From sandbox: The DGA of MyDoom

[suqitian]

• MD5 5ca475be33c4cb2117837310c43446c0

• Domains generated on 2019/01/03 in the sandbox

  qammswnqrn.info
  eawesnrrhs.ws
  rqmprewqns.org
  wpmsewhnmh.in
  rhhwmqqsqh.org
  hsnmqqhpna.net
  nmmmsaqpmh.us
  wppnhmqssr.in
  qamnewnrrn.info
  heswwrahna.net
  qhnppspnma.info
  wawwrwqaqh.in
  rsrapqrwna.org
  eprqerqwns.ws
  rnrswahmsa.org
  hnqrsapmnn.net
  narpqrehqs.us
  mppqprmnnr.in
  arshsernqa.com
  wrerrqpseh.in
  rhhhaqanan.org
  mnnhwehhsr.in
  neepnmhqrn.us
  wnhraasnsh.in
  asnenehqsa.com
  mqwnqqqeeh.in
  anqphrhenn.com
  hneapamsqh.net
  ahneneqamn.com
  wmhmqsqsqa.in
  arremamwwa.com
  hpmespenrn.net
  nnesearqra.us
  mrrmwsewnn.in
  neqehapwhn.us
  ewaspmnssh.ws
  awrapnpaqn.com
  hepeamqrpn.net
  prpmaawpsn.in
  wrrehreama.in

[suqitian]

• TLDs [com, biz, us, net, org, ws, info, in]
• The number of domains 51 domain per day
• Test

  $ python dga.py -t `date +%s -d "2019-01-03 09:25:28"`
  qammswnqrn.info
  eawesnrrhs.ws
  rqmprewqns.org
  wpmsewhnmh.in
  rhhwmqqsqh.org
  hsnmqqhpna.net
  nmmmsaqpmh.us
  wppnhmqssr.in
  qamnewnrrn.info
  heswwrahna.net
  qhnppspnma.info
  wawwrwqaqh.in
  rsrapqrwna.org
  eprqerqwns.ws
  rnrswahmsa.org
  hnqrsapmnn.net
  narpqrehqs.us
  mppqprmnnr.in
  arshsernqa.com
  wrerrqpseh.in
  rhhhaqanan.org
  mnnhwehhsr.in
  neepnmhqrn.us
  wnhraasnsh.in
  asnenehqsa.com
  mqwnqqqeeh.in
  anqphrhenn.com
  hneapamsqh.net
  ahneneqamn.com
  wmhmqsqsqa.in
  arremamwwa.com
  hpmespenrn.net
  ...

  dga.py is here.

[suqitian]

• Python code

  
  '''
  DGA of Mydoom
  '''

import argparse from datetime import datetime

def dga(date, seed, nr, tlds): _sld = ['e', 'v', 'l', 'k', 'r', 'd', 'o', 'h', 'l', 'p'] magic = 'nj' len_sld = len(_sld) for i in range(len_sld): for j in range(len(magic)): _sld[i] = chr(ord(_sld[i]) ^ ((ord(magic[j]) + i * j) & 0xff))

_seed = seed + date.year + date.month + date.day

for i in range(nr):
    if i == nr - 1:
        _seed = seed

    _seed = ((_seed * 0x19660d) + 0x3c6ef35f) & 0xffffffff

    sld = ''
    tld = ''
    m = _seed
    for j in range(len_sld):
        idx = m % len_sld
        sld += _sld[idx]
        if j == 0:
            if idx < 7:
                tld = tlds[idx]
            else:
                tld = tlds[-1]

        m = m / len_sld

    print sld + '.' + tld

if name=="main": parser = argparse.ArgumentParser() parser.add_argument('-t', '--time', help="Seconds since January 1, 1970 UTC") parser.add_argument("-n", "--nr", help="nr of domains", type=int, default=51) parser.add_argument("-s", "--seed", help="RAND_MAX", default="0xfa8") parser.add_argument("-T", "--tlds", help="TLD", default="com-biz-us-net-org-ws-info-in")

args = parser.parse_args()

d = datetime.utcfromtimestamp(int(args.time))
tlds = args.tlds.split('-')
dga(d, int(args.seed, 16), args.nr, tlds)

[suqitian]

• The other samples

  78f9412e51f846dae6c3a6aa9df97ad7
  b47326e714ac74ff018dfc69367f8bfb
  0de520277a7905d5f61146cb27e88f20
  6632b9e147d1037b067bf002ce7b92ab
  a674e222c1fcf52211fe6b851bb3082b
  76263a4b1bf38efc27dd6073342932a3
  a3fae8f07be2ea1baf6e5c59473c1aa8
  7123267a2f546c3a1a66c0750900395b
  ...