{
	"id": "fdfdeace-a1bf-4569-98d4-b5e8ee640022",
	"created_at": "2026-04-06T00:14:02.163123Z",
	"updated_at": "2026-04-10T13:12:13.880681Z",
	"deleted_at": null,
	"sha1_hash": "85411fe473183c377bef5ec52815e10ff0026626",
	"title": "The First Stage of ShadowHammer – One Night in Norfolk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 629941,
	"plain_text": "The First Stage of ShadowHammer – One Night in Norfolk\r\nPublished: 2019-03-27 · Archived: 2026-04-05 20:23:43 UTC\r\nOn 25 March, Kaspersky researchers published details of a supply chain compromise involving ASUS, a Taiwan-based computer manufacturer. As part of this compromise, a threat actor pushed malicious code to victims who connected to the company’s servers using the ASUS Live Update feature, which delivers drivers and other updates (this blog notes that such update platforms are common across all manufacturers).\r\nThe malicious code in question is a first-stage triage tool; details of the second-stage code have not yet been uncovered. This post documents the first-stage functionality of one of the identified variants, which compares the victim’s MAC address to a hardcoded list prior to communicating with a C2.\r\nMalware Workflow\r\nKaspersky provided a malicious hash in its original blog post; however, pivoting using content from a tweet from Costin Raiu yields additional files. Examination of these files (either through the VirusTotal platform or manually) indicates that they come in pairs: the smaller executables are hardcoded resources within the larger executables. A full hash list is available at the end of this post, and the hash used for this analysis is below.\r\nMD5: fa83ffde24f149f9f6d1d8bc05c0e023\r\nSHA1: b0127ce307589ef48e2658784dd83ef7aa26097b\r\nSHA256: c299b6dd210ab5779f3abd9d10544f9cae31cd5c6afc92c0fc16c8f43def7596\r\nAt the start of the malicious workflow for this code, the program dynamically resolves the LoadLibraryEx and GetProcAddress calls, which are in turn used to load additional APIs, including:\r\n– memcpy (ntdll)\r\n– memcmp (ntdll)\r\n– memset (ntdll)\r\n– MD5Init (ntdll)\r\n– MD5Update (ntdll)\r\n– MD5Final (ntdll)\r\n– GetAdaptersAddresses (iphlpapi)\r\n– InternetOpenA (wininet)\r\n– InternetOpenUrlA (wininet)\r\n– InternetQueryDataAvailable (wininet)\r\n– InternetReadFile (wininet)\r\nThe malware then allocates large sections of code to memory and begins the triage process. The first function in this workflow queries the device’s network adapters through the GetAdaptersAddresses API call resolved above, and the returned adapter information is stored in memory. Using the MD5Init, MD5Update, and MD5Final calls, the malware calculates an MD5 hash of each adapter’s MAC address and stores it in memory for later comparison. Documentation for these functions can be found here.\r\nThis workflow is shown below: the orange represents the parameters for the MD5Update call, one of which is the address (highlighted in blue) of the stored MAC address.\r\nAfter these hash values are calculated and stored, the program compares them to a hardcoded set of MD5s. This step determines whether or not the malware will call out to its C2. By comparing hashes of these values rather than the values themselves, the malware author increases the difficulty of identifying potential targets.\r\nAt a high level, if no match is found, the C2 routine is bypassed and the malware terminates shortly thereafter. A lower-level workflow for this is shown below:\r\nShould a match be found, the “test eax, eax” instruction will not set the zero flag, preventing the malware from jumping over the function and initiating the C2 call-out for the next (currently undisclosed) stage of activity:\r\nAdditional Indicators\r\nC2\r\nasushotfix[.]com\r\nSource: https://norfolkinfosec.com/the-first-stage-of-shadowhammer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://norfolkinfosec.com/the-first-stage-of-shadowhammer/"
	],
	"report_names": [
		"the-first-stage-of-shadowhammer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434442,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/85411fe473183c377bef5ec52815e10ff0026626.pdf",
		"text": "https://archive.orkl.eu/85411fe473183c377bef5ec52815e10ff0026626.txt",
		"img": "https://archive.orkl.eu/85411fe473183c377bef5ec52815e10ff0026626.jpg"
	}
}