{
	"id": "97333071-67bc-4859-8a36-ff5efb88a8bb",
	"created_at": "2026-04-10T03:21:03.142309Z",
	"updated_at": "2026-04-10T13:12:55.394107Z",
	"deleted_at": null,
	"sha1_hash": "220dceb94c34af41309caa145e8bf130e0224197",
	"title": "The new Domain Generation Algorithm of Nymaim",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 140574,
	"plain_text": "The new Domain Generation Algorithm of Nymaim\r\nArchived: 2026-04-10 03:05:47 UTC\r\nThe Nymaim malware first appeared in 2013. It is mainly used as a downloader for other malware such as\r\nransomware, but it later also started manipulating search results for click fraud.\r\nMany great articles have been published on Nymaim, including its DGA, maybe because the malware used an\r\neffective and interesting obfuscation. The obfuscation lead to many imaginative tools to aid analysis of the\r\nmalware, for example by the GovCERT.CH or the CERT Polska.\r\nApart from the obfuscation, Nymaim is interesting because it tries to protect itself against sinkholing by adding a\r\nchecksum to the A resource records, and by transforming the IP addresses before using them, see “Nymaim\r\nrevisited” by the CERT Polska, “Threat Spotlight: GozNym” by Talos and “Nymaim Origins, Revival and\r\nReversing Tales” by Alberto Ortega.\r\nThis month a new version of Nymaim appeared with a few modifications to the above mentioned features:\r\nThe obfuscation has been dropped entirely, apart from using a packer. On the contrary, the malware even\r\nuses helpful logging messages and a configuration with descriptive names.\r\nThe IP transformation has been slightly changed, using different constants, but otherwise sticking to the\r\nsame procedure as before.\r\nThe DGA has been completely rewritten. It is now based on wordlists, like the DGA of Matsnu, Suppobox,\r\nor the close relative to Nymaim, Gozi.\r\nApart from the DGA, Nymaim also has a list of hard-coded domains that follow the same pattern as the\r\nDGA domains, but which are tried before the time-dependent DGA domains.\r\nThis blog post focuses on the DGA and the IP transformation aspect of Nymaim. For example, these are the first\r\nten domains for April 27, 2018:\r\nvirginia-hood.top\r\nshelter-downloadable.ps\r\ntylerpreparation.sg\r\nzolofteffectiveness.ch\r\nstakeholders-looked.hn\r\nwilliampassword.sc\r\nthailandcool.re\r\nthoughtsjazz.ec\r\nrecovery-hairy.ac\r\nworkshopsforms.hn\r\nI analyzed the following sample from Virustotal:\r\nhttps://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/\r\nPage 1 of 16\n\nMD5\r\n30bce8f7ac249057809d3ff1894097e7\r\nSHA-256\r\n73f06bed13e22c2ab8b41bde5fc32b6d91680e87d0f57b3563c629ee3c479e73\r\nSHA-1\r\nb629c20b4ef0fd31c8d36292a48aa3a8fbfdf09c\r\nFilesize\r\n484 KB\r\nCompile Timestamp\r\n2010-06-13 18:50:03 (very likely faked)\r\nFirst Submission to Virustotal\r\n2018-04-17 21:49:18\r\nVirustotal Link\r\nlink\r\nI unpacked it to the following executable. All screenshots are taken from this sample loaded at address 0x400000:\r\nMD5\r\n379ba8e55498cb7a71ec4dcd371968af\r\nSHA-256\r\n3eb9bbe3ed251ec3fd1ff9dbcbe4dd1a2190294a84ee359d5e87804317bac895\r\nSHA-1\r\n5f522dda6b003b151ff60b83fe326400b9ed7716\r\nFilesize\r\n368 KB\r\nCompile Timestamp\r\n2018-03-02 23:12:20\r\nFirst Submission to Virustotal\r\n2018-04-26 12:19:41 (by me)\r\nVirustotal Link\r\nlink\r\nAnalysis\r\nThis Section describes the details of the DGA. If you are only interested in a Python reimplementation, please\r\nrefer to Section DGA.\r\nSeeding\r\nThe new DGA of Nymaim is seeded with three values:\r\n1. A hard-coded, 32 character upper-case hexadecimal string, presumably a MD5 hash\r\n( 3138C81ED54AD5F8E905555A6623C9C9 in the analyzed sample). Nymaim calls this string GenerationKey.\r\nhttps://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/\r\nPage 2 of 16\n\n2. The zero-based day of the year. For example, January 1st\r\n is 0. This value is lower by one than the ISO\r\ndefinition, which defines January 1st as day 1 of the year. From this value a counter is subtracted, which\r\nstarts at 0 and counts up to DayDelta (10 in the sample). This means the DGA will revisit domains from up\r\nto 10 days into the past if necessary (except at the turn of year, see Sliding Window).\r\n3. The last two digits of the current year.\r\nThese three values are concatenated into a string. This string is then MD5-hashed, with the result represented as a\r\nlower-case hexadecimal string. Please note that this is in contrast to the GenerationKey, which is all upper-case.\r\nThe resulting string is the seed and basis for the ensuing pseudo-random number generations.\r\nPseudo-Random Number Generator\r\nThe pseudo-random number generator (PRNG) uses the first 8 characters of the MD5 hash string and takes it as a\r\nbig-endian hexadecimal representation of a 32-bit integer, which is the random number. The first 7 characters of\r\nthe MD5 hash are discarded, and the rest is again hashed with MD5 and represented as a lower-case hexadecimal\r\nstring. The first 8 characters from this string represent the next pseudo-random value. See the following\r\nillustration for the seeding procedure and the PRNG:\r\nhttps://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/\r\nPage 3 of 16\n\nThe DGA\r\nThe DGA uses four random values to pick strings from four lists:\r\n1. A word from a first word list.\r\n2. A separator character.\r\n3. A word from a second word list.\r\n4. A top level domain.\r\nThe four strings are then concatenated to form the domain. The words are chosen by using the remainder of\r\ndividing the random value by the length of the list to be picked from as the index into the list:\r\nCString *__thiscall dga(_DWORD *config, CString *szDomainName)\r\n{\r\n dgaconfig *cfg; // esi@1\r\n int v3; // eax@2\r\n unsigned int nNumberOfFirstWords; // ecx@3\r\nhttps://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/\r\nPage 4 of 16\n\nrandnrs objRandNrs; // [esp+Ch] [ebp-2Ch]@1\r\n int dgb2; // [esp+20h] [ebp-18h]@1\r\n int nr_random_values; // [esp+24h] [ebp-14h]@1\r\n char cstrDomainName; // [esp+28h] [ebp-10h]@3\r\n int dbg; // [esp+34h] [ebp-4h]@1\r\n dgb2 = 0;\r\n cfg = config;\r\n init_random_nrs(\u0026objRandNrs);\r\n objRandNrs.self = \u0026GetRuntimeClass;\r\n nr_random_values = 4;\r\n dbg = 1;\r\n do\r\n {\r\n v3 = rand_0(\u0026cfg-\u003erandom_hash);\r\n store_rand(objRandNrs.field_8, v3);\r\n --nr_random_values;\r\n }\r\n while ( nr_random_values );\r\n CString::CString(\u0026cstrDomainName);\r\n nNumberOfFirstWords = cfg-\u003enNumberOfFirstWords;\r\n LOBYTE(dbg) = 2;\r\n CString::operator+=(\u0026cstrDomainName, cfg-\u003ergFirstWords + 4 * (*objRandNrs.r % nNumberOfFirstWords));\r\n CString::operator+=(\u0026cstrDomainName, cfg-\u003ergSeparators + 4 * (*(objRandNrs.r + 4) % cfg-\u003enNumberOfSeparators))\r\n CString::operator+=(\u0026cstrDomainName, cfg-\u003ergSecondWords + 4 * (*(objRandNrs.r + 8) % cfg-\u003enNumberOfSecondWords\r\n CString::operator+=(\u0026cstrDomainName, cfg-\u003ergTLDs + 4 * (*(objRandNrs.r + 12) % cfg-\u003enNumberOfTLDs));\r\n CString::CString(szDomainName, \u0026cstrDomainName);\r\n dgb2 = 1;\r\n LOBYTE(dbg) = 1;\r\n CString::~CString(\u0026cstrDomainName);\r\n LOBYTE(dbg) = 0;\r\n cleanup_0(\u0026objRandNrs);\r\n return szDomainName;\r\n}\r\nThe first word list contains 2450 words that start with letters R to Z. The shortest have four letters, the longest has\r\n18 (telecommunications):\r\n \"reaches\",\r\n \"reaching\",\r\n \"reaction\",\r\n \"reactions\",\r\n \"read\",\r\n \"reader\",\r\n \"readers\",\r\n \"readily\",\r\nhttps://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/\r\nPage 5 of 16\n\n\"reading\",\r\n \"readings\",\r\n \"reads\",\r\n \"ready\",\r\n \"real\",\r\n \"realistic\",\r\n ...\r\n \"zoom\",\r\n \"zoophilia\",\r\n \"zope\",\r\n \"zshops\"\r\nThere are only two separators: the zero length string and the hyphen - . The third word list contains 4387 words\r\nstarting with letters C to R. The last word is reached , which is probably the word just before the start of the first\r\nword list beginning with reaches . The shortest words have four letters, the longest have 18 (e.g.,\r\npharmaceuticals):\r\n \"contamination\",\r\n \"contemporary\",\r\n \"content\",\r\n \"contents\",\r\n \"contest\",\r\n \"contests\",\r\n \"context\",\r\n \"continent\",\r\n \"continental\",\r\n \"continually\",\r\n ...\r\n \"ratios\",\r\n \"rats\",\r\n \"raymond\",\r\n \"rays\",\r\n \"reach\",\r\n \"reached\"\r\nFinally, there are 74 top level domains. The tld .com appears four times and .net appears three times, which\r\nincreases the likelihood that .com or .net are picked. The full list of TLDs is: .com , .com , .com , .net ,\r\n.net , .net , .ac , .ad , .at , .am , .az , .be , .biz , .bt , .by , .cc , .ch , .cm , .cn , .co ,\r\n.com , .cx , .cz , .de , .dk , .ec , .eu , .gs , .hn , .ht , .id , .in , .info , .it , .jp , .ki ,\r\n.kr , .kz , .la , .li , .lk , .lv , .me , .mo , .mv , .mx , .name , .net , .nu , .org , .ph , .pk ,\r\n.pl , .pro , .ps , .re , .ru , .sc , .sg , .sh , .su , .tel , .tf , .tj , .tk , .tm , .top , .uz ,\r\n.vn , .win , .ws , .wtf , .xyz , .yt .\r\nSliding Window\r\nhttps://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/\r\nPage 6 of 16\n\nThe DGA generates MaxDomainsForTry domains per day, which for the analysed sample is 64. After those 64\r\ndomains, the PRNG is reseeded with the seed from the previous day, by subtracting 1 from the day of the year.\r\nThis way, up to 64*(10+1) = 704 domains are generated:\r\nAt the turn of the year, when the day of the year is smaller than the DayDelta, the offset day can become negative.\r\nFor example, on January 3rd the sliding window leads to day of year values of 2, 1, 0,-1, …, -8. The negative\r\nvalue lead to new set of domains.\r\nhttps://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/\r\nPage 7 of 16\n\nHard-Coded Domains\r\nNymaim has a list of 46 hard-coded domains that follow the DGA pattern of two words separated by an optional\r\nhyphen. These domains are all with the .com TLD. The hard-coded domains are always tested first, before any\r\nDGA domains are calculated. For the sample at hand, the hard-coded domains are:\r\nsustainabilityminolta.com\r\ntheories-prev.com\r\nstarringmarco.com\r\nseekerpostcards.com\r\nthreadsmath.com\r\nrecall-pioneer.com\r\nwaste-neighborhood.com\r\nusage-maternity.com\r\nstandings-descriptions.com\r\nvolumedatabase.com\r\nsummaries-heading.com\r\nstoppedmeaningful.com\r\nsingles-october.com\r\nscottish-fact.com\r\nweblogcourage.com\r\ntroycyber.com\r\nreply-phantom.com\r\nwagon-crime.com\r\nsharp-louisiana.com\r\nsuitedminerals.com\r\nsaskatchewan-funds.com\r\nsites-experts.com\r\ntechrepublicexemption.com\r\nserbia-harbor.com\r\nsuper-ideas.com\r\ntranslationdoor.com\r\nwildhelmet.com\r\nshoefalse.com\r\nremainedoxide.com\r\nwild-motels.com\r\nstaticlesbian.com\r\nvalentinequeensland.com\r\ntravelling-mechanics.com\r\nsolelypersonal.com\r\nresulting-museum.com\r\ntowndayton.com\r\nworkedforest.com\r\nyorkshire-engineer.com\r\nstockholm-effect.com\r\nreynoldshydrogen.com\r\nhttps://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/\r\nPage 8 of 16\n\nsluts-persistent.com\r\nsatisfaction-granted.com\r\nslut-hentai.com\r\nterritoriesprayers.com\r\nthumbnailsfragrance.com\r\nundergraduategraphical.com\r\nNameserver Test\r\nA distinctive feature of Nymaim is the DNS query for the name server record (NS). Nymaim checks if any of the\r\nanswers contains a word from a list it calls BlackNsWords. These words are related to sinkholing:\r\nsinkhole\r\namazonaws\r\nhoneybot\r\nhoney\r\nparking\r\ndomaincontrol\r\ndynadot\r\nIf Nymaim finds any of those word in the NS resource record, it will not use the domain.\r\nPreferred DNS Servers\r\nNymaim uses a list of dns servers called PreferredDnsServers, presumably because these are less likely to alter\r\nor block DNS requests.\r\nIP Company\r\n8.8.8.8 Google\r\n8.8.4.4 Google\r\n156.154.70.1 Neustar Security\r\n156.154.71.1 Neustar Security\r\n208.67.222.222 OpenDNS\r\n208.67.220.220 OpenDNS\r\nIP-Transformation\r\nLike the earlier version of Nymaim, the A resource records are not the C2 IPs. The real addresses are obtained by\r\ntransforming the IPs with a sequence of easily reversible XOR and substraction steps. Talos intelligence wrote a\r\ndetailed report in September 2017 that describes the algorithms.\r\nhttps://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/\r\nPage 9 of 16\n\nThe following graph view snippet shows the transformation of an IP:\r\nA Python script to perform the IP transformation in both directions can be found at the end of this blog post.\r\nChecksum Test\r\nNymaim also still uses the checksum test of A resource records. For example, here are the IPs for a C2 domain\r\nthat was operational at the time of writing:\r\n\u003e dig @8.8.8.8 +short -t A sustainabilityminolta.com\r\n127.33.12.14\r\n127.33.12.15\r\nhttps://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/\r\nPage 10 of 16\n\n192.202.176.55\r\n126.56.117.50\r\nThe following table lists these four IPs (first column) and the transformed, real IP (second column). The third\r\ncolumn shows the integer representation:\r\nIP IP' value\r\n127.33.12.14 127.0.0.0 0x0000007F\r\n127.33.12.15 127.0.0.1 0x0100007F\r\n192.202.176.55 192.42.116.41 0x29742AC0\r\n126.56.117.50 190.43.116.42 0x2A742BBE\r\nNymaim will check all integer values to see if they are the sum of the remaining values. In the above example, the\r\nbold “IP” 190.43.116.42 is the result of transforming the A RR 126.56.117.50. It has a little endian integer\r\nrepresentation of 0x2A742BBE. This corresponds to the checksum obtained by adding up the integer\r\nrepresentation of the remaining IPs, i.e.,0x2A742BBE = 0x0000007F + 0x0100007F + 0x29742AC0.\r\nThe IP that matches the checksum is removed from the list, it only serves as the checksum for the other IPs.\r\nNymaim will then one after another test the transformed IPs:\r\n1. A DNS request for the NS resource of sustainabilityminolta.com is made to check for signs of a\r\nsinkhole. The response dns100.ovh.net does not contain one of the BlackNsWords and Nymaim\r\nproceeds to query the A records.\r\n2. The DNS request for the A records returns four transformed IPs. Because the fourth IP is a checksum for\r\nthe remaining three IPs, Nymaim goes on to contact the IPs in order.\r\n3. The first non local IP address, 192.42.116.41, is contacted with an HTTP POST requests to\r\nhttp://192.42.116.41/index.php .\r\nRequest\r\nThe actual C2 requests are HTTP POSTs. The content is AES encrypted with a session key, which is protected\r\nwith asymmetric encryption. The first C2 requests are around 900 bytes. The URL filename is hard-coded to\r\nindex.php :\r\nhttps://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/\r\nPage 11 of 16\n\nhttp://192.42.116.41/index.php\r\nCharacteristics\r\nThe following tables summarizes the properties of the Nymaim DGA.\r\nproperty value\r\ntype TDD (time-dependent-deterministic)\r\ngeneration scheme MD5 based PRNG\r\nseed generation key + current date\r\ndomain change frequency daily, with a 11 day sliding window\r\ndomains per day 46 hardcoded domains + 64 new DGA domains + 640 old DGA domains\r\nsequence sequential\r\nwait time between domains None\r\ntop level domains 69 different domains, .com and .net favored\r\nsecond level characters two words from wordlists with optional hyphen as separator\r\nsecond level domain length 8 (e.g., realrays.kr) – 34 (e.g., telecommunications-pharmaceuticals.name)\r\nResults\r\nIn this section you find a Python reimplementation of the DGA, and a script for the IP transformation of Nymaim.\r\nPlease also refer to the Github page for current versions of the scripts.\r\nDGA\r\nThe DGA needs the large wordlists words.json, place it in the same directory as the DGA script. You can generate\r\nthe domains for a specific day with -d or --date , for example:\r\n\u003e python dga.py -d 2018-04-27\r\nimport json\r\nimport argparse\r\nfrom datetime import datetime\r\nimport hashlib\r\nhttps://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/\r\nPage 12 of 16\n\nclass Rand:\r\n def __init__(self, seed, year, yday, offset=0):\r\n m = self.md5(seed)\r\n s = \"{}{}{}\".format(m, year, yday + offset)\r\n self.hashstring = self.md5(s)\r\n @staticmethod\r\n def md5(s):\r\n return hashlib.md5(s.encode('ascii')).hexdigest()\r\n def getval(self):\r\n v = int(self.hashstring[:8], 16)\r\n self.hashstring = self.md5(self.hashstring[7:])\r\n return v\r\ndef dga(date):\r\n with open(\"words.json\", \"r\") as r:\r\n wt = json.load(r)\r\n seed = \"3138C81ED54AD5F8E905555A6623C9C9\"\r\n daydelta = 10\r\n maxdomainsfortry = 64\r\n year = date.year % 100\r\n yday = date.timetuple().tm_yday - 1\r\n for dayoffset in range(daydelta + 1):\r\n r = Rand(seed, year, yday - dayoffset)\r\n for _ in range(maxdomainsfortry):\r\n domain = \"\"\r\n for s in ['firstword', 'separator', 'secondword', 'tld']:\r\n ss = wt[s]\r\n domain += ss[r.getval() % len(ss)]\r\n print(domain)\r\nif __name__==\"__main__\":\r\n parser = argparse.ArgumentParser()\r\n parser.add_argument(\"-d\", \"--date\", help=\"as YYYY-mm-dd\")\r\n args = parser.parse_args()\r\n date_str = args.date\r\n if date_str:\r\n date = datetime.strptime(date_str, \"%Y-%m-%d\")\r\n else:\r\n date = datetime.now()\r\n dga(date)\r\nhttps://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/\r\nPage 13 of 16\n\nIP Transformation Script\r\nThe following Python script can be used to transform Nymaim IP addresses in both directions, and to see if a list\r\nof IP addresses fulfills the checksum requirement:\r\nimport argparse\r\ndef iptoval(ip):\r\n els = [int(_) for _ in ip.split(\".\")]\r\n v = 0\r\n for el in els[::-1]:\r\n v \u003c\u003c= 8\r\n v += el\r\n return v\r\ndef valtoip(v):\r\n els = []\r\n for i in range(4):\r\n els.append(str(v \u0026 0xFF))\r\n v \u003e\u003e= 8\r\n return \".\".join(els)\r\ndef step(ip, reverse=False):\r\n v = iptoval(ip)\r\n if reverse:\r\n v ^= 0x18482642\r\n v = (v + 0x78643587) \u0026 0xFFFFFFFF\r\n v ^= 0x87568289\r\n else:\r\n v ^= 0x87568289\r\n v = (v - 0x78643587) \u0026 0xFFFFFFFF\r\n v ^= 0x18482642\r\n return valtoip(v)\r\ndef transform(ip, iterations=16, reverse=False):\r\n for _ in range(iterations):\r\n ip = step(ip, reverse=reverse)\r\n return ip\r\ndef checksum(pairs, index):\r\n checksum = 0\r\n for i, p in enumerate(pairs):\r\nhttps://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/\r\nPage 14 of 16\n\nif i == index:\r\n continue\r\n checksum += iptoval(p[1])\r\n return checksum \u0026 0xFFFFFFFF\r\ndef findip(pairs):\r\n for i, p in enumerate(pairs):\r\n c = checksum(pairs, i)\r\n if c == iptoval(p[1]):\r\n return p[0]\r\nif __name__ == \"__main__\":\r\n parser = argparse.ArgumentParser()\r\n parser.add_argument(\"ip\", nargs=\"+\")\r\n parser.add_argument(\"-r\", \"--reverse\", help=\"reverse transformation\",\r\n action=\"store_true\")\r\n parser.add_argument(\"-c\", \"--checksum\", help=\"test checksum\",\r\n action=\"store_true\")\r\n args = parser.parse_args()\r\n pairs = []\r\n for ip_src in args.ip:\r\n ip_dst = transform(ip_src, reverse=args.reverse)\r\n pair = (ip_src, ip_dst)\r\n d = \"--\u003e\"\r\n if args.reverse:\r\n pair = pair[::-1]\r\n d = \"\u003c--\"\r\n pairs.append(pair)\r\n if not args.checksum:\r\n print(\"{} {} {}\".format(ip_src, d, ip_dst))\r\n fmt = \"| {:4} | {:15} | {:15} | {:10} |\"\r\n fmt2 = \"| {:4} | {:15} | {:15} | 0x{:08X} |\"\r\n if args.checksum:\r\n print(fmt.format(\"\", \"IP\", \"IP'\", \"value\"))\r\n print(fmt.format(*4 * [\"---\"]))\r\n ok_ip = findip(pairs)\r\n for ip, ipp in pairs:\r\n if ip == ok_ip:\r\n continue\r\n print(fmt2.format(\"\", ip, ipp, iptoval(ipp)))\r\n for ip, ipp in pairs:\r\nhttps://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/\r\nPage 15 of 16\n\nif ip != ok_ip:\r\n continue\r\n print(fmt2.format(\"x\", ip, ipp, iptoval(ipp)))\r\n if not ok_ip:\r\n print(\"No IP matches checksum\")\r\n else:\r\n print(\"The IP marked x matches the checksum of remaining IPs, \"\r\n \"it is removed.\")\r\nFor example, one of the A RR of sustainabilityminolta.com is 192.202.176.55. The real IP can be found with:\r\n\u003e python3 transform.py 192.202.176.55\r\n192.202.176.55 --\u003e 192.42.116.41\r\nTo reverse the transformation, use -r or --reverse :\r\n\u003e python3 transform.py 192.42.116.41 --reverse\r\n192.42.116.41 \u003c-- 192.202.176.55\r\nTo check if the A resource records satisfy the checksum, add all IPs as arguments and add -c or --checksum :\r\n\u003e python3 transform.py 127.33.12.14 127.33.12.15 192.202.176.55 126.56.117.50 --checksum\r\n| | IP | IP' | value |\r\n| --- | --- | --- | --- |\r\n| | 127.33.12.14 | 127.0.0.0 | 0x0000007F |\r\n| | 127.33.12.15 | 127.0.0.1 | 0x0100007F |\r\n| | 192.202.176.55 | 192.42.116.41 | 0x29742AC0 |\r\n| x | 126.56.117.50 | 190.43.116.42 | 0x2A742BBE |\r\nThe IP marked x matches the checksum of remaining IPs, it is removed.\r\nIf an IP matches the checksum, it is marked with an x .\r\nSource: https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/\r\nhttps://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/\r\nPage 16 of 16",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/"
	],
	"report_names": [
		"the-new-domain-generation-algorithm-of-nymaim"
	],
	"threat_actors": [],
	"ts_created_at": 1775791263,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/220dceb94c34af41309caa145e8bf130e0224197.pdf",
		"text": "https://archive.orkl.eu/220dceb94c34af41309caa145e8bf130e0224197.txt",
		"img": "https://archive.orkl.eu/220dceb94c34af41309caa145e8bf130e0224197.jpg"
	}
}