suqitian
commented
5 years ago - Our first observed Android APK related DGA. Thanks to my colleague LiangJinjin for reversing and implementing the DGA
- TLDs cf, tk, xyz, top, online, info, gq, ga, ml
- The number of Domains 36
- DGA in Python
import hashlib from datetime import datetime from math import ceil import argparse
def week_of_month(ts): offset = ts.replace(day=1).weekday() return int(ceil((ts.day+offset)/7.0))
def dga(date, nr, length): domains = list() tlds = ["cf", "tk", "xyz", "top", "online", "info", "gq", "ga", "ml"] name = "org.teleru"
year = date.year
month = date.month
day = date.day
wom = week_of_month(date)
param = [year, month, wom, day]
idx = 0
for i in range(len(param)):
s = (i+1) * ".%02d"
s = s % tuple(param[:i+1])
s = name + s
s = hashlib.md5(s).hexdigest()
for j in tlds:
domains.append("%s.%s" % (s, j))
idx += 1
if idx >= nr:
return domains
return domainsif name=="main": parser = argparse.ArgumentParser() parser.add_argument('-t', '--time', help="Seconds since January 1, 1970 UTC") parser.add_argument("-n", "--nr", help="nr of domains to generate") parser.add_argument("-l", "--len", help="Length of SLD") args = parser.parse_args()
d = datetime.utcfromtimestamp(int(args.time))
domains = dga(d, int(args.nr), int(args.len))
for dn in domains:
print dn
MD5 b24b8cf072c778a4133db02716a82466 6aca8624257a0d24be706a8ab31e8aa5
Domains from our mobile sandbox on 2019-02-08 11:23:53