
From VT: A length of 10-15, a-z. tlds: [com], unpredictable DGA #48

suqitian opened this issue Nov 30, 2018 · 1 comment

@suqitian

  • MD5s
    5bbb6d8c1d27f962427777cdbc1c11d5
    c8e576a095eaf36edeb47175ba9b16f2
    c68151a15a88a0b3cdda1bbcba2aac89

  • Domains

dvzejqipdw.com
lotnptdatj.com
lyrbqcnynrzk.com
ohrhywpjwslk.com
pmcetqvgssvk.com
tfuypxmfgbmh.com
tpchekteer.com
vjxfspyxky.com

ahnmhhaxqmxbaj.com
cjxdzcrmkjdqctl.com
fwlqhjbwjzdavc.com
glzjtshrugau.com
pcjsthmobaxct.com
qrpxcvntrct.com
yppervqsbhtbdux.com
zwekgmilcs.com

dekmubqkuxqhue.com
dqdmeznkiygrjv.com
hgdazksaghsagf.com
hljfvdmlhot.com
igaftxinblhu.com
mqpljbgkczm.com
nnkmgbvthwxhg.com
pozxzlmrzexlzbn.com
@suqitian

  • The PRNG executes the RDTSC instruction on every call, so the generated domains are unpredictable.
; PRNG: updates a 64-bit global state and returns its new low dword.  The raw
; time-stamp counter (rdtsc) is added into the state on every call, so the
; output depends on when the code runs, not only on a seed -- the sequence
; cannot be reproduced offline, which is why these domains cannot be
; pre-computed the way seed-based DGAs can.
syshost:004071AE PRNG proc near
syshost:004071AE rdtsc                              ; edx:eax = CPU time-stamp counter
syshost:004071B0 mov     ecx, eax                   ; ecx = TSC low dword
syshost:004071B2 mov     eax, off_410018            ; eax = global state dword (IDA names it as an offset)
syshost:004071B7 push    esi
syshost:004071B8 mov     esi, edx                   ; esi = TSC high dword
syshost:004071BA mov     edx, offset unk_36A6E006   ; constant 0x36A6E006 -- shown as an offset by IDA, but used as a multiplier below
syshost:004071BF mul     edx                        ; edx:eax = off_410018 * 0x36A6E006 (64-bit product)
syshost:004071C1 add     ecx, eax                   ; low  = TSC_lo + product_lo
syshost:004071C3 mov     eax, off_410014            ; eax = second global state dword
syshost:004071C8 adc     esi, edx                   ; high = TSC_hi + product_hi + carry
syshost:004071CA xor     edx, edx                   ; edx = 0 (also clears CF)
syshost:004071CC add     ecx, dword ptr qword_41000C+4 ; low += high dword of the previous qword_41000C
syshost:004071D2 mov     off_410018, eax            ; shift the state chain: off_410018 <- old off_410014
syshost:004071D7 mov     eax, dword ptr qword_41000C ; eax = low dword of the previous qword_41000C
syshost:004071DC adc     esi, edx                   ; high += carry from the add above (edx is 0)
syshost:004071DE mov     off_410014, eax            ; off_410014 <- old low dword of qword_41000C
syshost:004071E3 mov     dword ptr qword_41000C+4, esi ; store new state high dword
syshost:004071E9 mov     dword ptr qword_41000C, ecx   ; store new state low dword
syshost:004071EF mov     eax, ecx                   ; return value = new low dword
syshost:004071F1 pop     esi
syshost:004071F2 retn

/* Decompiled helper: returns a value in [a1, a2] by reducing one PRNG()
 * output modulo the interval width, or 0 when the interval is empty
 * (a1 > a2).  PRNG is the rdtsc-driven routine listed above, so the result
 * is time-dependent and not reproducible from any seed. */
unsigned int __cdecl range(unsigned int a1, unsigned int a2)
{
  unsigned int result; // eax@2

  if ( a1 <= a2 )
    /* PRNG() is invoked through an int-returning function-pointer cast; the
     * `%` against the unsigned width converts that int to unsigned before the
     * reduction.  If a2 - a1 + 1 wraps to 0 (a1 == 0, a2 == UINT_MAX) this
     * divides by zero -- the callers on this page pass (10, 15) and
     * ('a', 'z'), so the width here is 6 and 26. */
    result = a1 + ((int (*)(void))PRNG)() % (a2 - a1 + 1);
  else
    result = 0;
  return result;
}

/* Decompiled domain builder.  Writes one label of range(10, 15) letters
 * drawn from 'a'..'z', appends ".com" and a terminator, and passes the
 * buffer to an unnamed routine; on that routine's success path one dword of
 * its result is stored in the global table dword_410AD0 at index a1.
 * Every letter comes from range(), i.e. from the rdtsc-driven PRNG, so the
 * domain is not reproducible.  Always returns 0.
 *
 * The frame comments place domain, v7 and v8 at bp-84h, bp-82h and bp-80h:
 * consecutive 2-byte slots that the decompiler split into three variables
 * but which the code addresses as one 64-element __int16 buffer. */
int __stdcall DGA(int a1)
{
  unsigned int v1; // esi@1 -- write index into the 16-bit-char buffer
  int domain_len; // edi@1 -- label length, 10..15
  int v3; // eax@3 -- byte offset of the 'm' slot: 2 * v1 + 6
  int v4; // ST18_4@4
  __int16 domain; // [sp+8h] [bp-84h]@2 -- first slot of the buffer
  __int16 v7; // [sp+Ah] [bp-82h]@3 -- second slot, contiguous with domain
  __int16 v8[62]; // [sp+Ch] [bp-80h]@3 -- remaining 62 slots
  int v9; // [sp+88h] [bp-4h]@3 -- filled by sub_40C258; dereferenced as a pointer below

  v1 = 0;
  domain_len = ((int (__cdecl *)(signed int, signed int))range)(10, 15);
  if ( domain_len ) /* always true here: range(10, 15) yields 10..15 */
  {
    do
      /* each letter is stored as a 16-bit unit: &domain + v1 steps in __int16s */
      *(&domain + v1++) = ((int (__cdecl *)(signed int, signed int))range)('a', 'z');
    while ( v1 < domain_len );
  }
  /* Append ".com" plus terminator.  Because domain, v7 and v8 are adjacent,
   * these five stores land in consecutive slots v1 .. v1+4 of one buffer. */
  *(&domain + v1) = '.';
  *(&v7 + v1) = 'c';
  v8[v1] = 'o';
  v3 = 2 * v1 + 6;
  *(__int16 *)((char *)&domain + v3) = 'm';
  *(__int16 *)((char *)&v7 + v3) = 0; /* 16-bit NUL terminator */
  /* sub_40C258 / sub_40C252 are not shown on this page.  From the arguments
   * and the read at v9+24 this looks like a lookup on the domain whose result
   * record is read once and then released -- TODO confirm against the binary. */
  if ( !sub_40C258(&domain, 1, 192, 0, &v9, 0) )
  {
    v4 = v9;
    dword_410AD0[a1] = *(_DWORD *)(v9 + 24); /* one dword of the result, kept per index a1 */
    sub_40C252(v4, 1);
  }
  return 0;
}
