Ransomware written in Go.
rule win_decaf_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-03-28" version = "1" description = "Detects win.decaf." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.decaf" malpedia_rule_date = "20230328" malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d" malpedia_version = "20230407" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? 488b0d???????? 48898c24b8010000 488d051fb61400 e8???????? 833d????????00 750e } // n = 7, score = 100 // e8???????? | // 488b0d???????? | // 48898c24b8010000 | mov ebx, 0x14 // 488d051fb61400 | dec eax // e8???????? | // 833d????????00 | // 750e | lea eax, [0x1a54b8] $sequence_1 = { ffd1 488b08 4889c2 b8a3ffffff ffd1 48c744241000000000 488b4c2428 } // n = 7, score = 100 // ffd1 | mov ecx, dword ptr [esp + 0x1e40] // 488b08 | dec eax // 4889c2 | mov ecx, dword ptr [esp + 0x968] // b8a3ffffff | dec eax // ffd1 | mov dword ptr [eax + 8], ecx // 48c744241000000000 | jne 0xf69 // 488b4c2428 | dec eax $sequence_2 = { c644241f48 c644241ec1 31c0 eb13 0fb654041f 0fb674041e 01f2 } // n = 7, score = 100 // c644241f48 | lea eax, [edi + esi*8] // c644241ec1 | dec ebp // 31c0 | lea eax, [eax - 0x10] // eb13 | dec eax // 0fb654041f | mov ebx, dword ptr [esp + 0xe8] // 0fb674041e | dec eax // 01f2 | mov ecx, ebx $sequence_3 = { b81a000000 ffd1 488b08 4889c2 b8eaffffff ffd1 488b08 } // n = 7, score = 100 // b81a000000 | mov ebx, dword ptr [esp + 0x50] // ffd1 | dec eax // 488b08 | mov edi, eax // 4889c2 | dec eax // b8eaffffff | mov esi, ecx // ffd1 | dec eax // 488b08 | mov eax, dword ptr [esp + 0x48] $sequence_4 = { 4c894c2450 4488542447 488d05e26a0c00 6690 e8???????? 488b7c2458 48894f10 } // n = 7, score = 100 // 4c894c2450 | adc ecx, dword ptr [eax - 0x77] // 4488542447 | push esp // 488d05e26a0c00 | and al, 0x58 // 6690 | dec eax // e8???????? | // 488b7c2458 | mov edx, 0x1e190715 // 48894f10 | or byte ptr [edx], al $sequence_5 = { b804000000 e9???????? 4983f808 754d 4c8d4302 4c39c6 7337 } // n = 7, score = 100 // b804000000 | dec eax // e9???????? | // 4983f808 | mov eax, dword ptr [esp + 0x40] // 754d | mov dword ptr [edi + ebx], 0x11666916 // 4c8d4302 | mov ecx, 0x11 // 4c39c6 | dec eax // 7337 | mov ebx, dword ptr [esp + 0x48] $sequence_6 = { 440fb66c245d 44886c2445 440fb66c2460 44886c2444 440fb66c2465 44886c2443 440fb66c2458 } // n = 7, score = 100 // 440fb66c245d | sub edx, eax // 44886c2445 | mov byte ptr [eax + 0x1a], dl // 440fb66c2460 | movzx edx, byte ptr [esp + 0x78] // 44886c2444 | mov byte ptr [eax + 0x19], dl // 440fb66c2465 | movzx edx, byte ptr [esp + 0x4f] // 44886c2443 | inc esp // 440fb66c2458 | movzx eax, byte ptr [esp + 0x7c] $sequence_7 = { e8???????? 488b542470 4c8b5220 488b842498010000 488b9c24d0010000 b910000000 4889cf } // n = 7, score = 100 // e8???????? | // 488b542470 | dec eax // 4c8b5220 | mov dword ptr [esp + 8], eax // 488b842498010000 | dec eax // 488b9c24d0010000 | lea eax, [0x7226d] // b910000000 | dec eax // 4889cf | mov ecx, edx $sequence_8 = { eb1e 440fb6441c1c 418d1410 8d5230 8854341c 40887c1c1c 4883c002 } // n = 7, score = 100 // eb1e | dec esp // 440fb6441c1c | lea eax, [eax + 0x13] // 418d1410 | dec esp // 8d5230 | lea ecx, [ecx - 0x13] // 8854341c | dec esp // 40887c1c1c | lea ebx, [ecx - 0x18] // 4883c002 | dec esp $sequence_9 = { c644243f00 440f11bc24a0000000 440f11bc2490000000 b802000080 488d1de1fe1400 b937000000 bf09000000 } // n = 7, score = 100 // c644243f00 | lea eax, [0x1b5fc6] // 440f11bc24a0000000 | mov ebx, 0x20 // 440f11bc2490000000 | dec eax // b802000080 | lea eax, [0x1b33a0] // 488d1de1fe1400 | dec eax // b937000000 | mov ebp, dword ptr [esp + 0x150] // bf09000000 | dec eax condition: 7 of them and filesize < 7193600 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY