360netlab / DGA

Suspicious DGA from PDNS and Sandbox.
MIT License

From PDNS: Another fix length of 7, a-z. tlds: [ru, com] #36

Open suqitian opened 7 years ago

suqitian commented 7 years ago
phunterlau commented 7 years ago

Some new waves have been observed recently with .ru as the only TLD, all of query type A. For example, the core domains are like these, detected with very strong correlation, no subdomains:

date -u
Tue Oct 17 22:10:20 UTC 2017


Meanwhile, wasyellowindexhotel.ru has many new FQDNs, like w1.wasyellowindexhotel.ru, w17.wasyellowindexhotel.ru and w18.wasyellowindexhotel.ru. An educated guess can lead to some new variant.

baderj commented 6 years ago

There is a DGA in the binary. It generates a new domain every 10 seconds.

```c
void __stdcall __noreturn query_fake_domains(LPVOID lpThreadParameter)
{
  signed int i; // esi@1
  int attempts; // esi@3
  CHAR full_domain; // [esp+4h] [ebp-80h]@4
  char domain[4]; // [esp+44h] [ebp-40h]@2

  while ( 1 )
  {
    do
    {
      i = 0;
      do
        domain[i++] = rand() % 25 + 'a';   // seven pseudo-random letters in the range 'a'..'y'
      while ( i < 7 );
      *&domain[i] = 'ur.';                 // multi-character constant: appends the ".ru" suffix
      attempts = 0;
    }
    while ( number_of_resolves <= 0 );
    do
    {
      wsprintfA(&full_domain, pFakeDomainPattern, attempts, domain);
      if ( inet_addr(domain) == -1 && !gethostbyname(domain) )
        Sleep(1000u);
      Sleep(10000u);                       // one generated domain roughly every 10 seconds
      ++attempts;
    }
    while ( attempts < number_of_resolves );
  }
}
```

https://imgur.com/a/GU5ti

The PRNG is seeded with GetTickCount and the domains are therefore not predictable. The domains look like the hardcoded domains though, and I think they are used as decoys.
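As an added detection example (not code from this issue, the analysis, or the malware), the Python below scans constructed PDNS-style log lines for the shape the decompiled loop produces (seven lowercase letters plus .ru, no subdomain) and flags clients that emit several distinct such names within a short window; the log format, the window, the threshold and the sample lines are all assumptions.

```python
import re
from collections import defaultdict, deque

# Shape of the decoy names in the decompiled loop: seven lowercase
# letters followed by ".ru", with no subdomain labels.
DGA_RE = re.compile(r"^[a-z]{7}\.ru\.?$")

def is_candidate(qname):
    """True if a queried name has the 7-letter .ru decoy shape."""
    return DGA_RE.match(qname.strip().lower()) is not None

def parse_line(line):
    """Parse one constructed PDNS line: '<epoch>,<client>,<qname>,<qtype>'."""
    ts, client, qname, qtype = line.strip().split(",")
    return int(ts), client, qname, qtype

def find_bursts(lines, window=60, threshold=4):
    """Return {client: [alert_ts, ...]} for clients that queried at least
    `threshold` distinct candidate names within `window` seconds. A host
    running the 10-second loop yields about six names a minute; window
    and threshold are assumptions to be tuned against local traffic."""
    recent = defaultdict(deque)   # client -> deque of (ts, qname)
    alerts = defaultdict(list)
    for line in lines:
        ts, client, qname, qtype = parse_line(line)
        if qtype != "A" or not is_candidate(qname):
            continue
        q = recent[client]
        q.append((ts, qname))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({n for _, n in q}) >= threshold:
            alerts[client].append(ts)
            q.clear()             # one burst produces one alert
    return dict(alerts)

# Constructed sample log (not real traffic): 10.0.0.5 shows the cadence,
# 10.0.0.9 queries ordinary .ru names that must not match.
SAMPLE_LOG = [
    "1508278220,10.0.0.5,abcdefg.ru.,A",
    "1508278230,10.0.0.5,hijklmn.ru.,A",
    "1508278240,10.0.0.5,opqrstu.ru.,A",
    "1508278250,10.0.0.5,vwxyzab.ru.,A",
    "1508278260,10.0.0.5,cdefghi.ru.,A",
    "1508278221,10.0.0.9,mail.ru.,A",
    "1508278231,10.0.0.9,yandex.ru.,A",
]

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))
```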

suqitian commented 6 years ago

Hi Bader, thanks for pointing this out, and also thanks for sharing so many DGA implementations on GitHub :)

phunterlau commented 6 years ago

@baderj thanks for sharing this DGA. We see many of them are resolved in our DNS traffic, which may not look like decoys. Do you have further analysis of this malware? Thanks.

ptresearch commented 6 years ago

Hello @baderj

Could you please share the hash or even sample from which this DGA is?

baderj commented 6 years ago

I looked at this sample

md5:    f2ebc1ee228298f149eff64cc2548f03
sha1:   c51a8db70986c21b44d3e78b092e0e29102f857c
sha256: 11fc02dd825c8e67d58cc40a47e3f4c572097bd58c6aae80591a5fb73b9167f2

It unpacks to

md5:    d0be78dc1e0a109bb8e1d80665819c9a
sha1:   4d67f2b80bcce6f7042203fc9be96f10da90dc0f
sha256: 029e1a73abd9b9b741ec2a051f5ae3329b4ec3780f9690a73aab2e2c6f965fbe

Sorry I wasn't clear in my first comment: there is a large list of hardcoded domains with ports that the malware contacts. But in addition to that, there is a DGA that generates domains that look exactly like the hardcoded domains. The seeding of the DGA is done with GetTickCount and is therefore unpredictable. Those DGA domains are generated every 10 seconds.

suqitian commented 6 years ago

Found an analysis article on this issue; unfortunately, it is in Chinese: http[:]//www.freebuf.com/column/153424.html Also found another hash with this DGA:

md5:    54b5e6ae6a4eb6139b10d4ad25df32c2
sha1:   9f479661020ccb94792315b2ae07738bdb4912cb
sha256: 4cef263eba381523aa3ad23235e9d512028f41466f2ad1f4319ea4aa8c4d562d