I recently came across a malware sample that included the following, mysterious string:<\/p>\n\n\n\n
961c151d2e87f2686a955a9be24d316f1362bf21 [digit].[digit].[digit]<\/code><\/pre>\n\n\n\nThere are a few versions of this strings out there (extracted from a few malware samples downloaded in 2023):<\/p>\n\n\n\n
961c151d2e87f2686a955a9be24d316f1362bf21 2.1.1\n961c151d2e87f2686a955a9be24d316f1362bf21 3.5.0\n961c151d2e87f2686a955a9be24d316f1362bf21 3.6.1\n961c151d2e87f2686a955a9be24d316f1362bf21 3.9.1\n961c151d2e87f2686a955a9be24d316f1362bf21 3.11.2<\/pre>\n\n\n\nThe way this string is formed triggered my curiosity – it kinda looked like someone was using this hash on purpose to track the use of their code. So, I googled around and not only found<\/a> a few more occurrences of this string, but also found a yara rule<\/a> (PDF warning) that referenced it. <\/p>\n\n\n\nI had to know where it came from. <\/p>\n\n\n\n
Due to its length, I obviously suspected it is a SHA1 hash, but couldn’t figure out what secret text was hashed to create it. Eventually, I just asked<\/a> \ud83d\ude42<\/p>\n\n\n\nThe answer turned out to be pretty simple:<\/p>\n\n\n\n
echo \"JSON for Modern C++\" | sha1sum<\/pre>\n\n\n\nThanks to Niels<\/a> for revealing the secret \ud83d\ude42<\/p>\n\n\n\nTwo lessons from this little exercise:<\/p>\n\n\n\n
\n- If you don’t know, just ask<\/li>\n\n\n\n
- When you write Yara rules, make sure you are not using ‘clean’ strings<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
I recently came across a malware sample that included the following, mysterious string: There are a few versions of this strings out there (extracted from a few malware samples downloaded in 2023): 961c151d2e87f2686a955a9be24d316f1362bf21 2.1.1 961c151d2e87f2686a955a9be24d316f1362bf21 3.5.0 961c151d2e87f2686a955a9be24d316f1362bf21 3.6.1 961c151d2e87f2686a955a9be24d316f1362bf21 3.9.1 … Continue reading