I recently came across a sample that included the following mysterious string:
961c151d2e87f2686a955a9be24d316f1362bf21 [digit].[digit].[digit]
I googled around and not only found a few more occurrences of this string, but also found a YARA rule (PDF warning) that referenced it.
I had to know where it came from.
I suspected it was a SHA1 hash, but couldn’t figure out what secret text was hashed to create it. Eventually, I just asked 🙂
The answer turned out to be pretty simple:
echo "JSON for Modern C++" | sha1sum
Thanks to Niels for revealing the secret 🙂
Two lessons from this little exercise:
- If you don’t know, just ask
- When you write YARA rules, make sure you are not using ‘clean’ strings
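
One way to act on the second lesson, as an added example that is not part of the original post: check every candidate rule string against known-clean files, in both ASCII and wide form, before it goes into a rule. The corpus contents, file names, the `1.2.3` version suffix and the other candidate strings are constructed for illustration.

```python
"""Vet candidate YARA strings against known-clean files before using them."""

# Constructed stand-ins for a goodware corpus (name -> file bytes).
# In practice these would be read from a directory of known-clean binaries.
CLEAN_CORPUS = {
    "clean_tool_a.bin": b"\x7fELF\x02\x01"
    + b"961c151d2e87f2686a955a9be24d316f1362bf21 1.2.3\x00",
    "clean_tool_b.bin": b"MZ\x90\x00" + "parse error".encode("utf-16-le"),
}

# Constructed candidates pulled from a hypothetical sample's strings output.
CANDIDATES = [
    b"961c151d2e87f2686a955a9be24d316f1362bf21",  # library marker from the post
    b"parse error",                               # generic message
    b"constructed-family-marker",                 # stands in for a unique string
]


def encodings(candidate):
    """Yield the byte forms matched by YARA's `ascii` and `wide` modifiers."""
    yield "ascii", candidate
    # `wide` interleaves a zero byte after each character (UTF-16LE for ASCII).
    yield "wide", candidate.decode("latin-1").encode("utf-16-le")


def vet_strings(candidates, clean_corpus):
    """Return {candidate: [(clean_file, encoding), ...]} for every clean hit."""
    hits = {}
    for cand in candidates:
        found = []
        for name, data in sorted(clean_corpus.items()):
            for enc, needle in encodings(cand):
                if needle in data:
                    found.append((name, enc))
        hits[cand] = found
    return hits


def usable(candidates, clean_corpus):
    """Candidates that never appear in the clean corpus."""
    vetted = vet_strings(candidates, clean_corpus)
    return [cand for cand in candidates if not vetted[cand]]


if __name__ == "__main__":
    for cand, found in vet_strings(CANDIDATES, CLEAN_CORPUS).items():
        print("REJECT" if found else "ok    ", cand.decode(), found)
```

A string that survives this check is only as trustworthy as the clean corpus is broad, so the corpus should include software built with common open-source libraries.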