From PDNS: Another fix length of 7, a-z. tlds: [ru, com] #36
Some new waves were observed recently with

meanwhile, the
There is a DGA in the binary. It generates a new domain every 10 seconds.
The PRNG is seeded with GetTickCount, and the domains are therefore not predictable. The domains look like the hardcoded domains, though, and I think they are used as decoys.
Hi Bader, thanks for pointing this out, and also thanks for sharing so many DGA implementations on GitHub :)
@baderj thanks for sharing this DGA. We see many of them being resolved in our DNS traffic, which may not look like decoys. Do you have any further analysis of this malware? Thanks.
Hello @baderj, could you please share the hash, or even the sample, that this DGA comes from?
I looked at this sample
It unpacks to
Sorry I wasn't clear in my first comment: there is a large list of hardcoded domains with ports that the malware contacts. But in addition to that, there is a DGA that generates domains that look exactly like the hardcoded domains. The seeding of the DGA is done with GetTickCount and is therefore unpredictable. Those DGA domains are generated every 10 seconds.
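As an added illustration (not code from the sample, from the commenters, or from this repository), the following Python models the behaviour described above: a generator that takes a 32-bit GetTickCount-style value as its seed and emits one 7-character a-z label with a ru or com TLD, plus a passive-DNS filter for that shape. The LCG mixing step, the per-domain re-seeding from the tick count, all function names and the sample PDNS lines are assumptions made for this example; the real sample's PRNG is not given in this thread.

```python
import re
from typing import List

# Added illustration of the behaviour described in this thread. The mixing
# function (an LCG), per-domain re-seeding from the tick count, and the sample
# passive-DNS lines are assumptions made for this example; the real sample's
# PRNG and seeding details are not given here.

LABEL_LEN = 7                      # issue title: fixed length of 7, a-z
TLDS = ("ru", "com")               # issue title: tlds [ru, com]
PERIOD_MS = 10_000                 # comment above: one new domain every 10 seconds
DOMAIN_RE = re.compile(r"^[a-z]{7}\.(?:ru|com)$")


def _lcg(state: int) -> int:
    """One 32-bit LCG step (Numerical Recipes constants); a stand-in PRNG."""
    return (1664525 * state + 1013904223) & 0xFFFFFFFF


def dga_domain(tick_count: int) -> str:
    """Derive one domain from a GetTickCount-style seed.

    GetTickCount returns a 32-bit millisecond count since boot, so the seed
    space is 2**32 and depends on the victim's uptime, which is why a
    defender cannot pre-compute the names the way a date-seeded DGA allows.
    """
    state = tick_count & 0xFFFFFFFF
    label = []
    for _ in range(LABEL_LEN):
        state = _lcg(state)
        # use the high bits: the low bits of an LCG have short periods
        label.append(chr(ord("a") + (state >> 16) % 26))
    state = _lcg(state)
    tld = TLDS[(state >> 16) % len(TLDS)]
    return "".join(label) + "." + tld


def dga_stream(first_tick: int, count: int) -> List[str]:
    """Domains an infected host would emit over count periods, assuming it
    re-seeds from the current tick count before each generation."""
    return [dga_domain(first_tick + i * PERIOD_MS) for i in range(count)]


def pdns_candidates(lines: List[str]) -> List[str]:
    """Pick names of the 7 x [a-z] + ru/com shape out of passive-DNS records.

    Expected record format (constructed for this example):
        <timestamp> <qname> <rrtype> <rdata>
    Hardcoded C2 names in this family share the shape, so this selects the
    family's traffic but cannot tell DGA names from the hardcoded list.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        qname = fields[1].lower().rstrip(".")
        if DOMAIN_RE.match(qname):
            hits.append(qname)
    return hits


# Constructed passive-DNS lines for the example (documentation-range IPs).
SAMPLE_PDNS = [
    "2019-05-01T10:00:00Z kqzbwfr.ru. A 192.0.2.10",
    "2019-05-01T10:00:10Z tmvhxoe.com. A 192.0.2.11",
    "2019-05-01T10:00:20Z www.example.com. A 192.0.2.12",
    "2019-05-01T10:00:30Z kqzbwfrx.ru. A 192.0.2.13",   # 8 chars: no match
    "2019-05-01T10:00:40Z kqzbwfr.net. A 192.0.2.14",   # other TLD: no match
    "2019-05-01T10:00:50Z TMVHXOE.COM. A 192.0.2.15",   # case-normalised match
]

if __name__ == "__main__":
    print("same seed, same name:", dga_domain(0) == dga_domain(0))
    print("seeds 10 s apart:", dga_stream(0, 2))
    print("pdns hits:", pdns_candidates(SAMPLE_PDNS))
```

The point of the model is the seeding, not the mixing function: because the seed is the victim's uptime rather than the date, the only way to enumerate candidate names is to try all 2**32 tick values, so a PDNS analyst is left with shape-based filtering as above, and that filter necessarily also matches the hardcoded names that share the shape.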
I found an analysis article on this issue; unfortunately, it is in Chinese.