new DGA of unknown malware

baderj · baderj · commit 1fb30b98a869 · 2017-09-27T13:29:47.000+02:00
diff --git a/README.md b/README.md
@@ -40,3 +40,4 @@ vawtrak | Vawtrak | | [link](http://www.threatgeek.com/2016/11/vawtrak-dga-round
 unnamed_downloader | Unnamed Downloader | | 
 chinad | Chinad | | [link](https://github.com/360netlab/DGA/issues/1)
 tempedreve | Tempedreve | | [link](https://github.com/baderj/domain_generation_algorithms/tree/master/tempedreve/images)
+unknown_malware | ? | | 
diff --git a/unknown_malware/dga.py b/unknown_malware/dga.py
@@ -0,0 +1,50 @@
+"""
+    Unknown Malware generating 50 DGA domains
+
+    Variant with Prefix "sn":
+
+    md5:    af650c822feea20ed0b2c99d28007fa3
+    sha1:   5adfd2e014a58e1798131ff7644d8df6aa2ecaa5
+    sha256: f21f30279ab4b3d4cf090dc51f199f454d3d42df71223eb67b7481efeef8715f
+
+    Variant with Prefix "al":
+
+    md5:    c05c4c97be77270bd0ea916fbb9e9d6d
+    sha1:   ed6339ff829e54cd813b81c952ce2970b08819d1
+    sha256: 92fd43ee62c1551500e4b604d55dcab88424954776d9a1a6074d5084782a486a
+"""
+
+import argparse
+
+def half_until_smaller_equal_24(nr):
+    while nr > 24:
+        nr = nr >> 1
+    return nr
+
+def getchar(nr):
+    return chr(half_until_smaller_equal_24(nr) + ord('a'))
+
+def gettld(nr):
+    index = half_until_smaller_equal_24(nr)  // 5
+    return [".com", ".org", ".net", ".ru", ".in"][index]
+
+def dga(prefix):
+    if prefix == "sn":
+        primes = [1,7,3,5,11,13]
+    else:
+        primes = [1,3,5,7,11,13]
+    for nr in range(1,51):
+        domain = prefix 
+        for prime in primes: 
+            domain += getchar(prime*nr)
+        domain += gettld(nr)
+        nr += 1
+        yield domain
+
+
+if __name__=="__main__":
+    parser = argparse.ArgumentParser()
+    parser.add_argument("prefix", choices=["sn", "al"])
+    args = parser.parse_args()
+    for domain in dga(args.prefix):
+        print(domain)
diff --git a/unknown_malware/domains_al.txt b/unknown_malware/domains_al.txt
@@ -0,0 +1,50 @@
+albdfhln.com
+alcgkown.com
+aldjpvqt.com
+alemuown.com
+alfpmrnq.org
+algspvqt.org
+alhvrytw.org
+aliyuown.org
+aljnwpyo.org
+alkpmrnq.net
+allqntpr.net
+almspvqt.net
+alntqwrv.net
+alovrytw.net
+alpwsnuy.ru
+alqyuown.ru
+alrmvoxn.ru
+alsnwpyo.ru
+altoxqnp.ru
+alupmrnq.in
+alvpnsor.in
+alwqntpr.in
+alxroups.in
+alyspvqt.in
+almspvru.net
+alntqwrv.net
+alnuqxsv.net
+alovrytw.net
+alovsmtx.net
+alpwsnuy.ru
+alpxtnvm.ru
+alqyuown.ru
+alqyuown.ru
+alrmvoxn.ru
+alrnvpyo.ru
+alsnwpyo.ru
+alsnxqmp.ru
+altoxqnp.ru
+altoyrnp.ru
+alupmrnq.in
+alupmroq.in
+alvpnsor.in
+alvqnsor.in
+alwqntpr.in
+alwqotps.in
+alxroups.in
+alxrouqt.in
+alyspvqt.in
+alyspvqt.in
+almspvru.net
diff --git a/unknown_malware/domains_sn.txt b/unknown_malware/domains_sn.txt
@@ -0,0 +1,50 @@
+snbhdfln.com
+sncogkwn.com
+sndvjpqt.com
+sneomuwn.com
+snfrpmnq.org
+sngvspqt.org
+snhyvrtw.org
+snioyuwn.org
+snjpnwyo.org
+snkrpmnq.net
+snltqnpr.net
+snmvspqt.net
+snnwtqrv.net
+snoyvrtw.net
+snpnwsuy.ru
+snqoyuwn.ru
+snromvxn.ru
+snspnwyo.ru
+sntqoxnp.ru
+snurpmnq.in
+snvspnor.in
+snwtqnpr.in
+snxurops.in
+snyvspqt.in
+snmvspru.net
+snnwtqrv.net
+snnxuqsv.net
+snoyvrtw.net
+snomvstx.net
+snpnwsuy.ru
+snpnxtvm.ru
+snqoyuwn.ru
+snqoyuwn.ru
+snromvxn.ru
+snrpnvyo.ru
+snspnwyo.ru
+snsqnxmp.ru
+sntqoxnp.ru
+sntroynp.ru
+snurpmnq.in
+snurpmoq.in
+snvspnor.in
+snvsqnor.in
+snwtqnpr.in
+snwtqops.in
+snxurops.in
+snxuroqt.in
+snyvspqt.in
+snyvspqt.in
+snmvspru.net
