# Kraken's two Domain Generation Algorithms

**[web.archive.org/web/20160324035554/https://www.johannesbader.ch/2015/12/krakens-two-domain-generation-algorithms//](https://web.archive.org/web/20160324035554/https://www.johannesbader.ch/2015/12/krakens-two-domain-generation-algorithms//)**

Kraken (also known as Oderoor or Bobax) was once a large, if not the largest, botnet. It was primarily used to send
spam messages. Kraken features a Domain Generation Algorithm (DGA) which appeared in July 2007 and was first
mentioned in 2008. This makes it [one of the first ever widely used DGA.](https://web.archive.org/web/20160324035554/https://www.botconf.eu/wp-content/uploads/2015/12/OK-P06-Plohmann-DGArchive.pdf)

The original DGA of Kraken is time-independent, i.e., a specific sample will at all times generate the same domains.
There are various reports on how to determine the domains. Michael Ligh and Greg Sinclair showed how to use
instrumented execution with Immunity debugger in their DEFCON 16 talk “Malware RCE: Debuggers and Decryptor
_[Development” (skip to 18:24). The same method is also described in The Malware Analyst’s Cookbook, recipe 12-11](https://web.archive.org/web/20160324035554/http://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033/)_
[on page 476. This report by Damballa lists the domains for one parameterization of the DGA.](https://web.archive.org/web/20160324035554/https://www.damballa.com/downloads/r_pubs/KrakenWhitepaper.pdf)

Much later — the first samples on Malwr are from 2003 — Kraken’s DGA changed. Probably recognizing the problem
with generating the ever same domains, the authors added a time dependent input to the DGA. They also deviated
from dynamic DNS providers and used four regular top level domains instead. A few samples, maybe from the
transitional stage, still rely on the DDNS providers even with the new algorithm. Kraken infections with newer DGAs
[peaked in July 2014 (also see the list of samples in Section Samples).](https://web.archive.org/web/20160324035554/http://www.virusradar.com/en/Win32_Oderoor/detail)

The later version of Kraken’s DGA is much less reported on. [Here is a analysis of the malware with the new domains.](https://web.archive.org/web/20160324035554/http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_oderoor.ogj)
But neither the domains nor the domain generating algorithm are shown. For me, good enough grounds to look at
both DGA in this short blog post. I’m aware that the DGA is irrelevant today, as Kraken is currently dead or inactive,
but hopefully the post might still be interesting for the keen DGA historian.

## Reverse Engineering

This section shows some reverse engineering insights of the DGA. Skip to Python Implementations to see
reimplementations of the two algorithms.

Both the old and new version of the DGA have parameters that can change from sample to sample and cause
disjoint sets of domains. I therefore looked at multiple samples to identify the variable parts of the DGA. For the old
DGA I reversed two samples:

source [virusshare](https://web.archive.org/web/20160324035554/https://virusshare.com/download.4n6?sample=5f004bd36715225c22ddb27d109a2b5f1c5215a6ce2df2e111c5fb49bc7161f9)

uploaded 2012-09-04 03:44

SHA-256 5f004bd36715225c22ddb27d109a2b5f1c5215a6ce2df2e111c5fb49bc7161f9


-----

MD5 10fd78f9681d66d2dd39816b5f7f6ea6

source [malwr](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/YWNjMjc3MDMxMTI0NGY5OWI1MzMzNDk1OGJkOGU3ZWY/)

uploaded 2014-12-08 15:04

SHA-256 4606a621922b28be1ff7f4621713aaafd988b8c5f1153720200c5e6dad0c5416

MD5 60838eeb3f8cd311de0faef80909632d

As far as the new version goes, I looked at these samples:

source [malwr](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/OTc5MDI4M2JiYzYxNGFjNWI0N2ZmN2Q0NjUwNWEyMTI/)

uploaded 2013-08-05 04:16

SHA-256 0fed48972c9b5c7fc6735db2b8764c45c95d45bde3764933b4a4909656c1ed47

MD5 f2ae73d866bb4edd14ee96cf74fbb423

source [virusshare](https://web.archive.org/web/20160324035554/https://virusshare.com/download.4n6?sample=e83bc2ec7975885424668171c2e106f7982bd409e01ce6281fb0e6e722e98810)

uploaded 2012-04-12

SHA-256 e83bc2ec7975885424668171c2e106f7982bd409e01ce6281fb0e6e722e98810

MD5 04966960f3f5ed32ae479079a1bcf6e9

All listed offsets are from the first sample respectively.

## Pseudo Random Number Generator

Both Kraken’s DGA use a linear congruential generator (LCG) as pseudo random number generator (PRNG). The
parameters are the same found in many `rand() implementations:`

The bits 23 to 8 are used, i.e., r/256 mod 32768.

## Seeding

The DGA of both versions first initializes the pseudo random number generator (PRNG). Two values are used to
determine the seed of the PRNG:

1. A running counter that starts at 0 and increases in steps of one (version 1) and one or two (version 2). In

version 2 the increment depends on the outcome of the DNS response for the domain. The details of the
counter are discussed in Section Domain Counter.
2. Whether or not a list of hardcoded IPs could be contacted. These network connections are performed by
```
   hardcoded_success at offsets 001BE832 and 0x408D6C respectively in the following images. The routine

```
returns `True if the attempts were successful.`

The following graph views are from the beginning of both DGAs. Both snippets initialize the random number — `ecx`
in version 1 and `ebx in version 2 — depending on the counter value and success of contact to hardcoded IPs. On`
left-hand side is the old version of the DGA, on the right-hand side the newer release (click to enlarge the images).

**version 1** **version 2**


-----

The hardcoded values -265273224 and 143803713 on the left, as well as -1FCFBF87h and 7924542h on the right
might change from sample to sample. These parameters can be used to generate different sets of domains.

For the first version of the DGA, the snippet above boils down to the following, rather elaborate, formula:

I found two different parameter sets. Notice that the changes are very subtle, only the first and last nibble vary:

**version 1** **cs** **cf**

Seed a -0x0FCFBF88 0x8924541

Seed b -0x1FCFBF87 0x7924542

The second version uses a much simpler formula to initialize the random number:

Again I found two parameter sets:


**version 2** **cs** **cf**

Seed a 24938314 24938315

Seed b 1600000 1600001

Notice that in both versions the counter input to the DGA is first divided by two. The Malware Analyst’s Cookbook
(page 480) considers this as a flaw of the DGA:


-----

There are two weaknesses in Kraken s DGA that are worth mentioning: (…) Odd numbers cause Kraken s
algorithm to generate the same domain names as the even numbers that precede them. This effectively cuts
the number of possible domains generated by the DGA in half.

Section Domain Counter explains why I think this is by design and not a flaw of the DGA.

## Discarding (only version 2)

Next follows code that is only present in the new version of Kraken’s DGA. The code incorporates a timestamp,
which is determined by making an HTTP request to a randomly picked, legitimate website. The date is extracted from
the http date header of the response and converted to unix timestamp format. For the analysed samples, the
domains used to determine the time are: yahoo.com, google.com, live.com, msn.com, aol.com, amazon.com,
_go.com, bbc.co.uk, cnn.com, news.com, download.com, weather.com, comcast.net, mozilla.com and hp.com. The_
timestamp sets the variable discards:

**version 1** **version 2**

_not present_

The divisor is the number of seconds in a week, so only every 7 days the value discard changes.

The discard value, along with the current domain number, determines how many of the PRNG cycles are discarded:

**version 1** **version 2**


-----

_not present_

In Pseudocode this is:
```
discards = timestamp / 604800 + 2
IF domain_nr % 9 < 8
  IF domain_nr % 9 >= 6
    discards -= 1
  REPEAT discards TIMES
    r = rand(r)/256 % 32768

```
Notice that for every ninth domain discarding is skipped. Since the discards are the only time-dependent part of the
DGA, those domains are invariants and prime targets for sinkholing.

## Length of Random Domain

After the PRNG is initialized, the length of the random part of the domain is randomly picked. The two versions use
almost the same algorithm:

**version 1** **version 2**


-----

Both versions first generate three random numbers (r is the random number after initialization and, for the secondi
version, discarding):

The first version uses the three random values to set the length as follows:

The second version works almost the same, apart from (a) the third random number being added rather than
subtracted and (b) the minimum length bein 7 instead of 6:

This gives lengths between 6 and 11 characters for the first version, and 7 and 12 characters for the second version.

## Building the Random Domain

Kraken uses straightforward calls to the random number generator to determine the characters of the random
domain. All characters a-z are about equally likely picked. Both version use the exact same algorithm:

**version 1** **version 2**


-----

In Pseudocode this is:
```
domain = ""
REPEAT domain_length TIMES
  r = rand(r)
  domain += (r/256 % 32768) % 26 + 'a'

## Base Domain

```
The final step of the domain generation algorithm is to append the base domain. For the first version, these base
domains are four dynamic DNS providers. A few of the samples with the second DGA version use the same DDNS
providers, for the most part the base domains are regular top level domains though. Domains are picked one after
another from a hard-coded list:

**version 1** **version 2**

The base domains are:


version 1, some version 2
samples


“dyndns.org” → “yi.org” → “dynserv.com” →
“mooo.com”


Free DDNS
Providers


version 2 “com” → “net” → “tv” → “cc” Top Level Domains

## Domain Counter

As seen above, both DGA take a running counter as input. The counter starts at zero. Instead of an upper bound, the
counter is reset after 30 minutes of trying to contact the C&C servers. There is some wait time between contacting
domains which I did not examine; the expected number of generated domains is therefore unknown to me.

**version 1** **version 2**


-----

The old DGA always increments the index by one, regardless of the call-home attempt for the generated domains.
For version 2 things are a little more complicated; the DGA can increment the counter by one or two:

**version 1** **version 2**

The counter in version 2 is incremented depending on the DNS response to the generated domain. The IP is
compared to various hard-coded domains. For example:
```
0040AFB9 cmp   eax, 127      ; eax first tuple of IP
0040AFBC jz   short private_ip        
0040AFBE
0040AFBE loc_40AFBE:               
0040AFBE cmp   eax, 192
0040AFC3 jnz   short loc_40AFCD
0040AFC5 cmp   ecx, 168
0040AFCB jz   short private_ip        
0040AFCD
0040AFCD loc_40AFCD:               
0040AFCD cmp   eax, 172
0040AFD2 jnz   short loc_40AFDE
0040AFD4 cmp   ecx, 16      ; ecx second tuple of IP
0040AFD7 jl   short loc_40AFEB
0040AFD9 cmp   ecx, 31
0040AFDC jle   short private_ip        
...

```
All IPs from the following list are treated specially (I do not know why 66.116.125.150 and 72.51.27.51 get special
treatments, maybe those were sinkholes in the past).

**range** **comment**

127.x.x.x reserved range

192.168.x.x reserved range

172.16.0.0 - 172.31.255.255 reserved range

0.x.x.x includes failed queries

1.1.1.1, 2.2.2.2, …, 255.255.255.255 unlikely answers? Sandbox detection?


-----

**range** **comment**

66.116.125.150 IP in US

72.51.27.51 IP in Canada

If the IP matches with one of above the subnets, the counter grows to the next multiple of two, i.e., even counters are
increased by two, and odd counters are increased one.

Since inside the DGA routine, odd counters are rounded down to the same number as their previous (even) counters,
every domain that returned an IP that was not in a “blacklisted” range will be checked twice. I, for one, don’t think
that’s a flaw of the DGA, but a — overly complicated — way to recheck domains.

## Algorithm and Samples

 Python Implementations

### Version 1

The following Python Code generates 1000 domains for a provided seed (either `a or` `b ). The code alternately`
generates domains for when the hardcoded IP callback failed and succeeded.


-----

```
 p
from ctypes import c_int, c_uint
import argparse
def rand(r):
  t = c_int(1103515245 * r + 12435).value
  return t
def crop(r):
  return (r // 256) % 32768 
def dga(index, seed_set, temp_file=True):
  seeds = {'a': {'ex': -0x0FCFBF88, 'nex': 0x8924541}, 
      'b': {'ex': -0x1FCFBF87, 'nex': 0x7924542}}
  tlds = ["dyndns.org", "yi.org", "dynserv.com", "mooo.com"]
  domain_nr = int(index/2) + 1000015
  if temp_file:
    x = int(c_int(domain_nr*(domain_nr + 7)*(domain_nr+12)).value /9.0) 
    y = domain_nr*(domain_nr+1)
    r = c_int(x + y + seeds[seed_set]['ex']).value 
  else:
    x = int(c_int((domain_nr + 2)*(domain_nr + 7)*domain_nr).value/9.0)
    y = (domain_nr*3 + 1)*domain_nr
    r = c_int(x + y + seeds[seed_set]['nex']).value
  rands = 3*[0]
  for i in range(3):
    r = rand(r)
    rands[i] = crop(r)
  domain_length = (rands[0]*rands[1] - rands[2]) % 6 + 6
  domain = ""
  for i in range(domain_length):
    r = rand(r)
    ch = crop(r) % 26 + ord('a')
    domain += chr(ch)
  domain += "." + tlds[domain_nr % 4]
  return domain
def get_domains(nr, seed_set):
  domains = []
  for i in range(nr):
    for temp_file in range(2):
      domains.append(dga(i*2, seed_set, temp_file))
  return domains
if __name__=="__main__":
  parser = argparse.ArgumentParser()
  parser.add_argument('-s', '--seed', choices=['a','b'], default='a')
  args = parser.parse_args()
  for domain in get_domains(1000, args.seed):
    print(domain)

```
For example:


-----

```
 py g _ py
hmhxnupkc.mooo.com
quowesuqbbb.mooo.com
rffcteo.dyndns.org
adrcgmzrm.dyndns.org
bdubefoeug.yi.org
bpdyttrlp.yi.org
hovdworcxd.dynserv.com
dljemwae.dynserv.com
nlnylxvrbel.mooo.com
dcdkfq.mooo.com
gyuzohut.dyndns.org
lfiavsbyntu.dyndns.org
waxmtzkqblh.yi.org
zvfctvkdng.yi.org
hshfmrobfjr.dynserv.com
uaqjtycx.dynserv.com
prifhjstv.mooo.com
csukibyyt.mooo.com
ghcxncadnj.dyndns.org
iskqszufrft.dyndns.org

```
These are also the domains from The Malware Analyst’s Cookbook.

### Version 2

The second DGA also takes the current date and top level set


-----

```
 p
import argparse
from datetime import datetime
def rand(r):
  t = (1103515245 * r + 12435) & 0xFFFFFFFF
  return t
def crop(r):
  return (r // 256) % 32768 
def dga(index, date, seed_set, temp_file=True, tld_set_nr=1):
  tld_sets = {1: ["com", "net", "tv", "cc"],
        2: ["dyndns.org", "yi.org", "dynserv.com", "mooo.com"]}
  seeds = {'a': {'ex': 24938314, 'nex': 24938315 }, 
      'b': {'ex': 1600000, 'nex': 1600001}}
  tlds = tld_sets[tld_set_nr] 
  domain_nr = int(index/2)
  if temp_file:
    r = 3*domain_nr + seeds[seed_set]['ex']
  else:
    r = 3*domain_nr + seeds[seed_set]['nex']
  discards = (int(time.mktime(date.timetuple())) - 1207000000) // 604800 + 2
  if domain_nr % 9 < 8:
    if domain_nr % 9 >= 6:
      discards -= 1
    for _ in range(discards):
      r = crop(rand(r))
  rands = 3*[0]
  for i in range(3):
    r = rand(r)
    rands[i] = crop(r)
  domain_length = (rands[0]*rands[1] + rands[2]) % 6 + 7
  domain = ""
  for i in range(domain_length):
    r = rand(r)
    ch = crop(r) % 26 + ord('a')
    domain += chr(ch)
  domain += "." + tlds[domain_nr % 4]
  return domain
def get_domains(nr, date, seed, tld_set):
  domains = []
  for i in range(nr):
    for temp_file in range(2):
      domains.append(dga(i*2, date, seed, temp_file, tld_set))
  return domains
if __name__=="__main__":
  parser = argparse.ArgumentParser()
  parser.add_argument("-d", "--date", 
      help="date for which to generate domains")
  parser.add_argument("-t", "--tld", choices=[1,2], type=int,
      help="tld set", default=1)
  parser.add_argument('-s', '--seed', choices=['a','b'], default='a')
  args = parser.parse_args()
  if args.date:
    d = datetime.strptime(args.date, "%Y-%m-%d")
  else:
    d = datetime.now()
  for domain in get_domains(1000, d, args.seed, args.tld):
    print(domain)

```

-----

For example:
```
$ python dga_v2.py -d 2013-12-12 -t 1 -s a
gwbgmsmhgsp.com
bizyssylscs.com
egbmbdey.net
ogoqxbevdeqm.net
iuhqhbmq.tv
iuhqhbmq.tv
wedlgyvplmt.cc
zoipmnwr.cc
gktdtghza.com
toogdpdiekwh.com
iuhqhbmq.net
oxfjukumll.net
vwmlcid.tv
glmvhcm.tv
pgmryukdb.cc
egbmbdey.cc
vsdvzwt.com
wixcaiktigew.com
xewokii.net
lvctmusxcyz.net

```
[You also find the code on my GitHub page.](https://web.archive.org/web/20160324035554/https://github.com/baderj/domain_generation_algorithms/tree/master/kraken)

## Properties of the DGA

The properties of the two DGAs are:

**version 1** **version 2**

time dependent no yes

granularity - 1 week


domains per seed and
day


variable, as many as can be generated in 30
minutes


see version 1


sequence sequential see version 1


wait time between
domains


unknown see version 1


top level domains .dyndns.org, yi.org, dynserv.com, mooo.com some as version 1, but mostly com, .net,
.tv, .cc


second level
characters

second level domain
length

## Samples


lower case a-z see version 1

6 to 11 7 to 12


The following table shows reports on malwr.com that contact at least one domain generated by the second version of
Kraken’s DGA. Many samples seem to be downloader, e.g., Vobfus, and the domains are actually generated by the
Kraken payload.


**md5**


**analysis**
**date** **tlds** **Microsoft** **Kaspersky** **Sophos**


-----

**md5**


**analysis**
**date** **tlds** **Microsoft** **Kaspersky** **Sophos**


[04966960f3f5ed32ae479079a1bcf6e9](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/MjQwN2UxZDg2NTYxNDMzMWJhZDc3NDcyZWY3MGFiMWQ/) 16 Jul.
2013

[f2ae73d866bb4edd14ee96cf74fbb423](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/OTc5MDI4M2JiYzYxNGFjNWI0N2ZmN2Q0NjUwNWEyMTI/) 05 Aug.
2013

[c13abb6be8a1c7fc9b18c8fd0a9488b7](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/OWNiMWI1YTFhMmU0NDRkMDgyN2Q5NmEyODliOGJkNTI/) 09 Oct.
2013

[c13abb6be8a1c7fc9b18c8fd0a9488b7](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/YWVkYzhlNWE5NzgxNDk1MThkNWZkMzQ1MTMzNDg3ZTM/) 10 Oct.
2013R

[1ec55311a564f8272d62ccb621a8b513](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/NTgwYzBjOTYzN2UwNGFhM2EyNzU4Y2NlNWFhNjA1MWQ/) 22 Oct.
2013

[1ec55311a564f8272d62ccb621a8b513](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/YTVlMjliMGYzODY0NDk0YjlhOTkwYmIzNmVmYTZiMDg/) 28 Nov.
2013R

[1ec55311a564f8272d62ccb621a8b513](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/YWVkOWYxODI4MDdhNGQwZThlMjllYzNhNDIzNjkyNGI/) 18 Dec.
2013R

[04966960f3f5ed32ae479079a1bcf6e9](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/MDFjOTcwZDU5ZmU1NGM1ZmEzNWEyNGE2ZjlkMzIwNDM/) 24 Jan.
2014R

[1ec55311a564f8272d62ccb621a8b513](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/NmI1MzFiZGFmNmVkNDQwYWJkZmY1MDI3YTlhOWE2YTg/) 24 Jan.
2014R

[1ec55311a564f8272d62ccb621a8b513](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/ZjRkZmJmZWUxOWE4NDZjNTk4OTUwNWFkOWRhYTRiYjI/) 25 Jan.
2014R

[04966960f3f5ed32ae479079a1bcf6e9](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/OTcyZTY2MDI4YjI4NGQ2OWJkZmQ3ODRmYTU3MWNkM2I/) 27 Jan.
2014R

[1ec55311a564f8272d62ccb621a8b513](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/OTNkMmRkMDI1ZTFmNGVmOGE5YTEwYWJiYTZlYjVkMGU/) 05 Feb.
2014R

[1ec55311a564f8272d62ccb621a8b513](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/NDhhNTcwMDk1Zjk1NGI3OGE4M2RhYjdjZmI5NTQ5ZDU/) 13 Feb.
2014R

[1ec55311a564f8272d62ccb621a8b513](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/YWFjODcyYjJjYWJiNGJiNTgwNmIxNmNiZWEzMGJkYjQ/) 21 Feb.
2014R

[c7ec51ac3b9d91a483f1860c3d965f16](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/NjE0MjI3ODE5M2I3NDQ2MTk3MmJiYTUzMTE5MTQ4MmE/) 03 Mar.
2014

[c7ec51ac3b9d91a483f1860c3d965f16](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/ZjE2YjI2Y2I5ZGEyNDg5MmJlYTMwMmM3NDAyNjcyYzQ/) 17 Mar.
2014R

[c7ec51ac3b9d91a483f1860c3d965f16](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/ZDkwMDBjZDhjMTkxNDBjMThiYmMxMTE1ZjFjZjJiNjE/) 19 Mar.
2014R

[c7ec51ac3b9d91a483f1860c3d965f16](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/OGQwZDE2NzYwOWExNDgyYjg3MWQzY2E2YmYwYjEwZGQ/) 25 Mar.
2014R

[c7ec51ac3b9d91a483f1860c3d965f16](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/ZjFkZDVhZjFiYWMzNDdhMjliMDY5YWY5N2FkODVmNGU/) 01 Apr.
2014R

[c7ec51ac3b9d91a483f1860c3d965f16](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/OWM4OTFhNmU5MTkxNGMzNjg4NTMyMWNlYjBkOGM0NDY/) 22 Apr.
2014R

[c413f1a0738a3b475db2ed44aecbf3ba](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/YzQwMjc5NTUwMDMwNDk5ODlhNzQ1NGQyMGZiNzI1Njg/) 16 Jun.
2014


1A 1Oderoor.gen!C Email- 2EncPkWorm.Win32.Agent.fe DJ

1A Clean 3Generic 1GenericS


1A Clean 2Generic 1GenericS

1A 0Oderoor.M 2Generic 1GenericS

1A 0Oderoor.M 2Generic 1GenericS

1A 0Oderoor.M 2Generic 1GenericS

1A 0Oderoor.M 2Generic 4AgentAGLO

1A Clean 5Agent.hegf 4AgentAGLO

1A 0Oderoor.M 2Generic 1EncPkCK


1A 4Rimecud.A 2Generic 5RimecudDD

1A 3Rimecud.A 2Generic 4RimecudDD

1A 3Sisron 6Agent.hdqc 1EncPkCK

1A 3Sisron 5Agent.hdqc 1EncPkCK

1A 3Sisron 5Agent.hdqc 1EncPkCK

2B 0Oderoor.gen!C 2Generic 1EncPkDJ

1A 3Sisron 5Agent.hdqc 1EncPkCK

1A 3Sisron 5Agent.hdqc 1EncPkCK

2B 0Oderoor.gen!C 2Generic 1EncPkDJ

1A 3Sisron 5Agent.hdqc 1EncPkCK

1A 3Sisron 5Agent.hdqc 1EncPkCK

1A 3Sisron 5Agent.hdqc 1EncPkCK


-----

**md5**


**analysis**
**date** **tlds** **Microsoft** **Kaspersky** **Sophos**


[0bfd909d651a11e3d3cdf5b091ee12a1](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/MTBjOTk4ZGI2NzRmNGI3MWI2NjgzYjVjNGVlMzNkOWQ/) 28 Jun.
2014

[15993254499407fd7cbe701be11106f1](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/M2ZiMzI4NzlhZmYwNDhjMDg0MmU5MjdiYjM5ZjE4MmI/) 01 Jul.
2014

[1598723f88c6432e8ceee68336a08b01](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/MGZiN2VkMzNhNTg5NGE4OWFiMDhmYzRmOTBiZGE1ZTg/) 01 Jul.
2014

[17d4b6b618f7576023dd3b983416a180](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/OGM1ZmQ0MDZhN2VlNDI3Zjk3NjI3MDIwZDQyZmRkYTU/) 01 Jul.
2014

[1bfac857a733ec498fc1efc0ebb6a236](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/NjUxMTRiY2EyZThiNDQzZTgyN2ViZmQzYzYwYjk0YWM/) 02 Jul.
2014

[1cfb3882d79b42f2f881ea20cca0f780](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/Zjg5ZWMwMTI0OGRhNDE5NDgyN2MwZmMyMmQwMzg4MGQ/) 02 Jul.
2014

[1e291e57c007acd5aecbcddd156c46e6](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/ZDdiMDJkYzAxMjZjNDMzZjg5ZGU1MjUxZTAyMjFjYTY/) 02 Jul.
2014

[1fafa36c436af003b28fd9d7befddf01](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/YjVhN2VlMDFhNTllNGI2Zjk1ZjAxOWM2MTNhZGZkZjE/) 02 Jul.
2014

[20ff4c7b6265bc2b7e9b66bbfe4c8ee6](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/YzljZmIwZjAyMjY1NDdjYzljMTEwZDgxOTU4ZjY3OGY/) 02 Jul.
2014

[22a5ce2602e8a0f76e4ab1db713098c6](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/MzBlMjBkYmVkYzUwNDNjOTk2YjA0YTA0ZGQwN2JkMTk/) 03 Jul.
2014

[26e7996626da3fbf66b78c0b5969efc1](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/NTZiNGQ2YzdlZWFhNDViNGFlNDBhNzZhYWQ2MWUzMWM/) 03 Jul.
2014

[272577cdcd11389a4b95d5eae8f3c5b1](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/NGU2ZmI3ZTI0NTA5NGUyNWE1ZWI5NzQyMjY2ZWZlZmM/) 04 Jul.
2014

[27549feb774b058fde65bc3936a0bf36](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/YmNkYTQwMDc1Zjk2NDNkOThkNTI1ZmVjMzNiNGVlYTg/) 04 Jul.
2014

[2807aafab5a799ff261b3f614aecbf91](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/MDI2MmE0YjM5MTI2NDU2N2JjNTdjMzQ3ZWQ0MzQ5ZGM/) 04 Jul.
2014

[2812ce13236087c1a5b30f63ae33c7a0](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/ODY1MzQwNjVlYjliNDIxZTg1OGMxOGVmMjRjMmE1ODU/) 04 Jul.
2014

[2825b9e636ad7a9304ea97981b68bf20](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/Y2U4MThmMjY2NTliNDdkNDk4NWE2MjVlMTcyMjlhZjM/) 04 Jul.
2014

[292028779b7c4c2e525ccbad0e0f5161](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/ZTA3NmZmNzQyNDY2NGIyNDg1OGNjNzQzYzI1Yjc0MGQ/) 04 Jul.
2014

[2bc4df2819c8983b1511814809c2c641](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/MzZlYTk2NjQwODA0NDFjNjhiMGIzOGU0MTQ0MDhjMmQ/) 04 Jul.
2014

[28d89ceb348459fd7d1468e130b1a706](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/MmI3NmM5OTM4NTU2NGQxNzkzN2E5ZmE3Y2Y5NDgwYjY/) 04 Jul.
2014

[2c3b96ca3a18140dfcd42434f3e03020](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/YmE4M2NjYTY1ODRkNGQxOGEyNzk2NmJkYWVhOTJhZTk/) 04 Jul.
2014

[2c931871fef3b50c0bd2b4961419a311](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/NDljZjdhNjE0MTk4NDFiN2FmMGQ3NGYyYzQ3MzhjYTU/) 04 Jul.
2014


1A 7Vobfus 8Win32.Agent.agdmx 1SillyFDCS

1A 6Vobfus.ZV 7Win32.Agent.ageop 1SillyFDCS

1A 6Vobfus 7Win32.Agent.agcvt 1VB-ALW


1A 6Vobfus Worm.Win32.Vobfus.escx 1VB-ALW

1A 6Vobfus.ZO 7Win32.Agent.agcnq 1VB-ALW


1A 6Vobfus Worm.Win32.Vobfus.esdv 1VB-ALW

1A 6Vobfus Worm.Win32.Vobfus.escj 1SillyFDCS

1A 6Vobfus 7Win32.Agent.agerc 1SillyFDCS


1A 6Vobfus.ZZ Worm.Win32.Vobfus.esdw 1VB-ALW

1A 6Vobfus Worm.Win32.Vobfus.esaj 1VB-ALW


1A 6Vobfus.ZM 7Win32.VBKrypt.urjq 1VB-ALW

1A 6Vobfus.ZW 7Win32.Agent.agexl 1SillyFDCS


1A 6Vobfus 7Win32.Agent.agcvt 1VB-ALW

1A 6Vobfus.ZC Worm.Win32.Vobfus.erwz 1SillyFDCAH

1A 6Vobfus.ZW 7Win32.Agent.agexl 1SillyFDCS

1A 6Vobfus.YS 7Win32.VBKrypt.uqif 1SillyFDCAH

1A 6Vobfus 7Win32.Agent.agere 1SillyFDCS


1A 6Vobfus Worm.Win32.Vobfus.esdv 1VB-ALW

1A 6Vobfus.ZD Worm.Win32.Vobfus.erxc 1SillyFDCAH


1A 6Vobfus.ZQ Worm.Win32.Vobfus.erzx 1VB-ALW

1A 6Vobfus Worm.Win32.Vobfus.esat 1VB-ALW


-----

**md5**


**analysis**
**date** **tlds** **Microsoft** **Kaspersky** **Sophos**


[2cae6bd4e939b318726eebb347db0a26](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/YzRmM2NkZTljNzVkNDgxNmI4ZjVjOTlmMTlhZTg2NDg/) 04 Jul.
2014

[2cc5ad6770250338bd5844904fb18181](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/ZWE0MDg0MzdjNzdmNGQxOThiYjI1NmM3OTI4MWZkOTI/) 04 Jul.
2014

[2d07ba427df9cd2c4af815015a484391](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/ODgxM2YwNjkyMzRkNDY1Mzk5ODFiZDcxNmJiZmViMjk/) 04 Jul.
2014

[2d321324e9a28c834a750860122233c6](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/YWZjNjQzMDE5YWEzNGIyNGJmZDViM2ExNmIyYzY0Y2M/) 04 Jul.
2014

[2db1a991aea1664e3dcbc5e75e108131](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/ZDc5ODg0NjcwNDJiNDhlNjhjYTI2ZDM1Y2Y2NjZmZDQ/) 04 Jul.
2014

[2f2a752f96ecb251efdc275f0ec8ea80](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/ZTdlYzdhM2MwNjMzNDA5Y2E4MDJkMTk3YTcwMzk4N2I/) 04 Jul.
2014

[2fab042f7b482e8aa2c5ecd413f2eff1](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/MjAwNTU0ZjJkZGJhNDNhMmJmZTNkM2NkNjE3MjkwMmI/) 05 Jul.
2014

[2fcae2e2a9ed2f36bd399c77da2470c6](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/MjA5MmY0MTVlM2ZmNDJiOWJkMjJiMTRiYThjZmQwZjA/) 05 Jul.
2014

[30cc569d95b4401aa0681b8e01299981](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/MTJiMjFmMDY2YWJlNDE4NmFiY2M3YmZiMWRiNDIzZTc/) 05 Jul.
2014

[30cf2bf448db73c75e153216d4cd4fc0](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/YTQwM2E1YWYyMjczNGQ0ZmFjMWEwYmZiODJiMTNjZmI/) 05 Jul.
2014

[302471280652d2d1817757ef0f8ad656](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/Y2Y1MDQwNTU2MTBkNDQ3YmE3ODFmODZkNDlhYTVhNzQ/) 05 Jul.
2014

[3127e3127a2a206a8dc6bc21f4693386](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/M2E5YmY4YTVlNzAzNGVjZmE3MGNkNzljY2JiODJkYzM/) 05 Jul.
2014

[33bf61ebeb41d157b45d3180d1f71b76](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/ZGQ0YjkwOWE0ZmZlNDA0YjhlZjU4MmVhZDAxMGI1Y2Y/) 05 Jul.
2014

[33c739e7d6aa599c05ff9f94a5768921](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/ZWU4NGI1OTU1OTFlNDU4ODk5MmRiMmVhNmVhOTU2OTg/) 05 Jul.
2014

[32d5e945a82fb6fb511e7bdd32cf8c21](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/N2QyMmMyNWE4ODIzNDc5N2E2MjQ4Y2QyYjBlOTgyOTA/) 05 Jul.
2014

[34defe58f6d305960fff8c295bd9b851](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/MTc0MDNkMGEzOTNlNGIxNjk4MGEzYjVjNWFiYjg0NzY/) 05 Jul.
2014

[383977446a2a42bd1427703974265606](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/ODBkZmFkNmE4NDIwNDQ5Yjk1MDNjYTRjYzMxMGMzNjA/) 06 Jul.
2014

[39408e199dd996cbe915c5c32261c490](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/NWM4Y2NmM2M4Njg2NDJlNWEzNzg0Y2Q3N2U2ZWNkMzg/) 06 Jul.
2014

[395df008604e98e228ed41ce67f213b1](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/Yzg2ZmI5MDZjZDhlNDk4MmIzNzUyYzQ0YzAzZTgxNGE/) 06 Jul.
2014

[3d6d6bbe37b37be79c43dc6a7b052a46](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/YzIyOWEwYWRjYzY2NDZlM2E1MzI4Y2EwYjdlNmNjYmU/) 06 Jul.
2014

[38ab4d2cda29c4ba1346da4b85c81800](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/YWQxNjA3MDNjNTg2NDIzNzk2OGFiM2QzNTk2YmI1MDY/) 06 Jul.
2014


1A 6Vobfus.ZW 7Win32.Agent.agexl 1SillyFDCS

1A 6Vobfus 7Win32.Agent.agcsv 1VB-ALW


1A 6Vobfus.ZN 7Win32.VBKrypt.urkc 1VB-ALW

1A 6Vobfus.ZV 7Win32.Agent.ageop 1SillyFDCS

1A 6Vobfus 7Win32.Agent.agere 1SillyFDCS

1A 6Vobfus.ZW 7Win32.Agent.agexl 1SillyFDCS


1A 6Vobfus.YY Worm.Win32.Vobfus.ervr 1SillyFDCS

1A 6Vobfus 7Win32.Agent.agcvt 1VB-ALW


1A 6Vobfus Worm.Win32.Vobfus.erwv 1GenericS

1A 6Vobfus.ZV ? 1SillyFDCS


1A 6Vobfus 7Win32.Agent.agcvt 1VB-ALW

1A 6Vobfus.ZW 7Win32.Agent.agexl 1SillyFDCS


1A 6Vobfus.YU ? ?

1A 6Vobfus 7Win32.VBKrypt.uron 1SillyFDCS


1A 6Vobfus Worm.Win32.Vobfus.esdv 1VB-ALW

1A 6Vobfus.ZW 7Win32.Agent.agexl 1SillyFDCS


1A 6Vobfus.ZN 7Win32.VBKrypt.urkc 1VB-ALW

1A 6Vobfus.ZR 7Win32.Agent.agcpv 1VB-ALW


1A 6Vobfus Worm.Win32.Vobfus.eseu 1GenericS

1A 6Vobfus.ZW ? 1SillyFDCS

1A 6Vobfus.ZW 7Win32.Agent.agexl 1SillyFDCS


-----

**md5**


**analysis**
**date** **tlds** **Microsoft** **Kaspersky** **Sophos**


[3ca13a5648d4f2573f28b37638333701](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/ZWMxZTAzOWRmYjU3NDFkYWIzMmEyMzA4NWQyZGU5NWE/) 06 Jul.
2014

[3bc39b3af9f13317744fd0548503baa6](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/ODQwYTJiZTFhNmRjNGQzNTliNzliNTI4MmZmM2JmZTY/) 07 Jul.
2014

[c413f1a0738a3b475db2ed44aecbf3ba](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/NjNjOGRjMmE0NDc0NDhhM2EzMzJkNWFiZjAzY2ViMzE/) 30 Sep.
2014R

[675d97e5cdd3b7e07c7945fa5398e599](https://web.archive.org/web/20160324035554/https://malwr.com/analysis/MzJiMzQwNmNlMDA3NDFjN2I1YWE5ZGRjZGQ4ZTllNTU/) 21 May.
2015


1A 6Vobfus.YF 7Win32.VBKrypt.uprs 1SillyFDCAH

1A 6Vobfus.YU Worm.Win32.Vobfus.erwm 1VB-ALR


1A 0Oderoor.M Clean 1EncPkCK

1A ? ? ?


Prefixes: Backdoor:Win32/, Mal/, HEUR:Trojan.Win32., Trojan:Win32/, Troj/, Trojan-Downloader.Win32.,0 1 2 3 4 5

6Worm:Win32/, Trojan.7

TLDS: com, net, tv, cc. dyndns.org, yi.org, dynserv.com, mooo.comA B


**DGArchive**

[The DGA in this blog post has been implemented by the DGArchive project.](https://web.archive.org/web/20160324035554/https://dgarchive.caad.fkie.fraunhofer.de/)


-----