Johannes Bader baderj
```python
import argparse
import sqlite3 as lite
import os
from collections import defaultdict

def _open_db(db):
    """Open the SQLite database and return (cursor, connection)."""
    try:
        con = lite.connect(db)
        cur = con.cursor()
        return (cur, con)
    except lite.Error as e:
        # the gist preview ends here; re-raise so the caller sees the error
        raise
```
```python
import argparse
"""
Shiotob DGA
Generates domains for the Shiotob malware
- top level domains alternate between '.net' and '.com'
- domains are between 14 and 19 characters long
- domains consist of all letters and digits 123945
"""
```
@baderj
baderj / dga_symmi.asm
Created January 21, 2015 16:22
The DGA of Symmi sample b75f00d7ae2857a3e1cc8f5eb4dc11b9
```asm
10006520 ; =============== S U B R O U T I N E =======================================
10006520
10006520 ; Attributes: bp-based frame
10006520
10006520 ; int __cdecl create_domain(int third_lvl_len, int second_and_top_lvl, size_t type)
10006520 create_domain proc near ; CODE XREF: calls_create_next_url+A30p
10006520 ; sub_1000B530+1A6p ...
10006520
10006520 first_letters = dword ptr -0Ch
10006520 second_letters = dword ptr -8
```

Keybase proof

I hereby claim:

  • I am baderj on github.
  • I am baderj (https://keybase.io/baderj) on keybase.
  • I have a public key whose fingerprint is 7530 7937 A795 95FD AB48 22BB AC3C 4431 B7A7 41E6

To claim this, I am signing this object:

@baderj
baderj / dga.py
Last active August 29, 2015 14:22
Domain Generation Algorithm (DGA) of DirCrypt
```python
# see http://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/
import argparse

class RandInt:
    def __init__(self, seed):
        self.seed = seed

    def rand_int_modulus(self, modulus):
        ix = self.seed
```
@baderj
baderj / murofet_dga.py
Created July 22, 2015 12:34
DGA of Murofet (with support of key)
```python
import hashlib
from datetime import datetime, timedelta
import argparse

def dga(date, key):
    for min17 in range(1020):
        seed = 8*[0]
        seed[0] = (date.year & 0xFF + 0x30) & 0xFF
        seed[1] = date.month & 0xFF
```
@baderj
baderj / dga_shiz.py
Last active September 9, 2015 02:20
DGA of Simda / Shiz
```python
import argparse

def get_domains(nr, how_many):
    # per-variant parameters; the gist preview shows only the first entry
    bases = {
        1: {
            'length': 7,
            'tld': 'com',
            'key': '1676d5775e05c50b46baa5579d4fc7',
            'base': 0x45AE94B2
        },
    }
```
@baderj
baderj / tinba_seeds
Last active September 9, 2015 02:26
Some new seeds for the Tinba (TinyBanker) Domain Generation Algorithm
Tinba Seeds
===========
DGA described here: http://garage4hackers.com/entry.php?b=3086
## Sample 241182633670431857e068736088c737
harddomain: blackfreeqazyio.cc
seed: jc74FlUna852Ji9o
malwr link: https://malwr.com/analysis/OTQ3NjYzNmUyZDQ2NGY2YTk1NDNjNmYxYTdlMmQ1MjM/
```python
import argparse
import sqlite3 as lite
import os

def _open_db(db):
    """Open the SQLite database and return (cursor, connection)."""
    try:
        con = lite.connect(db)
        cur = con.cursor()
        return (cur, con)
    except lite.Error as e:
        # the gist preview ends here; re-raise so the caller sees the error
        raise
```