100 Days of YARA – Day 30: CRC32

On By DanielIn 100 days of Yara

CRC32 is an error-detecting algorithm common in networking software. It is also a popular choice for hashing APIs, program names, and the like due to its ease of implementation.

This article shows Gootkit malware employing CRC32 to hash program names to avoid simple matches with strings or similar tools: https://www.lastline.com/labsblog/evasive-malware-tricks/

More links to malware abusing CRC32 in a similar fashion can be found here: https://pinboard.in/u:droberson/t:crc32/

Although this rule may have a lot of false-positive matches, it is useful to know that a sample may have implemented CRC32, as this may speed up analysis.

rule crypto_constants_crc32
{
	meta:
		author = "Daniel Roberson"
		description = "crc32 constants"

	strings:
		$r4 = { 96300777 }
		$r5 = { 2c610eee }
		$r6 = { ba510999 }
		$r7 = { 19c46d07 }
		$r8 = { 8ff46a70 }
/*$r9 = { 35a563e9 }
$r10 = { a395649e }
$r11 = { 3288db0e }
$r12 = { a4b8dc79 }
$r13 = { 1ee9d5e0 }
$r14 = { 88d9d297 }
$r15 = { 2b4cb609 }
$r16 = { bd7cb17e }
$r17 = { 072db8e7 }
$r18 = { 911dbf90 }
$r19 = { 6410b71d }
$r20 = { f220b06a }
$r21 = { 4871b9f3 }
$r22 = { de41be84 }
$r23 = { 7dd4da1a }
$r24 = { ebe4dd6d }
$r25 = { 51b5d4f4 }
$r26 = { c785d383 }
$r27 = { 56986c13 }
*/
	condition:
		all of them
}

YARA Rules Index

One thought on “100 Days of YARA – Day 30: CRC32

  1. Pingback: Week 04 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s