Refactor 2016
andrewaeva@ya.ru committed Feb 5, 2016
1 parent d914b23 commit 6cf4629
Showing 7 changed files with 87 additions and 81 deletions.
42 changes: 22 additions & 20 deletions dga_algorithms/Cryptolocker.pl
@@ -1,29 +1,31 @@
#!/usr/bin/perl
use strict;
use warnings;

my @t=("com", "net", "biz", "ru", "org", "co.uk", "info");
my $d; my $i; my $m; my $s; my $y;my $z;

if(scalar @ARGV !=3){
print "usage: perl dga-cryptolocker.pl $ARGV[0] d m y\n";
exit 0;
print "usage: perl dga-cryptolocker.pl $ARGV[0] d m y\n";
exit 0;
}
for($z=0; $z<100000; $z++){
$d = $ARGV[0];
$m = $ARGV[1];
$y = $ARGV[2] + $z;
$d *= 65537;
$m *= 65537;
$y *= 65537;
$s = $d>>3 ^ $y>>8 ^ $y>>11;
$s &= 3;
$s += 12;
my $n='';
for($i = 0; $i < $s; $i++){
$d = (($d<<13 & 0xFFFFFFFF)>>19 & 0xFFFFFFFF) ^ (($d>>1 & 0xFFFFFFFF)<<13 & 0xFFFFFFFF) ^ ($d>>19 & 0xFFFFFFFF); $d &= 0xFFFFFFFF;
$m = (($m<<2 & 0xFFFFFFFF)>>25 & 0xFFFFFFFF) ^ (($m>>3 & 0xFFFFFFFF)<<7 & 0xFFFFFFFF) ^ ($m>>25 & 0xFFFFFFFF); $m &= 0xFFFFFFFF;
$y = (($y<<3 & 0xFFFFFFFF)>>11 & 0xFFFFFFFF) ^ (($y>>4 & 0xFFFFFFFF)<<21 & 0xFFFFFFFF) ^ ($y>>11 & 0xFFFFFFFF); $y &= 0xFFFFFFFF;
$n.=chr(ord('a') + ($y ^ $m ^ $d) % 25);
}
my $domain=$n.'.'.$t[$z%7];
print "$domain\n";
$d = $ARGV[0];
$m = $ARGV[1];
$y = $ARGV[2] + $z;
$d *= 65537;
$m *= 65537;
$y *= 65537;
$s = $d>>3 ^ $y>>8 ^ $y>>11;
$s &= 3;
$s += 12;
my $n='';
for($i = 0; $i < $s; $i++){
$d = (($d<<13 & 0xFFFFFFFF)>>19 & 0xFFFFFFFF) ^ (($d>>1 & 0xFFFFFFFF)<<13 & 0xFFFFFFFF) ^ ($d>>19 & 0xFFFFFFFF); $d &= 0xFFFFFFFF;
$m = (($m<<2 & 0xFFFFFFFF)>>25 & 0xFFFFFFFF) ^ (($m>>3 & 0xFFFFFFFF)<<7 & 0xFFFFFFFF) ^ ($m>>25 & 0xFFFFFFFF); $m &= 0xFFFFFFFF;
$y = (($y<<3 & 0xFFFFFFFF)>>11 & 0xFFFFFFFF) ^ (($y>>4 & 0xFFFFFFFF)<<21 & 0xFFFFFFFF) ^ ($y>>11 & 0xFFFFFFFF); $y &= 0xFFFFFFFF;
$n.=chr(ord('a') + ($y ^ $m ^ $d) % 25);
}
my $domain=$n.'.'.$t[$z%7];
print "$domain\n";
}
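Review bot: The usage branch interpolates `$ARGV[0]` into the message, but that element is undefined precisely when the script is run with too few arguments, so under the file's `use warnings` the usage text itself emits an uninitialized-value warning, and `exit 0` reports success on a usage error; `print "usage: perl $0 d m y\n"; exit 1;` gives the script name and a failing status. The TLD lookup `$t[$z%7]` also hardcodes the length of `@t`; `$t[$z % @t]` stays correct if the list is edited. Both lines appear on the old and new side with identical text, so the hunk looks like a re-indentation that leaves them as they were.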
10 changes: 3 additions & 7 deletions dga_algorithms/GameoverZeus.py
Expand Up @@ -25,7 +25,6 @@ def getDate():


def seeder(index, salt):
############
edi = salt + index
edx = 0
ecx = 0x03E8
Expand Down Expand Up @@ -62,10 +61,7 @@ def generateDomain(hashlet):
print "Generating domain"
result = []
print "Hashlet : %x" % hashlet
#0042fef6:
##########
ecx = hashlet
##########
cl = 0
dl = 0
bl = 0
Expand Down Expand Up @@ -124,15 +120,15 @@ def engine(salt=0x35190501, maxiter=100000):
hashstash = [int(hashit[:8], 16), int(hashit[8:16], 16), int(hashit[16:24], 16), int(hashit[24:], 16)]
domain = ''
if True:
#while len(domain) < 0x10 :
#while len(domain) < 0x10 :
index = 0
for hashlet in hashstash:
print "Hashlet : %x" % hashlet
domain += generateDomain(socket.htonl(hashlet) & 0xFFFFFFFF)
print "\t[%d] Domain : %s" % (index, domain)
index += 1
print "[%d] Domain : %s\n" % (i, domain)
#########################

if (edx & 3 == 0):
domain += ".\x63\x6F\x6D"
elif (edx % 3 != 0 ):
Expand All @@ -142,7 +138,7 @@ def engine(salt=0x35190501, maxiter=100000):
domain += ".\x62\x69\x7A"
else:
domain += ".\x6F\x72\x67"
#########################

domains.append(domain)
return domains

1 change: 1 addition & 0 deletions dga_algorithms/Matsnu.py
Expand Up @@ -83,6 +83,7 @@
'purple', 'ruin', 'ship', 'skirt', 'slice', 'snow', 'specialist', 'stroke', 'switch', 'trash', 'tune', 'zone',
'anger', 'award', 'bid', 'bitter', 'boot', 'bug', 'camp', 'candy', 'carpet', 'cat', 'champion', 'channel',
'clock', 'comfort', 'cow', 'crack', 'engineer', 'entrance', 'fault', 'grass', 'guy']

nouns = ['is', 'are', 'has', 'get', 'see', 'need', 'know', 'would', 'find', 'take', 'want', 'does', 'learn', 'become',
'come', 'include', 'thank', 'provide', 'create', 'add', 'understand', 'consider', 'choose', 'develop',
'remember', 'determine', 'grow', 'allow', 'supply', 'bring', 'improve', 'maintain', 'begin', 'exist', 'tend',
23 changes: 12 additions & 11 deletions dga_algorithms/PushDO.py
@@ -1,7 +1,8 @@
import hashlib
import os

import datetime
import time
import hashlib


def rc4crypt(data, key):
Expand Down Expand Up @@ -46,21 +47,21 @@ def generateSeed(a1, a2, a3):
v8 = "1F1C1F1E1F1E1F1F1E1F1E1F"
v8 = v8.decode("hex")
result = 0
if ( a1 > 0 ):
if ( (a2 - 1) <= 0xB ):
if ((a3 - 1) <= 0x1E ):
if (a1 > 0):
if ((a2 - 1) <= 0xB):
if ((a3 - 1) <= 0x1E):
v4 = (a1 & 0x80000003) == 0
if ( (a1 & 0x80000003) < 0 ):
if ((a1 & 0x80000003) < 0):
v4 = (((a1 & 0x80000003) - 1) | 0xFFFFFFFC) == -1
if ( v4 ):
if (v4):
v8[11] = chr(0x1D)
v5 = 0
if ( a2 > 1 ):
v7 = v8 #&v8
if (a2 > 1):
v7 = v8 # &v8
v6 = a2 - 1
i7 = 0
while (v6):
v5 += ord(v7[i7]) #*v7
v5 += ord(v7[i7]) # *v7
i7 += 1
v6 -= 1
ecx = 365 * (a1 - (a1 / 4))
Expand Down Expand Up @@ -132,13 +133,13 @@ def initDGA(salt):
domains = []
day, month, year = getDate()
seed = generateSeed(year, month, day)
seed = generateString(salt, seed)#.decode("hex")
seed = generateString(salt, seed) # .decode("hex")
for i in range(100000):
hashit = hasher(seed)
domain = generateDomain(hashit.decode("hex"), 0x0A)
seed = ("%08x" % (int(hashit[:8], 16) + 0x01000000))
domains.append(domain)
#time.sleep(1)
# time.sleep(1)
return domains


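Review bot: `v8[11] = chr(0x1D)` in generateSeed assigns into a `str` (`v8` is the result of `v8.decode("hex")` a few lines above), which raises TypeError on the Python 2 that `.decode("hex")` implies; the branch is reachable whenever `v4` is true, i.e. when `a1 & 0x80000003 == 0`, so for a year divisible by four the seed computation aborts instead of patching the table. The same lines are repeated in generateSeed in dga_algorithms/Rovnix.py in this commit. Rebuilding the string keeps the later `ord(v7[i7])` reads unchanged: `v8 = v8[:11] + chr(0x1D) + v8[12:]`. generateSeed begins and continues outside the hunk.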
19 changes: 11 additions & 8 deletions dga_algorithms/Rovnix.py
@@ -1,6 +1,7 @@
__author__ = 'andrewa'
import datetime
import random

import datetime

usdeclar = open("../help/usdeclar.txt", 'r').read().strip().split()
for i in xrange(0, len(usdeclar)):
usdeclar[i] = ''.join(e for e in usdeclar[i] if e.isalnum())
Expand All @@ -24,16 +25,16 @@ def generateSeed(a1, a2, a3):
v8 = "1F1C1F1E1F1E1F1F1E1F1E1F"
v8 = v8.decode("hex")
result = 0
if ( a1 > 0 ):
if ( (a2 - 1) <= 0xB ):
if ((a3 - 1) <= 0x1E ):
if (a1 > 0):
if ((a2 - 1) <= 0xB):
if ((a3 - 1) <= 0x1E):
v4 = (a1 & 0x80000003) == 0
if ( (a1 & 0x80000003) < 0 ):
if ((a1 & 0x80000003) < 0):
v4 = (((a1 & 0x80000003) - 1) | 0xFFFFFFFC) == -1
if ( v4 ):
if (v4):
v8[11] = chr(0x1D)
v5 = 0
if ( a2 > 1 ):
if (a2 > 1):
v7 = v8
v6 = a2 - 1
i7 = 0
Expand All @@ -47,6 +48,7 @@ def generateSeed(a1, a2, a3):

return result


day, month, year = getDate()
seed = generateSeed(year, month, day)
next_domain = 1
Expand All @@ -73,5 +75,6 @@ def choose_word():
rem = seed % len(usdeclar)
return usdeclar[rem]


for i in xrange(0, 100000):
print generate_domain()
29 changes: 16 additions & 13 deletions dga_algorithms/Tinba.py
@@ -1,4 +1,5 @@
import os

import time


Expand All @@ -15,37 +16,37 @@ def tinbaDGA(idomain, seed):
ecx = 0x10
eax = 0
edx = 0
for s in range(len(seed)) :
for s in range(len(seed)):
eax = ord(seed[s])
edx += eax
edi = idomain
ecx = 0x0C
d = 0
while ( ecx > 0 ):
while (ecx > 0):
al = eax & 0xFF
dl = edx & 0xFF
al = al + ord(idomain[d])
al = al ^ dl
al += ord(idomain[d+1])
al += ord(idomain[d + 1])
al = al & 0xFF
eax = (eax & 0xFFFFFF00)+al
edx = (edx & 0xFFFFFF00)+dl
if al > 0x61 :
if al < 0x7A :
eax = (eax & 0xFFFFFF00) +al
eax = (eax & 0xFFFFFF00) + al
edx = (edx & 0xFFFFFF00) + dl
if al > 0x61:
if al < 0x7A:
eax = (eax & 0xFFFFFF00) + al
buf += chr(al)
d += 1
ecx -= 1
continue
dl += 1
dl = dl & 0xFF
edx = (edx & 0xFFFFFF00)+dl
domain = buf+suffix
edx = (edx & 0xFFFFFF00) + dl

domain = buf + suffix
domains.append(domain)
idomain = domain
return domains
return domains


def init():
harddomain = "ssrgwnrmgrxe.com"
Expand All @@ -57,4 +58,6 @@ def init():
index += 1
fp.write(domain + '\n')
fp.close()


init()
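Review bot: `return domains` is shown both removed and re-added at the end of the tinbaDGA hunk, and since this rendering drops indentation it cannot be confirmed whether its level changed; in Python that is a semantic edit, and if the statement now sits inside the loop that appends to `domains` the function returns after the first domain, so its indentation relative to `domains.append(domain)` should be checked in the raw diff. Nothing else in the hunk appears to change behaviour (spacing around operators and parentheses only). The start of tinbaDGA, where `buf`, `suffix` and `domains` are initialised, is outside the hunk.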
44 changes: 22 additions & 22 deletions dga_wordlists/main.py
@@ -1,20 +1,20 @@
__author__ = 'andrewa'
#-*- coding: utf-8 -*-
#alexa = open('../help/alexa.csv', 'r').read().split('\n')
#alexa_domain = []
#for i in alexa:
# -*- coding: utf-8 -*-
# alexa = open('../help/alexa.csv', 'r').read().split('\n')
# alexa_domain = []
# for i in alexa:
# i = i.split(',')
# try:
# alexa_domain.append(i[1])
# except:
# pass
#opendns_random = open('opendns-random-domains.txt', 'r').read().split('\n')
#opendns_top = open('opendns-top-domains.txt', 'r').read().split('\n')
#opendns_random.extend(alexa_domain)
#opendns_random.extend(opendns_top)
#C = open('../all_legit2.txt', 'w')
#C.seek(0)
#for i in alexa_domain:
# opendns_random = open('opendns-random-domains.txt', 'r').read().split('\n')
# opendns_top = open('opendns-top-domains.txt', 'r').read().split('\n')
# opendns_random.extend(alexa_domain)
# opendns_random.extend(opendns_top)
# C = open('../all_legit2.txt', 'w')
# C.seek(0)
# for i in alexa_domain:
# C.write(i+' 0\n')
exit(0)
######################################################
Expand All @@ -38,26 +38,26 @@
cryptolocker.append(i[0].replace('"', ''))
if i[1] == '"goz"':
goz.append(i[0].replace('"', ''))
goz_txt.write(i[0].replace('"', '')+'\n')
goz_txt.write(i[0].replace('"', '') + '\n')
if i[1] == '"newgoz"':
new_goz.append(i[0].replace('"', ''))
new_goz_txt.write(i[0].replace('"', '')+'\n')
new_goz_txt.write(i[0].replace('"', '') + '\n')
C = open('../all_dga.txt', 'w')
C.seek(0)
for i in cryptolocker:
C.write(i+' 1\n')
C.write(i + ' 1\n')
for i in zeus:
C.write(i+' 2\n')
C.write(i + ' 2\n')
for i in pushdo:
C.write(i+' 3\n')
C.write(i + ' 3\n')
for i in rovnix:
C.write(i+' 4\n')
C.write(i + ' 4\n')
for i in tinba:
C.write(i+' 5\n')
C.write(i + ' 5\n')
for i in conficker:
C.write(i.strip()+' 6\n')
C.write(i.strip() + ' 6\n')
for i in matsnu:
C.write(i+' 7\n')
C.write(i + ' 7\n')
for i in ramdo:
C.write(i+' 8\n')
C.close()
C.write(i + ' 8\n')
C.close()
