rule pygmy_goat_aes_key {
	meta:
		author = "NCSC"
		description = "Pygmy Goat AES key built on the stack or in data"
		date = "2024-10-22"
		hash1 = "71f70d61af00542b2e9ad64abd2dda7e437536ff"
	strings:
		$dword_1 = { 59 4B 6E 77 }
		$dword_2 = { 51 6A 6D 41 }
		$dword_3 = { 54 62 41 6E }
		$dword_4 = { 52 6F 5A 6D }
		$dword_5 = { 30 66 47 37 }
		$dword_6 = { 55 5A 57 62 }
		$dword_7 = { 32 59 55 78 }
		$dword_8 = { 55 51 50 77 }
	condition:
		(uint32(0) == 0x464c457f) and all of them
}