The secret of 961c151d2e87f2686a955a9be24d316f1362bf21

I recently came across a malware sample that included the following, mysterious string:

961c151d2e87f2686a955a9be24d316f1362bf21 [digit].[digit].[digit]

There are a few versions of this string out there (extracted from a few malware samples downloaded in 2023):

961c151d2e87f2686a955a9be24d316f1362bf21 2.1.1
961c151d2e87f2686a955a9be24d316f1362bf21 3.5.0
961c151d2e87f2686a955a9be24d316f1362bf21 3.6.1
961c151d2e87f2686a955a9be24d316f1362bf21 3.9.1
961c151d2e87f2686a955a9be24d316f1362bf21 3.11.2

The way this string is formed triggered my curiosity – it kinda looked like someone was using this hash on purpose to track the use of their code. So, I googled around and not only found a few more occurrences of this string, but also found a yara rule (PDF warning) that referenced it.

I had to know where it came from.

Due to its length, I obviously suspected it is a SHA1 hash, but couldn’t figure out what secret text was hashed to create it. Eventually, I just asked 🙂

The answer turned out to be pretty simple:

echo "JSON for Modern C++" | sha1sum

Thanks to Niels for revealing the secret 🙂

Two lessons from this little exercise:

  • If you don’t know, just ask
  • When you write Yara rules, make sure you are not using ‘clean’ strings
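
A check for the second lesson, as an added example that is not part of the original post: before a hash-like string goes into a Yara rule, test whether it is simply the SHA-1 of a known clean project name, hashed the way the echo | sha1sum command above does it (echo appends a newline). The function names and the "Example Clean Library" entry are assumptions made for illustration.

```python
import hashlib
import re

# Project names to try as hash preimages. The first is the answer given in
# the post; the second is a constructed placeholder for illustration.
KNOWN_CLEAN_NAMES = ["JSON for Modern C++", "Example Clean Library"]

# Exactly 40 hex digits, optionally followed by a dotted version number.
MARKER_RE = re.compile(r"\b([0-9a-f]{40})\b(?:\s+(\d+\.\d+\.\d+))?")


def echo_sha1(text):
    """SHA-1 as produced by `echo "text" | sha1sum`: echo appends a newline."""
    return hashlib.sha1((text + "\n").encode()).hexdigest()


def build_lookup(names):
    """Map SHA-1 hex digest -> clean project name."""
    return {echo_sha1(name): name for name in names}


def vet_candidates(candidates, names=KNOWN_CLEAN_NAMES):
    """Return (candidate, digest, version, clean_name_or_None) per hash-like token."""
    lookup = build_lookup(names)
    findings = []
    for cand in candidates:
        for m in MARKER_RE.finditer(cand.lower()):
            digest, version = m.group(1), m.group(2)
            findings.append((cand, digest, version, lookup.get(digest)))
    return findings


if __name__ == "__main__":
    # Constructed candidate list: one marker from the post, one constructed
    # clean marker, and one string with no hash-like token.
    candidates = [
        "961c151d2e87f2686a955a9be24d316f1362bf21 3.11.2",
        echo_sha1("Example Clean Library") + " 1.0.0",
        "no hash-like token here",
    ]
    for cand, digest, version, name in vet_candidates(candidates):
        verdict = f"clean marker of {name!r}" if name else "unresolved, review"
        print(f"{digest} version={version}: {verdict}")
```

A digest that resolves to a clean project name identifies the library, not the malware, so it does not belong in the rule as a detection string.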