360netlab/DGA

From 360 Sandbox: A length of 9-20, a-x, tlds: [ddns.net]

suqitian opened this issue · 2 comments

  • MD5
    08232e7b2f4d1753bc872a100673b05a
  • Hints from 360 Sandbox on 2016-04-05
    acgaaqsovipeos.ddns.net
    echufivoci.ddns.net
    kaukihviavfui.ddns.net
    lobuxewofiraap.ddns.net
    olleitumsebe.ddns.net
    ompeuhumhuas.ddns.net
    vukaewloetu.ddns.net
    xuxakuiwet.ddns.net
  • Then I ran that sample in Cuckoo again. I guess this sample implements a time-dependent DGA, because the DNS queries changed into these:

It is really the DGA of Symmi, thank you @hongliangliu.

The differences between this binary and the implementation of Johannes Bader are:

  1. the number of domains is 4192
  2. the create_seed function changes into this:
    return 1000 * date.month + date.year + seed_const
    This means this DGA generates 4192 domains per month.

Compare the domain list below with that generated by Cuckoo: they contain the same contents.

$ python dga_new.py -d "2004-06-16" | less
saotociwu.ddns.net
amefluri.ddns.net
ushetonauwnume.ddns.net
ilciiwvuu.ddns.net
avudiptak.ddns.net
uqapgerukeequ.ddns.net
uweqxutiuxuxo.ddns.net
ikkeaqugqe.ddns.net
hareremagaopavi.ddns.net
soebubcuqiegsaa.ddns.net
antosauca.ddns.net
ipvoesenox.ddns.net
aqdeudbepekeda.ddns.net

patch:

$ diff dga_new.py dga.py 
6c6
< nr_of_domains = 4192
---
> nr_of_domains = 64
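Review bot: the argument order `diff dga_new.py dga.py` makes the `<` lines the modified file, so this hunk is a reverse diff; feeding it to `patch` against `dga.py` would set `nr_of_domains = 64` back rather than apply the change. Regenerate it as `diff -u dga.py dga_new.py`, and consider a comment beside the constant saying where 4192 comes from, since the number is only explained in the issue text.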
42,43c42
<     return 1000 * date.month + date.year + seed_const
<     #return 10000*(date.day//days_period*100 + date.month) + date.year + seed_const
---
>     return 10000*(date.day//days_period*100 + date.month) + date.year + seed_const
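Review bot: the new `create_seed` body keeps the previous formula as a commented-out line (`#return 10000*(date.day//days_period*100 + date.month) + date.year + seed_const`); dead code like this drifts out of sync with the live code, so either drop it or replace it with a comment stating that this variant seeds once per calendar month (`1000 * date.month + date.year + seed_const`) instead of per `days_period` window. With the day term gone, check whether `days_period` is still referenced anywhere in the function.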

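The monthly seed formula and the label shape described in this issue, turned into a small defender-side check; this is an added example, not code from the 360netlab/DGA repository or from Johannes Bader's dga.py. It assumes `seed_const = 0` as a placeholder (the real constant is inside dga.py, which is not shown here), a constructed `<client> <qname> <rcode>` log format, and relaxes the title's 9-20 length range to 8-20 because the quoted output contains the 8-letter label `amefluri`.

```python
import re
from collections import defaultdict
from datetime import date

# From the issue: this Symmi variant emits 4192 domains per seed value.
NR_OF_DOMAINS = 4192
# seed_const lives in dga.py, which the page does not show; 0 is a placeholder.
SEED_CONST = 0

def variant_seed(d, seed_const=SEED_CONST):
    """Seed formula quoted in the issue: constant for a whole calendar month,
    so the same NR_OF_DOMAINS candidates stay valid until the month changes."""
    return 1000 * d.month + d.year + seed_const

# Label shape: a-x alphabet, 9-20 letters per the issue title; the quoted
# script output also contains an 8-letter label (amefluri), so the lower
# bound is relaxed to 8 here (assumption).
CANDIDATE_RE = re.compile(r"^[a-x]{8,20}\.ddns\.net$")

def is_candidate(qname):
    """True when a queried name has the shape of this variant's output."""
    return CANDIDATE_RE.match(qname.lower().rstrip(".")) is not None

def flag_hosts(log_lines, threshold):
    """Return {client: count} of distinct candidate names each client resolved
    to NXDOMAIN, keeping only clients at or above threshold."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines instead of crashing
        client, qname, rcode = fields
        if rcode == "NXDOMAIN" and is_candidate(qname):
            seen[client].add(qname.lower())
    return {c: len(names) for c, names in seen.items() if len(names) >= threshold}

# Constructed sample log; the ddns.net names are taken from the issue.
SAMPLE_LOG = [
    "10.0.0.5 saotociwu.ddns.net NXDOMAIN",
    "10.0.0.5 amefluri.ddns.net NXDOMAIN",
    "10.0.0.5 ushetonauwnume.ddns.net NXDOMAIN",
    "10.0.0.5 ilciiwvuu.ddns.net NXDOMAIN",
    "10.0.0.5 www.example.com NOERROR",
    "10.0.0.9 myhome.ddns.net NOERROR",
    "10.0.0.9 avudiptak.ddns.net NXDOMAIN",
]

if __name__ == "__main__":
    print(variant_seed(date(2004, 6, 16)), flag_hosts(SAMPLE_LOG, threshold=3))
```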
@suqitian oh, I thought symmi was dead..