From 360 Sandbox: A length of 9-20, a-x, tlds: [ddns.net]
suqitian opened this issue · 2 comments
suqitian commented
- MD5: 08232e7b2f4d1753bc872a100673b05a
- Hints from 360 Sandbox on 2016-04-05:
  acgaaqsovipeos.ddns.net
  echufivoci.ddns.net
  kaukihviavfui.ddns.net
  lobuxewofiraap.ddns.net
  olleitumsebe.ddns.net
  ompeuhumhuas.ddns.net
  vukaewloetu.ddns.net
  xuxakuiwet.ddns.net
- Then I ran that sample in Cuckoo again. I guess this sample should implement a time-dependent DGA, because the DNS queries change into these:
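As an added example (not code from this issue or from Johannes Bader's implementation), the following Python turns the 360 Sandbox hint in the title (one label of 9-20 letters a-x under ddns.net) into a triage check over DNS query logs and flags a client that resolves several distinct matching names in a short window, which is the behaviour a monthly-seeded DGA like this produces. The log line format and the sample lines are constructed; the ddns.net names in them are ones the Cuckoo run above reported.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape from the 360 Sandbox hint in the issue title: a single label of
# 9-20 letters from a-x (no y or z) directly under ddns.net.
DGA_LABEL = re.compile(r"^[a-x]{9,20}\.ddns\.net\.?$")

def is_candidate(qname: str) -> bool:
    """True if qname has the length/alphabet/TLD shape from the hint."""
    return DGA_LABEL.match(qname.strip().lower()) is not None

def parse_line(line: str):
    """Parse a constructed log line: '<iso-timestamp> <client-ip> <qname>'."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname.lower()

def flag_clients(lines, threshold=5, window_s=600):
    """Map client -> sorted distinct candidate names, for every client whose
    first-seen times of `threshold` distinct candidates fit in `window_s`."""
    first_seen = defaultdict(dict)          # client -> {qname: first_seen}
    for line in lines:
        ts, client, qname = parse_line(line)
        if is_candidate(qname):
            first_seen[client].setdefault(qname, ts)
    flagged = {}
    for client, names in first_seen.items():
        times = sorted(names.values())
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged[client] = sorted(names)
                break
    return flagged

# Constructed sample log; the ddns.net names are ones the issue's Cuckoo run saw.
SAMPLE_LOG = """\
2016-04-05T10:00:01 10.0.0.7 saotociwu.ddns.net
2016-04-05T10:00:02 10.0.0.7 ushetonauwnume.ddns.net
2016-04-05T10:00:03 10.0.0.7 ilciiwvuu.ddns.net
2016-04-05T10:00:04 10.0.0.7 avudiptak.ddns.net
2016-04-05T10:00:05 10.0.0.7 uqapgerukeequ.ddns.net
2016-04-05T10:00:06 10.0.0.7 www.example.com
2016-04-05T10:00:07 10.0.0.9 yellowzone.ddns.net
2016-04-05T10:00:08 10.0.0.9 myhome123.ddns.net
2016-04-05T10:00:09 10.0.0.9 ushetonauwnume.ddns.net
""".splitlines()

if __name__ == "__main__":
    for client, names in flag_clients(SAMPLE_LOG).items():
        print(client, len(names), "distinct candidates, e.g.", names[:2])
```

The hint's 9-20 length range does not cover the 8-letter names the Cuckoo run also queried (amefluri.ddns.net, faicigap.ddns.net), so the shape check is a triage filter and the distinct-name count per client carries the detection.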
suqitian commented
It is really the DGA of Symmi, thank you @hongliangliu.
The differences between this binary and the implementation of Johannes Bader are:
- the number of domains is 4192
- the create_seed function changes into this:
  `return 1000 * date.month + date.year + seed_const`
It means this DGA generates 4192 domains per month.
Compare the domain list below with the one generated by Cuckoo; they contain the same contents.
```
$ python dga_new.py -d "2004-06-16" | less
saotociwu.ddns.net
amefluri.ddns.net
ushetonauwnume.ddns.net
ilciiwvuu.ddns.net
avudiptak.ddns.net
uqapgerukeequ.ddns.net
uweqxutiuxuxo.ddns.net
ikkeaqugqe.ddns.net
hareremagaopavi.ddns.net
soebubcuqiegsaa.ddns.net
antosauca.ddns.net
ipvoesenox.ddns.net
aqdeudbepekeda.ddns.net
```
patch:
$ diff dga_new.py dga.py
6c6
< nr_of_domains = 4192
---
> nr_of_domains = 64
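Review bot: this hunk reads backwards for a patch: `diff dga_new.py dga.py` puts the modified file first, so the new value `nr_of_domains = 4192` shows up on the `<` side and the original `nr_of_domains = 64` on the `>` side. Taking the diff as `diff -u dga.py dga_new.py` (original first) would give a unified hunk that applies with `patch` and shows old-then-new as readers expect. The new constant also deserves a one-line comment saying it was derived from the sample, since nothing in the code explains where 4192 comes from.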
42,43c42
< return 1000 * date.month + date.year + seed_const
< #return 10000*(date.day//days_period*100 + date.month) + date.year + seed_const
---
> return 10000*(date.day//days_period*100 + date.month) + date.year + seed_const
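Review bot: the old formula is kept as a commented-out line (`#return 10000*(date.day//days_period*100 + date.month) + date.year + seed_const`) right after the active `return`, which is dead code; drop it and put a short comment above `return 1000 * date.month + date.year + seed_const` stating that the seed now changes once per month. With `date.day//days_period` gone, create_seed no longer references `days_period`, so remove that variable (and any option that sets it) if nothing else in the script uses it.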
phunterlau commented
@suqitian oh, I thought symmi was dead..