Family identifier: win.decaf

DECAF


Ransomware written in Go (Golang). The only public analysis referenced on this page is the Morphisec write-up from October 2021 (see References); the YARA rule below was auto-generated from Malpedia's sample set and targets 64-bit Windows builds.

References
2021-10-28 — Morphisec — Hido Cohen, Michael Dereviashkin
@online{cohen:20211028:decaf:d22e18a, author = {Hido Cohen and Michael Dereviashkin}, title = {{DECAF Ransomware: A New Golang Threat Makes Its Appearance}}, date = {2021-10-28}, organization = {Morphisec}, url = {https://blog.morphisec.com/decaf-ransomware-a-new-golang-threat-makes-its-appearance}, language = {English}, urldate = {2021-11-03} } DECAF Ransomware: A New Golang Threat Makes Its Appearance
DECAF
Yara Rules
[TLP:WHITE] win_decaf_auto (20230407 | Detects win.decaf.)
rule win_decaf_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.decaf."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.decaf"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review) -- things to know before deploying this rule:
     *
     * - Architecture: every sequence except $sequence_2 contains REX prefixes
     *   (0x40-0x4f) and 64-bit register/RIP-relative encodings, so with the
     *   "7 of them" threshold this rule effectively matches only x86-64 builds.
     *   A 32-bit build of the same family (if one exists) will not match.
     *
     * - The per-line mnemonics below are hand-decoded from the hex bytes on the
     *   same line (Intel syntax, 64-bit mode). The generator's original
     *   annotation column was produced by a 32-bit decode and did not line up
     *   with the bytes; it has been replaced and should not be confused with
     *   the original tool output.
     *
     * - Wildcards (??) cover call/jmp rel32 targets and RIP-relative disp32
     *   operands, so those sequences survive relinking. However $sequence_0,
     *   $sequence_4 and $sequence_9 embed fixed RIP-relative displacements
     *   (0x14b61f, 0xc6ae2, 0x14fee1); those are layout-specific and are the
     *   parts most likely to break on a rebuilt or differently-linked sample.
     *
     * - The condition uses `filesize`. Per the YARA documentation filesize is
     *   only defined when scanning a file, not a running process; since the
     *   source material was memory dumps / unpacked files (see disclaimer),
     *   confirm in your own scanner that the rule behaves as expected against
     *   the artefact type you feed it (dumped file on disk vs. live process).
     *
     * - Single-sample provenance (see disclaimer): treat hits as a medium-
     *   confidence family indicator, not as proof, and corroborate with the
     *   behavioural indicators from the referenced Morphisec analysis.
     */

    strings:
        $sequence_0 = { e8???????? 488b0d???????? 48898c24b8010000 488d051fb61400 e8???????? 833d????????00 750e }
            // n = 7, score = 100
            //   e8????????           | call    rel32                         (target wildcarded)
            //   488b0d????????       | mov     rcx, qword ptr [rip+disp32]   (global load, disp wildcarded)
            //   48898c24b8010000     | mov     qword ptr [rsp+0x1b8], rcx
            //   488d051fb61400       | lea     rax, [rip+0x14b61f]           (fixed displacement, layout-specific)
            //   e8????????           | call    rel32
            //   833d????????00       | cmp     dword ptr [rip+disp32], 0     (global flag test, disp wildcarded)
            //   750e                 | jne     +0x0e

        $sequence_1 = { ffd1 488b08 4889c2 b8a3ffffff ffd1 48c744241000000000 488b4c2428 }
            // n = 7, score = 100
            //   ffd1                 | call    rcx
            //   488b08               | mov     rcx, qword ptr [rax]
            //   4889c2               | mov     rdx, rax
            //   b8a3ffffff           | mov     eax, 0xffffffa3               (-93; meaning not established here)
            //   ffd1                 | call    rcx
            //   48c744241000000000   | mov     qword ptr [rsp+0x10], 0
            //   488b4c2428           | mov     rcx, qword ptr [rsp+0x28]
            // Same "mov eax, imm / call rcx / mov rcx,[rax] / mov rdx,rax" shape
            // as $sequence_3 with a different immediate -- a repeated call-site
            // idiom; what the immediates select is not determinable from bytes alone.

        $sequence_2 = { c644241f48 c644241ec1 31c0 eb13 0fb654041f 0fb674041e 01f2 }
            // n = 7, score = 100
            //   c644241f48           | mov     byte ptr [rsp+0x1f], 0x48
            //   c644241ec1           | mov     byte ptr [rsp+0x1e], 0xc1
            //   31c0                 | xor     eax, eax                      (loop counter = 0)
            //   eb13                 | jmp     +0x13                         (jump to loop condition)
            //   0fb654041f           | movzx   edx, byte ptr [rsp+rax+0x1f]
            //   0fb674041e           | movzx   esi, byte ptr [rsp+rax+0x1e]
            //   01f2                 | add     edx, esi
            // Only sequence without a REX prefix (also valid as 32-bit code).
            // Byte-wise loop over two tiny stack buffers seeded with constants;
            // looks like an inline string/constant decode -- unverified.

        $sequence_3 = { b81a000000 ffd1 488b08 4889c2 b8eaffffff ffd1 488b08 }
            // n = 7, score = 100
            //   b81a000000           | mov     eax, 0x1a
            //   ffd1                 | call    rcx
            //   488b08               | mov     rcx, qword ptr [rax]
            //   4889c2               | mov     rdx, rax
            //   b8eaffffff           | mov     eax, 0xffffffea               (-22)
            //   ffd1                 | call    rcx
            //   488b08               | mov     rcx, qword ptr [rax]

        $sequence_4 = { 4c894c2450 4488542447 488d05e26a0c00 6690 e8???????? 488b7c2458 48894f10 }
            // n = 7, score = 100
            //   4c894c2450           | mov     qword ptr [rsp+0x50], r9
            //   4488542447           | mov     byte ptr [rsp+0x47], r10b
            //   488d05e26a0c00       | lea     rax, [rip+0xc6ae2]            (fixed displacement, layout-specific)
            //   6690                 | xchg    ax, ax                        (2-byte nop / alignment padding)
            //   e8????????           | call    rel32
            //   488b7c2458           | mov     rdi, qword ptr [rsp+0x58]
            //   48894f10             | mov     qword ptr [rdi+0x10], rcx

        $sequence_5 = { b804000000 e9???????? 4983f808 754d 4c8d4302 4c39c6 7337 }
            // n = 7, score = 100
            //   b804000000           | mov     eax, 4
            //   e9????????           | jmp     rel32
            //   4983f808             | cmp     r8, 8
            //   754d                 | jne     +0x4d
            //   4c8d4302             | lea     r8, [rbx+2]
            //   4c39c6               | cmp     rsi, r8
            //   7337                 | jae     +0x37                         (unsigned bound check)

        $sequence_6 = { 440fb66c245d 44886c2445 440fb66c2460 44886c2444 440fb66c2465 44886c2443 440fb66c2458 }
            // n = 7, score = 100
            //   440fb66c245d         | movzx   r13d, byte ptr [rsp+0x5d]
            //   44886c2445           | mov     byte ptr [rsp+0x45], r13b
            //   440fb66c2460         | movzx   r13d, byte ptr [rsp+0x60]
            //   44886c2444           | mov     byte ptr [rsp+0x44], r13b
            //   440fb66c2465         | movzx   r13d, byte ptr [rsp+0x65]
            //   44886c2443           | mov     byte ptr [rsp+0x43], r13b
            //   440fb66c2458         | movzx   r13d, byte ptr [rsp+0x58]
            // Unrolled byte shuffle from one stack buffer into another (non-
            // sequential source offsets, descending destination offsets) --
            // consistent with constructing a string from scattered bytes; unverified.

        $sequence_7 = { e8???????? 488b542470 4c8b5220 488b842498010000 488b9c24d0010000 b910000000 4889cf }
            // n = 7, score = 100
            //   e8????????           | call    rel32
            //   488b542470           | mov     rdx, qword ptr [rsp+0x70]
            //   4c8b5220             | mov     r10, qword ptr [rdx+0x20]
            //   488b842498010000     | mov     rax, qword ptr [rsp+0x198]
            //   488b9c24d0010000     | mov     rbx, qword ptr [rsp+0x1d0]
            //   b910000000           | mov     ecx, 0x10
            //   4889cf               | mov     rdi, rcx

        $sequence_8 = { eb1e 440fb6441c1c 418d1410 8d5230 8854341c 40887c1c1c 4883c002 }
            // n = 7, score = 100
            //   eb1e                 | jmp     +0x1e
            //   440fb6441c1c         | movzx   r8d, byte ptr [rsp+rbx+0x1c]
            //   418d1410             | lea     edx, [r8+rdx]
            //   8d5230               | lea     edx, [rdx+0x30]               (+'0')
            //   8854341c             | mov     byte ptr [rsp+rsi+0x1c], dl
            //   40887c1c1c           | mov     byte ptr [rsp+rbx+0x1c], dil
            //   4883c002             | add     rax, 2
            // The +0x30 on a byte value is the usual digit-to-ASCII step, so this
            // looks like an in-place number-formatting loop -- unverified.

        $sequence_9 = { c644243f00 440f11bc24a0000000 440f11bc2490000000 b802000080 488d1de1fe1400 b937000000 bf09000000 }
            // n = 7, score = 100
            //   c644243f00           | mov     byte ptr [rsp+0x3f], 0
            //   440f11bc24a0000000   | movups  xmmword ptr [rsp+0xa0], xmm15
            //   440f11bc2490000000   | movups  xmmword ptr [rsp+0x90], xmm15
            //   b802000080           | mov     eax, 0x80000002
            //   488d1de1fe1400       | lea     rbx, [rip+0x14fee1]           (fixed displacement, layout-specific)
            //   b937000000           | mov     ecx, 0x37
            //   bf09000000           | mov     edi, 9
            // Storing xmm15 to zero stack slots is consistent with Go's amd64
            // register ABI (X15 is kept zero), matching the "written in Go" note
            // on this page. 0x80000002 equals the Win32 HKEY_LOCAL_MACHINE handle
            // value; a registry access is plausible here but not confirmed from
            // these bytes alone -- verify against the referenced analysis.

    condition:
        // Two-thirds of the sequences must be present; the threshold is what
        // makes the rule tolerate the layout-specific displacements noted above.
        // filesize cap (~6.9 MiB) is sized for a statically linked Go binary and
        // is only evaluated on file scans (see NOTE(review)).
        7 of them and filesize < 7193600
}