| ID | C0032 |
| Objective(s) | Data |
| Related ATT&CK Techniques | None |
| Version | 2.0 |
| Created | 13 October 2020 |
| Last Modified | 5 December 2023 |
Malware may derive a checksum from some block of data. The checksum is often used for data validation.
| Name | ID | Description |
|---|---|---|
| Adler | C0032.005 | Malware computes an Adler checksum. |
| BSD | C0032.003 | Malware computes a BSD checksum. |
| CRC32 | C0032.001 | Malware computes a CRC32 checksum. |
| Luhn | C0032.002 | Malware uses Luhn algorithm, often to validate identification numbers (e.g, credit card number). |
| Name | Date | Method | Description |
|---|---|---|---|
| Dark Comet | 2008 | C0032.001 | Dark Comet hashes data with CRC32. [1] |
| Gamut | 2014 | C0032.001 | Gamut hashes data with CRC32. [1] |
| Locky Bart | 2017 | C0032.001 | Locky Bart hashes data with CRC32. [1] |
| UP007 | 2016 | C0032.001 | UP007 hashes data with CRC32. [1] |
| Tool: capa | Mapping | APIs |
|---|---|---|
| validate payment card number using luhn algorithm | Checksum::Luhn (C0032.002) | -- |
| compute adler32 checksum | Checksum::Adler (C0032.005) | -- |
| hash data with CRC32 | Checksum::CRC32 (C0032.001) | RtlComputeCrc32 |
| validate payment card number using luhn algorithm with lookup table | Checksum::Luhn (C0032.002) | -- |
| validate payment card number using luhn algorithm with no lookup table | Checksum::Luhn (C0032.002) | -- |
[1] capa v4.0, analyzed at MITRE on 10/12/2022