From VT: length 10-15, charset a-z, TLDs: [com], unpredictable DGA
suqitian commented
- MD5s
5bbb6d8c1d27f962427777cdbc1c11d5
c8e576a095eaf36edeb47175ba9b16f2
c68151a15a88a0b3cdda1bbcba2aac89
- Domains
dvzejqipdw.com
lotnptdatj.com
lyrbqcnynrzk.com
ohrhywpjwslk.com
pmcetqvgssvk.com
tfuypxmfgbmh.com
tpchekteer.com
vjxfspyxky.com
ahnmhhaxqmxbaj.com
cjxdzcrmkjdqctl.com
fwlqhjbwjzdavc.com
glzjtshrugau.com
pcjsthmobaxct.com
qrpxcvntrct.com
yppervqsbhtbdux.com
zwekgmilcs.com
dekmubqkuxqhue.com
dqdmeznkiygrjv.com
hgdazksaghsagf.com
hljfvdmlhot.com
igaftxinblhu.com
mqpljbgkczm.com
nnkmgbvthwxhg.com
pozxzlmrzexlzbn.com
suqitian commented
- The PRNG uses the RDTSC instruction, which makes the generated domains unpredictable.
; PRNG: lagged multiply/add generator over three state words (the qword at 41000C,
; the dwords at 410014 and 410018) with the raw time-stamp counter added into the
; state on every call. Because RDTSC is folded in each time, the output stream cannot
; be reproduced from the initial state alone, so the domains this feeds cannot be
; precomputed into a blocklist; detection has to key on the domain structure
; (10-15 letters a-z, .com) rather than on a generated list.
; No arguments; returns a 32-bit value in eax; clobbers ecx/edx.
syshost:004071AE PRNG proc near
syshost:004071AE rdtsc                                  ; edx:eax = CPU time-stamp counter (fresh on every call)
syshost:004071B0 mov ecx, eax                           ; ecx = TSC low dword
syshost:004071B2 mov eax, off_410018                    ; eax = state word at 410018 (IDA's off_ label; used as an integer here)
syshost:004071B7 push esi
syshost:004071B8 mov esi, edx                           ; esi = TSC high dword
syshost:004071BA mov edx, offset unk_36A6E006           ; edx = 36A6E006h; almost certainly a multiplier constant that IDA mislabeled as an address
syshost:004071BF mul edx                                ; edx:eax = [410018] * 36A6E006h (64-bit product)
syshost:004071C1 add ecx, eax                           ; ecx = TSC.lo + product.lo
syshost:004071C3 mov eax, off_410014                    ; eax = state word at 410014
syshost:004071C8 adc esi, edx                           ; esi = TSC.hi + product.hi + carry
syshost:004071CA xor edx, edx                           ; edx = 0 so the adc below only propagates the carry
syshost:004071CC add ecx, dword ptr qword_41000C+4      ; ecx += high dword of the qword at 41000C
syshost:004071D2 mov off_410018, eax                    ; [410018] = old [410014]  (state words shift down one slot)
syshost:004071D7 mov eax, dword ptr qword_41000C        ; eax = old low dword of the qword at 41000C
syshost:004071DC adc esi, edx                           ; esi += carry from the add above
syshost:004071DE mov off_410014, eax                    ; [410014] = old low dword of [41000C]
syshost:004071E3 mov dword ptr qword_41000C+4, esi      ; new qword at 41000C = esi:ecx
syshost:004071E9 mov dword ptr qword_41000C, ecx
syshost:004071EF mov eax, ecx                           ; return value = low dword of the new state qword
syshost:004071F1 pop esi
syshost:004071F2 retn
unsigned int __cdecl range(unsigned int a1, unsigned int a2)
{
    // Hex-Rays rendering of the sample's bounded-random helper: returns a value in
    // [a1, a2] drawn from PRNG, or 0 when the bounds are inverted (a1 > a2).
    // PRNG (see the disassembly above) folds RDTSC into its state on every call, so
    // the lengths and letters obtained through this helper cannot be reproduced
    // from a seed.
    if ( a1 > a2 )
        return 0;
    unsigned int span = a2 - a1 + 1;                    // number of values in [a1, a2]
    // PRNG's int result is converted to unsigned by the usual arithmetic conversions
    // before the modulo, exactly as in the decompiled form. The only callers on the
    // page pass (10, 15) and ('a', 'z'); span wraps to 0 (division by zero) only for
    // a1 == 0 and a2 == UINT_MAX, which no visible caller does.
    return a1 + ((int (*)(void))PRNG)() % span;
}
int __stdcall DGA(int a1)
{
  // Hex-Rays output from the sample (syshost). Builds one domain of the form
  // <10..15 lowercase letters>.com as a 16-bit-character (wide) string and hands it
  // to sub_40C258; a1 indexes the global table dword_410AD0 that receives a result.
  // Every letter and the length come from range() -> PRNG, and PRNG folds RDTSC into
  // its state on each call, so the output cannot be regenerated offline.
  unsigned int v1; // esi@1   -- number of letters written so far (also the index of '.')
  int domain_len; // edi@1
  int v3; // eax@3
  int v4; // ST18_4@4
  // domain, v7 and v8 are one contiguous 64-element __int16 buffer starting at
  // [sp+8h] (1 + 1 + 62 slots, ending where v9 begins at [sp+88h]); the decompiler
  // split it into three locals because of how the code indexes it.
  __int16 domain; // [sp+8h] [bp-84h]@2
  __int16 v7; // [sp+Ah] [bp-82h]@3
  __int16 v8[62]; // [sp+Ch] [bp-80h]@3
  int v9; // [sp+88h] [bp-4h]@3   -- out-value filled in by sub_40C258
  v1 = 0;
  domain_len = ((int (__cdecl *)(signed int, signed int))range)(10, 15);
  // range(10, 15) returns 0 only when lo > hi, so this guard is effectively always
  // taken; it is the decompiler's rendering of a do/while loop.
  if ( domain_len )
  {
    do
      *(&domain + v1++) = ((int (__cdecl *)(signed int, signed int))range)('a', 'z'); // buf[v1] = random 'a'..'z'
    while ( v1 < domain_len );
  }
  // Append ".com" and a 16-bit NUL. &domain + v1, &v7 + v1 and v8[v1] are buf[v1],
  // buf[v1+1], buf[v1+2]; byte offset 2*v1+6 from domain (resp. v7) is buf[v1+3]
  // (resp. buf[v1+4]). Longest result is 15 + 4 chars + NUL = 20 of the 64 slots.
  *(&domain + v1) = '.';
  *(&v7 + v1) = 'c';
  v8[v1] = 'o';
  v3 = 2 * v1 + 6;
  *(__int16 *)((char *)&domain + v3) = 'm';
  *(__int16 *)((char *)&v7 + v3) = 0;
  // NOTE(review): sub_40C258, sub_40C252 and dword_410AD0 are not on the page. What
  // is visible: the wide-string buffer, the constants 1 and 192 and the address of v9
  // are passed; on a zero return the dword at v9+24 is stored at dword_410AD0[a1] and
  // sub_40C252(v9, 1) is then called. Its purpose (presumably some lookup on the
  // domain) is an inference to confirm in the disassembly.
  if ( !sub_40C258(&domain, 1, 192, 0, &v9, 0) )
  {
    v4 = v9;
    dword_410AD0[a1] = *(_DWORD *)(v9 + 24);
    sub_40C252(v4, 1);
  }
  return 0; // unconditional; the caller cannot tell from the return whether the lookup succeeded
}