new DGA from unnamed downloader

README.md

@@ -36,3 +36,4 @@ gozi | Gozi | Ursnif, Snifula, Papras | [link](http://www.govcert.admin.ch/blog/
 qadars | Qadars | | [link](https://www.johannesbader.ch/2016/04/the-dga-of-qadars/)
 sisron | Sisron | TOMB, Win32/Agent.WRQ, Trojan.Scar |  [link](https://www.johannesbader.ch/2016/06/the-dga-of-sisron/)
 proslikefan | Proslikefan | | [link](https://johannesbader.ch/2016/06/proslikefan/) 
+unnamed_downloader | Unnamed Downloader | | 

unnamed_downloader/dga.py

@@ -0,0 +1,22 @@
+"""
+    DGA of sample:
+    md5:         e66e3879700f88182bd92c7d3a00e9e4
+    sha256:      0f3af9d2d7ca113704f4411185518ab41a63e8003b7e06ff21f805f11af50ab7
+    malwr:       https://malwr.com/analysis/OThiMWQ1ZTE2OThkNDU4MmI2Y2U0YzE0MjdjOWVmNDk/
+    virustotal:  https://virustotal.com/en/file/0f3af9d2d7ca113704f4411185518ab41a63e8003b7e06ff21f805f11af50ab7/analysis/1471447632/
+"""
+
+from itertools import permutations
+
+"""
+    hardcoded seed in binary
+    seed in sample is already sorted, but malware will sort the seed
+    to get all permutations in lexicographical order
+"""
+seed = "ddktn"
+
+for p in permutations(''.join(sorted(seed))):
+    print("{}.github.io".format(''.join(p)))
+    """ malware tries to download the file at:
+        <subdomain>.github.io/c2/config.dat
+    """

unnamed_downloader/example_domains.txt

@@ -0,0 +1,120 @@
+ddknt.github.io
+ddktn.github.io
+ddnkt.github.io
+ddntk.github.io
+ddtkn.github.io
+ddtnk.github.io
+dkdnt.github.io
+dkdtn.github.io
+dkndt.github.io
+dkntd.github.io
+dktdn.github.io
+dktnd.github.io
+dndkt.github.io
+dndtk.github.io
+dnkdt.github.io
+dnktd.github.io
+dntdk.github.io
+dntkd.github.io
+dtdkn.github.io
+dtdnk.github.io
+dtkdn.github.io
+dtknd.github.io
+dtndk.github.io
+dtnkd.github.io
+ddknt.github.io
+ddktn.github.io
+ddnkt.github.io
+ddntk.github.io
+ddtkn.github.io
+ddtnk.github.io
+dkdnt.github.io
+dkdtn.github.io
+dkndt.github.io
+dkntd.github.io
+dktdn.github.io
+dktnd.github.io
+dndkt.github.io
+dndtk.github.io
+dnkdt.github.io
+dnktd.github.io
+dntdk.github.io
+dntkd.github.io
+dtdkn.github.io
+dtdnk.github.io
+dtkdn.github.io
+dtknd.github.io
+dtndk.github.io
+dtnkd.github.io
+kddnt.github.io
+kddtn.github.io
+kdndt.github.io
+kdntd.github.io
+kdtdn.github.io
+kdtnd.github.io
+kddnt.github.io
+kddtn.github.io
+kdndt.github.io
+kdntd.github.io
+kdtdn.github.io
+kdtnd.github.io
+knddt.github.io
+kndtd.github.io
+knddt.github.io
+kndtd.github.io
+kntdd.github.io
+kntdd.github.io
+ktddn.github.io
+ktdnd.github.io
+ktddn.github.io
+ktdnd.github.io
+ktndd.github.io
+ktndd.github.io
+nddkt.github.io
+nddtk.github.io
+ndkdt.github.io
+ndktd.github.io
+ndtdk.github.io
+ndtkd.github.io
+nddkt.github.io
+nddtk.github.io
+ndkdt.github.io
+ndktd.github.io
+ndtdk.github.io
+ndtkd.github.io
+nkddt.github.io
+nkdtd.github.io
+nkddt.github.io
+nkdtd.github.io
+nktdd.github.io
+nktdd.github.io
+ntddk.github.io
+ntdkd.github.io
+ntddk.github.io
+ntdkd.github.io
+ntkdd.github.io
+ntkdd.github.io
+tddkn.github.io
+tddnk.github.io
+tdkdn.github.io
+tdknd.github.io
+tdndk.github.io
+tdnkd.github.io
+tddkn.github.io
+tddnk.github.io
+tdkdn.github.io
+tdknd.github.io
+tdndk.github.io
+tdnkd.github.io
+tkddn.github.io
+tkdnd.github.io
+tkddn.github.io
+tkdnd.github.io
+tkndd.github.io
+tkndd.github.io
+tnddk.github.io
+tndkd.github.io
+tnddk.github.io
+tndkd.github.io
+tnkdd.github.io
+tnkdd.github.io