domain_generation_algorithms
                                
                                
                                
                            
                            
                            
                        Some results of my DGA reversing efforts
Domain Generation Algorithms
Domain Generation Algorithms (DGAs) of Malware reimplemented in Python.
Overview
banjori (aka MultiBanker 2, BankPatch(er))
Links
Example Domains
- earnestnessbiophysicalohax.com
 - kwtoestnessbiophysicalohax.com
 - rvcxestnessbiophysicalohax.com
 - hjbtestnessbiophysicalohax.com
 - txmoestnessbiophysicalohax.com
 - agekestnessbiophysicalohax.com
 - dbzwestnessbiophysicalohax.com
 - sgjxestnessbiophysicalohax.com
 - igjyestnessbiophysicalohax.com
 - zxahestnessbiophysicalohax.com
 
bazarbackdoor (aka BazarLoader, Team9Backdoor)
Links
- https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/
 - https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/
 
Example Domains
Real DGA:
- adegjkaiggjm.bazar
 - eehhjmejjhjo.bazar
 - dehiildjjiin.bazar
 - ceeiklcjgikn.bazar
 - dceikkdhgikm.bazar
 - bfehjmbkghjo.bazar
 - adegjmaiggjo.bazar
 - dchiikdhjiim.bazar
 - efehikekghim.bazar
 - bdhhjkbijhjm.bazar
 
Buggy DGA:
- _fdgimzkfgio.bazaar
 - e`bfkieedfkk.bazaar
 - efdgikekfgim.bazaar
 - ]begimzgggio.bazaar
 - bbbfhlbgdfhn.bazaar
 - ^ehikizjjikk.bazaar
 - aechimajehio.bazaar
 - ]defiizigfik.bazaar
 - ``geiizeieik.bazaar
 - degfjkdjifjm.bazaar
chinad
Links
Example Domains
- 8f6bacmw30xxv6sc.cn
 - 486txu3yjly0xcmz.ru
 - xmi6x8zg9rkanmyo.info
 - spy1jhdbmvt2ueva.net
 - evybt5gtf2tprvbi.info
 - 7qbys97e3pcw262c.info
 - kz89iy97c7n7vbur.biz
 - zmkvvlsvkbffnuez.ru
 - tr1yy6lxtry1gsts.biz
 - mfq6uwq3p2hvc8zn.cn
 
corebot
Links
Example Domains
- lkhylm0mhyfuhg.ddns.net
 - s63234wluv5v365bwp5.ddns.net
 - afe6mfy23xcxgfa.ddns.net
 - 7rsl1f34sfq0oj3jwvmfa6c.ddns.net
 - ir7l3po0gjy8ypqjm8o.ddns.net
 - 3lgrupwdivsfm2w4kng2iha.ddns.net
 - i8a0q2wdu8otulkfylo2gdq.ddns.net
 - kh1her76avy0qnelivijwd1.ddns.net
 - ubgp1f1han7lu410eh5.ddns.net
 - uliry8knadmpmdm4wti6oro.ddns.net
 
dircrypt
Links
Example Domains
- rauggyguyp.com
 - llullzza.com
 - mluztamhnngwgh.com
 - mycojenxktsmozzthdv.com
 - inbxvqkegoyapgv.com
 - furiararji.com
 - zrkdvzjhse.com
 - wyuhdsdttczd.com
 - hpaxgpkteomjaxywwelr.com
 - mydojltbqjnwailyyoa.com
 
dnschanger (aka Alureon)
Links
Example Domains
- aktklyvbiu.com
 - zgimjzlnrl.com
 - tcfejerekw.com
 - tfaunnjmxt.com
 - ydvlfpkguw.com
 
fobber (aka Tinba v3)
Example Domains
- vhkintjtksyxgjrzz.net
 - btpnxlsfdqbhzazyx.net
 - ukfmknjdenthvktgc.net
 - qupxsrhrmuoinqrit.net
 - gjsbydmrpfzsmnfiu.net
 - indpstqbetcpcqprx.net
 - gwrdmhyjfcpcutmhp.net
 - bwnzcyypcbmnlpfsw.net
 - twkpwfuecvvzcincq.net
 - pdwfuxgnahmgsxhit.net
 
fosniw
Example Domains
- app2.winsoft0.com
 - app2.winsoft1.com
 - app2.winsoft2.com
 - app2.winsoft3.com
 - app2.winsoft4.com
 - app2.winsoft5.com
 - app2.winsoft6.com
 - app2.winsoft7.com
 - app2.winsoft8.com
 - app2.winsoft9.com
 
gozi (aka Ursnif, Snifula, Papras)
Links
Example Domains
- quodpresidentemaxsagit.com
 - pertantumfitusu.com
 - indulgentiarumlicet.com
 - moriblasphemianegocii.com
 - ptribueretnossetnonin.com
 - nonsicordinario.com
 - svivacpecunias.com
 - inestimabiler.com
 - ulpurgatoriopetrum.com
 - papacricognitisipro.com
 
kraken/v1 (aka Bobax, Oderoor)
Links
Example Domains
- ibbwnhgh.mooo.com
 - rbqdxflojkj.mooo.com
 - smhburg.dyndns.org
 - bltjhzqp.dyndns.org
 - clwafrfuuxq.yi.org
 - cffxugijxn.yi.org
 - ivxcxbj.dynserv.com
 - etllejr.dynserv.com
 - otpxmk.mooo.com
 - ejfjyd.mooo.com
 
kraken/v2 (aka Bobax, Oderoor)
Links
Example Domains
- xpdbwuimwag.com
 - nwpegpjtx.com
 - smmyuhxlt.net
 - xjvyvnzivvt.net
 - lvctmusxcyz.tv
 - lvctmusxcyz.tv
 - cjuszcfwo.cc
 - egbmbdey.cc
 - wjxaprgne.com
 - vxbuggxhrgi.com
 
locky
Links
Example Domains
- gegjiimqmlgtdmk.tf
 - pccibcjncnhjn.yt
 - rddipikmrap.us
 - mmhmkqfc.be
 - vkcims.pm
 - qtysmobytagnrv.it
 - suhpqiumpjsv.ru
 - cscffbwbhs.uk
 
m0yv
Links
Time-independent version in dga.py; time-dependent version in dga-td.py.
Example Domains
- pywolwnvd.biz
 - ssbzmoy.biz
 - cvgrf.biz
 - npukfztj.biz
 - przvgke.biz
 - zlenh.biz
 - knjghuig.biz
 - uhxqin.biz
 - anpmnmxo.biz
 - lpuegx.biz
 
monerodownloader
Example Domains
- 31b4bd31fg1x2.org
 - 31b4bd31fg1x2.tickets
 - 31b4bd31fg1x2.blackfriday
 - 31b4bd31fg1x2.hosting
 - 31b4bd31fg1x2.feedback
 - 3f8c8079fd4c5.org
 - 3f8c8079fd4c5.tickets
 - 3f8c8079fd4c5.blackfriday
 - 3f8c8079fd4c5.hosting
 - 3f8c8079fd4c5.feedback
 
murofet/v1 (aka LICAT)
Links
Example Domains
- giywswshrgxcvoqgvrkthmfa.ru
 - xaiqpbprgymbvrwmzgiyprgdsk.com
 - amgqgularpzxeapztxenbx.net
 - pfscijbmthyfiyjgergugtkbqyh.org
 - xglfcmsgorvwfilhmzlcxxvkfege.info
 - rcteqwkequojntibvfyfaluwh.biz
 - mjfqylbiaunffuaeunzdqdwscu.ru
 - qobeylpxgpfknlptukyddqvklztg.com
 - rgwgizukficdgetwsxovtcknwkfm.info
 - betgyaeswxorwcvsdezdupbmb.org
 
murofet/v2 (aka LICAT)
Links
Example Domains
- cmqvvxtppnibli.biz
 - cmqvvxtppnibli.com
 - rloqpoiongsuwyq.net
 - rloqpoiongsuwyq.org
 - zsophzovtfor.info
 - zsophzovtfor.biz
 - nlifthjnbgnfweq.org
 - nlifthjnbgnfweq.com
 - hykpttqsxsmvkoc.info
 - hykpttqsxsmvkoc.org
 
murofet/v3 (aka LICAT)
Links
Example Domains
- nxlya47huo61czerb18o51e11d30i55gycwe31lx.ru
 - jwdzptm69p62izcve41f22k37oyj16g63fqote11.com
 - p42p52nvd50izkqazaqe21lvo21pycqotp22e61.net
 - b28n40i25b68gte41o61dwc19htc29jwgxiqfzbr.org
 - ktirhsn50kzc49b58cyf32fwh14h64dzgxiqcz.info
 - bre41hvc29kri15ewpwdsazjyn40p52kwe21gw.biz
 - n30mwhsoxfqe51j56lunsg13o11hyd60ewf52nu.ru
 - hvcsjxd20mzm29d40nznunta27c29kyi55fun50.com
 - nzosg13oymzg63ntpxaro51btkvfyoshrk27.info
 - czfsn20exg53nzcqcrg43exf62b28p22pyd50lu.org
 
mydoom (aka Novarg, Mimail.R, Shimgapi)
Example Domains
- qehspqnmrn.info
 - mmahaesqar.in
 - pwprhhnqqn.in
 - mrspmramrn.in
 - arphansaqh.com
 - hrhspsrenn.net
 - aepaaemrmn.com
 - wsaehwmnms.in
 - arwrseqssh.com
 - ewamspqwha.ws
 
necurs
Links
Example Domains
- nccojqvabqvkiwhj.mx
 - hoedwwwywnmmbi.ac
 - aeaeneaoinf.mu
 - ccecggc.us
 - mfffpmgtplxbyagbtegh.com
 - thlxuwnadtdtsm.biz
 - edkomqpeufjyafccj.in
 - mxomklaqau.pw
 - nvutiptwteltin.tv
 - nhysbiomr.ir
 
newgoz (aka Gameover Zeus, Peer-to-Peer Zeus)
Links
Example Domains
- xzz3ug32bale1uo60y7xj6rge.com
 - 1hyzmw3l2phycet88hzr2do34.net
 - 2ppq821cfem5m1mdua46pxg7bj.biz
 - unlm9w9l8upy1kdde0kba7ktf.org
 - 1ixhw3p1ncr3cf1pjfrpz14n1u0e.com
 - 1o460ktpdhna1k0lk3ecwujxn.net
 - 183t0wjzlthe51wigptk4rl29.org
 - 1i3ux5a1hj6ndqejmxone45g0v.net
 - 5mcdp71mbutpb1tglu0s4p0lrf.com
 - n3i5yn19w82vmmpxv1k1l4xrjg.org
 
nymaim
Example Domains
- oftbpec.com
 - lotmpwyk.info
 - seikpwq.info
 - bcfatyltdvp.info
 - rfwstgy.com
 - hokybhnf.biz
 - evlovrxuw.net
 - mtzpbzbfvy.info
 - hacckgiakhl.com
 - mosmeuw.net
 
nymaim2
Links
Example Domains
- surfaces-drawing.com
 - shaft-criterion.cc
 - stops-hash.id
 - unitsknowledge.com
 - wiredgraph.tm
 - timelydesignation.co
 - stablelikely.ch
 - stainless-loan.lk
 - wagon-documents.sc
 - trainerprocessors.tk
 
padcrypt
Links
Example Domains
- elkfcfnacacmofdf.com
 - mkmeeefncfnfdmbm.de
 - ffcdcnbmmnaeddcd.com
 - ddkfodnaadmbmofo.co.uk
 - efneboaodnmbecoa.co
 - bafomkfalcfcdkom.info
 - onlmcddadnacfclc.com
 - dcfmddfbobkmafma.com
 - lmmfdccmnnfnmfdl.co
 - kcknconmceeemlnm.com
 
pitou
Links
Example Domains
- koohoavab.net
 - koohoavac.net
 - koohoavad.net
 - koohoavaf.net
 - koohoavag.net
 - koohoavah.net
 - koohoavaj.net
 - koohoavak.net
 - koohoaval.net
 
pizd
Links
Example Domains
- difficultnearly.net
 - dollarnearly.net
 - difficultpossible.net
 - dollarpossible.net
 - eearlynation.net
 - escapenation.net
 - eearlypleasure.net
 - escapepleasure.net
 - eearlynearly.net
 - escapenearly.net
 
proslikefan
Links
Example Domains
- flarvcpk.eu
 - stjneohiod.biz
 - vcevvkc.se
 - qylptiin.info
 - bsvisbttr.com
 - hjiknr.net
 - arpeiezki.org
 - gobqca.ru
 - tivqfahrmxdl.in
 - smutloo.name
 
pushdo
Example Domains
- weafokuggeir.kz
 - sictemuborug.kz
 - cirpicficj.kz
 - geijanmap.kz
 - fuxhuxsabi.kz
 - siclisozdokq.kz
 - sozcoqnafrex.kz
 - qeobifups.kz
 - cokoqdeah.kz
 - latqafbuxwic.kz
 
pykspa/improved
Links
Example Domains
- uammskmq.org
 - jqplflktas.info
 - rybwtr.net
 - uyznvxlof.info
 - gakcmqiw.com
 - wewsvat.net
 - owhadwkskevw.net
 - nkndlzhjgrpc.info
 - isypszqe.net
 - joebbaamoyt.info
 
pykspa/precursor
Links
Example Domains
- llfwhgn.com
 - guqqkaiq.biz
 - wctymo.net
 - lovfjsfox.com
 - oruhbanansnan.cc
 - mkncjk.biz
 - yunonsuiwcymao.net
 - yxpojufqbex.com
 - qhxgzufqbex.cc
 - yywiywiq.biz
 
qadars
Links
Example Domains
- jk9enwhansl2.org
 - sdqfodmf81m7.net
 - 5uro1uzspejk.net
 - ub4hinsduf0p.net
 - zs9ijo1er81u.com
 - 0t67c5arw9yf.net
 - lev41encha38.net
 - 67k1q3c1mr8x.org
 - 7w1yf49irk5m.net
 - gdunwhq7s9qb.org
 
qakbot
Links
Example Domains
- bqkrtxgkmriwsiwcngtivpx.info
 - jdtmfupdyueqeldvhsjzdvzob.net
 - guhmpoxzivhba.com
 - nqqxqhuacaqhzurde.org
 - lgqsqgpqzijwid.info
 - ykolyecdcyk.biz
 - ztvflnxqzpxvpfobv.biz
 - zqrmkpivrbxccawozqwqpfzh.org
 - iqyqwhntrxfeq.org
 - ftadkbomxlnsib.info
 
qsnatch
Links
Example Domains
- t2q2r.cf
 - gc9nz.tk
 - 07tvvc.com
 - 7ubqo.ml
 - 53bcm.de
 - 6zltf.rocks
 - hv7uv.mx
 - nypno.biz
 - qkzccy.net
 - rassb.cn
 
ramnit
Links
Example Domains
- knpqxlxcwtlvgrdyhd.com
 - nvlyffua.com
 - hgyudheedieibxy.com
 - anrylixwcbnjopdd.com
 - vrndmdrdrjoff.com
 - jhghrlufoh.com
 - tqjhvylf.com
 - hufqifjq.com
 - itktxexjghvvxa.com
 - ppyblaohb.com
 
ranbyus/may
Links
Example Domains
- ikwoqkwuajpbyx.com
 - niukpdrluwlfox.pw
 - rcnxisuibbadng.in
 - wbqtidjvsdiwee.me
 - jrdyumcieyipnv.cc
 - yvyfwikedfxitk.su
 - tviurcntxylxnj.tw
 - lycyrvfcemepfm.net
 - epddeukdimbpft.com
 - trbhxhmbsikoaq.pw
 
ranbyus/september
Links
Example Domains
- jxbdxeyxttdmcjagi.me
 - iqmadgybfhnrssadm.cc
 - gdoldaognceaedkke.su
 - jnbnyrmxmpblfgstk.tw
 - ucjetnyaitygjidva.net
 - jejocqwtcbtuymvao.com
 - stuctjsqfxghcesyw.pw
 - gfidctymbxiaqyuyk.in
 - ojrqwrlhesfshawva.me
 - bqjqvwwjirftwkjel.cc
 
reconyc
This DGA has unpredictable seeding, i.e., it uses GetTickCount as the seed. I still list the DGA as it might be useful for testing or training DGA detection algorithms.
Example Domains
- E5zHail0Mw.com
 - gabbvK2o6s.com
 - CumpP2A4d7.com
 - 5eswmwNQyF.com
 - lExfSzyuwP.com
 - JZpESGsPFF.com
 - UmIaRnijeT.com
 - sHr0xE9Idm.com
 - nYcEX7wlCF.com
 - VCiZNQXwpO.com
 
sharkbot
Example Domains
- 64f30398ecda3bbf.xyz
 - f008fc473fddedc4.live
 - cfbadaf0cd7b0ac3.com
 - b8d28386413029fe.store
 - 99c485497c079a09.info
 - 6d54b683fc2cc58f.top
 - abb7547058fef9fb.net
 
shiotob (aka Urlzone, Bebloh)
Links
Example Domains
- wtipubctwiekhir.net
 - rwmu35avqo12tqc.com
 - rskb5bsfhm2fk5h.net
 - rbp9pprrxgflut9.com
 - zzxeyzgy45yy2a.net
 - e3oa4wglvd21xa.com
 - mqmq1hvmtxzjv.net
 - pd4o4wu24vimn.com
 - tlmrzvpbpsqsb.net
 - pbmnz59uzndpo.com
 
simda (aka Shiz)
Links
Example Domains
- gatyfus.com
 - lyvyxor.com
 - vojyqem.com
 - qetyfuv.com
 - puvyxil.com
 - gahyqah.com
 - lyryfyd.com
 - vocyzit.com
 - qegyqaq.com
 - purydyv.com
 
sisron (aka TOMB, Win32/Agent.WRQ, Trojan.Scar)
Links
Example Domains
- mdiwnjiwmtya.com
 - mdewnjiwmtya.com
 - mzewntiwmtya.com
 - mzawntiwmtya.com
 - mjkwntiwmtya.com
 - mjgwntiwmtya.com
 - mjcwntiwmtya.com
 - mjywntiwmtya.com
 - mjuwntiwmtya.com
 - mjqwntiwmtya.com
 
suppobox
Links
Example Domains
- journey
 - destroy
 - against
 - night
 - within
 - effort
 - street
 - better
 - husband
 - little
 
symmi
Links
Example Domains
- ogovugtuipawi.ddns.net
 - afowkaupbabe.ddns.net
 - ipkureleakm.ddns.net
 - hegiruqo.ddns.net
 - luimreim.ddns.net
 - tiakqukoahuvu.ddns.net
 - loelkuanduur.ddns.net
 - agdehukoev.ddns.net
 - giagkuekorla.ddns.net
 - leufiroqipomu.ddns.net
 
tempedreve
Links
Example Domains
- dlbebsga.net
 - enqbgrmt.com
 - xjlwpfnk.info
 - ebabkjcx.org
 - hvisietg.net
 - svyjglen.com
 - glknxfgq.info
 - adoduloh.org
 - jgrxrxwh.net
 - ctmrgbmz.com
 
tinba (aka TinyBanker, Zusy)
Links
Example Domains
- blackfreeqazyio.cc
 - nvfowikhevmy.com
 - nvfowikhevmy.net
 - nvfowikhevmy.in
 - nvfowikhevmy.ru
 - sjhuqlwrqhqx.com
 - sjhuqlwrqhqx.net
 - sjhuqlwrqhqx.in
 - sjhuqlwrqhqx.ru
 - pxqgonyogeee.com
 
tufik
Example Domains
- dbqwpmpnruesywj.com
 - qxxmubfleztlnkx.com
 - rrnywowqgmjvnltg.com
 - rqnjdvzpsmbuw.com
 - utoiopxjrphvoiy.org
 - ttoouemmimnxnmj.com
 - nmjsoourllgveecj.org
 - juprvzxqotonvvs.biz
 - nmjsoourllgveecj.biz
 - dotqwjmhqlushjlo.biz
 
unknown_malware
Example Domains
- albdfhln.com
 - alcgkown.com
 - aldjpvqt.com
 - alemuown.com
 - alfpmrnq.org
 - algspvqt.org
 - alhvrytw.org
 - aliyuown.org
 - aljnwpyo.org
 - alkpmrnq.net
 
unnamed_downloader
Example Domains
- ddknt.github.io
 - ddktn.github.io
 - ddnkt.github.io
 - ddntk.github.io
 - ddtkn.github.io
 - ddtnk.github.io
 - dkdnt.github.io
 - dkdtn.github.io
 - dkndt.github.io
 - dkntd.github.io
 
unnamed_javascript_dga
Links
Example Domains
- rxxeqcoy.cc
 - kmymbyzd.co
 - cfukbzbmg.eu
 - sblwtafc.cc
 - lqdoacat.co
 - dplmjcjic.eu
 - ttukaiwjdx.cc
 - meimklqh.co
 - enmxqcxhtl.eu
 - unmias.cc
 
vawtrak
Links
Example Domains
- usahwutle.com
 - folocnam.com
 - awumsah.com
 - edorwufli.com
 - misocgutlah.com
 - edarwotda.com
 - melarwetdic.com
 - usucnitdohg.com
 - regomseh.com
 - osicnumd.com
 
xmrig_genesis (an XMRig malware using the Bitcoin genesis block as seed)
Example Domains
- 1d78e50d.com
 - 1d78e50d.net
 - 1d78e50d.org
 - 1d78e50d.duckdns.org
 - 2b04216f.com
 - 2b04216f.net
 - 2b04216f.org
 - 2b04216f.duckdns.org
 - 2e1d985c.com
 - 2e1d985c.net
 
zloader
Links
Example Domains
- gdurfdsywubjaaqcqhrh.com
 - vudktykcecigekhtwwqn.com
 - jcaofaekffeojktmpdax.com
 - iiphrhkculpnubvvxnbh.com
 - bjdbpgbjdyredhfyvpie.com
 - wramitvqeojecedajxoj.com
 - ohyjybhogoeoabjqvpie.com
 - fscqtelyeogmxudotlao.com
 - nsdtxvnwtxjwphbuqffe.com
 - bohchavtvhbejwcmekvo.com