
From VT: A length of 10-15, a-z. tlds: [com], unpredictable DGA


  • MD5s
    5bbb6d8c1d27f962427777cdbc1c11d5
    c8e576a095eaf36edeb47175ba9b16f2
    c68151a15a88a0b3cdda1bbcba2aac89

  • Domains

dvzejqipdw.com
lotnptdatj.com
lyrbqcnynrzk.com
ohrhywpjwslk.com
pmcetqvgssvk.com
tfuypxmfgbmh.com
tpchekteer.com
vjxfspyxky.com

ahnmhhaxqmxbaj.com
cjxdzcrmkjdqctl.com
fwlqhjbwjzdavc.com
glzjtshrugau.com
pcjsthmobaxct.com
qrpxcvntrct.com
yppervqsbhtbdux.com
zwekgmilcs.com

dekmubqkuxqhue.com
dqdmeznkiygrjv.com
hgdazksaghsagf.com
hljfvdmlhot.com
igaftxinblhu.com
mqpljbgkczm.com
nnkmgbvthwxhg.com
pozxzlmrzexlzbn.com
  • The PRNG executes the RDTSC instruction on every call and folds the CPU time-stamp counter into its state, so the generated domains are unpredictable.
; PRNG: one step of the malware's generator.  Each call samples the CPU
; time-stamp counter and folds it into a 64-bit state (qword_41000C) plus two
; lagged state dwords (off_410014, off_410018); the new low dword is returned.
; Because the counter differs on every invocation, the output stream cannot be
; reproduced offline, which is what makes this DGA unpredictable.
syshost:004071AE PRNG proc near
syshost:004071AE rdtsc                             ; edx:eax = 64-bit time-stamp counter, fresh on every call
syshost:004071B0 mov     ecx, eax                  ; ecx = TSC low dword
syshost:004071B2 mov     eax, off_410018           ; eax = state dword at 410018 (IDA's "off_" label is misleading: it is used as a multiplicand)
syshost:004071B7 push    esi
syshost:004071B8 mov     esi, edx                  ; esi = TSC high dword
syshost:004071BA mov     edx, offset unk_36A6E006  ; immediate multiplier 0x36A6E006, mislabelled as an offset by IDA
syshost:004071BF mul     edx                       ; edx:eax = state(410018) * 0x36A6E006
syshost:004071C1 add     ecx, eax                  ; low half:  ecx = TSC_lo + product_lo
syshost:004071C3 mov     eax, off_410014           ; eax = state dword at 410014
syshost:004071C8 adc     esi, edx                  ; high half: esi = TSC_hi + product_hi + carry
syshost:004071CA xor     edx, edx                  ; edx = 0, used only to propagate the next carry
syshost:004071CC add     ecx, dword ptr qword_41000C+4 ; ecx += high dword of the 64-bit state
syshost:004071D2 mov     off_410018, eax           ; state(410018) = old state(410014)
syshost:004071D7 mov     eax, dword ptr qword_41000C ; eax = old low dword of the 64-bit state
syshost:004071DC adc     esi, edx                  ; carry from the add above into the high half
syshost:004071DE mov     off_410014, eax           ; state(410014) = old low dword of qword_41000C
syshost:004071E3 mov     dword ptr qword_41000C+4, esi ; new 64-bit state = esi:ecx
syshost:004071E9 mov     dword ptr qword_41000C, ecx
syshost:004071EF mov     eax, ecx                  ; return value = low dword of the new state
syshost:004071F1 pop     esi
syshost:004071F2 retn

// Pick a pseudo-random value in the closed interval [a1, a2] using the
// malware's own PRNG (defined elsewhere; see the disassembly above).
// Returns 0 when the bounds are inverted (a1 > a2).
unsigned int __cdecl range(unsigned int a1, unsigned int a2)
{
  if ( a1 > a2 )
    return 0;

  // Width of the interval; the PRNG output is reduced into it by modulus.
  unsigned int span = a2 - a1 + 1;
  return a1 + ((int (*)(void))PRNG)() % span;
}

// Build one candidate domain and hand it to a lookup routine.  a1 indexes the
// global table dword_410AD0; when the lookup succeeds, a dword taken from the
// lookup result is stored there.  Always returns 0.
int __stdcall DGA(int a1)
{
  unsigned int v1; // esi@1 -- write cursor into the wide-char buffer
  int domain_len; // edi@1
  int v3; // eax@3
  int v4; // ST18_4@4
  // The decompiler evidently split one contiguous 16-bit (wide-char) stack
  // buffer into three locals at consecutive offsets: domain (bp-84h),
  // v7 (bp-82h) and v8 (bp-80h).  All pointer arithmetic below treats them as
  // a single array starting at &domain.
  __int16 domain; // [sp+8h] [bp-84h]@2
  __int16 v7; // [sp+Ah] [bp-82h]@3
  __int16 v8[62]; // [sp+Ch] [bp-80h]@3
  int v9; // [sp+88h] [bp-4h]@3

  v1 = 0;
  // Label length comes from the PRNG-backed range(): 10..15 characters.
  domain_len = ((int (__cdecl *)(signed int, signed int))range)(10, 15);
  if ( domain_len ) // never false for range(10, 15); kept as decompiled
  {
    do
      // One lowercase letter a..z per 16-bit slot.
      *(&domain + v1++) = ((int (__cdecl *)(signed int, signed int))range)('a', 'z');
    while ( v1 < domain_len );
  }
  // Append ".com" plus a NUL terminator.  v7 and v8 alias the slots right
  // after &domain (see the stack offsets above); v3 = 2*(v1+3) is the byte
  // offset used for the last two stores.  At most 15 + 4 + 1 = 20 slots of
  // the 64-slot buffer are written.
  *(&domain + v1) = '.';
  *(&v7 + v1) = 'c';
  v8[v1] = 'o';
  v3 = 2 * v1 + 6;
  *(__int16 *)((char *)&domain + v3) = 'm';
  *(__int16 *)((char *)&v7 + v3) = 0;
  // sub_40C258 takes the wide-char domain and an out-parameter v9; paired
  // with sub_40C252(v9, 1) below it looks like an acquire/release pair,
  // presumably name resolution -- confirm against the import table.  Only a
  // zero return is treated as success.
  if ( !sub_40C258(&domain, 1, 192, 0, &v9, 0) )
  {
    v4 = v9;
    // Copy the dword at offset 24 of the returned object into the per-index
    // global slot; what that dword holds is not visible here.
    dword_410AD0[a1] = *(_DWORD *)(v9 + 24);
    sub_40C252(v4, 1);
  }
  return 0;
}