Benign DGA of TeleRU #50

suqitian opened this issue Feb 27, 2019 · 1 comment

@suqitian (Member):
  • MD5
    b24b8cf072c778a4133db02716a82466
    6aca8624257a0d24be706a8ab31e8aa5

  • Domains from our mobile sandbox on 2019-02-08 11:23:53

93b375dd6cd9f2704d613d1016dbe0f2.info
93b375dd6cd9f2704d613d1016dbe0f2.tk
afcc0c1f4b9fd590a61ba1c24b49b525.ga
afcc0c1f4b9fd590a61ba1c24b49b525.info
afcc0c1f4b9fd590a61ba1c24b49b525.ml
afcc0c1f4b9fd590a61ba1c24b49b525.online
bbc16e2659b9b9b5128c2f7e5877d29b.cf
bbc16e2659b9b9b5128c2f7e5877d29b.ga
bbc16e2659b9b9b5128c2f7e5877d29b.gq
bbc16e2659b9b9b5128c2f7e5877d29b.info
bbc16e2659b9b9b5128c2f7e5877d29b.ml
bbc16e2659b9b9b5128c2f7e5877d29b.tk
bbc16e2659b9b9b5128c2f7e5877d29b.top
f62b550a0e5e4f234fdd30c927665c91.ga
f62b550a0e5e4f234fdd30c927665c91.gq
f62b550a0e5e4f234fdd30c927665c91.ml
f62b550a0e5e4f234fdd30c927665c91.online
f62b550a0e5e4f234fdd30c927665c91.tk
f62b550a0e5e4f234fdd30c927665c91.xyz
@suqitian (Member, Author):
  • Our first observed Android APK-related DGA. Thanks to my colleague LiangJinjin for reversing and implementing the DGA.
  • TLDs
    cf, tk, xyz, top, online, info, gq, ga, ml
  • Number of domains
    36
  • DGA in Python
import hashlib
from datetime import datetime
from math import ceil
import argparse
import time

def week_of_month(ts):
    # Week index of ts.day inside its month, counting Monday as the first
    # weekday: weekday() of the 1st gives the offset of that first week
    offset = ts.replace(day=1).weekday()
    return int(ceil((ts.day + offset) / 7.0))

def dga(date, nr, length):
    # `length` is accepted for interface compatibility with the other DGA
    # scripts but unused: the SLD is always the 32-char MD5 hex digest
    domains = list()
    tlds = ["cf", "tk", "xyz", "top", "online", "info", "gq", "ga", "ml"]
    name = "org.teleru"

    year  = date.year
    month = date.month
    day   = date.day
    wom   = week_of_month(date)

    # Four seeds of increasing granularity: "org.teleru.YYYY",
    # "org.teleru.YYYY.MM", "org.teleru.YYYY.MM.WW", "org.teleru.YYYY.MM.WW.DD";
    # each MD5 is paired with all 9 TLDs, giving 4 * 9 = 36 domains per day
    param = [year, month, wom, day]

    idx = 0
    for i in range(len(param)):
        s = (i+1) * ".%02d"
        s = s % tuple(param[:i+1])
        s = name + s
        # hashlib needs bytes on Python 3 (the original was Python 2 code)
        s = hashlib.md5(s.encode("ascii")).hexdigest()
        for j in tlds:
            domains.append("%s.%s" % (s, j))
            idx += 1
            if idx >= nr:
                return domains
    return domains

if __name__=="__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--time', type=int, default=int(time.time()),
                        help="Seconds since January 1, 1970 UTC (default: now)")
    parser.add_argument("-n", "--nr", type=int, default=36,
                        help="nr of domains to generate (default: 36, the full daily set)")
    parser.add_argument("-l", "--len", type=int, default=32,
                        help="Length of SLD (ignored: always 32 hex chars)")
    args = parser.parse_args()

    d = datetime.utcfromtimestamp(args.time)

    domains = dga(d, args.nr, args.len)
    for dn in domains:
        print(dn)
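Because this generator belongs to a benign app, the practical use of the reversed algorithm on the defender side is the opposite of the usual DGA case: pre-compute the day's 36 domains and allow-list them so the md5-looking lookups do not page anyone as malware C2. The following is an added example, not the issue's script or any TeleRU code. It re-implements the seed construction described above (org.teleru.YYYY, .YYYY.MM, .YYYY.MM.WW, .YYYY.MM.WW.DD, MD5, nine TLDs), builds the set over a small date window to tolerate clock skew, and tags constructed DNS log lines by exact match. The "timestamp client qname" log layout, the sample lines and the decoy qnames are assumptions made for the example.

```python
import hashlib
from datetime import date, timedelta
from math import ceil

TLDS = ("cf", "tk", "xyz", "top", "online", "info", "gq", "ga", "ml")
PREFIX = "org.teleru"
SAMPLE_DAY = date(2019, 2, 8)  # the day of the sandbox observation in the issue


def week_of_month(d):
    """Week index of d within its month, Monday-first, as in the issue's script."""
    offset = d.replace(day=1).weekday()
    return int(ceil((d.day + offset) / 7.0))


def seeds_for(d):
    """The four seed strings for one day, coarse to fine:
    org.teleru.YYYY, .YYYY.MM, .YYYY.MM.WW, .YYYY.MM.WW.DD"""
    parts = (d.year, d.month, week_of_month(d), d.day)
    return [PREFIX + "".join(".%02d" % p for p in parts[:i + 1])
            for i in range(len(parts))]


def domains_for(d):
    """All 36 candidate domains (4 MD5 SLDs x 9 TLDs) for one day."""
    out = set()
    for seed in seeds_for(d):
        sld = hashlib.md5(seed.encode("ascii")).hexdigest()
        out.update("%s.%s" % (sld, tld) for tld in TLDS)
    return out


def domains_for_window(start, days):
    """Union of the daily sets over [start, start + days). The yearly, monthly
    and weekly seeds repeat across days, so the set grows by far fewer than 36
    entries per extra day; precompute it once per window rather than hashing
    on every log line."""
    out = set()
    for i in range(days):
        out |= domains_for(start + timedelta(days=i))
    return out


# Constructed DNS log lines in an assumed "timestamp client qname" layout (not
# real sandbox output). The first two qnames are taken from the issue's
# 2019-02-08 list; the last two are decoys: a legitimate Telegram API host and
# a 32-hex SLD on a free TLD that this generator never produces.
SAMPLE_LOG = """\
2019-02-08T11:23:53Z 10.0.0.17 bbc16e2659b9b9b5128c2f7e5877d29b.info
2019-02-08T11:23:54Z 10.0.0.17 f62b550a0e5e4f234fdd30c927665c91.xyz
2019-02-08T11:23:55Z 10.0.0.17 api.telegram.org
2019-02-08T11:23:56Z 10.0.0.42 0123456789abcdef0123456789abcdef.cf
"""


def tag_dns_log(log_text, allow):
    """Split log lines into (benign_teleru, other) by exact qname match against
    the precomputed set. Exact match only: a heuristic that whitelists any
    32-hex SLD on a free TLD would also swallow the decoy, which is exactly the
    kind of lookup a real DGA would produce."""
    benign, other = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        qname = line.split()[-1].rstrip(".").lower()
        (benign if qname in allow else other).append(line)
    return benign, other


if __name__ == "__main__":
    # one day either side of the observation day absorbs sandbox/client clock skew
    allow = domains_for_window(SAMPLE_DAY - timedelta(days=1), 3)
    benign, other = tag_dns_log(SAMPLE_LOG, allow)
    print("seeds for %s: %s" % (SAMPLE_DAY, seeds_for(SAMPLE_DAY)))
    print("%d allow-listed domains in window" % len(allow))
    print("%d TeleRU lookups, %d other" % (len(benign), len(other)))
```

Feeding the full sandbox list from the issue through tag_dns_log with the set for 2019-02-08 is the quickest way to confirm that the reversed generator reproduces what was observed; any line that lands in "other" is either a different seed convention (week-of-month or timezone) or not TeleRU at all.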

@suqitian suqitian changed the title Benign DGA from Telegram Benign DGA ofTelegram Feb 27, 2019
@suqitian suqitian changed the title Benign DGA ofTelegram Benign DGA of Telegram Feb 27, 2019
@suqitian suqitian changed the title Benign DGA of Telegram Benign DGA of Teleru Feb 27, 2019
@suqitian suqitian changed the title Benign DGA of Teleru Benign DGA of TeleRU Feb 27, 2019