those SunBurst / SolarWinds hashes


Royce Williams
 

If anyone's doing analysis and needs a list of what all of the hashes are used for, I made a reference:
As of this morning, it's complete - all hashes have been cracked. We (my usual cracking collaborators) didn't get the last three stragglers - another researcher, a non-cracking-specialist, had already gotten them all!

https://twitter.com/TychoTithonus/status/1341024203303124992

One of my crackin' colleagues has also submitted a PR to add each one as comments to this deobfuscated/defanged code, to assist with analysis:

https://github.com/etlownoise/fakesunburst/pull/1/files

Once that PR is accepted (or if you just pull the submitter's fork), you can read the source code with each hash's solution in context. The etlownoise deobfuscation is one of the best quality, I'm told - and it can even be used in the lab for testing if needed, due to its being defanged (but YMMV, I haven't done this myself, use caution, etc etc.)

Royce

-- 
Royce Williams
Tech Solvency
