Pir00t/sunburst_kit
sunburst_kit

Testing tools for analysis of the Sunburst backdoor reported by FireEye (written for Python 3).

sunburst_FNV.py

Requirements: pip install fnvhash

This script attempts to decode the hardcoded hash values found inside the SUNBURST backdoor. It does so either by passing a file of guess strings (much like a dictionary attack) or by brute force.

Usage

Passing process file

python3 sunburst_FNV.py -f processes.txt --values hardcodedVal.txt

Bruteforce

python3 sunburst_FNV.py -b --values hardcodedVal.txt

Note that this is a rudimentary brute force and is not fully optimised!

processes.txt is populated from https://github.com/fireeye/sunburst_countermeasures/blob/main/fnv1a_xor_hashes.txt

sunburst_b64.py

This script pulls out the encoded strings within OrionImprovementBusinessLayer that use the DeflateStream class of .NET's System.IO.Compression library together with base64 encoding. It removes duplicate base64 values before inflating them and returns the decoded string values.

Usage

python3 sunburst_b64.py -f <decompiled OrionImprovementBusinessLayer>
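The two decoding steps the scripts above perform, as an added self-contained example that is not the repository's code: a dictionary attack that matches candidate process names against hardcoded FNV-1a XOR hashes, and the base64 + raw-Deflate inflation used for the embedded strings. The XOR key, the lower-casing of names and the raw (header-less) Deflate stream are assumptions taken from public SUNBURST analyses, and the sample hashes and strings are constructed here, not taken from the binary.

```python
import base64
import zlib

FNV64_OFFSET = 0xcbf29ce484222325
FNV64_PRIME = 0x100000001b3
MASK64 = (1 << 64) - 1
# XOR key applied by SUNBURST after FNV-1a, as reported in public analyses of
# the backdoor. Treated here as an assumption: verify it against the
# fnv1a_xor_hashes.txt list before relying on it.
SUNBURST_XOR_KEY = 6605813339339102567


def fnv1a64(data: bytes) -> int:
    """Plain 64-bit FNV-1a over the given bytes."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def sunburst_hash(name: str, key: int = SUNBURST_XOR_KEY) -> int:
    """FNV-1a 64 of the lower-cased UTF-8 name, XORed with the key."""
    return fnv1a64(name.lower().encode("utf-8")) ^ key


def match_hashes(candidates, targets, key=SUNBURST_XOR_KEY):
    """Dictionary attack: map each hardcoded hash to the candidate that produces it."""
    targets = set(targets)
    found = {}
    for name in candidates:
        h = sunburst_hash(name, key)
        if h in targets:
            found[h] = name
    return found


def inflate_b64(blob: str) -> str:
    """Reverse base64 + DeflateStream output (raw deflate, no zlib header: wbits=-15)."""
    return zlib.decompress(base64.b64decode(blob), -15).decode("utf-8")


def deflate_b64(text: str) -> str:
    """Build a constructed sample in the same encoding the embedded strings use."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(text.encode("utf-8")) + c.flush()).decode()


if __name__ == "__main__":
    # constructed: stand-ins for hashes pulled out of the decompiled binary
    hardcoded = [sunburst_hash("wireshark.exe"), sunburst_hash("procmon.exe")]
    print(match_hashes(["notepad.exe", "Wireshark.exe", "procmon.exe"], hardcoded))
    print(inflate_b64(deflate_b64("constructed sample string")))
```

With the real hash list, `targets` would be the integer values from fnv1a_xor_hashes.txt and `candidates` the lines of processes.txt.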
