100 Days of YARA – Day 30: CRC32

CRC32 is an error-detecting algorithm common in networking software. It is also a popular choice for hashing APIs, program names, and the like due to its ease of implementation.

This article shows Gootkit malware employing CRC32 to hash program names to avoid simple matches with strings or similar tools: https://www.lastline.com/labsblog/evasive-malware-tricks/

More links to malware abusing CRC32 in a similar fashion can be found here: https://pinboard.in/u:droberson/t:crc32/

Although this rule may have a lot of false-positive matches, it is useful to know that a sample may have implemented CRC32, as this may speed up analysis.

rule crypto_constants_crc32
{
	meta:
		author = "Daniel Roberson"
		description = "crc32 constants"

	strings:
		$r4 = { 96300777 }
		$r5 = { 2c610eee }
		$r6 = { ba510999 }
		$r7 = { 19c46d07 }
		$r8 = { 8ff46a70 }
/*$r9 = { 35a563e9 }
$r10 = { a395649e }
$r11 = { 3288db0e }
$r12 = { a4b8dc79 }
$r13 = { 1ee9d5e0 }
$r14 = { 88d9d297 }
$r15 = { 2b4cb609 }
$r16 = { bd7cb17e }
$r17 = { 072db8e7 }
$r18 = { 911dbf90 }
$r19 = { 6410b71d }
$r20 = { f220b06a }
$r21 = { 4871b9f3 }
$r22 = { de41be84 }
$r23 = { 7dd4da1a }
$r24 = { ebe4dd6d }
$r25 = { 51b5d4f4 }
$r26 = { c785d383 }
$r27 = { 56986c13 }
*/
	condition:
		all of them
}

YARA Rules Index

One thought on “100 Days of YARA – Day 30: CRC32

  1. Pingback: Week 04 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s