herrcore/dromedan_dga.py

## dromedan_dga.py
#!/usr/bin/env python
__AUTHOR__ = '@herrcore'
###############################################################################################
##
##  Script to reproduce the DGA for #Dromedan dropper
##  Sample SHA256: f88bc84fea3695cd1da1a315eb09c65f21cfc6b764defc3c8efd94d6c6396e0c
##
##  Another @herrcore production
##
##  And so me put in work work work work work work!
##
#################################################################################################

import argparse
import sys
import os
import json
import re
import uuid
import csv
import datetime
import numpy


class SRand:
    def __init__(self, seed):
        self.ptd = seed

    def rand(self):
        p1 = self.ptd * 214013 + 2531011
        self.ptd = p1
        p2 = p1 >> 16
        return p2 & 0x7fff


#thanks to: http://math.stackexchange.com/questions/536847/how-often-in-years-do-calendars-repeat-with-the-same-day-date-combinations-juli
def get_julian_day_number(J):
    d4 = (J+31741 - (J % 7)) % 146097 % 36524 % 1461
    L = d4/1460
    d1 = ((d4-L) % 365) + L
    WeekNumber = d1/7+1
    return WeekNumber


#thanks to: http://code-highlights.blogspot.ca/2013/01/julian-date-in-python.html
def date_to_julian_day(my_date):
    a = (14 - my_date.month)//12
    y = my_date.year + 4800 - a
    m = my_date.month + 12*a - 3
    return my_date.day + ((153*m + 2)//5) + 365*y + y//4 - y//100 + y//400 - 32045


def get_dga_seed(day, month, year):
    dt = datetime.datetime(year=year, month=month, day=day)
    jd = date_to_julian_day(dt)
    return get_julian_day_number(jd)

def get_domain(dga_seed):
    #generator is just srand with jd as the seed
    srand = SRand(dga_seed)
    domain = ""
    i = 0
    while i < (srand.rand() % 4 + 8):
        v4 = srand.rand() % 0x4B + 0x30
        if (v4 < ord('0') or v4 > ord('9')) and ((v4 - ord('a'))&0xffffffff > 0x19):
            i -= 1
        else:
            domain += chr(v4)
        i +=1
    return domain+ ".ru"


def main():
    parser = argparse.ArgumentParser(description='Generate Dromedan domain for today.')
    subparsers = parser.add_subparsers(help='', dest='subparser_name')

    # create the parser for today
    parser_today = subparsers.add_parser('today', help="Generate domain for today's date.")

    # create the parser for custom
    parser_custom = subparsers.add_parser('custom', help='Generate domain for custom date: dd mm yyy.')
    parser_custom.add_argument("day", type=int, help="Day; format 00")
    parser_custom.add_argument("month", type=int, help="Month; format 00")
    parser_custom.add_argument("year", type=int, help="Year; format 0000")

    args = parser.parse_args()

    if args.subparser_name == "today":
        dt = datetime.datetime.now()
        dga_seed = get_dga_seed(dt.day, dt.month, dt.year)
        print get_domain(dga_seed)

    elif args.subparser_name == "custom":
        dga_seed = get_dga_seed(int(args.day), int(args.month), int(args.year))
        print get_domain(dga_seed)


if __name__ == '__main__':
    main()
	#!/usr/bin/env python
	__AUTHOR__ = '@herrcore'
	###############################################################################################
	##
	## Script to reproduce the DGA for #Dromedan dropper
	## Sample SHA256: f88bc84fea3695cd1da1a315eb09c65f21cfc6b764defc3c8efd94d6c6396e0c
	##
	## Another @herrcore production
	##
	## And so me put in work work work work work work!
	##
	#################################################################################################

	import argparse
	import sys
	import os
	import json
	import re
	import uuid
	import csv
	import datetime
	import numpy



	class SRand:
	def __init__(self, seed):
	self.ptd = seed

	def rand(self):
	p1 = self.ptd * 214013 + 2531011
	self.ptd = p1
	p2 = p1 >> 16
	return p2 & 0x7fff


	#thanks to: http://math.stackexchange.com/questions/536847/how-often-in-years-do-calendars-repeat-with-the-same-day-date-combinations-juli
	def get_julian_day_number(J):
	d4 = (J+31741 - (J % 7)) % 146097 % 36524 % 1461
	L = d4/1460
	d1 = ((d4-L) % 365) + L
	WeekNumber = d1/7+1
	return WeekNumber


	#thanks to: http://code-highlights.blogspot.ca/2013/01/julian-date-in-python.html
	def date_to_julian_day(my_date):
	a = (14 - my_date.month)//12
	y = my_date.year + 4800 - a
	m = my_date.month + 12*a - 3
	return my_date.day + ((153m + 2)//5) + 365y + y//4 - y//100 + y//400 - 32045


	def get_dga_seed(day, month, year):
	dt = datetime.datetime(year=year, month=month, day=day)
	jd = date_to_julian_day(dt)
	return get_julian_day_number(jd)

	def get_domain(dga_seed):
	#generator is just srand with jd as the seed
	srand = SRand(dga_seed)
	domain = ""
	i = 0
	while i < (srand.rand() % 4 + 8):
	v4 = srand.rand() % 0x4B + 0x30
	if (v4 < ord('0') or v4 > ord('9')) and ((v4 - ord('a'))&0xffffffff > 0x19):
	i -= 1
	else:
	domain += chr(v4)
	i +=1
	return domain+ ".ru"


	def main():
	parser = argparse.ArgumentParser(description='Generate Dromedan domain for today.')
	subparsers = parser.add_subparsers(help='', dest='subparser_name')

	# create the parser for today
	parser_today = subparsers.add_parser('today', help="Generate domain for today's date.")

	# create the parser for custom
	parser_custom = subparsers.add_parser('custom', help='Generate domain for custom date: dd mm yyy.')
	parser_custom.add_argument("day", type=int, help="Day; format 00")
	parser_custom.add_argument("month", type=int, help="Month; format 00")
	parser_custom.add_argument("year", type=int, help="Year; format 0000")

	args = parser.parse_args()

	if args.subparser_name == "today":
	dt = datetime.datetime.now()
	dga_seed = get_dga_seed(dt.day, dt.month, dt.year)
	print get_domain(dga_seed)

	elif args.subparser_name == "custom":
	dga_seed = get_dga_seed(int(args.day), int(args.month), int(args.year))
	print get_domain(dga_seed)



	if __name__ == '__main__':
	main()