{
	"id": "85edcbc9-4ce1-4703-a9bf-d3daa545a754",
	"created_at": "2026-04-06T00:19:17.407916Z",
	"updated_at": "2026-04-10T03:20:07.272616Z",
	"deleted_at": null,
	"sha1_hash": "e6756795670c11bfc503016b2e4b5ed7135b37bb",
	"title": "Skylight Cyber | Unleash The Hash",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 122562,
	"plain_text": "Skylight Cyber | Unleash The Hash\r\nArchived: 2026-04-05 18:44:22 UTC\r\nTL;DR: The latest list of plain-text MAC addresses targeted in the ShadowHammer ASUS breach can be\r\ndownloaded here.\r\nYou can find the extended list containing more complete information here.\r\nLast Updated: 30/Mar/2019\r\nYou have probably heard of the ShadowHammer hack by now.\r\nA truly disturbing case that shows yet again that nothing can be 100% trusted, not even a formally signed update\r\nfrom a well-known vendor.\r\nAccording to available information, the threat actors have infected computers en-masse, but have targeted specific\r\nmachines based on their MAC address.\r\nThe question of who did this and why is intriguing, but not one we were trying to answer in this case.\r\nFirst things first - if information regarding targets exists, it should be made publicly available to the security\r\ncommunity so we can better protect ourselves.\r\nKaspersky have released an online tool that allows you to check your MAC address against a DB of victim MAC\r\naddresses (which is hidden).\r\nGood on Kaspersky on one hand, but on the other hand, this is highly inefficient, and does not really serve the\r\nsecurity community.\r\nSo, we thought it would be a good idea to extract the list and make it public so that every security practitioner\r\nwould be able to bulk compare them to known machines in their domain.\r\nIf you are interested in the list it can be downloaded here or here for the extended list.\r\nIf you are interested in learning how we extracted it, read on, it was a short yet sweet ride, kind of like the CTFs\r\nwe love so much, and thank you Kaspersky for the challenge!\r\nPhase I - getting the bulk list in binary format\r\nIn conjunction with the website, Kaspersky have released an executable that checks if your machine has been\r\ntargeted. 
Naturally, since it is an offline tool, it means that the full list of MAC addresses has to be contained\r\nwithin that executable.\r\nSo, up goes IDA and we go hunting for the MAC list.\r\nBefore even taking a look at the disassembled code, we can hypothesize how such a tool might work:\r\nExtract local MAC addresses\r\nCalculate hashes for those addresses\r\nCompare the local list with addresses that are embedded in the executable\r\nhttps://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/\r\nPage 1 of 7\n\nA quick look at the disassembly shows that the entire logic of the program was written inside WinMain() (classic\r\nsecurity researcher coding style…).\r\nSure enough, the program follows the expected steps.\r\nWe can see that the first thing the tool does is extract the local MAC addresses and hash them.\r\nFollowing that, we can immediately recognize two sets of nested loops, and further analysis reveals that there are\r\nactually two different lists the tool compares the hashes of the local MAC addresses to.\r\nFinding the two lists is straightforward, and the total weight of the hashes is 19936 bytes.\r\nPhase II - what the hash?!\r\nSo now that we have the list, and knowing that the threat actors used MD5 hashes, we have to brute force these\r\nMD5s, which should be pretty straightforward.\r\nHowever, something doesn’t seem right from the get go.\r\nMD5 hashes are 16 bytes (128 bit) long, but dividing the list of hashes by 16 yields 1246, which doesn’t make\r\nsense as we know from publications that there should be around 600 addresses.\r\nMoreover, the hash comparison loops seem to work in 32 byte increments, suggesting a different hashing\r\nalgorithm than MD5.\r\nWe need to dig deeper…\r\nLooking at the hashing routine, we find this:\r\nhashing routine constants\r\nFor people involved with cryptography, these constants are an instant tell-tale sign of SHA2-256. 
SHA256’s hash\r\nsize is 32 bytes long, matching the comparison routine.\r\nWe don’t consider disassembling crypto code as a fun afternoon activity, and so we’ve opted to try the short path\r\nfirst. Let’s hash one of the few known target MAC addresses with SHA2-256 and see if we get a hit. Nothing in\r\nlife is easy, especially not crypto, so of course, the approach failed, and we did not get a hit.\r\nLittle did we know that these are not vanilla SHA256 hashes at all.\r\nPhase III - Who are you Mr. hash?\r\nReluctantly, we had to dig deeper into the hashing routine.\r\nFollowing a reference implementation of SHA256 and the disassembly, we’ve noticed that the code calls\r\nSHA256_Transform (the inner function that performs transformations on the inner algorithm state) with a constant\r\nthat seems to be four bytes long.\r\nDisassembly of hashing routine\r\nWell, “That must be it!”, they’ve salted the hash, we figured. But why would they do that? Are they trying to hide\r\nthose MAC addresses?\r\nAnyway, we’ve tried the blackbox approach using a known target MAC address hashed with the discovered salt\r\n(0xad, 0x12, 0xf4, 0x19) to see if we get a match, but it failed again.\r\nDynamically analyzing calls to the SHA256_Transform function demonstrated that the hash is actually calculated\r\non repeated sequences of the salt + MAC address.\r\nsalt (0xad,0x12,0xf4,0x19) followed by 70:8B:CD:10:43:18\r\nRevisiting the disassembled code, we can spot a constant (10,000) being used to break a loop. 
Could they be\r\nrunning the hashing algorithm 10,000 times with the salt?\r\nLet’s have a go with the following code and test it:\r\n$salt = \"\\xad\\x12\\xf4\\x19\";\r\n$mac = \"\\x70\\x8b\\xcd\\x10\\x43\\x18\"; // 70:8B:CD:10:43:18 (one of the few MD5s that were published and we brute-fo\r\n$ctx = hash_init(\"sha256\");\r\nfor($i=0;$i\u003c10000;$i++)\r\n hash_update($ctx, \"$salt$mac\");\r\nprint hash_final($ctx);\r\nWhich yields “cde5d9a781e56f37351be146a4389a975a9838f0fe13710f3501202e8ca2fb7a”. This hash is part of\r\nthe list of hashes embedded in Kaspersky’s executable. Yes! This is definitive proof!\r\nNow that we have the hashing algorithm we can start brute-forcing.\r\nPhase IV - We’re going to need a bigger cat\r\nYou can write your own code to brute-force hashes, but there is a lot of know-how involved in making the most\r\nuse out of your hardware.\r\nFor us, Hashcat was an obvious choice, given that it’s an open-source and flexible tool.\r\nWe tried stretching Hashcat’s features to their fullest, but couldn’t find a way to use the algorithm we saw in\r\nKaspersky’s code (If you know of a method, please share in the comments).\r\nAfter a sigh that was heard throughout the continent, we set about to modify Hashcat to support the new scheme.\r\nTrying to compile \u0026 build most open-source cross-platform projects on Windows is a pain and Hashcat is no\r\ndifferent, so we’ve switched to our Linux box.\r\nActually, it was surprisingly easy to enhance Hashcat and all we had to do was add two lines of code inside the\r\nOpenCL implementation of SHA2-256 (Hashcat algorithm #01400), as follows:\r\nHashcat code modification\r\nAnd with that we were good to go.\r\nPhase V - She’s not gonna hold, Captain!\r\nTrying to brute-force the entire space of MAC addresses, hashed using SHA256 on the repeated salt+MAC is not\r\nfeasible in a reasonable amount of time and 
resources.\r\nTherefore, we had to reduce the address space.\r\nA MAC address is comprised of the prefix (3 bytes) and a suffix (3 bytes). Prefixes are allocated to vendors.\r\nWe used a couple of different strategies to limit the prefixes we were targeting:\r\nLimit to only known, assigned MAC address prefixes.\r\nReduce further by following information released by other security vendors: 360 Threat Intelligence Center\r\ntweeted a nice infographic detailing the distribution of vendors of targeted MAC addresses. We could use\r\nthat list to limit the prefixes we were brute-forcing.\r\nLimit to prefixes assigned to AsusTek.\r\nEven with all of those strategies in place, brute forcing a single prefix was going to take us ~3 hours on our\r\nmodest hardware. With a narrowed down list of around 1300 prefixes, that meant 162.5 days, a tad bit more than\r\nwe would have liked.\r\nPhase VI - victory\r\nWith that in mind, we realized that to do brute-forcing you need a brute!\r\nEnter Amazon’s AWS p3.16xlarge instance.\r\nThese beasts carry eight (you read correctly) of NVIDIA’s V100 Tesla 16GB GPUs.\r\nAs Al Pacino once said - “Say hello to my little friend!” :)\r\nThe entire set of 1300 prefixes was brute-forced in less than an hour.\r\nSo far, we’ve managed to extract 583 out of 619 hashes, others probably have different vendors associated with\r\nthem.\r\nIf you’ve found a MAC address that is not on our list, please contact us and we’ll update accordingly (or share in\r\nthe comments section).\r\nThanks again Kaspersky for an enjoyable afternoon!\r\nSource: https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/"
	],
	"report_names": [
		"unleash-the-hash-shadowhammer-mac-list"
	],
	"threat_actors": [],
	"ts_created_at": 1775434757,
	"ts_updated_at": 1775791207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6756795670c11bfc503016b2e4b5ed7135b37bb.pdf",
		"text": "https://archive.orkl.eu/e6756795670c11bfc503016b2e4b5ed7135b37bb.txt",
		"img": "https://archive.orkl.eu/e6756795670c11bfc503016b2e4b5ed7135b37bb.jpg"
	}
}