360netlab/DGA

From sandbox: The DGA of MyDoom

suqitian opened this issue · 3 comments

  • MD5
    5ca475be33c4cb2117837310c43446c0

  • Domains generated on 2019/01/03 in the sandbox

qammswnqrn.info
eawesnrrhs.ws
rqmprewqns.org
wpmsewhnmh.in
rhhwmqqsqh.org
hsnmqqhpna.net
nmmmsaqpmh.us
wppnhmqssr.in
qamnewnrrn.info
heswwrahna.net
qhnppspnma.info
wawwrwqaqh.in
rsrapqrwna.org
eprqerqwns.ws
rnrswahmsa.org
hnqrsapmnn.net
narpqrehqs.us
mppqprmnnr.in
arshsernqa.com
wrerrqpseh.in
rhhhaqanan.org
mnnhwehhsr.in
neepnmhqrn.us
wnhraasnsh.in
asnenehqsa.com
mqwnqqqeeh.in
anqphrhenn.com
hneapamsqh.net
ahneneqamn.com
wmhmqsqsqa.in
arremamwwa.com
hpmespenrn.net
nnesearqra.us
mrrmwsewnn.in
neqehapwhn.us
ewaspmnssh.ws
awrapnpaqn.com
hepeamqrpn.net
prpmaawpsn.in
wrrehreama.in
  • TLDs
    [com, biz, us, net, org, ws, info, in]
  • The number of domains
    51 domains per day
  • Test
$ python dga.py -t `date +%s -d "2019-01-03 09:25:28"`
qammswnqrn.info
eawesnrrhs.ws
rqmprewqns.org
wpmsewhnmh.in
rhhwmqqsqh.org
hsnmqqhpna.net
nmmmsaqpmh.us
wppnhmqssr.in
qamnewnrrn.info
heswwrahna.net
qhnppspnma.info
wawwrwqaqh.in
rsrapqrwna.org
eprqerqwns.ws
rnrswahmsa.org
hnqrsapmnn.net
narpqrehqs.us
mppqprmnnr.in
arshsernqa.com
wrerrqpseh.in
rhhhaqanan.org
mnnhwehhsr.in
neepnmhqrn.us
wnhraasnsh.in
asnenehqsa.com
mqwnqqqeeh.in
anqphrhenn.com
hneapamsqh.net
ahneneqamn.com
wmhmqsqsqa.in
arremamwwa.com
hpmespenrn.net
...

dga.py is here.

  • Python code
'''
    DGA of Mydoom
'''

import argparse
from datetime import datetime

def dga(date, seed, nr, tlds):
    # The 10-letter alphabet is stored XOR-encoded with the 2-byte key 'nj'
    _sld = ['e', 'v', 'l', 'k', 'r', 'd', 'o', 'h', 'l', 'p']
    magic = 'nj'
    len_sld = len(_sld)
    for i in range(len_sld):
        for j in range(len(magic)):
            _sld[i] = chr(ord(_sld[i]) ^ ((ord(magic[j]) + i * j) & 0xff))

    # LCG state is seeded from the fixed seed plus the current date
    _seed = seed + date.year + date.month + date.day

    for i in range(nr):
        # the last domain is generated from the bare seed, so it is the same every day
        if i == nr - 1:
            _seed = seed

        _seed = ((_seed * 0x19660d) + 0x3c6ef35f) & 0xffffffff

        sld = ''
        tld = ''
        m = _seed
        for j in range(len_sld):
            idx = m % len_sld
            sld += _sld[idx]
            if j == 0:
                # the first digit also selects the TLD; indexes 7, 8, 9 fall back to the last one
                if idx < 7:
                    tld = tlds[idx]
                else:
                    tld = tlds[-1]

            m = m // len_sld  # integer division (the original relied on Python 2 '/')

        print(sld + '.' + tld)

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--time', help="Seconds since January 1, 1970 UTC")
    parser.add_argument("-n", "--nr", help="nr of domains", type=int, default=51)
    parser.add_argument("-s", "--seed", help="RAND_MAX", default="0xfa8")
    parser.add_argument("-T", "--tlds", help="TLD", default="com-biz-us-net-org-ws-info-in")

    args = parser.parse_args()

    d = datetime.utcfromtimestamp(int(args.time))
    tlds = args.tlds.split('-')
    dga(d, int(args.seed, 16), args.nr, tlds)
  • The other samples
78f9412e51f846dae6c3a6aa9df97ad7
b47326e714ac74ff018dfc69367f8bfb
0de520277a7905d5f61146cb27e88f20
6632b9e147d1037b067bf002ce7b92ab
a674e222c1fcf52211fe6b851bb3082b
76263a4b1bf38efc27dd6073342932a3
a3fae8f07be2ea1baf6e5c59473c1aa8
7123267a2f546c3a1a66c0750900395b
...
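An added example, not part of the issue above or of the 360netlab repository: the same algorithm rewritten as a function that returns the day's domain list instead of printing it, plus a small matcher that checks DNS query log lines against that list so the DGA can be used for detection. The log format (`TIMESTAMP client=IP query=NAME type=A`), the field names and the log lines themselves are constructed for the example; the constants, alphabet table and TLD list are the ones from the issue.

```python
"""
Added example: MyDoom DGA as a library function plus a DNS-log matcher.
Not 360netlab code; the log lines and their format are constructed.
"""
from datetime import date

LCG_MUL = 0x19660d
LCG_INC = 0x3c6ef35f
DEFAULT_SEED = 0xfa8                      # "RAND_MAX" value used by the sample
DEFAULT_TLDS = ['com', 'biz', 'us', 'net', 'org', 'ws', 'info', 'in']
DOMAINS_PER_DAY = 51


def mydoom_alphabet():
    """Decode the XOR-obfuscated 10-letter alphabet (key 'nj', offset i*j)."""
    table = ['e', 'v', 'l', 'k', 'r', 'd', 'o', 'h', 'l', 'p']
    letters = []
    for i, c in enumerate(table):
        v = ord(c)
        for j, k in enumerate('nj'):
            v ^= (ord(k) + i * j) & 0xff
        letters.append(chr(v))
    return ''.join(letters)


def mydoom_domains(day, seed=DEFAULT_SEED, nr=DOMAINS_PER_DAY, tlds=DEFAULT_TLDS):
    """Return the nr domains for `day` (a datetime.date), in generation order."""
    alphabet = mydoom_alphabet()
    base = len(alphabet)
    state = seed + day.year + day.month + day.day
    out = []
    for i in range(nr):
        if i == nr - 1:
            state = seed              # last domain ignores the date: constant every day
        state = (state * LCG_MUL + LCG_INC) & 0xffffffff
        # The SLD is the decimal digits of the 32-bit state, least significant
        # first, mapped through the alphabet; the first digit also picks the TLD
        # (digits 7, 8 and 9 all fall back to the last TLD, as in the sample).
        m, sld, tld = state, '', ''
        for j in range(base):
            idx = m % base
            sld += alphabet[idx]
            if j == 0:
                tld = tlds[idx] if idx < 7 else tlds[-1]
            m //= base
        out.append(sld + '.' + tld)
    return out


def match_dns_log(lines, days):
    """Return (client, qname, day) for each log line whose queried name is a
    DGA domain of one of `days`.  Expected line shape (constructed format):
    'TIMESTAMP client=IP query=NAME type=A'.  Case and a trailing dot are
    normalised before the lookup."""
    watch = {}
    for d in days:
        for dom in mydoom_domains(d):
            watch.setdefault(dom, d)
    hits = []
    for line in lines:
        fields = dict(f.split('=', 1) for f in line.split()[1:] if '=' in f)
        qname = fields.get('query', '').rstrip('.').lower()
        if qname in watch:
            hits.append((fields.get('client'), qname, watch[qname]))
    return hits


SAMPLE_DAY = date(2019, 1, 3)
SAMPLE_LOG = [  # constructed log lines; the DGA names are from the issue's 2019-01-03 list
    '2019-01-03T09:25:28Z client=10.0.0.5 query=qammswnqrn.info type=A',
    '2019-01-03T09:25:29Z client=10.0.0.5 query=EAWESNRRHS.ws. type=A',
    '2019-01-03T09:25:30Z client=10.0.0.7 query=example.com type=A',
    '2019-01-03T09:25:31Z client=10.0.0.9 query=rqmprewqns.org type=A',
]


def demo():
    """Match the constructed log against the 2019-01-03 domain list."""
    return match_dns_log(SAMPLE_LOG, [SAMPLE_DAY])


if __name__ == '__main__':
    for dom in mydoom_domains(SAMPLE_DAY)[:5]:
        print(dom)
    for client, qname, day in demo():
        print(f'{client} queried {qname} (MyDoom DGA domain for {day})')
```

Two properties of the algorithm are worth using on the defence side: the 51st domain is generated from the bare seed, so it does not change from day to day and is the single best sinkhole or block candidate, and the per-day list depends only on the date, so a matcher only needs to pre-compute the lists for the dates covered by the logs (plus a day either side if host clocks may be skewed) rather than keep a large IoC feed.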