Skip to content

The following repository contains a modified version of SUNBURST with cracekd hashes, comments and annotations.

Notifications You must be signed in to change notification settings

ITAYC0HEN/SUNBURST-Cracked

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 

Repository files navigation

Sunburst Cracked

Sunburst is the trojaned version of SolarWinds Orion that contains a malicious backdoor in a class named OrionImprovementBusinessLayer.

The following repository contains a modified version of this decompiled class with the following modifications:

  • Deobfuscated Strings
  • Inline comments with the cracked values per each FNV-1a hash
  • Additional inline comments

An examples of inline comments:

private static readonly ulong[] assemblyTimeStamps = new ulong[]
{
    2597124982561782591UL	/* apimonitor-x64 (Rohitab - RE/Malware analysis) */,
    2600364143812063535UL	/* apimonitor-x86 (Rohitab - RE/Malware analysis) */,
    13464308873961738403UL	/* autopsy64 (Autopsy - Forensics) */,
    4821863173800309721UL	/* autopsy (Autopsy - Forensics) */,
    ...
    ...

The decompiled class was extracted from the following sample: ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6

Acknowledgements

The analysis and comments in the modified class are based on work conducted by the community and I. Specifically, I want to refer and thank to these works:

  • The entire community who worked on cracking these hashes - The cracked hashes can be found on FireEye's repository
  • The Hashcat team and Royce Williams for their detailed work on these hashes

About

The following repository contains a modified version of SUNBURST with cracekd hashes, comments and annotations.

Resources

Stars

Watchers

Forks

Releases

No releases published

Sponsor this project

Packages

No packages published

Languages