100 Days of YARA – Day 8: Salsa20

Salsa20 is a stream cipher used by various ransomware software:

I took a similar approach to the rules in previous posts to find MD5 and SHA256 implementations. I found a constant by reading the source code of a Salsa20 implementation on GitHub and looking for unique constants: https://github.com/alexwebr/salsa20/blob/master/salsa20.c#L118-L125

This was able to detect Sodinokibi ransomware within my sample library:

https://www.virustotal.com/gui/file/f74c7a605588db80b0812de54ae0f5bf26fcaef8e7dce830a64cbeaddbac7673/community

rule salsa20_constants
{
	meta:
		description = "Salsa20 stream cipher constants. Used by various ransomware"
		reference = "https://github.com/alexwebr/salsa20/blob/master/salsa20.c#L118-L125"

	strings:
		$ = "expand 32-byte k"

	condition:
		all of them
}

YARA Rules Index

2 thoughts on “100 Days of YARA – Day 8: Salsa20

  1. Pingback: YARA Rules Index – DMFR SECURITY

  2. Pingback: Week 01 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s