DGA of Reconyc. Uses unpredictable seeding, but might still be intere…

…sting for testing DGA detection algorithms.
baderj · Jul 19, 2019 · c1169fe · c1169fe
1 parent a8463a3
commit c1169fe
Show file tree

Hide file tree

Showing 4 changed files with 194 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -3,7 +3,7 @@ Johannes Bacher's reversing efforts
 
 ## Overview
 
-Subfolder | Malware Family | Alias | Write-Up
+Subfolder | Malware Family | Alias / Notes | Write-Up
 --------- | -------------- | ----- | ----------
 pizd      |   ??           |       | [link] (https://blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured/)
 newgoz    | newGOZ         | Gameover Zeus, Peer-to-Peer Zeus |   [link](https://johannesbader.ch/2014/12/the-dga-of-newgoz/)
@@ -43,5 +43,6 @@ unnamed_downloader | Unnamed Downloader | |
 chinad | Chinad | | [link](https://github.com/360netlab/DGA/issues/1)
 tempedreve | Tempedreve | | [link](https://github.com/baderj/domain_generation_algorithms/tree/master/tempedreve/images)
 unknown_malware | ? | | 
-pitou | Pitou | | [link](https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf) 
+pitou | Pitou | | [link](https://johannesbader.ch/2019/07/the-dga-of-pitou/)  |
 mydoom | MyDoom | Novarg, Mimail.R, Shimgapi| 
+reconyc | Reconyc | **has unpredictable seeding**  |  
diff --git a/ramnit/dga.py b/ramnit/dga.py
@@ -54,6 +54,7 @@ def get_domains(seed, nr, tlds):
             0C5787AE2
             0FCFFD9E9
             75EA95C2
+            8A0AEC7D
     """
     parser = argparse.ArgumentParser(description="generate Ramnit domains")
     parser.add_argument("seed", help="seed as hex")

diff --git a/reconyc/dga.py b/reconyc/dga.py
@@ -0,0 +1,90 @@
+"""
+    UNPREDICTABLE DGA OF RECONYC
+
+    from sample: d7e3bbdc38aa18b214fed3518798b86b
+    unpacks to:  db0820a974dbea22d981bd39ddb19518
+"""
+
+
+import random
+
+class Mersenne:
+
+    def __init__(self, seed):
+        self.n = 624
+        self.w = 32
+        self.wm = (2**32) - 1
+        self.r = 31
+        self.f = 1812433253
+        self.a = 0x9908B0DF
+        self.u = 11
+        self.s = 7
+        self.t = 15
+        self.d = 0xFFFFFFFF
+        self.b = 0x9D2C5680
+        self.c = 0xEFC60000
+        self.l = 18
+        self.m = 397
+        self.seed = seed
+        self.seed_b = ~seed
+        self.mt = self.n*[0]
+        self.lower_mask = (1 << self.r) - 1
+        self.upper_mask = (1 << self.r)
+
+    def seed_mt(self):
+        self.mt[0] = self.seed
+        for i in range(self.n-1):
+            self.mt[i+1] = (self.f * ((self.mt[i] >> 30) ^ self.mt[i]) + i+1) & self.wm
+
+
+    def extract_number(self):
+        if self.seed != self.seed_b:
+            self.index = self.n + 1
+        if self.index >= self.n:
+            if self.index == self.n + 1:
+                self.seed_mt()
+                self.seed = ~self.seed
+                self.seed_b = self.seed
+            self.twist()
+            self.index = 0
+
+        y = self.mt[self.index]
+        y ^= (y >> self.u) & self.d
+        y ^= (y << self.s) & self.b
+        y ^= (y << self.t) & self.c
+        y ^= (y >> self.l)
+        self.index += 1
+        return y
+
+    def twist(self):
+        for i in range(self.n-1):
+            a = (self.mt[i] & self.upper_mask)
+            b = (self.mt[(i+1) % self.n]) & self.lower_mask
+            x = a + b
+            x = x & self.wm
+            xA = (x >> 1)
+            if x % 2:
+                xA = (xA ^ self.a)
+            self.mt[i] = self.mt[(i+self.m) % self.n] ^ xA
+
+        self.index = 0
+
+
+def randint(mersenne, nr):
+    x = mersenne.extract_number()
+    return (nr*x) >> 32
+
+charset = "iHRYg79zJXaGw1CF5K0d3vZobhAlx6StUBnjOIMpe2yVuPr4sL8DqmQTkEcWNf"
+seed = random.randint(0, 1000*3600*24) 
+
+if __name__ == "__main__":
+    mersenne = Mersenne(seed)
+    for nr in range(100):
+        domain = ""
+        for i in range(10):
+            c = charset[randint(mersenne, len(charset))]
+            domain += c
+        domain += ".com"
+        print(domain)
+
+
diff --git a/reconyc/example_domains.txt b/reconyc/example_domains.txt
@@ -0,0 +1,100 @@
+E5zHail0Mw.com
+gabbvK2o6s.com
+CumpP2A4d7.com
+5eswmwNQyF.com
+lExfSzyuwP.com
+JZpESGsPFF.com
+UmIaRnijeT.com
+sHr0xE9Idm.com
+nYcEX7wlCF.com
+VCiZNQXwpO.com
+jrabA0uADi.com
+2CHRDMJCn8.com
+8Fy9HrI6L0.com
+4iJrMaTQGq.com
+MgejR2qk1Z.com
+5tLcnUK0Fl.com
+8mlV0fuiZe.com
+oDlxd5WMQ6.com
+jPehlf2DZ0.com
+cEo0IpTw3V.com
+dfyYXZFMOF.com
+F7VIjoWcBW.com
+gkS1SKBpsT.com
+OXX1YBqRS2.com
+QMWSaNkfjH.com
+AP6sVH4NjR.com
+TJ8HvEvIHe.com
+Txn7eurrUO.com
+qGBmOt66wl.com
+1n7Qt95D9P.com
+wBDnz3JrUi.com
+AjPVfofkEe.com
+EOCt4xKLAe.com
+cOmD4SwNhr.com
+Sffl6HYLwo.com
+Fd9SWliuje.com
+tV0IB0oumC.com
+it9ig4o1I5.com
+pcrPSf5foc.com
+XbyGBRLUvb.com
+dS5IDfsn3Y.com
+XHCDKw3v1c.com
+oZpxsSC3i9.com
+45VkkHTj80.com
+AVCSmyrWlV.com
+b5PXe4V1NU.com
+bnPuhN9bXi.com
+7emSZAWjNQ.com
+EqSIqS9Xsa.com
+p8MBqpYvkQ.com
+chh8HyJr2d.com
+TIn43nNqTT.com
+yqbR72lnZu.com
+3CR2klxkzV.com
+wNp1bcWoop.com
+gbXGpS0Cns.com
+7BPX12raoE.com
+b2lMenGDo5.com
+zMK6T9EmBs.com
+McLlG9MNQs.com
+DMmch7VFsY.com
+9dIgslL9HG.com
+H1jIWxLxea.com
+4ZrNPi04zF.com
+Gtm7OUmHCL.com
+1r4obCrAyF.com
+2W4LKG1PTZ.com
+xwQDxruNrC.com
+eq9RdwY3vB.com
+zXENFCujRp.com
+qPbLvqM4B1.com
+Zy1NHHGpmh.com
+rWFR5CMMgz.com
+u82VxEPDbw.com
+FbLWj8otmq.com
+GppI6jjFCx.com
+qagdIUTh85.com
+Mc7F9L6ba6.com
+wLIv2cJSDB.com
+4mSUff3NZu.com
+08aj1n4Q3p.com
+dhYUAtqo7S.com
+kbgKJEkMJ8.com
+YD40k2CYJr.com
+CNssgcTcye.com
+8p1do0X3QC.com
+QM7X1Jn1cz.com
+q5GJ8RcOkB.com
+hJ6RiyqdjU.com
+HWksG9v9B5.com
+XoQbJGsWA4.com
+Yje4DGRkxX.com
+2iIk00nDVX.com
+l9Fr9pEwQH.com
+JP7VCIc646.com
+4zjiKxEAkd.com
+KifUbqb7AB.com
+VqimhZ25be.com
+jzBQqH2cxl.com
+2eP8Mh320n.com