Sneed-Reactivity/yara-mikesxrs/AirBnB/malware_windows_moonlightmaze_loki2crypto.yara

17 lines
711 B
Text
Raw Permalink Normal View History

rule malware_windows_moonlightmaze_loki2crypto
{
meta:
description = "Rule to detect hardcoded DH modulus used in 1996/1997 Loki2 sourcecode; #ifdef STRONG_CRYPTO /* 384-bit strong prime */"
reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
author = "Costin Raiu, Kaspersky Lab"
md5_1 = "19fbd8cbfb12482e8020a887d6427315"
md5_2 = "ea06b213d5924de65407e8931b1e4326"
md5_3 = "14ecd5e6fc8e501037b54ca263896a11"
md5_4 = "e079ec947d3d4dacb21e993b760a65dc"
md5_5 = "edf900cebb70c6d1fcab0234062bfc28"
strings:
$modulus = {DA E1 01 CD D8 C9 70 AF C2 E4 F2 7A 41 8B 43 39 52 9B 4B 4D E5 85 F8 49}
condition:
$modulus
}