Skip to content

Instantly share code, notes, and snippets.

@baderj

baderj/murofet_dga.py

Created July 22, 2015 12:34
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save baderj/3934a19159cff9f5fe89 to your computer and use it in GitHub Desktop.
Save baderj/3934a19159cff9f5fe89 to your computer and use it in GitHub Desktop.
Download ZIP
DGA of Murofet (with support of key)
Raw
murofet_dga.py
import hashlib
from datetime import datetime, timedelta
import argparse
def dga(date, key):
for min17 in range(1020):
seed = 8*[0]
seed[0] = (date.year & 0xFF + 0x30) & 0xFF
seed[1] = date.month & 0xFF
seed[2] = date.day & 0xFF
seed[3] = 0
r = (min17) & 0xFFFFFFFE
for i in range(4):
seed[4+i] = r & 0xFF
r >>= 8
seed_str = ""
for i in range(8):
k = (key >> (8*(i%4))) & 0xFF if key else 0
seed_str += chr((seed[i] ^ k))
m = hashlib.md5()
m.update(seed_str)
md5 = m.digest()
domain = ""
for m in md5:
tmp = (ord(m) & 0xF) + (ord(m) >> 4) + ord('a')
if tmp <= ord('z'):
domain += chr(tmp)
tlds = [".biz", ".info", ".org", ".net", ".com"]
for i, tld in enumerate(tlds):
m = len(tlds) - i
if m == 1 or not min17 % m:
domain += tld
break
print(domain)
if __name__=="__main__":
# known keys 0xD6d7A4BE, 0xDEADC2DE
parser = argparse.ArgumentParser()
parser.add_argument("-d", "--date", help="date for which to generate domains")
parser.add_argument("-k", "--key", help="key", default=None)
args = parser.parse_args()
if args.key:
key = int(args.key, 16)
else:
key = None
if args.date:
d = datetime.strptime(args.date, "%Y-%m-%d")
else:
d = datetime.now()
dga(d, key)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment