{
	"id": "4c028f51-a8d3-442a-bfb8-82fe6f10dca5",
	"created_at": "2026-04-06T00:12:42.811582Z",
	"updated_at": "2026-04-10T03:22:03.944768Z",
	"deleted_at": null,
	"sha1_hash": "14d2a3e5269dae906395d11ffc697252bf36b815",
	"title": "Now Mirai Has DGA Feature Built in",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 203909,
	"plain_text": "Now Mirai Has DGA Feature Built in\r\nBy LIU Ya\r\nPublished: 2016-12-09 · Archived: 2026-04-05 16:00:14 UTC\r\nUpdate History\r\n2016-12-09 first version\r\n2016-12-12 fig-0 update, fix a TLD selection error in our DGA implementation\r\nSummary\r\nNearly 2 weeks ago, 2 new infection vectors (aka TCP ports 7547 and 5555) were found being used to spread MIRAI malware\r\n\u003cA Few Observations of The New Mirai Variant on Port 7547\u003e\r\nMy colleague Genshen quickly set up some honeypots for those vectors and soon had his harvest: 11 samples were captured on Nov 28th. Till now 53 unique samples have been captured by our honeypots from 6 hosting servers.\r\nWhen analyzing one of the new samples, my colleague Wenji found some DGA-like code and suspected there was a DGA feature in it. The suspicion was soon verified by evidence collected from our sandboxes. Detailed RE work shows there does exist a DGA feature in the newly distributed MIRAI samples spread through TCP ports 7547 and 5555. In this blog I would like to introduce our findings. For a quick overview, the attributes of the found DGA are summarized as follows:\r\n1. 3 TLDs are used: online/tech/support.\r\n2. the L2 domain has a fixed length of 12 bytes, with each char randomly chosen from ‘a’~’z’ ‘a’~'y'.\r\n3. the generated domain is only determined by month, day and hardcoded seed string.\r\nthe generated domain is determined by year, month, day and hardcoded seed string.\r\n4. only one domain is generated in one single day, so the maximum DGA domain number is 365.\r\n5. the DGA domains are only used when the hardcoded C2 domains fail to resolve.\r\nWith the learned knowledge, we re-implemented the DGA in our program, and used it to predict all 365 possible DGA domains. When looking up their registration information, we found some of them have been registered by the MIRAI author. They are:\r\nhttps://blog.netlab.360.com/new-mirai-variant-with-dga/\r\nPage 1 of 10\n\nFig-0, registered DGA domains\r\nAnd it is worth noticing that the author dlinchkravitz@gmail.com has already registered another Mirai C2 domain:\r\nzugzwang.me email dlinchkravitz@gmail.com\r\nSample and Analysis\r\nThe sample used as illustration in this blog is as follows:\r\nMD5: bf136fb3b350a96fd1003b8557bb758a\r\nSHA256: 971156ec3dca4fa5c53723863966ed165d546a184f3c8ded008b029fd59d6a5a\r\nFile type: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped\r\nThe sample is stripped but not packed. According to the experience learned from previously found samples, we soon identified its main modules. The code comparison showed that its resolv_cnc_addr function has a very different CFG (control flow graph) from the previously found samples. The new version of the CFG is shown in Fig-1.\r\nFig-1, resolv_cnc_addr CFG\r\nAt the function beginning, since as many as 3 C2 controllers are hardcoded in the sample, a random number is generated to randomly select a C2 server from the first and second ones, as shown in Fig-2.\r\nFig-2, resolv_cnc_addr block 1\r\nIf the selected C2 domain fails to resolve, the bot will resolve neither the unselected one nor the 3rd one, but will make a judgment according to the current date on whether to take the DGA branch or to resolve the 3rd C2 domain, as shown in Fig-3.\r\nFig-3, DGA determination\r\nFrom the code snippets we can see that if the current date is between Nov 1st and Dec 3rd, the 3rd CNC domain will be used. Otherwise the DGA branch will be executed. It indicates that the author doesn’t want their DGA domains to be used before Dec 4th, which is verified by the fact that the first registered MIRAI DGA domain corresponds exactly to Dec 4th.\r\nThe DGA main function is named dga_gen_domain. The domain is generated based on a seed number and the current date. The seed is converted from a hardcoded hex-format string by calling strtol(). It seems a wrong string of “\\x90\\x91\\x80\\x90\\x90\\x91\\x80\\x90” was configured, which leads to strtol() always returning 0.\r\nThe local date is obtained by calling the C library functions time() and localtime(). Only month and day are used here, as shown in Fig-4.\r\nFig-4, dga_gen_domain entry\r\nThe L2 domain is generated by repeatedly executing the code block shown in Fig-5. Its length is determined by $t5 and $t2. They are set in Fig-4, from which we can tell that the L2 domain length is 12.\r\nFig-5, L2 domain generation loop\r\nThe TLD is determined by the remainder value in register $S0 as shown in Fig-6. We can see that 3 TLDs are used here.\r\nFig-6, TLD determination\r\nIoC\r\nCurrently the DGA feature is found in the following samples.\r\nThey all share the same DGA in terms of seed string and algorithm.\r\nThe hardcoded C2 domains in the samples are as follows:\r\nzugzwang.me\r\ntr069.online\r\ntr069.tech\r\ntr069.support\r\nWe will keep an eye on the progress of this DGA variant; stay tuned for future updates.\r\nSource: https://blog.netlab.360.com/new-mirai-variant-with-dga/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/new-mirai-variant-with-dga/"
	],
	"report_names": [
		"new-mirai-variant-with-dga"
	],
	"threat_actors": [],
	"ts_created_at": 1775434362,
	"ts_updated_at": 1775791323,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/14d2a3e5269dae906395d11ffc697252bf36b815.pdf",
		"text": "https://archive.orkl.eu/14d2a3e5269dae906395d11ffc697252bf36b815.txt",
		"img": "https://archive.orkl.eu/14d2a3e5269dae906395d11ffc697252bf36b815.jpg"
	}
}