Commit 2f8e988

committed
New DGA of the Ranbyus family
1 parent a2ef2b0 commit 2f8e988

6 files changed

+106
-1
lines changed

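--- a/README.md
+++ b/README.md
@@ -16,7 +16,8 @@ pykspa/precursor | Precursor of Pykspa | | [link](http://johannesbader.ch/201
 pkyspa/improved | Improved Pykspa | | [link](http://johannesbader.ch/2015/03/the-dga-of-pykspa/)
 simda | Simda | Shiz | [link](http://johannesbader.ch/2015/03/the-dga-of-simda-shiz/)
 tinba | Tinba | TinyBanker, Zusy | [link](http://johannesbader.ch/2015/04/new-top-level-domains-for-tinbas-dga/)
-ranbyus | Ranbyus | | [link](http://johannesbader.ch/2015/05/the-dga-of-ranbyus/)
+ranbyus/may | Ranbyus Version 1 | | [link](http://johannesbader.ch/2015/05/the-dga-of-ranbyus/)
+ranbyus/september | Ranbyus Version 2| | [link](http://johannesbader.ch/2015/09/ranbyuss-dga-revisited/)
 nymaim | Nymaim ||
 murofet/v1 | Murofet Variant 1 | LICAT | [link](https://johannesbader.ch/2015/09/three-variants-of-murofets-dga/)
 murofet/v2 | Murofet Variant 2 | LICAT | [link](https://johannesbader.ch/2015/09/three-variants-of-murofets-dga/)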

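--- a/corebot/dga.py
+++ b/corebot/dga.py
@@ -2,6 +2,7 @@
 from datetime import datetime
 
 r = 0x1DB98930
+r = 0x1DBA8930
 len_l = 0xC
 len_u = 0x18
 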
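Review bot: The added `r = 0x1DBA8930` sits directly under the existing `r = 0x1DB98930`, so the earlier assignment is now dead code and a reader cannot tell whether both seeds are still seen in samples or the first one is obsolete. If the generated list is used for detection or blocklisting, silently dropping a seed also drops its domains from coverage. I would keep a single assignment and record the other value explicitly, e.g. `r = 0x1DBA8930  # earlier seed: 0x1DB98930`, or take the seed as a command-line option the way the new Ranbyus script in this commit does. The rest of the script is outside the hunk, so how `r` is consumed is not visible here.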

File renamed without changes.
Lines changed: 40 additions & 0 deletions
@@ -0,0 +1,40 @@
1+
jxbdxeyxttdmcjagi.me
2+
iqmadgybfhnrssadm.cc
3+
gdoldaognceaedkke.su
4+
jnbnyrmxmpblfgstk.tw
5+
ucjetnyaitygjidva.net
6+
jejocqwtcbtuymvao.com
7+
stuctjsqfxghcesyw.pw
8+
gfidctymbxiaqyuyk.in
9+
ojrqwrlhesfshawva.me
10+
bqjqvwwjirftwkjel.cc
11+
geaokbyhbipwobgbs.su
12+
lwdxpevnnuywesula.tw
13+
gtbsqbmprvomrqfxk.net
14+
puoxisqhqujojtyiv.com
15+
hywjcxaqyeuwxkgxb.pw
16+
sirafunoeqhbdgplq.in
17+
yrwkhluupptibecuc.me
18+
eguyyqmedxceevjac.cc
19+
idbpxcmgepddjmyqi.su
20+
ncjivathpoitlfkcr.tw
21+
kwobkvkcjsaovhyun.net
22+
gumqftsnxhmtkpnxb.com
23+
erphmciyejfcxjmxp.pw
24+
ctrkfsehysyqwicdp.in
25+
xfwpalpigniuoysyc.me
26+
euxjtulljmitkqafy.cc
27+
viplfswveevnokpwb.su
28+
bmhcdqdxnffqnhjyt.tw
29+
nxmkxdxmmhgfydqto.net
30+
gcrgrwnspktuxqnfs.com
31+
bwuercxgoofjtuetg.pw
32+
kyfscrqqmxyfjhnlj.in
33+
khygvhpwmsnmmekep.me
34+
oygtjnnakklguansa.cc
35+
bflnbgysenbifhkmb.su
36+
nydtahuylrfdjokyc.tw
37+
ucfpxrqcjrivyydwo.net
38+
qvhrubcrjrappaxle.com
39+
tuusskblufagqnjan.pw
40+
bcfuvigfodpidtlmq.in
Lines changed: 63 additions & 0 deletions
@@ -0,0 +1,63 @@
1+
import argparse
2+
from datetime import datetime
3+
4+
def to_little_array(val):
5+
a = 4*[0]
6+
for i in range(4):
7+
a[i] = (val & 0xFF)
8+
val >>= 8
9+
return a
10+
11+
def pcg_random(r):
12+
alpha = 0x5851F42D4C957F2D
13+
inc = 0x14057B7EF767814F
14+
15+
step1 = alpha*r + inc
16+
step2 = alpha*step1 + inc
17+
step3 = alpha*step2 + inc
18+
19+
tmp = (step3 >> 24) & 0xFFFFFF00 | (step3 & 0xFFFFFFFF) >> 24
20+
a = (tmp ^ step2) & 0x000FFFFF ^ step2
21+
b = (step2 >> 32)
22+
c = (step1 & 0xFFF00000) | ((step3 >> 32) & 0xFFFFFFFF) >> 12
23+
d = (step1 >> 32) & 0xFFFFFFFF
24+
25+
data = 32*[None]
26+
data[0:4] = to_little_array(a)
27+
data[4:8] = to_little_array(b)
28+
data[8:12] = to_little_array(c)
29+
data[12:16] = to_little_array(d)
30+
return step3 & 0xFFFFFFFFFFFFFFFF, data
31+
32+
def dga(year, month, day, seed):
33+
x = (day*month*year) ^ seed
34+
tld_index = day
35+
for _ in range(40):
36+
random = 32*[None]
37+
x, random[0:16] = pcg_random(x)
38+
x, random[16:32] = pcg_random(x)
39+
40+
domain = ""
41+
for i in range(17):
42+
domain += chr(random[i] % 25 + ord('a'))
43+
tlds = ["in", "me", "cc", "su", "tw", "net", "com", "pw", "org"]
44+
domain += '.' + tlds[tld_index % (len(tlds) - 1)]
45+
tld_index += 1
46+
yield domain
47+
48+
if __name__=="__main__":
49+
"""
50+
known seeds are:
51+
- 0F0D5BFA
52+
- F2C72B14
53+
"""
54+
parser = argparse.ArgumentParser()
55+
parser.add_argument("-d", "--date", help="date for which to generate domains")
56+
parser.add_argument("-s", "--seed", help="seed as hex string", default="0F0D5BFA")
57+
args = parser.parse_args()
58+
if args.date:
59+
d = datetime.strptime(args.date, "%Y-%m-%d")
60+
else:
61+
d = datetime.now()
62+
for domain in dga(d.year, d.month, d.day, int(args.seed, 16)):
63+
print(domain)
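Review bot: In `dga`, `random[i] % 25 + ord('a')` can never yield 'z' and `tlds[tld_index % (len(tlds) - 1)]` can never select "org", yet nothing in the file says whether these off-by-one moduli are deliberate. If they reproduce the sample's own behaviour (the 40 example domains added in this commit use only eight TLDs, which is consistent with that), comments such as `# % 25, not 26: mirrors the sample, 'z' is never produced` and `# modulus is len(tlds) - 1 as in the sample: "org" is never used` would stop a later cleanup from changing the output and quietly invalidating blocklists built from it. Separately, `pcg_random` allocates `data = 32*[None]` but fills only the first 16 entries, so the slice assignments `random[0:16] = ...` and `random[16:32] = ...` grow `random` to 64 elements with `None` in the tail; `data = 16*[None]` keeps both buffers at the size the code indexes without changing the generated names. The `-d` default of `datetime.now()` is local time, so when comparing against observed traffic it is worth confirming which clock the sample uses, or generating the neighbouring days as well.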
