Created Jan 21, 2015
The DGA of Symmi sample b75f00d7ae2857a3e1cc8f5eb4dc11b9
10006520 ; =============== S U B R O U T I N E =======================================
10006520 ; Attributes: bp-based frame
10006520 ; int __cdecl create_domain(int third_lvl_len, int second_and_top_lvl, size_t type)
;
; Purpose: allocate a buffer, fill it with a pseudo-random label and append the
; caller-supplied string second_and_top_lvl (may be NULL). The buffer pointer is
; returned in eax; nothing in this routine frees it.
;
; Inputs (32-bit x86, Intel syntax, IDA listing):
;   eax (on entry)      hidden register argument, copied to esi and dereferenced
;                       as a pointer to the 32-bit PRNG state. It is not part of
;                       the __cdecl prototype IDA shows above.
;   third_lvl_len       number of letters to generate (only used when type&2 == 0)
;   second_and_top_lvl  pointer to the suffix string, or NULL
;   type                flag bits: bit 1 (value 2) selects the label format,
;                       bit 0 (value 1) suppresses capitalisation
;
; PRNG: state = state * 343FDh + 269EC3h, value = (state >> 16) & 7FFFh.
; These are the constants and the 15-bit output of the Microsoft C runtime
; rand(); it looks like an inlined copy working on the caller's state word.
; Several decisions below test bit 24 of the raw state (1000000h) instead of
; taking a value, so a re-implementation must step the state in exactly the
; same places to stay in sync.
;
; Output shapes, useful when writing detections:
;   type & 2 set   : two upper-case consonants + four decimal digits + suffix
;   type & 2 clear : third_lvl_len letters drawn alternately from the consonant
;                    and vowel tables (order re-rolled every two letters). The
;                    index is taken modulo (table length - 1), so the last entry
;                    of each table ('z' and 'y') never appears on this path.
;                    Unless type & 1 is set, letter 0 is upper-cased and letter 4
;                    is upper-cased when bit 24 of one further PRNG step is set.
;   The consonant table as shown has no 'j'.
;   NOTE(review): the case changes matter for string matching in logs or
;   memory; DNS resolution itself is case-insensitive.
;
10006520 create_domain proc near ; CODE XREF: calls_create_next_url+A30p
10006520 ; sub_1000B530+1A6p ...
10006520 first_letters = dword ptr -0Ch
10006520 second_letters = dword ptr -8
10006520 var_4 = dword ptr -4
10006520 third_lvl_len = dword ptr 8
10006520 second_and_top_lvl= dword ptr 0Ch
10006520 type = dword ptr 10h
10006520 set_nr = edi
10006520 push ebp
10006521 mov ebp, esp
10006523 sub esp, 0Ch ; room for first_letters, second_letters, var_4
10006526 push ebx
10006527 mov ebx, [ebp+third_lvl_len]
1000652A push esi
1000652B mov esi, eax ; esi = pointer to PRNG state (hidden argument in eax)
1000652D xor eax, eax ; eax = 0: suffix length if the suffix pointer is NULL
1000652F test byte ptr [ebp+type], 2
10006533 push set_nr
10006534 jz loc_10006691 ; bit 1 clear -> consonant/vowel label
;
; ---- type & 2 set: "CCdddd" label (third_lvl_len is not used on this path) ----
1000653A mov set_nr, [ebp+second_and_top_lvl] ; edi = suffix pointer
1000653D test set_nr, set_nr
1000653F jz short loc_1000654F
10006541 mov eax, set_nr
10006543 lea edx, [eax+1]
10006546 loc_10006546: ; CODE XREF: create_domain+2Bj
10006546 mov cl, [eax] ; inline strlen: scan for the terminating NUL
10006548 inc eax
10006549 test cl, cl
1000654B jnz short loc_10006546
1000654D sub eax, edx ; eax = strlen(suffix)
1000654F loc_1000654F: ; CODE XREF: create_domain+1Fj
1000654F add eax, 10h ; allocation size = strlen(suffix) + 16
10006552 mov [ebp+type], eax ; the type argument slot is reused to hold the size
10006555 loc_10006555: ; CODE XREF: create_domain+51j
10006555 mov eax, [ebp+type]
10006558 push eax ; size_t
10006559 call _malloc_1
1000655E mov ebx, eax ; ebx = output buffer
10006560 add esp, 4
10006563 test ebx, ebx
10006565 jnz short loc_10006573
10006567 push 1 ; unsigned __int32
10006569 call __sleep_1 ; allocation failed: wait, then retry with no upper bound
1000656E add esp, 4
10006571 jmp short loc_10006555
10006573 ; ---------------------------------------------------------------------------
10006573 loc_10006573: ; CODE XREF: create_domain+45j
10006573 mov eax, [esi] ; PRNG step 1
10006575 imul eax, 343FDh
1000657B add eax, 269EC3h
10006580 mov [esi], eax ; new state is written back to the caller's word
10006582 shr eax, 10h
10006585 and eax, 7FFFh ; eax = 15-bit pseudo-random value
1000658A xor edx, edx ; clear edx before the unsigned divide of edx:eax
1000658C mov ecx, 13h ; 13h = 19 = length of the consonant table
10006591 div ecx ; edx = value mod 19
10006593 movzx edx, byte ptr ds:consonants[edx] ; "bcdfghklmnpqrstvwxz"
1000659A sub dl, 20h ; lower case -> upper case
1000659D mov [ebx], dl ; buf[0] = upper-case consonant
1000659F mov eax, [esi] ; PRNG step 2
100065A1 imul eax, 343FDh
100065A7 add eax, 269EC3h
100065AC mov [esi], eax
100065AE shr eax, 10h
100065B1 and eax, 7FFFh
100065B6 xor edx, edx
100065B8 div ecx ; still mod 19
100065BA mov ecx, 0Ah ; divisor for the four digits that follow
100065BF movzx edx, byte ptr ds:consonants[edx] ; "bcdfghklmnpqrstvwxz"
100065C6 sub dl, 20h
100065C9 mov [ebx+1], dl ; buf[1] = upper-case consonant
100065CC mov eax, [esi] ; PRNG step 3
100065CE imul eax, 343FDh
100065D4 add eax, 269EC3h
100065D9 mov [esi], eax
100065DB shr eax, 10h
100065DE and eax, 7FFFh
100065E3 xor edx, edx
100065E5 div ecx ; edx = value mod 10
100065E7 add dl, 30h ; to ASCII digit
100065EA mov [ebx+2], dl ; buf[2] = digit
100065ED mov eax, [esi] ; PRNG step 4
100065EF imul eax, 343FDh
100065F5 add eax, 269EC3h
100065FA mov [esi], eax
100065FC shr eax, 10h
100065FF and eax, 7FFFh
10006604 xor edx, edx
10006606 div ecx
10006608 add dl, 30h
1000660B mov [ebx+3], dl ; buf[3] = digit
1000660E mov eax, [esi] ; PRNG step 5
10006610 imul eax, 343FDh
10006616 add eax, 269EC3h
1000661B mov [esi], eax
1000661D shr eax, 10h
10006620 and eax, 7FFFh
10006625 xor edx, edx
10006627 div ecx
10006629 add dl, 30h
1000662C mov [ebx+4], dl ; buf[4] = digit
1000662F mov eax, [esi] ; PRNG step 6
10006631 imul eax, 343FDh
10006637 add eax, 269EC3h
1000663C mov [esi], eax
1000663E shr eax, 10h
10006641 xor edx, edx
10006643 and eax, 7FFFh
10006648 div ecx
1000664A add dl, 30h
1000664D mov [ebx+5], dl ; buf[5] = digit
10006650 mov byte ptr [ebx+6], 0 ; terminate the 6-character label
10006654 test set_nr, set_nr ; edi still holds the suffix pointer
10006656 jz short loc_10006688 ; no suffix: return the bare label
10006658 mov eax, set_nr
1000665A mov edx, set_nr
1000665C lea esp, [esp+0] ; leaves esp unchanged (padding before the loop)
10006660 loc_10006660: ; CODE XREF: create_domain+145j
10006660 mov cl, [eax]
10006662 inc eax
10006663 test cl, cl
10006665 jnz short loc_10006660
10006667 sub eax, edx ; eax = strlen(suffix) + 1, the NUL is counted
10006669 lea set_nr, [ebx-1]
1000666C lea esp, [esp+0] ; leaves esp unchanged (padding before the loop)
10006670 loc_10006670: ; CODE XREF: create_domain+156j
10006670 mov cl, [set_nr+1] ; walk edi to the NUL that ends the label
10006673 inc set_nr
10006674 test cl, cl
10006676 jnz short loc_10006670
10006678 mov ecx, eax
1000667A shr ecx, 2
1000667D mov esi, edx ; esi = suffix; the PRNG pointer is no longer needed
1000667F rep movsd ; append suffix and its NUL: dwords first
10006681 mov ecx, eax
10006683 and ecx, 3
10006686 rep movsb ; then the remaining 0-3 bytes
10006688 loc_10006688: ; CODE XREF: create_domain+136j
10006688 pop set_nr
10006689 pop esi
1000668A mov eax, ebx ; return the buffer
1000668C pop ebx
1000668D mov esp, ebp
1000668F pop ebp
10006690 retn
10006691 ; ---------------------------------------------------------------------------
;
; ---- type & 2 clear: consonant/vowel label of third_lvl_len letters ----
10006691 loc_10006691: ; CODE XREF: create_domain+14j
10006691 mov ecx, [ebp+second_and_top_lvl]
10006694 test ecx, ecx
10006696 jz short loc_100066A9 ; NULL suffix: eax is still 0
10006698 mov eax, ecx
1000669A lea edx, [eax+1]
1000669D lea ecx, [ecx+0] ; leaves ecx unchanged (padding before the loop)
100066A0 loc_100066A0: ; CODE XREF: create_domain+185j
100066A0 mov cl, [eax]
100066A2 inc eax
100066A3 test cl, cl
100066A5 jnz short loc_100066A0
100066A7 sub eax, edx ; eax = strlen(suffix)
100066A9 loc_100066A9: ; CODE XREF: create_domain+176j
100066A9 lea set_nr, [eax+ebx+4] ; size = strlen(suffix) + third_lvl_len + 4
100066AD lea ecx, [ecx+0] ; leaves ecx unchanged (padding before the loop)
100066B0 loc_100066B0: ; CODE XREF: create_domain+1AAj
100066B0 push set_nr ; size_t
100066B1 call _malloc_1
100066B6 add esp, 4
100066B9 mov [ebp+var_4], eax ; var_4 = output buffer
100066BC test eax, eax
100066BE jnz short loc_100066CC
100066C0 push 1 ; unsigned __int32
100066C2 call __sleep_1 ; allocation failed: wait, then retry with no upper bound
100066C7 add esp, 4
100066CA jmp short loc_100066B0
100066CC ; ---------------------------------------------------------------------------
100066CC loc_100066CC: ; CODE XREF: create_domain+19Ej
100066CC mov ecx, [esi] ; PRNG step: decides which table supplies the first letter
100066CE imul ecx, 343FDh
100066D4 add ecx, 269EC3h
100066DA mov [esi], ecx
100066DC mov edx, offset consonants ; "bcdfghklmnpqrstvwxz"
100066E1 test ecx, 1000000h ; bit 24 of the raw state, not the 15-bit value
100066E7 jz short loc_100066F5
100066E9 mov [ebp+first_letters], edx ; bit set: consonant first, vowel second
100066EC mov [ebp+second_letters], offset vowels ; "aeiouy"
100066F3 jmp short loc_100066FF
100066F5 ; ---------------------------------------------------------------------------
100066F5 loc_100066F5: ; CODE XREF: create_domain+1C7j
100066F5 mov [ebp+first_letters], offset vowels ; "aeiouy"
100066FC mov [ebp+second_letters], edx ; bit clear: vowel first, consonant second
100066FF loc_100066FF: ; CODE XREF: create_domain+1D3j
100066FF xor ecx, ecx ; ecx = number of letters written so far
10006701 xor set_nr, set_nr ; edi = position inside the current pair (0 or 1)
10006703 test ebx, ebx
10006705 jz loc_10006795 ; third_lvl_len == 0: no letters to generate
1000670B jmp short loc_10006715
1000670B ; ---------------------------------------------------------------------------
1000670D align 10h
10006710 loc_10006710: ; CODE XREF: create_domain+26Fj
10006710 mov edx, offset consonants ; "bcdfghklmnpqrstvwxz"
10006715 loc_10006715: ; CODE XREF: create_domain+1EBj
10006715 cmp set_nr, 2
10006718 jnz short loc_10006748
1000671A mov eax, [esi] ; pair finished: one PRNG step to re-roll the order
1000671C imul eax, 343FDh
10006722 add eax, 269EC3h
10006727 mov [esi], eax
10006729 test eax, 1000000h
1000672E jz short loc_1000673C
10006730 mov [ebp+first_letters], edx
10006733 mov [ebp+second_letters], offset vowels ; "aeiouy"
1000673A jmp short loc_10006746
1000673C ; ---------------------------------------------------------------------------
1000673C loc_1000673C: ; CODE XREF: create_domain+20Ej
1000673C mov [ebp+first_letters], offset vowels ; "aeiouy"
10006743 mov [ebp+second_letters], edx
10006746 loc_10006746: ; CODE XREF: create_domain+21Aj
10006746 xor set_nr, set_nr ; start a new pair
10006748 loc_10006748: ; CODE XREF: create_domain+1F8j
10006748 cmp [ebp+set_nr*4+first_letters], offset vowels ; "aeiouy"
10006750 mov edx, 13h ; table length: 19 consonants ...
10006755 jnz short loc_1000675C
10006757 mov edx, 6 ; ... or 6 vowels
1000675C loc_1000675C: ; CODE XREF: create_domain+235j
1000675C mov eax, [esi] ; PRNG step: one per generated letter
1000675E imul eax, 343FDh
10006764 add eax, 269EC3h
10006769 mov [esi], eax
1000676B shr eax, 10h
1000676E lea ebx, [edx-1] ; divisor = table length - 1, so the last entry is never picked
10006771 and eax, 7FFFh
10006776 xor edx, edx
10006778 div ebx ; edx = value mod (length - 1)
1000677A mov eax, [ebp+set_nr*4+first_letters] ; table for this position: first_letters or second_letters
1000677E mov ebx, [ebp+third_lvl_len] ; ebx was used as the divisor, reload the length
10006781 inc ecx
10006782 inc set_nr
10006783 mov dl, [edx+eax]
10006786 mov eax, [ebp+var_4]
10006789 mov [eax+ecx-1], dl ; buf[ecx-1] = chosen letter
1000678D cmp ecx, ebx
1000678F jb loc_10006710 ; unsigned compare: loop until third_lvl_len letters are written
10006795 loc_10006795: ; CODE XREF: create_domain+1E5j
10006795 test byte ptr [ebp+type], 1
10006799 jnz short loc_100067D7 ; bit 0 set: keep the label all lower case
1000679B add byte ptr [eax], 0E0h ; adding E0h equals subtracting 20h: upper-case buf[0]
1000679E mov ecx, 1
100067A3 xor set_nr, set_nr
100067A5 cmp ebx, ecx
100067A7 jbe short loc_100067D7
100067A9 lea esp, [esp+0] ; leaves esp unchanged (padding before the loop)
100067B0 loc_100067B0: ; CODE XREF: create_domain+2B5j
100067B0 cmp set_nr, 3 ; edi is never reset in this loop, so this matches once, at ecx = 4
100067B3 jnz short loc_100067D1
100067B5 mov edx, [esi] ; one extra PRNG step, taken only when the label has more than 4 letters
100067B7 imul edx, 343FDh
100067BD add edx, 269EC3h
100067C3 mov [esi], edx
100067C5 test edx, 1000000h
100067CB jz short loc_100067D1
100067CD add byte ptr [eax+ecx], 0E0h ; upper-case buf[4]
100067D1 loc_100067D1: ; CODE XREF: create_domain+293j
100067D1 ; create_domain+2ABj
100067D1 inc ecx
100067D2 inc set_nr
100067D3 cmp ecx, ebx
100067D5 jb short loc_100067B0
100067D7 loc_100067D7: ; CODE XREF: create_domain+279j
100067D7 ; create_domain+287j
100067D7 mov ecx, [ebp+second_and_top_lvl]
100067DA mov byte ptr [eax+ebx], 0 ; terminate the label at buf[third_lvl_len]
100067DE test ecx, ecx
100067E0 jz short loc_10006808 ; no suffix: return the bare label
100067E2 mov esi, ecx ; esi = suffix; the PRNG pointer is no longer needed
100067E4 loc_100067E4: ; CODE XREF: create_domain+2C9j
100067E4 mov dl, [ecx]
100067E6 inc ecx
100067E7 test dl, dl
100067E9 jnz short loc_100067E4
100067EB sub ecx, esi
100067ED mov edx, ecx ; edx = strlen(suffix) + 1, the NUL is counted
100067EF lea set_nr, [eax-1]
100067F2 loc_100067F2: ; CODE XREF: create_domain+2D8j
100067F2 mov cl, [set_nr+1] ; walk edi to the NUL that ends the label
100067F5 inc set_nr
100067F6 test cl, cl
100067F8 jnz short loc_100067F2
100067FA mov ecx, edx
100067FC shr ecx, 2
100067FF rep movsd ; append suffix and its NUL: dwords first
10006801 mov ecx, edx
10006803 and ecx, 3
10006806 rep movsb ; then the remaining 0-3 bytes
10006808 loc_10006808: ; CODE XREF: create_domain+2C0j
10006808 pop set_nr ; eax still holds the buffer pointer and is the return value
10006809 pop esi
1000680A pop ebx
1000680B mov esp, ebp
1000680D pop ebp
1000680E retn
1000680E create_domain endp