win.decaf

DECAF


Ransomware written in Go.

References
2021-10-28 — Morphisec — Hido Cohen, Michael Dereviashkin
@online{cohen:20211028:decaf:d22e18a, author = {Hido Cohen and Michael Dereviashkin}, title = {{DECAF Ransomware: A New Golang Threat Makes Its Appearance}}, date = {2021-10-28}, organization = {Morphisec}, url = {https://blog.morphisec.com/decaf-ransomware-a-new-golang-threat-makes-its-appearance}, language = {English}, urldate = {2021-11-03} } DECAF Ransomware: A New Golang Threat Makes Its Appearance
DECAF
Yara Rules
[TLP:WHITE] win_decaf_auto (20220808 | Detects win.decaf.)
rule win_decaf_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.decaf."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.decaf"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * The per-line "| mnemonic" annotations below do NOT correspond to the hex
     * bytes printed on the same line (e.g. b905000000 encodes `mov ecx, 5`, and
     * 90 is a `nop`, yet both are annotated with unrelated instructions). They
     * look like a 32-bit decode of 64-bit code that has drifted out of alignment
     * with the byte sequences -- presumably a generator artifact; confirm before
     * relying on them. Treat the hex strings as the authoritative content of the
     * rule and the annotations as informational only.
     * The ???????? wildcards mask relocation-dependent operands (call/jmp
     * targets and absolute data references) so the sequences survive rebasing.
     */

    strings:
        $sequence_0 = { b905000000 e9???????? 4c8d4301 0f1f4000 4c39c6 7331 488d05b4a70400 }
            // n = 7, score = 100
            //   b905000000           | dec                 eax
            //   e9????????           |                     
            //   4c8d4301             | mov                 dword ptr [esp + 0xd8], ecx
            //   0f1f4000             | dec                 ebx
            //   4c39c6               | lea                 edx, [eax + eax*2]
            //   7331                 | dec                 eax
            //   488d05b4a70400       | lea                 edx, [edx + 4]

        $sequence_1 = { 90 90 488d05a5012d00 e8???????? 8b0d???????? 8d59ff 891d???????? }
            // n = 7, score = 100
            //   90                   | imul                ecx, dword ptr [eax - 0x77], 0x48682454
            //   90                   | mov                 edx, 0xd9e1116f
            //   488d05a5012d00       | mov                 ebp, ds
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   8d59ff               | cld                 
            //   891d????????         |                     

        $sequence_2 = { b911000000 4c8d05bdf61700 41b90e000000 e8???????? 488b6c2458 4883c460 c3 }
            // n = 7, score = 100
            //   b911000000           | sub                 eax, 0x24948948
            //   4c8d05bdf61700       | fadd                dword ptr [eax]
            //   41b90e000000         | add                 byte ptr [eax], al
            //   e8????????           |                     
            //   488b6c2458           | movzx               edx, byte ptr [esp + 0x92]
            //   4883c460             | mov                 byte ptr [esp + 0x75], dl
            //   c3                   | dec                 eax

        $sequence_3 = { 4c8b442458 4889c7 4889ce 488b442440 66c7041f6941 c6441f026f b903000000 }
            // n = 7, score = 100
            //   4c8b442458           | movzx               ebp, byte ptr [esp + 0x6e]
            //   4889c7               | inc                 esp
            //   4889ce               | mov                 byte ptr [esp + 0x43], ch
            //   488b442440           | inc                 esp
            //   66c7041f6941         | movzx               ebp, byte ptr [esp + 0x72]
            //   c6441f026f           | inc                 esp
            //   b903000000           | mov                 byte ptr [esp + 0x42], ch

        $sequence_4 = { e8???????? 48898424b0000000 488d0566410500 e8???????? 48898424a8000000 48b93020300c06082a86 488908 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   48898424b0000000     | mov                 eax, dword ptr [esp + 0x48]
            //   488d0566410500       | mov                 byte ptr [edi + ebx], 0x84
            //   e8????????           |                     
            //   48898424a8000000     | mov                 ecx, 1
            //   48b93020300c06082a86     | dec    ecx
            //   488908               | cmp                 eax, 6

        $sequence_5 = { 4c898424b0000000 488d05b7ae0200 4889d9 4889fb 4889f7 4c89c6 e8???????? }
            // n = 7, score = 100
            //   4c898424b0000000     | inc                 esp
            //   488d05b7ae0200       | mov                 byte ptr [esp + 0x58], bh
            //   4889d9               | inc                 esp
            //   4889fb               | movzx               ebp, byte ptr [esp + 0x63]
            //   4889f7               | inc                 esp
            //   4c89c6               | mov                 byte ptr [esp + 0x57], ch
            //   e8????????           |                     

        $sequence_6 = { e8???????? 90 66c74424417322 c64424430a c744244400000000 66c74424440202 c644244601 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   90                   | mov                 esi, ecx
            //   66c74424417322       | dec                 eax
            //   c64424430a           | mov                 eax, dword ptr [esp + 0x40]
            //   c744244400000000     | mov                 dword ptr [edi + ebx], 0x76646a64
            //   66c74424440202       | mov                 ecx, 0x11
            //   c644244601           | dec                 ecx

        $sequence_7 = { b911000000 e9???????? 4c8d4303 4c39c6 7337 4c89442478 488d05013b0700 }
            // n = 7, score = 100
            //   b911000000           | dec                 eax
            //   e9????????           |                     
            //   4c8d4303             | lea                 ecx, [esp + 0x2b0]
            //   4c39c6               | mov                 edi, 2
            //   7337                 | dec                 eax
            //   4c89442478           | mov                 esi, edi
            //   488d05013b0700       | dec                 eax

        $sequence_8 = { b908000000 e9???????? 4c8d4302 4c39c6 733d 4c89842498000000 488d05d4c80700 }
            // n = 7, score = 100
            //   b908000000           | dec                 eax
            //   e9????????           |                     
            //   4c8d4302             | mov                 dword ptr [esp + 0x308], edx
            //   4c39c6               | dec                 eax
            //   733d                 | lea                 edx, [0x25f420]
            //   4c89842498000000     | dec                 eax
            //   488d05d4c80700       | mov                 dword ptr [esp + 0x310], edx

        $sequence_9 = { c3 488b442420 c680b600000001 488b6c2438 4883c440 c3 488d0519361c00 }
            // n = 7, score = 100
            //   c3                   | mov                 eax, 8
            //   488b442420           | call                ecx
            //   c680b600000001       | dec                 eax
            //   488b6c2438           | mov                 edx, eax
            //   4883c440             | mov                 eax, 0xa
            //   c3                   | call                ecx
            //   488d0519361c00       | dec                 eax

    condition:
        // Any 7 of the 10 $sequence_* strings must be present; the size cap
        // (7193600 bytes) is presumably derived from the documented sample --
        // verify it against the samples you scan before tightening or relaxing it.
        // No PE header check is included, so the rule also applies to memory
        // dumps without an MZ header (consistent with the DISCLAIMER above).
        7 of them and filesize < 7193600
}