100 Days of YARA – Day 8: Salsa20

Salsa20 is a stream cipher used by various ransomware software:

I took a similar approach to the rules in previous posts to find MD5 and SHA256 implementations. I found a constant by reading the source code of a Salsa20 implementation on GitHub and looking for unique constants: https://github.com/alexwebr/salsa20/blob/master/salsa20.c#L118-L125

This was able to detect Sodinokibi ransomware within my sample library:


rule salsa20_constants
		description = "Salsa20 stream cipher constants. Used by various ransomware"
		reference = "https://github.com/alexwebr/salsa20/blob/master/salsa20.c#L118-L125"

		$ = "expand 32-byte k"

		all of them

YARA Rules Index

2 thoughts on “100 Days of YARA – Day 8: Salsa20

  1. Pingback: YARA Rules Index – DMFR SECURITY

  2. Pingback: Week 01 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s