#SolarWinds #SUNBURST malware checks for a long list of security processes and services running on the endpoint to try and evade detection. It does this by hashing the lowercase process name and comparing it against hardcoded values. Thread 👇
The hashing function isn't one I'm familiar with, FNV1A, but seems pretty straightforward to understand
FireEye did a great job in brute-forcing many of the hardcoded hashes and identified a big list of security tools that the malware is checking for

github.com/fireeye/sunbur…
There are many hashes that need to be identified so I've written a tool in Go which replicates the hashing algorithm.

Feed it a list of processes and it'll hash and compare them to the list of hardcoded hashes. I've already identified some that FireEye hadn't got to yet
You can grab a copy of my code here, hope it helps!

github.com/cybercdh/hacks…
Example output, green indicates a match in the hardcoded values:
Boom - another one.
5183687599225757871 : msmpeng
And another
10374841591685794123 : win64_remotex64
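The check described at the top of the thread, and the tool's "hash : name" output, as an added example in Go (not Colin Hardy's tool or FireEye's code): lowercase the process name, hash it with 64-bit FNV-1a and compare against the hardcoded list. The final XOR constant is not in the thread; it is the one from public decompilations of the SUNBURST sample and reproduces the msmpeng value shown above. The candidate process list is constructed.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"strings"
)

// Constant the sample XORs into the FNV-1a result. Not in the thread; taken
// from public decompilations of SUNBURST and checked against the msmpeng value.
const sunburstXOR uint64 = 6605813339339102567

// The two hardcoded values the thread shows as matched.
var threadHashes = []uint64{5183687599225757871, 10374841591685794123}

// SunburstHash lowercases the name, runs 64-bit FNV-1a (same offset basis
// and prime as Go's hash/fnv) over its bytes and applies the final XOR.
func SunburstHash(name string) uint64 {
	h := fnv.New64a()
	h.Write([]byte(strings.ToLower(name)))
	return h.Sum64() ^ sunburstXOR
}

// Match hashes every candidate and returns those whose hash is in the
// hardcoded list, keyed by lowercase name. Feeding a wordlist of process
// names through this is how unknown hashes get identified.
func Match(candidates []string, hardcoded []uint64) map[string]uint64 {
	want := make(map[uint64]bool, len(hardcoded))
	for _, hv := range hardcoded {
		want[hv] = true
	}
	found := map[string]uint64{}
	for _, c := range candidates {
		if hv := SunburstHash(c); want[hv] {
			found[strings.ToLower(c)] = hv
		}
	}
	return found
}

func main() {
	// Constructed candidate list, in the mixed case a process listing might show.
	candidates := []string{"MsMpEng", "explorer", "win64_remotex64", "notepad"}
	for name, hv := range Match(candidates, threadHashes) {
		fmt.Printf("%d : %s\n", hv, name) // same "hash : name" layout as the thread's output
	}
}
```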
