From sandbox: some APK samples that may have DGA

Question

From sandbox: some APK samples that may have DGA

suqitian opened this issue 5 years ago · comments

MD5
84ca6d8095782351a4063f2efdd35f05
Domains generated on 2019-08-16

523fcc89ff.xyz
d2ab93202c.xyz
022680d291.xyz
327abbdbfb.xyz
b1b7d4c028.xyz
240aa2d6cb.xyz
684f04340c.xyz
ae46c8b0d4.xyz
47f7193ade.xyz
jkq.jkq22.xyz:92
6453146fcc.xyz
0e17bd878e.xyz
0cc51f192e.xyz
82386a7c76.xyz
34b26a1da4.xyz
905d671704.xyz
4112c828d7.xyz
2578fc20d8.xyz
c83c2fea1b.xyz
36258eb458.xyz
7887fa84a3.xyz
adb63ddf45.xyz

suqitian · Answer 1 · Fri Sep 06 2019 15:28:47 GMT+0800 (China Standard Time)

MD5
f6c3168631bc38808cd1efcc7fd6dcda
Domains generated on 2019-08-14

79e30895bd.xyz
846c37f5cc.xyz
e7a1164d45.xyz
3407fd8e7c.xyz
e76895ac4e.xyz
18622cdaa8.xyz
f07dec053e.xyz
91ffdb979f.xyz
641f1e1373.xyz
71256853e7.xyz
c800d3cb6f.xyz
15e9b0c1d4.xyz
139a091804.xyz

suqitian · Answer 2 · Fri Sep 06 2019 15:30:32 GMT+0800 (China Standard Time)

MD5
dfe11de8953b5b3be67b399aa4add742
Domains generated on 2019-08-18

fw0lxa7ti7gvbz2dikry5gc0cfzdnrpba9ut5eqxy859v7q8lnji3.com
mfhw3dmu1ob3sjj62ih6oheh1ja193hoxo7jbs7lxi5l1x97li94q.com
ifyouwantthanhcongyoumusttryhard8andkhongbaogiobocuoc.com
5b4lz0djzei4n44dtacl17n0uep98b8b72n80wd27gzvgpnqyb197.com
ykljfjv3dhh35bmq0rgcln1j2exv7nuodx56sv0tosn28hblney6n.com
w4swwhuepvjfrtndukw2fcjdfjhky7anlx3gh3w91wbiccivmaelw.com
tmb4e0xf92o4rqcpasrqv749r8sh6j0ps1df9fymjqd5y2o0h6fxz.com
xsjk90w3e7zali4l4qshr2np0g98d61zpgjqfqubzixt6ox9az56v.com
vnxg07gepdaag1p0e22zrfo9f52sl9d1jj0g6l8d8lamwk5mrgae5.com
3dfo6a3osveldb7ez3kofypjyd1a4hb10r0emme18vi8j1c3d5j7l.com
b3b9kqwb07xp6448z71d0eag1g1ppmkm4cdytac8huugpiyo26zrx.com
ea4rhiwbw0vun7tnas4cmo0mtp47qevt60x0usixq58jmvsd8b1o0.com
lyz0oyz7nb16mbro33vl3w7cvnmca1b5ana23zzltg3ibycz62usr.com
u7i3xcdn0maabbge0e51hg86mn9pcmbdnlyqlg30d70zpmvpfgpni.com
i7zt2a6snc3zye0ba0u1zirw7kqj05c87h4zdwptl5d5stfuqhhtx.com
u9l276j2rxaob3pjn7tx3kfx98qz41oi5cws001fmccax6yanh3fz.com
z136bdd56nsarn53vfmvreex7tlyvo2o23wzgamnr5k4p8b087fpt.com
7ht7j9geapewfhgbwhxbz1tdeu8o6s3mc7ay397tyg3ov8ioo1pd4.com
wyvtk0l4dujmbfimnc90tca20ahybzseyfy2w5pmmg5a04lzrqt0l.com
axh6a6tyhq2mmg91h5cmo69msbat7impk6dke2kfpw4ja8nw22din.com

Mingkai-Tong · Answer 3 · Thu Oct 10 2019 10:59:28 GMT+0800 (China Standard Time)

how do you confirm whether it's a dga or not? It seems that you confirm dga domains from the network behavior produced by the related sample.

suqitian · Answer 4 · Thu Oct 10 2019 12:32:28 GMT+0800 (China Standard Time)

The samples listed above are not confirmed to has a DGA.
For confirm the sample has a DGA, we need to reverse engineer that sample and implement the DGA in python, such as issue#50.