win.decaf

DECAF


Ransomware written in Go.

References
2021-10-28 — Morphisec — Hido Cohen, Michael Dereviashkin
@online{cohen:20211028:decaf:d22e18a, author = {Hido Cohen and Michael Dereviashkin}, title = {{DECAF Ransomware: A New Golang Threat Makes Its Appearance}}, date = {2021-10-28}, organization = {Morphisec}, url = {https://blog.morphisec.com/decaf-ransomware-a-new-golang-threat-makes-its-appearance}, language = {English}, urldate = {2021-11-03} } DECAF Ransomware: A New Golang Threat Makes Its Appearance
DECAF
Yara Rules
[TLP:WHITE] win_decaf_auto (20230715 | Detects win.decaf.)
rule win_decaf_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.decaf."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.decaf"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Matching is performed on the hex byte sequences only. The mnemonic
     *   column inside each sequence's comment is a yara-signator annotation
     *   and does not line up with the bytes next to it (e.g. `7548` in
     *   $sequence_0 is a short jne, while the column says lea). Treat the
     *   hex, not the annotation, as the signature.
     * - The `????????` wildcards mask 4-byte operands; given the
     *   signator_config value "callsandjumps" these are presumably rel32
     *   call/jmp targets that vary between builds - confirm before editing.
     * - The strings were derived from unpacked code (see disclaimer), so the
     *   rule is intended for unpacked files and memory dumps; a packed
     *   on-disk sample is not expected to match.
     * - Single-sample provenance: treat a hit as an attribution lead to
     *   review alongside other telemetry, not as a standalone verdict.
     */

    strings:
        $sequence_0 = { e9???????? 4983f802 7548 4c8d4301 4c39c6 7331 488d05d3a10e00 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   4983f802             | dec                 eax
            //   7548                 | lea                 ebx, [0x16949d]
            //   4c8d4301             | nop                 dword ptr [eax]
            //   4c39c6               | dec                 eax
            //   7331                 | mov                 ebx, eax
            //   488d05d3a10e00       | dec                 eax

        $sequence_1 = { 4889f1 e8???????? 4489d0 b902000000 e8???????? 4489c0 b902000000 }
            // n = 7, score = 100
            //   4889f1               | inc                 esp
            //   e8????????           |                     
            //   4489d0               | movzx               ebp, byte ptr [esp + 0x68]
            //   b902000000           | inc                 esp
            //   e8????????           |                     
            //   4489c0               | mov                 byte ptr [esp + 0x47], ch
            //   b902000000           | inc                 esp

        $sequence_2 = { e8???????? 4889442428 48c70000000000 488d0534a90d00 e8???????? 4889442420 488d0503f20e00 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4889442428           | mov                 dword ptr [esp + 0x80], eax
            //   48c70000000000       | mov                 byte ptr [esp + 0x47], 1
            //   488d0534a90d00       | dec                 eax
            //   e8????????           |                     
            //   4889442420           | mov                 ecx, dword ptr [esp + 0x98]
            //   488d0503f20e00       | dec                 eax

        $sequence_3 = { e8???????? 488d3d437a1f00 e8???????? e8???????? 48898424080e0000 48899c24a00b0000 488b0d???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488d3d437a1f00       | lea                 ebx, [0xba741]
            //   e8????????           |                     
            //   e8????????           |                     
            //   48898424080e0000     | dec                 eax
            //   48899c24a00b0000     | mov                 ecx, dword ptr [esp + 0xf0]
            //   488b0d????????       |                     

        $sequence_4 = { 488bbc24b0000000 48897818 488bbc24e0000000 48897828 4c8b8424a8000000 4c894030 eb37 }
            // n = 7, score = 100
            //   488bbc24b0000000     | xor                 edx, eax
            //   48897818             | mov                 byte ptr [eax + 0xf], dl
            //   488bbc24e0000000     | movzx               edx, byte ptr [esp + 0x5d]
            //   48897828             | inc                 esp
            //   4c8b8424a8000000     | xor                 edx, eax
            //   4c894030             | mov                 byte ptr [eax + 0xe], dl
            //   eb37                 | movzx               edx, byte ptr [esp + 0x54]

        $sequence_5 = { 488b8c24e0030000 e8???????? 488d3d7b331c00 e8???????? e8???????? 48898424e8030000 48899c24f8000000 }
            // n = 7, score = 100
            //   488b8c24e0030000     | xor                 edx, eax
            //   e8????????           |                     
            //   488d3d7b331c00       | mov                 byte ptr [eax + 0x16], dl
            //   e8????????           |                     
            //   e8????????           |                     
            //   48898424e8030000     | movzx               edx, byte ptr [esp + 0x4d]
            //   48899c24f8000000     | inc                 esp

        $sequence_6 = { b900001000 0f1f440000 e8???????? b900001000 e8???????? 488d05ce0a1900 bb11000000 }
            // n = 7, score = 100
            //   b900001000           | dec                 eax
            //   0f1f440000           | mov                 ebx, dword ptr [esp + 0xf8]
            //   e8????????           |                     
            //   b900001000           | dec                 eax
            //   e8????????           |                     
            //   488d05ce0a1900       | test                edx, edx
            //   bb11000000           | jg                  0x921

        $sequence_7 = { eb1c 4889c7 488b8c2410130000 e8???????? 488d3db3ac1f00 e8???????? e8???????? }
            // n = 7, score = 100
            //   eb1c                 | dec                 eax
            //   4889c7               | lea                 ecx, [0x157585]
            //   488b8c2410130000     | dec                 eax
            //   e8????????           |                     
            //   488d3db3ac1f00       | mov                 dword ptr [eax + 8], ecx
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_8 = { b8b7ffffff ffd1 488b08 4889c2 b866000000 ffd1 488b08 }
            // n = 7, score = 100
            //   b8b7ffffff           | dec                 eax
            //   ffd1                 | mov                 dword ptr [eax], ecx
            //   488b08               | dec                 eax
            //   4889c2               | mov                 ecx, dword ptr [esp + 0xad8]
            //   b866000000           | dec                 eax
            //   ffd1                 | mov                 dword ptr [eax + 8], ecx
            //   488b08               | jne                 0x9b7

        $sequence_9 = { e8???????? 4889842440160000 48899c24d0040000 488b0d???????? 48898c24f01f0000 488d0543f00b00 0f1f00 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4889842440160000     | mov                 ecx, ebx
            //   48899c24d0040000     | dec                 eax
            //   488b0d????????       |                     
            //   48898c24f01f0000     | mov                 ebx, edi
            //   488d0543f00b00       | dec                 eax
            //   0f1f00               | mov                 edi, esi

    condition:
        // Any 7 of the 10 $sequence_* strings must be present, and the
        // scanned object must be smaller than 7193600 bytes. The size cap
        // bounds scan cost and filters out oversized carriers; if a larger
        // build or a padded variant appears, this clause - not the strings -
        // is the first thing to revisit.
        // NOTE(review): `filesize` is only meaningful when scanning a file
        // on disk; when the rule is applied to process memory, confirm how
        // your YARA version evaluates this clause before relying on it there.
        7 of them and filesize < 7193600
}