16 lines
711 B
Text
16 lines
711 B
Text
rule malware_windows_moonlightmaze_loki2crypto
|
|
{
|
|
meta:
|
|
description = "Rule to detect hardcoded DH modulus used in 1996/1997 Loki2 sourcecode; #ifdef STRONG_CRYPTO /* 384-bit strong prime */"
|
|
reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
|
|
author = "Costin Raiu, Kaspersky Lab"
|
|
md5_1 = "19fbd8cbfb12482e8020a887d6427315"
|
|
md5_2 = "ea06b213d5924de65407e8931b1e4326"
|
|
md5_3 = "14ecd5e6fc8e501037b54ca263896a11"
|
|
md5_4 = "e079ec947d3d4dacb21e993b760a65dc"
|
|
md5_5 = "edf900cebb70c6d1fcab0234062bfc28"
|
|
strings:
|
|
$modulus = {DA E1 01 CD D8 C9 70 AF C2 E4 F2 7A 41 8B 43 39 52 9B 4B 4D E5 85 F8 49}
|
|
condition:
|
|
$modulus
|
|
}
|