{
	"id": "abee914c-06d1-4d0d-9c32-8074ac6233c8",
	"created_at": "2026-04-06T00:15:08.082296Z",
	"updated_at": "2026-04-10T03:21:22.663751Z",
	"deleted_at": null,
	"sha1_hash": "d8ca889dd6d282001d49b474535689d83e1de167",
	"title": "Analysis of the ShadowHammer backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 382385,
	"plain_text": "Analysis of the ShadowHammer backdoor\r\nBy mauronz\r\nPublished: 2019-03-27 · Archived: 2026-04-05 22:39:53 UTC\r\nOn March 25, Kim Zetter published an astonishing story describing a supply-chain attack against ASUS that ran between June and November 2018. The ASUS Live Update software was backdoored in order to attack a very specific group of targets. The campaign, named ShadowHammer, was discovered and investigated by Kaspersky Lab, which will present the full details during SAS2019.\r\nNOTE: as of yet Kaspersky has published only a single sample of the backdoor (MD5 hash: aa15eb28292321b586c27d8401703494), so the analysis and the considerations presented in this post are specific to that sample. Once more samples come out, some adjustments may become necessary.\r\nThe backdoored setup.exe\r\nThe ASUS software is distributed as a zip archive containing 3 files: setup.exe and two versions of 409.msi. The backdoor resides in setup.exe, and the malicious code is executed just before the program exits.\r\nThe call to execute_backdoor overwrites a call to a legitimate function just before the execution of ExitProcess.\r\nhttps://mauronz.github.io/shadowhammer-backdoor\r\nPage 1 of 6\r\nexecute_backdoor is straightforward. First, it allocates a region of memory with read, write and execute permissions. It then retrieves the encrypted shellcode data using hardcoded offsets and decrypts it into the allocated memory. Finally, it calls the entrypoint of the shellcode, once again at a hardcoded offset.\r\nIt is worth noting that the two functions used to execute the malicious shellcode, execute_backdoor and decrypt, are both located at the end of the .text section of the executable. 
This indicates that they were patched directly into the already compiled binary, rather than compiled in from source.\r\nThe shellcode\r\nThe shellcode starts by dynamically loading the DLLs it needs and then retrieves the addresses of the required exported functions. The most interesting ones are iphlpapi.dll, used to retrieve the MAC addresses of the machine, and wininet.dll, used for the communication with the C\u0026C.\r\nThe next step is to get the MAC addresses of all the interfaces. To obtain this information, the shellcode uses the API function GetAdaptersAddresses. To avoid revealing the targeted addresses, the authors of the backdoor stored only their MD5 hashes. The check is therefore performed hash against hash: for each interface of the machine, the shellcode computes the MD5 hash of its MAC address and compares it with the stored values.\r\nWe can now look at how the backdoor checks whether the retrieved MAC addresses match any of the targeted ones. The data of each target is stored in the following data structure:\r\nstruct mac_data {\r\n    DWORD type;\r\n    BYTE md5_hash1[0x10];\r\n    DWORD sep1;\r\n    BYTE md5_hash2[0x10];\r\n    DWORD sep2;\r\n};\r\nsep1 and sep2 are always 0. type can be either 1 or 2. If type is 1, the machine matches this target as soon as one of its MAC addresses has an MD5 equal to md5_hash1; in that case md5_hash2 is filled with 0. If instead type is 2, both md5_hash1 and md5_hash2 hold an actual value, and both must be found among the MAC addresses of the machine for the target to match.\r\nIn the example below, we can see type in red, md5_hash1 in blue and md5_hash2 in green.\r\nAs mentioned by Vitaly Kamluk from Kaspersky Lab, the complete list of targets is scattered among different samples of the backdoor. 
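To make the matching logic concrete, the following Python script is an added example written for this page; it is not code from the original post or from the backdoor itself. It packs and parses entries in the mac_data layout described above, hashes the MAC addresses of a machine, applies the type 1 / type 2 rule, and builds the beacon URL from the matched md5_hash1. Two entries reuse hashes quoted in the target list at the end of this post; the other two entries, their MAC addresses and all function names (mac_md5, pack_targets, parse_targets, find_match, check_machine) are constructed for the example. The post does not state the exact byte form the shellcode hashes, so hashing the raw 6 bytes of the address is an assumption, as is the little-endian layout of the DWORD fields.

```python
import hashlib
import struct

# One target entry in the mac_data layout from the post: DWORD type,
# BYTE md5_hash1[16], DWORD sep1, BYTE md5_hash2[16], DWORD sep2.
# Little-endian DWORDs are assumed (x86 shellcode); 44 bytes per entry.
MAC_DATA = struct.Struct('<I16sI16sI')
ZERO_HASH = bytes(16)


def mac_md5(mac):
    # MD5 over the raw 6 bytes of the address (assumption, see the lead-in).
    # Accepts aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, any case.
    raw = bytes.fromhex(mac.replace(':', '').replace('-', ''))
    if len(raw) != 6:
        raise ValueError('expected a 6-byte MAC address, got %r' % mac)
    return hashlib.md5(raw).digest()


def pack_targets(entries):
    # Serialise (type, md5_hash1, md5_hash2) tuples into the struct layout;
    # sep1/sep2 are always 0 and a type 1 entry carries an all-zero md5_hash2.
    out = bytearray()
    for typ, h1, h2 in entries:
        out += MAC_DATA.pack(typ, h1, 0, h2 if typ == 2 else ZERO_HASH, 0)
    return bytes(out)


def parse_targets(blob):
    # Walk a table of entries and enforce the invariants the post describes.
    if len(blob) % MAC_DATA.size:
        raise ValueError('table length is not a multiple of %d' % MAC_DATA.size)
    entries = []
    for off in range(0, len(blob), MAC_DATA.size):
        typ, h1, sep1, h2, sep2 = MAC_DATA.unpack_from(blob, off)
        if sep1 or sep2 or typ not in (1, 2):
            raise ValueError('malformed entry at offset %#x' % off)
        if typ == 1 and h2 != ZERO_HASH:
            raise ValueError('type 1 entry with non-zero md5_hash2 at offset %#x' % off)
        entries.append((typ, h1, h2))
    return entries


def find_match(entries, macs):
    # Hash every interface once, then apply the rule: type 1 needs md5_hash1
    # present, type 2 needs both hashes present. Returns the matched md5_hash1.
    present = {mac_md5(m) for m in macs}
    for typ, h1, h2 in entries:
        if h1 in present and (typ == 1 or h2 in present):
            return h1
    return None


def beacon_url(h1):
    # Defanged C2 URL from the post, followed by the hex encoding of md5_hash1.
    return 'hxxps://asushotfix[.]com/logo2.jpg?' + h1.hex()


# Two entries taken from the target list at the end of the post ...
REAL_TYPE2 = (2, bytes.fromhex('00b006c7dab6ace6c25c3799eb2b6e14'),
              bytes.fromhex('5977baa3f8ce0ca1c96d6ac9a40c9a91'))
REAL_TYPE1 = (1, bytes.fromhex('409d8eebce8546e56a0ad740667aadbd'), ZERO_HASH)
# ... and two constructed entries with known MACs (locally administered range,
# not from any real sample) so both branches of the rule can be exercised.
LAB_MAC_A = '02:00:5e:10:00:01'
LAB_MAC_B = '02:00:5e:10:00:02'
LAB_MAC_C = '02:00:5e:10:00:03'
LAB_TYPE2 = (2, mac_md5(LAB_MAC_A), mac_md5(LAB_MAC_B))
LAB_TYPE1 = (1, mac_md5(LAB_MAC_C), ZERO_HASH)

TABLE = pack_targets([REAL_TYPE2, REAL_TYPE1, LAB_TYPE2, LAB_TYPE1])


def check_machine(macs):
    # End-to-end decision for one machine: parse the table, test its MACs and
    # return the URL the shellcode would request, or None if it is not a target.
    h1 = find_match(parse_targets(TABLE), macs)
    return beacon_url(h1) if h1 else None


if __name__ == '__main__':
    print(check_machine([LAB_MAC_A]))                       # None: type 2 needs both
    print(check_machine([LAB_MAC_A, LAB_MAC_B]))            # URL for LAB_TYPE2
    print(check_machine([LAB_MAC_C, 'de:ad:be:ef:00:01']))  # URL for LAB_TYPE1
```

Only a machine carrying both MACs of a type 2 entry, or the single MAC of a type 1 entry, produces a URL. The same functions work as a triage aid: feed the 44-byte entries carved from a decrypted copy of the shellcode to parse_targets and the MACs collected from a fleet to find_match, and you learn whether any host was a target without ever needing the cleartext addresses.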
This specific sample contains 18 of them.\r\nTarget identified\r\nIf the MAC addresses match one of the entries in the target list, the shellcode contacts the C\u0026C at the following URL:\r\nhxxps://asushotfix[.]com/logo2.jpg?\r\nfollowed by the hex encoding of the matched md5_hash1.\r\nUsing the WININET APIs, the second-stage shellcode is downloaded and saved in another memory region with read, write and execute permissions. Finally it is executed.\r\nNot a target\r\nIf instead the current machine is not a target, the shellcode performs one final action. It creates a file named idx.ini in the folder of the current user, where it stores a date one week after the current one. The purpose of this file is unclear.\r\nAt least for this sample, the backdoor does not perform any malicious activity on machines that are not targeted. There is no form of persistence, so the people behind ShadowHammer cannot regain execution unless the setup.exe file is run again by a user.\r\nList of target data\r\ntype: 2\r\n00b006c7dab6ace6c25c3799eb2b6e14\r\n5977baa3f8ce0ca1c96d6ac9a40c9a91\r\ntype: 1\r\n00b006c7dab6ace6c25c3799eb2b6e14\r\ntype: 1\r\n409d8eebce8546e56a0ad740667aadbd\r\ntype: 1\r\n7da42dd34574d4e1a7ea0e708e7bc9a6\r\ntype: 2\r\nade62a257adf118418c5b2913267543e\r\n4268aed64aa5fff2020d2447790d7d32\r\ntype: 1\r\n7b14c53fd3604cc1ebca5af4415afed5\r\ntype: 1\r\n3a8ea62e32b4ecbe33df500a28ebc873\r\ntype: 1\r\ncc16956c9506cd2bb389a7d7da2433bd\r\ntype: 2\r\nfe4ccc64159253a6019304f17102886d\r\nf241c3073a5777742c341472e2d43eec\r\ntype: 1\r\n4ec2564ace982dc58c1039bf6d6ea83c\r\ntype: 2\r\nab0cef9e5957129e23fba178120fa20b\r\nf758024e734077c70532e90251c5df02\r\ntype: 1\r\nf35a60617ab336de4daac799676d07b6\r\ntype: 1\r\n6a62ead801802a5c9ec828d0c1edbb5b\r\ntype: 1\r\n600c7b52e7f80832e3cee84fcec88b9d\r\ntype: 
2\r\n6e75b2d7470e9864d19e48cb360caf64\r\nfb559bcd103ee0fcb0cf4161b0fafb19\r\ntype: 1\r\n690ad61ec7859a0964216b66b5d33b1a\r\ntype: 2\r\n09da9df3a050afad0df0ef963b41b6e2\r\nfae3b06ab27f2b0f7c29bf7f2b03f83f\r\ntype: 1\r\nd4b958671f47bf5dcd08705d80de9a53\r\nSource: https://mauronz.github.io/shadowhammer-backdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://mauronz.github.io/shadowhammer-backdoor"
	],
	"report_names": [
		"shadowhammer-backdoor"
	],
	"threat_actors": [],
	"ts_created_at": 1775434508,
	"ts_updated_at": 1775791282,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8ca889dd6d282001d49b474535689d83e1de167.pdf",
		"text": "https://archive.orkl.eu/d8ca889dd6d282001d49b474535689d83e1de167.txt",
		"img": "https://archive.orkl.eu/d8ca889dd6d282001d49b474535689d83e1de167.jpg"
	}
}