Skip to content

AdamWhiteHat/SunBurstReadable

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits

Properties

Properties

 
 

.gitattributes

.gitattributes

 
 

ConfigManager.cs

ConfigManager.cs

 
 

CryptoHelper.cs

CryptoHelper.cs

 
 

DnsHelper.cs

DnsHelper.cs

 
 

DnsRecords.cs

DnsRecords.cs

 
 

Enums.cs

Enums.cs

 
 

HttpHelper.cs

HttpHelper.cs

 
 

IPAddressesHelper.cs

IPAddressesHelper.cs

 
 

Job.cs

Job.cs

 
 

NativeMethods.cs

NativeMethods.cs

 
 

ProcessTracker.cs

ProcessTracker.cs

 
 

Program.cs

Program.cs

 
 

Proxy.cs

Proxy.cs

 
 

README.md

README.md

 
 

RegistryHelper.cs

RegistryHelper.cs

 
 

ServiceConfiguration.cs

ServiceConfiguration.cs

 
 

Settings.cs

Settings.cs

 
 

SunBurstDefanged.csproj

SunBurstDefanged.csproj

 
 

SunBurstDefanged.sln

SunBurstDefanged.sln

 
 

Utilities.cs

Utilities.cs

 
 

ZipHelper.cs

ZipHelper.cs

 
 

Repository files navigation

SunBurstReadable

SunBurst source code. SunBurst is the SolarWinds malware.

This code was taken from https://github.com/etlownoise/fakesunburst. However, you'll notice all the code exists in a single 5000+ line code file. In order to make the code more readable and digestible, I broke up the code, placing each class into its own .cs file and then fixed any errors. Additionally, I placed all the shared settings in it's own class, and all the shared utility functions in it's own class.

This made the code a lot more digestible and understanding the code was a breeze after that. This version of the SunBurst source code is designed to be much more readable, hence the name, SunBurstReadable.

  • You may notice that the project type is currently a .NET library. This means it is not executable, and the Main function in the Program class is not an actual entry point. This is to prevent accidental execution, as well as, perhaps, intentional execution; This code cannot be taken and used as malware without modification.
  • The code was no longer able to be tested/executed anyways; windows now prevents this. Even fragments of the code will not run, based on heuristics (I personally encountered this trying to decrypt some strings).
  • This version has also been defanged in several places throughout the code to prevent the harmful areas of the code from being hit.
  • The C&C domain names and IP addresses have been sinkholed by Microsoft and will no longer work.
  • I have made other subtle changes to frustrate efforts of someone attempting to use certain parts of this code for malicious purposes.

About

SunBurst source code broken up by classes so that it is more readable.

Resources

Readme
Activity

Stars

3 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages