{
	"id": "dd87b41b-75d0-4883-bcb7-2238aa7f01db",
	"created_at": "2026-04-06T00:16:19.625287Z",
	"updated_at": "2026-04-10T03:22:06.170371Z",
	"deleted_at": null,
	"sha1_hash": "8fa403efc0f579277a41023d23be1ea4ebcd1652",
	"title": "Reassembling Victim Domain Fragments from SUNBURST DNS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 110768,
	"plain_text": "Reassembling Victim Domain Fragments from SUNBURST DNS\r\nBy Erik Hjelmvik\r\nPublished: 2020-12-17 · Archived: 2026-04-02 11:06:39 UTC\r\n, \r\nThursday, 17 December 2020 22:30:00 (UTC/GMT)\r\nWe are releasing a free tool called SunburstDomainDecoder today, which is created in order to help CERT\r\norganizations identify victims of the trojanized SolarWinds software update, known as SUNBURST or Solorigate.\r\nSunburstDomainDecoder can be fed with DNS queries to avsvmcloud.com in order to reveal the full internal\r\ndomain names of infected companies and organizations.\r\nUPDATE December 18, 2020 (v1.1)\r\nSunburstDomainDecoder has now been updated to automatically reassemble fragmented domain name segments\r\nin order to show the full domain in the output.\r\nUPDATE December 19, 2020 (v1.2)\r\nDomain names that have been base32 encoded, such as domain names with uppercase letters, can now be\r\nextracted with SunburstDomainDecoder. The queried SUNBURST subdomains are now also included in the\r\noutput.\r\nUPDATE December 21, 2020 (v1.6)\r\nImproved parsing of base32 encoded domain names. SUNBURST victim domains like \"LKDataCenter.com\",\r\n\"Sunkistgrowers.com\" and \"BrokenArrow.Local\" can now be extracted.\r\nUPDATE December 27, 2020 (v1.7)\r\nhttps://www.netresec.com/?page=Blog\u0026month=2020-12\u0026post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS\r\nPage 1 of 6\n\nImproved reassembly of long domain names, like \"CIMBMY.CIMBDomain.com\" and \"BE.AJINOMOTO-OMNICHEM.AD\", that get segmented into multiple parts. Extraction of time stamps and security applications,\r\nincluding \"Windows Defender\", \"Carbon Black\", \"CrowdStrike\", \"FireEye\", \"ESET\" and \"F-Secure\". See Sergei\r\nShevchenko's blog post Sunburst Backdoor, Part III: DGA \u0026 Security Software for more details.\r\nUPDATE January 4, 2021 (v1.8)\r\nSecurity products (WinDefend, ESET etc.) are now included in the summary output at the end. 
SUNBURST\r\nstage2 victims, which accept C2 domains in CNAME responses, are indicated with a \"STAGE2\" tag. The previous\r\nrelease marked stage2 queries with a \"DNSSEC\" tag. Improved extraction of truncated base32 domains, such as\r\n\"*TED.com\".\r\nUPDATE January 12, 2021 (v1.9)\r\nDNS queries with encoded timestamps are tagged with either \"AVProducts\" or \"Ping\", depending on whether they\r\ninclude an update of the installed/running security products and services or not. The summary data at the end has\r\nbeen modified to also show partial domain names, such as \"paloaltonetworks*\".\r\nUPDATE February 16, 2021 (v2.0)\r\nSlightly faster and even more accurate than previous versions.\r\nDownload SunburstDomainDecoder.zip\r\nSUNBURST DNS Traffic\r\nSUNBURST victims, who have installed one of the trojanized SolarWinds Orion software updates, will query for\r\ndomain names formatted like this:\r\n\u003cSUBDOMAIN\u003e.appsync-api.eu-west-1.avsvmcloud.com\r\n\u003cSUBDOMAIN\u003e.appsync-api.us-west-2.avsvmcloud.com\r\n\u003cSUBDOMAIN\u003e.appsync-api.us-east-1.avsvmcloud.com\r\n\u003cSUBDOMAIN\u003e.appsync-api.us-east-2.avsvmcloud.com\r\nThe \"SUBDOMAIN\" string has different values for each victim and the second half of this string actually contains\r\nan encoded domain name (encrypted with a simple substitution cipher).\r\nRedDrip's decode.py\r\nThe RedDrip Team published a SUNBURST DGA decoding script yesterday, which can be used to identify\r\nSUNBURST victim organizations like CISCO and Belkin by decoding the domain names encoded in the outgoing\r\nDNS queries for subdomains of avsvmcloud.com.\r\nThis is what it looks like when RedDrip's decode.py script is fed with domain names from John Bambenek's uniq-hostnames.txt file.\r\ncat uniq-hostnames.txt | python decode.py\r\n02m6hcopd17p6h450gt3.appsync-api.us-west-2.avsvmcloud.com 
.gh\r\n039n5tnndkhrfn5cun0y0sz02hij0b12.appsync-api.us-west-2.avsvmcloud.com ad001.mtk.lo\r\n04spiistorug1jq5o6o0.appsync-api.us-west-2.avsvmcloud.com isi\r\n060mpkprgdk087ebcr1jov0te2h.appsync-api.us-east-1.avsvmcloud.com belkin.com\r\n06o0865eliou4t0btvef0b12eu1.appsync-api.us-east-1.avsvmcloud.com gncu.local\r\n07605jn8l36uranbtvef0b12eu1.appsync-api.us-east-1.avsvmcloud.com gncu.local\r\n07q2aghbohp4bncce6vi0odsovertr2s.appsync-api.us-east-1.avsvmcloud.com csnt.princegeor\r\n07ttndaugjrj4pcbtvef0b12eu1.appsync-api.us-east-1.avsvmcloud.com gncu.local\r\n08amtsejd02kobtb6h07ts2fd0b12eu1.appsync-api.eu-west-1.avsvmcloud.com sm-group.local\r\n0b0fbhp20mdsv4scwo11r0oirssrc2vv.appsync-api.us-east-2.avsvmcloud.com ville.terrebonn\r\n[...]\r\nThe beauty of this approach is that passive DNS data can be used in order to reliably identify the victims. This is\r\ngreat news for national CERTs, because they typically have ready access to passive DNS data and can use the\r\ndecoded domain names in order to identify and reach out to victims in their country.\r\nAfter using the python script provided by the RedDrip Team I noticed two things:\r\n1. The leaked domain names were internal domain names used on the victim organizations' corporate\r\nnetworks. Many of the domains were using the \".local\" suffix.\r\n2. Most of the extracted domains were truncated to around 15 bytes, which makes it difficult to identify the\r\nvictim organization.\r\nFragmented Domains (originally titled \"Truncated Domains\")\r\nI later learned that what seemed to be truncated domains were actually fragmented domains, where long domain\r\nnames would be split into multiple queries. This revelation turns the output from RedDrip's python tool into an\r\ninteresting domain name puzzle. 
At this point I decided to take a closer look at the malicious SolarWinds update I\r\nhad downloaded from SolarWinds' website a few days ago -- yes, that's right, the malicious software update\r\n\"SolarWinds-Core-v2019.4.5220-Hotfix5.msp\" (MD5: 02af7cec58b9a5da1c542b5a32151ba1) was actually\r\navailable for download from SolarWinds' website long after they had been notified about their software being\r\nbackdoored!\r\nAs an example, let's take a closer look at this DNS query from John Bambenek's passive DNS data:\r\nr1qshoj05ji05ac6eoip02jovt6i2v0c.appsync-api.us-west-2.avsvmcloud.com\r\nThis query can be broken down into three parts:\r\n1. r1qshoj05ji05ac6 : What is encoded here???\r\n2. eoip02jovt6i2v0c : Base32 encoded string \"city.kingston.\"\r\n3. .appsync-api.us-west-2.avsvmcloud.com : DNS trailer without encoded data\r\nSo, which \"City of Kingston\", or \"Kingston City\", should we contact to let them know that they have installed a\r\ntrojanized SolarWinds update? Is it Kingston Jamaica, City of Kingston NY USA, City of Kingston Ontario\r\nCanada, Kingston City Tennessee USA or City of Kingston Australia?\r\nAfter analyzing the \"SolarWinds.Orion.Core.BusinessLayer.dll\" file (MD5: b91ce2fa41029f6955bff20079468448)\r\nfrom the \"SolarWinds-Core-v2019.4.5220-Hotfix5.msp\" I learned that the initial \"r1qshoj05ji05ac6\" string\r\nrepresents a unique \"GUID\" value for the infected machine. This GUID is generated by calculating an MD5\r\nhash of the MAC address of the first active non-Loopback network interface, the domain name and the\r\n\"MachineGuid\" registry key value in \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\".\r\nThis MD5 hash is then squeezed into a tiny 8 byte array by XOR'ing overlapping bytes. 
The \"CreateSecureString\"\r\nfunction in the trojanized SolarWinds update then \"encrypts\" this hash using XOR with a random key, which is\r\nprepended to the data. The XOR key and the XOR'ed data are then base32 encoded into what makes up the\r\nfirst part of the subdomain to query for. Don't let the SUNBURST source code below fool you, it is actually using\r\nbase32 encoding with a custom alphabet even though the function is called \"Base64Encode\":\r\nImage: SUNBURST source code generates a random value between 1 and 127 as XOR key\r\nEach DNS lookup from an infected machine will query for a unique subdomain because a new XOR key will be\r\ngenerated for each request. Luckily for us, this XOR key is provided in each request, so we can use it in order to\r\n\"decrypt\" the subdomain and get the original 8 bytes derived from the MAC+domain+MachineGuid MD5 hash.\r\nThe output from my \"SunburstDomainDecoder.exe\" tool will print the \"decrypted\" 8 byte GUID in the first\r\ncolumn, the decoded victim domain segment or timestamp in the second column and the queried SUNBURST\r\nsubdomain in the last column. 
Each DNS query line read from standard input will generate a \"GUID DecodedHostname SunburstSubdomain\" line on standard output.\r\nSunburstDomainDecoder.exe \u003c uniq-hostnames.txt\r\nF18613981DEC4D1A 2020-10-02T21:00:00.0000000Z 02m6hcopd17p6h450gt3\r\nBD6DEFBBE9FEA3A9 ad001.mtk.lo 039n5tnndkhrfn5cun0y0sz02hij0b12\r\n2BF8DE15406EA780 2020-08-25T03:00:00.0000000Z 043o9vacvthf0v95t81l\r\n573DEB889FC54130 2020-08-13T21:00:00.0000000Z,WindowsDefender_RUNNING,CrowdStrike_RUNNING 04jrge684mgk4eq8m8adfg7\r\n518092C8FD571806 2020-06-09T22:30:00.0000000Z 04r0rndp6aom5fq5g6p1\r\nF18613981DEC4D1A 2020-07-06T08:30:00.0000000Z 04spiistorug1jq5o6o0\r\nBC1CB013239B4B92 2020-04-25T10:00:00.0000000Z 05q2sp0v4b5ramdf71l7\r\n3ED2E979D53B2523 belkin.com 060mpkprgdk087ebcr1jov0te2h\r\n4225A5C345C1FC8E gncu.local 06o0865eliou4t0btvef0b12eu1\r\n[...]\r\nThe tool then finishes off by outputting the domains that are complete or at least have the last part of their domain\r\nintact. 
Some of these domains are complete because they were short enough to fit in one single SUNBURST DNS\r\nquery, while others have been pieced together by SunburstDomainDecoder from domain fragments arriving in\r\nseparate SUNBURST DNS queries.\r\n[...]\r\nF59BBAACBA3493C0 dufferincounty.on.ca\r\nF5D6AA262381B084 glu.com\r\nF9024D5B1E9717C6 gyldendal.local\r\nF90BDDB47E495629 central.pima.gov\r\nF956B5EF56BCF666 coxnet.cox.com\r\nF9A9387F7D252842 city.kingston.on.ca\r\nFB0B50553BC00DED gloucesterva.net\r\nFBB6164BC2B0DFAD ARYZTA.COM\r\nFD04AC52C95A1B0A bmrn.com\r\nFDFCAB8E4C0AB3EE ansc.gob.pe\r\nFE7FF8C9104A0508 thoughtspot.int\r\nFF6760F36DB3D7DC smes.org\r\nWe can now see that it was \"city.kingston.on.ca\" (City of Kingston, Ontario, Canada) who had installed a\r\ntrojanized SolarWinds update.\r\nDownload SunburstDomainDecoder\r\nThe C# source code and a compiled Windows binary for SunburstDomainDecoder are available here:\r\nhttps://www.netresec.com/files/SunburstDomainDecoder.zip\r\nThe source code and Windows binary are shared under a Creative Commons CC-BY license, which means that you\r\nare free to:\r\nShare: copy and redistribute the material in any medium or format\r\nAdapt: remix, transform, and build upon the material for any purpose, even commercially.\r\nProvided that you give appropriate credit, provide a link to the license, and indicate if changes were made.\r\nRunning SunburstDomainDecoder on Linux/MacOS\r\nWanna run SunburstDomainDecoder.exe but not in Windows? No problem, the tool runs perfectly fine in Mono.\r\nAnother option is to build SunburstDomainDecoder.cs as a .NET core project in Linux.\r\n.NET Reversing\r\nWould you like to verify my findings or learn more about .NET reverse engineering? 
Cool, then I'd recommend\r\nthat you download dnSpy in order to reverse engineer the SUNBURST .NET DLL (which can be extracted from\r\nthe msp installer with 7zip). Or you can have a look at the already extracted OrionImprovementBusinessLayer.cs\r\non GitHub.\r\nPosted by Erik Hjelmvik on Thursday, 17 December 2020 22:30:00 (UTC/GMT)\r\nTags: #SunburstDomainDecoder #SUNBURST #SolarWinds #Solorigate #XOR #domain #DNS #pDNS #Windows Defender #Carbon Black #FireEye #ESET #F-Secure #Trojan #avsvmcloud\r\nSource: https://www.netresec.com/?page=Blog\u0026month=2020-12\u0026post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.netresec.com/?page=Blog\u0026month=2020-12\u0026post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS"
	],
	"report_names": [
		"?page=Blog\u0026month=2020-12\u0026post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS"
	],
	"threat_actors": [],
	"ts_created_at": 1775434579,
	"ts_updated_at": 1775791326,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8fa403efc0f579277a41023d23be1ea4ebcd1652.pdf",
		"text": "https://archive.orkl.eu/8fa403efc0f579277a41023d23be1ea4ebcd1652.txt",
		"img": "https://archive.orkl.eu/8fa403efc0f579277a41023d23be1ea4ebcd1652.jpg"
	}
}