{
	"id": "be3143b3-92ac-4839-be6c-34392206b5eb",
	"created_at": "2026-04-10T03:21:09.711328Z",
	"updated_at": "2026-04-10T03:22:16.611405Z",
	"deleted_at": null,
	"sha1_hash": "0da2b9dedc8d9fc39efbbea3a1cbd495e2b3ec8d",
	"title": "The DGA of DirCrypt",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91339,
	"plain_text": "The DGA of DirCrypt\r\nArchived: 2026-04-10 02:41:04 UTC\r\nThe DGA\r\nDirCrypt is an inactive ransomware family that uses a Domain Generation Algorithm (DGA) for its callback call. Because I couldn't find the DGA algorithm online, I decided to reverse engineer this sample from malwr.com. I list more samples that use the DGA in the section Samples on malwr.com.\r\nThe DGA of DirCrypt uses a hardcoded seed located in the resource section of the executable. For the examined sample, the seed is stored under the integer resource identifier 0x7D. For my sample, the value of resource identifier 0x7D was 0xF2113C2A.\r\nThe malware passes the seed and the number of distinct domains it wants to generate to a subroutine I called spawn_6_callback_threads.\r\nhttps://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/\r\nPage 1 of 11\r\nThe subroutine creates six callback threads, all getting a pointer to the same structure with seed and number of domains. The routine waits for all six threads to finish before it returns.\r\nThe callback routine callback_loop creates new domains with the routine “the_dga”. The counter dga_nr_of_domains (initialized to 30) is decreased after a new domain is generated. The thread returns when a command-and-control callback is successful or the counter reaches zero. Here is the disassembly of the DGA:\r\nUPX0:0040183B the_dga proc near\r\nUPX0:0040183B\r\nUPX0:0040183B seed = dword ptr 4\r\nUPX0:0040183B domain = dword ptr 8\r\nUPX0:0040183B\r\nUPX0:0040183B push ebx\r\nUPX0:0040183C push esi\r\nUPX0:0040183D push edi\r\nUPX0:0040183E push 20\r\nUPX0:00401840 push 8\r\nUPX0:00401842 lea eax, [esp+14h+seed]\r\nUPX0:00401846 push eax\r\nUPX0:00401847 call rand_int\r\nUPX0:0040184C mov ebx, [esp+0Ch+domain]\r\nUPX0:00401850 mov edi, eax\r\nUPX0:00401852 xor esi, esi\r\nUPX0:00401854 test edi, edi\r\nUPX0:00401856 jbe short loc_40186E\r\nUPX0:00401858\r\nUPX0:00401858 loc_401858:\r\nUPX0:00401858 push 'z'\r\nUPX0:0040185A push 'a'\r\nUPX0:0040185C lea eax, [esp+14h+seed]\r\nUPX0:00401860 push eax\r\nUPX0:00401861 call rand_int\r\nUPX0:00401866 mov [esi+ebx], al\r\nUPX0:00401869 inc esi\r\nUPX0:0040186A cmp esi, edi\r\nUPX0:0040186C jb short loc_401858\r\nUPX0:0040186E\r\nUPX0:0040186E loc_40186E:\r\nUPX0:0040186E push offset a_com ; \".com\"\r\nUPX0:00401873 add edi, ebx\r\nUPX0:00401875 push edi\r\nUPX0:00401876 call strcpy\r\nUPX0:0040187B mov eax, [esp+0Ch+seed]\r\nUPX0:0040187F pop edi\r\nUPX0:00401880 pop esi\r\nUPX0:00401881 pop ebx\r\nUPX0:00401882 retn 8\r\nUPX0:00401882 the_dga endp\r\nUPX0:00401882\r\nwith rand_int being:\r\nUPX0:00404E9E rand_int proc near\r\nUPX0:00404E9E\r\nUPX0:00404E9E seed = dword ptr 4\r\nUPX0:00404E9E lower = dword ptr 8\r\nUPX0:00404E9E upper = dword ptr 0Ch\r\nUPX0:00404E9E\r\nUPX0:00404E9E mov eax, [esp+upper]\r\nUPX0:00404EA2 sub eax, [esp+lower]\r\nUPX0:00404EA6 push eax ; span\r\nUPX0:00404EA7 push [esp+4+seed]\r\nUPX0:00404EAB call rand_mod\r\nUPX0:00404EB0 add eax, [esp+lower]\r\nUPX0:00404EB4 retn 0Ch\r\nUPX0:00404EB4 rand_int endp\r\nand rand_mod being a standard linear congruential generator:\r\nUPX0:00404E6B rand_mod proc near\r\nUPX0:00404E6B\r\nUPX0:00404E6B seed = dword ptr 4\r\nUPX0:00404E6B span = dword ptr 8\r\nUPX0:00404E6B\r\nUPX0:00404E6B mov ecx, [esp+seed]\r\nUPX0:00404E6F mov eax, [ecx]\r\nUPX0:00404E71 xor edx, edx\r\nUPX0:00404E73 push esi\r\nUPX0:00404E74 mov esi, 127773\r\nUPX0:00404E79 div esi\r\nUPX0:00404E7B pop esi\r\nUPX0:00404E7C imul eax, 2836\r\nUPX0:00404E82 imul edx, 16807\r\nUPX0:00404E88 sub edx, eax\r\nUPX0:00404E8A mov eax, [esp+span]\r\nUPX0:00404E8E mov [ecx], edx\r\nUPX0:00404E90 lea ecx, [eax+1]\r\nUPX0:00404E93 mov eax, edx\r\nUPX0:00404E95 xor edx, edx\r\nUPX0:00404E97 div ecx\r\nUPX0:00404E99 mov eax, edx\r\nUPX0:00404E9B retn 8\r\nUPX0:00404E9B rand_mod endp\r\nAs mentioned above, all six threads access — inside a critical section — the same seed and dga_nr_of_domains. Therefore, at most 30 different domains are created. The following Python code generates the 30 domains of the DGA for a given seed:\r\nimport argparse\r\n\r\nclass RandInt:\r\n    def __init__(self, seed):\r\n        self.seed = seed\r\n\r\n    def rand_int_modulus(self, modulus):\r\n        # one step of the LCG from rand_mod above; // keeps the integer division\r\n        # the 32-bit div instruction performs (plain / would yield a float on Python 3)\r\n        ix = self.seed\r\n        ix = 16807*(ix % 127773) - 2836*(ix // 127773) \u0026 0xFFFFFFFF\r\n        self.seed = ix\r\n        return ix % modulus\r\n\r\ndef get_domains(seed, nr):\r\n    r = RandInt(seed)\r\n    for i in range(nr):\r\n        # rand_int(seed, 8, 20): second level domain length between 8 and 20\r\n        domain_len = r.rand_int_modulus(12+1) + 8\r\n        domain = \"\"\r\n        for j in range(domain_len):\r\n            # rand_int(seed, 'a', 'z'): one lower case letter per character\r\n            char = chr(ord('a') + r.rand_int_modulus(25+1))\r\n            domain += char\r\n        domain += \".com\"\r\n        yield domain\r\n\r\nif __name__ == \"__main__\":\r\n    parser = argparse.ArgumentParser(description=\"generate Dircrypt domains\")\r\n    parser.add_argument(\"seed\", help=\"seed as hex\")\r\n    args = parser.parse_args()\r\n    for domain in get_domains(int(args.seed, 16), 30):\r\n        print(domain)\r\nFor example:\r\n$ python dga.py f2113c2a\r\nrauggyguyp.com\r\nllullzza.com\r\nmluztamhnngwgh.com\r\nmycojenxktsmozzthdv.com\r\ninbxvqkegoyapgv.com\r\nfuriararji.com\r\nzrkdvzjhse.com\r\nwyuhdsdttczd.com\r\nhpaxgpkteomjaxywwelr.com\r\nmydojltbqjnwailyyoa.com\r\nwbgzpjfxlxlcvbth.com\r\npibqzedhzwt.com\r\nvlbqryjd.com\r\nnsxdczggybtkdukmyf.com\r\njarjvddjzqrmnepeqwd.com\r\nplxeyaja.com\r\nlfehajeex.com\r\nswtjyuhuefvl.com\r\nftdkuoulfhfudds.com\r\neblgaosyeszzjkbhhdyh.com\r\nafececrkycbeyqm.com\r\nxnloppwhfamkcltuxkif.com\r\nxjjcditjfkgkihfe.com\r\nmblmvrla.com\r\nvxlkofoazme.com\r\nktqyrmiyvnidd.com\r\njsntwyjcv.com\r\nwvquldqwwsttp.com\r\npivzovznpssx.com\r\nggspyfmreouxnhqi.com\r\nThe following table summarizes the properties of the DGA:\r\nproperty | value\r\nseed | hardcoded in resource section of executable\r\ndomains per seed | 30\r\ntested domains | all\r\nsequence | one after another, but DNS queries can occur out of order because six concurrent threads make callback calls\r\nwait time between domains | none\r\ntop level domain | .com for all observed seeds\r\nsecond level characters | lower case letters, picked uniformly at random\r\nsecond level domain length | 8 to 20 characters\r\nSamples on malwr.com\r\nI sifted through all samples on malwr.com where at least one of the virus scanners identified the sample as “DirCrypt”. I then brute forced the seed that leads to the observed domains. Because the callbacks run in six concurrent threads, the domains sometimes appear out of order. Also, some of the DirCrypt samples use an additional hardcoded domain: pdstriker.com, oktendentaries.com or jwuiygpnslht.com (this domain is generated by the DGA, just not with the hardcoded seed).\r\nThe following table lists the md5 hash of the sample (linked to the analysis on malwr.com), the submission date to malwr.com, the used seed, and any additional domains that are not covered by the DGA’s seed. The periodicity of the pseudo random number generator is 2^32/2, or half the number range; therefore, there are two seeds for each sequence of domains.\r\nseed | md5 | date | not covered\r\n18a62b7a, 98a62b79 | 4bb6c6c3f1ad7c2fb6096f6156c1df9b | 10. Jul. 2013 | pdstriker.com\r\n18a62b7a, 98a62b79 | 3c03f0478ed6b0e81397b8e93cd4be90 | 29. Jul. 2013 |\r\n1fcbef63, 9fcbef62 | 339901b416c580d4d6c7fae4a088d2e4 | 28. Aug. 2013 | oktedentaries.com\r\n18a62b7a, 98a62b79 | d224637a6b6e3001753d9922e749d00d | 06. Sep. 2013 |\r\n1a11b7cd, 9a11b7cc | c1c117a8fbcd87b1c52a7c1c8e4bd2c9 | 30. Sep. 2013 |\r\n72113c2b, f2113c2a | dd69a49ab475dafc7246dee9f0f4c877 | 06. Oct. 2013 |\r\n72113c2b, f2113c2a | 42b77df04c7c34294c0e9459550cde9b | 06. Oct. 2013 |\r\n72113c2b, f2113c2a | fa126a680351484beb450053e7ccccd0 | 06. Oct. 2013 |\r\n72113c2b, f2113c2a | e53d4e64930a40a12cd994f2779a11e9 | 07. Oct. 2013 |\r\n1a11b7cd, 9a11b7cc | 7d978608d8fbaf3b756d692fff243450 | 15. Oct. 2013 |\r\n741fd6e2, f41fd6e1 | 70b86fdf69b8059ed4bf12e2a7707ae6 | 23. Oct. 2013 |\r\n72113c2b, f2113c2a | 70d0a1b577dde513a0dfae09722d3ddd | 25. Oct. 2013 |\r\n6c75a989, ec75a988 | 0a807e0a2d29f19c95b313d018e1c2bd | 16. Nov. 2013 |\r\n72113c2b, f2113c2a | a88cfaa2e408df1245d74d0b50531976 | 02. Dec. 2013 |\r\n72113c2b, f2113c2a | 1186590b731d17206c63aadbe5a0484a | 02. Dec. 2013 |\r\n78731d07, f8731d06 | 0e5e8f6edd2c1496614bb6a71ba3f256 | 10. Dec. 2013 | jwuiygpnslht.com (6522e630, e522e62f)\r\n6c75a989, ec75a988 | b2752b6151b6fd8342e68b9bd5aa632b | 11. Dec. 2013 |\r\n6e46566, 86e46565 | f99f10c3a02eff983e99216cd5f54ce9 | 31. Dec. 2013 |\r\n6c75a989, ec75a988 | f7b0ae2f4d669e3705b60fe20a5bbf7a | 08. Jan. 2014 |\r\n1fcbef63, 9fcbef62 | ee3c8b0bbea638e10eda11fa042069e0 | 11. Jan. 2014 | oktedentaries.com\r\n52ce8a67, d2ce8a66 | 80b356b9203d7e494ccc795d15999133 | 19. Apr. 2014 |\r\n22a47ee8, a2a47ee7 | 83f94b0697e3d69c3b219191984620d6 | 22. Apr. 2014 |\r\n52ce8a67, d2ce8a66 | bbc1d7261ee18363aa2677708abeb5a0 | 25. Apr. 2014 |\r\n52ce8a67, d2ce8a66 | 08956c46e09c2375a6ee64313adc9d4a | 26. Apr. 2014 |\r\n52ce8a67, d2ce8a66 | ec92487de0c66ceac950daff102c5576 | 03. May. 2014 |\r\n52ce8a67, d2ce8a66 | b9e7b880bd095d11c16d6adc40eaff3d | 05. May. 2014 |\r\n4caa1fc5, ccaa1fc4 | 1451cf7b82c70be7ea6744b69acc9960 | 29. May. 2014 |\r\n4caa1fc5, ccaa1fc4 | bc918d15033b2f97bc0ba745949577d2 | 29. May. 2014 |\r\n52ce8a67, d2ce8a66 | 0d24562e7e2ae008b757c471976bd2f6 | 29. May. 2014 |\r\n52ce8a67, d2ce8a66 | 245d39fad0e9c31dfac810ae413e4a96 | 30. May. 2014 |\r\n52ce8a67, d2ce8a66 | 44bc29f11d907a33eca52cb1c872f9d6 | 30. May. 2014 |\r\n52ce8a67, d2ce8a66 | 5af46d0edfffb0089dd1c1c9945e1170 | 30. May. 2014 |\r\n52ce8a67, d2ce8a66 | ba682f257c4acf0d706e4ed29cabf476 | 20. Jul. 2014 |\r\nMost samples use the seed 52ce8a67 / d2ce8a66 (10 samples) and 72113c2b / f2113c2a (7 samples). The following table summarizes the seeds that I was able to identify, the first five generated domains, and the number of samples on malwr.com:\r\nseed | first 5 domains | found hashes\r\n6e46566, 86e46565 | wejcqzbosbczzlnikyvt.com, muiccxbvkvjb.com, tqwpmpwckhidiss.com, gzredieexn.com, ghhcwldtj.com | 1\r\n72113c2b, f2113c2a | rauggyguyp.com, llullzza.com, mluztamhnngwgh.com, mycojenxktsmozzthdv.com, inbxvqkegoyapgv.com | 7\r\n741fd6e2, f41fd6e1 | cbhytcvyxzzj.com, ervqveknzq.com, jxuynwdac.com, bucelslmpwyajzlguis.com, zhszoxeavbhmtkbju.com | 1\r\n1a11b7cd, 9a11b7cc | lldpoyrzfi.com, chbqrhunxg.com, iqhbyacfnea.com, lgsfbhyyrrnalpcbqkob.com, fktihyjhkomdxqkucg.com | 2\r\n18a62b7a, 98a62b79 | viweabkkfe.com, lscyqrjofqmtn.com, ltcfpuctidqqqxxzpikz.com, wowsfhnnvlwhlotryvh.com, linbzxpkmdtngnbdg.com | 3\r\n4caa1fc5, ccaa1fc4 | qjdygsnoiqaudcq.com, iwqvktutvmptevjbnzy.com, vcgietkhdgvjhhsbdu.com, mkhjbvxvuqznmcjmy.com, jgtkrjdnqeyrjpbnqxym.com | 2\r\n1fcbef63, 9fcbef62 | fzfqphobttefkhbvkzs.com, pmyddiicql.com, pihxsxitdfzpvpgeusf.com, glurejnjtdbj.com, oomxzlhazpiz.com | 2\r\n78731d07, f8731d06 | ttaebamktjdbizrnqxp.com, znpszzwstgzzyk.com, jsngvficglxttjwg.com, frwwkrpnkvig.com, egdbvrhtcptgoqorompj.com | 1\r\n52ce8a67, d2ce8a66 | aexluxmagbyg.com, izllzixotympqqr.com, pwxqjnhsocyln.com, pmzlyoesekeqytc.com, ypveltysbgcpm.com | 10\r\n22a47ee8, a2a47ee7 | mhrmhuxlcvkxay.com, lvphxfvpsigghujpdm.com, ctskthnhq.com, safkylboxhb.com, gcifbxymnmmdfay.com | 1\r\n6c75a989, ec75a988 | hiuctidthkvwowhvo.com, fcnjgeiicc.com, jpryjfvwlf.com, mlavvgdzq.com, rvcysvtrdqvfeoxpkgay.com | 3\r\nSource: https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/"
	],
	"report_names": [
		"the-dga-of-dircrypt"
	],
	"threat_actors": [],
	"ts_created_at": 1775791269,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0da2b9dedc8d9fc39efbbea3a1cbd495e2b3ec8d.pdf",
		"text": "https://archive.orkl.eu/0da2b9dedc8d9fc39efbbea3a1cbd495e2b3ec8d.txt",
		"img": "https://archive.orkl.eu/0da2b9dedc8d9fc39efbbea3a1cbd495e2b3ec8d.jpg"
	}
}