From VT:2 new seeds of Murofet #43

Open
suqitian opened this Issue Apr 10, 2018 · 2 comments

suqitian commented Apr 10, 2018

  • MD5
    f9c7354cd1cddac87e23783369af585c

  • VT analysis

  • Domains on 2018-01-29


@suqitian suqitian changed the title from From VT: to From VT:A new seed of Murofet Apr 10, 2018


suqitian commented Apr 10, 2018

  • Seed
    0x78e4a3c0

  • The number of domains
    1020

  • In order to cover all possibilities, need to generate 1020 domains per day
    (17 * second) % 0x3fc
    Range of second: [0, 59]

  • Test

$ python dga.py -k 0x78e4a3c0 -n 1020 -t `date +%s -d "2018-01-29 00:46:32"`

@suqitian suqitian changed the title from From VT:A new seed of Murofet to From VT:two new seeds of Murofet Apr 10, 2018


suqitian commented Apr 10, 2018

  • Another MD5
    5df9dc5fb4886a28133656b8c55fd65b
  • Seed
    0xed79a19c
  • The number of domains
    1020
  • Test
$ python dga_tdd.py -k 0xed79a19c -n 1020 -t `date +%s -d "2018-04-10 10:00:00"`

@suqitian suqitian changed the title from From VT:two new seeds of Murofet to From VT:2 new seeds of Murofet Apr 10, 2018
