| ID | Objective(s) | Related ATT&CK Techniques | Version | Created | Last Modified |
|---|---|---|---|---|---|
| C0032 | Data | None | 2.0 | 13 October 2020 | 5 December 2023 |

Checksum

Malware may compute a checksum over a block of data. The checksum is most often used for data validation, for example to confirm that a payload was received or decoded intact before it is used. A checksum detects accidental corruption only; it is not a cryptographic hash and gives no protection against deliberate modification.

Methods

| Name | ID | Description |
|---|---|---|
| Adler | C0032.005 | Malware computes an Adler checksum. |
| BSD | C0032.003 | Malware computes a BSD checksum. |
| CRC32 | C0032.001 | Malware computes a CRC32 checksum. |
| Luhn | C0032.002 | Malware uses the Luhn algorithm, often to validate identification numbers (e.g., credit card numbers). |
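The four methods above, as an added worked example in Python (this is illustrative code written for this page, not MBC or capa code). It implements table-driven CRC32, Adler-32, the BSD 16-bit checksum and a Luhn check, cross-checks the first two against `zlib`, and adds a small scanner, `find_luhn_valid_runs`, that picks Luhn-valid digit runs of card-number length out of a buffer, which is the pattern the Luhn method describes. The `SAMPLE_BUFFER` is constructed for the example and contains no real card data; the function and constant names are the example's own.

```python
import zlib

# Polynomial and table constants are the standard reflected CRC-32 (IEEE 802.3)
# values; the same constants appear in a binary that implements CRC32 inline,
# which is how an analyst spots the algorithm when there are no symbols.
CRC32_POLY = 0xEDB88320


def make_crc32_table(poly=CRC32_POLY):
    """Build the 256-entry lookup table used by table-driven CRC32."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


CRC32_TABLE = make_crc32_table()


def crc32(data, crc=0):
    """Table-driven CRC32 with the usual pre/post inversion; matches zlib.crc32."""
    crc ^= 0xFFFFFFFF
    for byte in data:
        crc = CRC32_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def adler32(data, value=1):
    """Adler-32 (RFC 1950): two 16-bit sums modulo 65521, b in the high half."""
    a = value & 0xFFFF
    b = (value >> 16) & 0xFFFF
    for byte in data:
        a = (a + byte) % 65521
        b = (b + a) % 65521
    return (b << 16) | a


def bsd_checksum(data):
    """BSD sum(1) 16-bit checksum: rotate right by one, then add each byte."""
    total = 0
    for byte in data:
        total = (total >> 1) | ((total & 1) << 15)   # 16-bit rotate right
        total = (total + byte) & 0xFFFF
    return total


def luhn_valid(number):
    """Luhn check: double every second digit from the right, subtract 9 if the
    result exceeds 9, and require the digit sum to be divisible by 10."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    if not digits:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_luhn_valid_runs(buf, min_len=13, max_len=19):
    """Scan a byte buffer for digit runs of card-number length that pass Luhn.
    This is the filtering step a scraper applies to candidate numbers; here it
    runs only over the constructed sample below."""
    hits = []
    run = bytearray()
    for byte in buf + b"\x00":          # trailing sentinel flushes the last run
        if 0x30 <= byte <= 0x39:        # ASCII '0'..'9'
            run.append(byte)
            continue
        if min_len <= len(run) <= max_len and luhn_valid(run.decode()):
            hits.append(run.decode())
        run = bytearray()
    return hits


# Constructed sample buffer (not real card data): one Luhn-valid test number,
# the same number with a one-digit error, and an unrelated short digit run.
SAMPLE_BUFFER = (
    b"track=4539148803436467;exp=1229\x00"
    b"bad=4539148803436468\x00"
    b"port=8080\x00"
)


def check_against_zlib(data=b"123456789"):
    """Confirm the hand-rolled CRC32 and Adler-32 agree with zlib."""
    return (crc32(data) == (zlib.crc32(data) & 0xFFFFFFFF)
            and adler32(data) == (zlib.adler32(data) & 0xFFFFFFFF))


if __name__ == "__main__":
    print(f"crc32('123456789')   = {crc32(b'123456789'):#010x}")    # 0xcbf43926
    print(f"adler32('Wikipedia') = {adler32(b'Wikipedia'):#010x}")  # 0x11e60398
    print("CRC32 table[1]       =", hex(CRC32_TABLE[1]))            # 0x77073096
    print("Luhn-valid runs      =", find_luhn_valid_runs(SAMPLE_BUFFER))
    print("matches zlib         =", check_against_zlib())
```

When triaging an unknown sample, the constants are the quickest tell: `0xEDB88320` (or the non-reflected `0x04C11DB7`) and table entries such as `0x77073096` indicate an inline CRC32, `65521` (`0xFFF1`) indicates Adler-32, and a loop that doubles alternate digits and subtracts 9 indicates Luhn. On Windows, a call to `RtlComputeCrc32` gives the same result without any inline table.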

Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| Dark Comet | 2008 | C0032.001 | Dark Comet hashes data with CRC32. [1] |
| Gamut | 2014 | C0032.001 | Gamut hashes data with CRC32. [1] |
| Locky Bart | 2017 | C0032.001 | Locky Bart hashes data with CRC32. [1] |
| UP007 | 2016 | C0032.001 | UP007 hashes data with CRC32. [1] |

Detection

| Tool: capa | Mapping | APIs |
|---|---|---|
| validate payment card number using luhn algorithm | Checksum::Luhn (C0032.002) | -- |
| compute adler32 checksum | Checksum::Adler (C0032.005) | -- |
| hash data with CRC32 | Checksum::CRC32 (C0032.001) | RtlComputeCrc32 |
| validate payment card number using luhn algorithm with lookup table | Checksum::Luhn (C0032.002) | -- |
| validate payment card number using luhn algorithm with no lookup table | Checksum::Luhn (C0032.002) | -- |

References

[1] capa v4.0, analyzed at MITRE on 10/12/2022