  0x36
            //   6a01                 | push                1
            //   8d442424             | lea                 eax, [esp + 0x24]
            //   6820bf0200           | push                0x2bf20
            //   50                   | push                eax

        // $sequence_7 and $sequence_8 contain no wildcards at all, so they are
        // the most literal (and most brittle to recompilation) patterns here.
        $sequence_7 = { 8b442414 8d6b06 66897b04 b92c000000 8db050ffffff 8bfd c703b2000000 }
            // n = 7, score = 100
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   8d6b06               | lea                 ebp, [ebx + 6]
            //   66897b04             | mov                 word ptr [ebx + 4], di
            //   b92c000000           | mov                 ecx, 0x2c
            //   8db050ffffff         | lea                 esi, [eax - 0xb0]
            //   8bfd                 | mov                 edi, ebp
            //   c703b2000000         | mov                 dword ptr [ebx], 0xb2

        $sequence_8 = { 55 ff15???????? 8b5c2430 81e3ffff0000 8d83f9bfffff 83f80c 0f87c8000000 }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   ff15????????         |                     
            //   8b5c2430             | mov                 ebx, dword ptr [esp + 0x30]
            //   81e3ffff0000         | and                 ebx, 0xffff
            //   8d83f9bfffff         | lea                 eax, [ebx - 0x4007]
            //   83f80c               | cmp                 eax, 0xc
            //   0f87c8000000         | ja                  0xce

        $sequence_9 = { ff15???????? 85c0 7523 8d4c2420 e8???????? b801000000 8b8c2494040000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7523                 | jne                 0x25
            //   8d4c2420             | lea                 ecx, [esp + 0x20]
            //   e8????????           |                     
            //   b801000000           | mov                 eax, 1
            //   8b8c2494040000       | mov                 ecx, dword ptr [esp + 0x494]

    condition:
        // "them" is every $sequence_* string above; at least 7 of the 10 must
        // be found, so up to three sequences may be absent or altered without
        // losing the match. 270336 bytes = 264 KiB.
        // NOTE(review): YARA documents filesize as meaningful for file scans;
        // since the disclaimer says the strings came from memory dumps, confirm
        // the intended behaviour when this rule is applied to process memory
        // rather than files on disk.
        7 of them and filesize < 270336
}