{
	"id": "eb765882-fd63-4a2b-ba15-6e99b742dc27",
	"created_at": "2026-04-06T15:52:18.965006Z",
	"updated_at": "2026-04-10T03:20:37.096224Z",
	"deleted_at": null,
	"sha1_hash": "88917fc4c98872349dbc7ad791855222ddeb9540",
	"title": "The DGA of Shiotob",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 122701,
	"plain_text": "The DGA of Shiotob\r\nArchived: 2026-04-06 15:47:51 UTC\r\nThe Shiotob malware family steals user credentials, most notably information related to banking. The malware injects itself into legitimate processes, for instance explorer.exe. To contact its C\u0026C servers Shiotob uses a Domain Generation Algorithm (DGA), for example:\r\n02:31:53 HTTP connection, method: GET, URL: http://www.google.com/\r\n02:31:53 HTTPS connection, method: POST, URL: https://wtipubctwiekhir.net/gnu/\r\n02:31:53 HTTPS connection, method: POST, URL: https://rwmu35avqo12tqc.com/gnu/\r\n02:31:58 HTTPS connection, method: POST, URL: https://rskb5bsfhm2fk5h.net/gnu/\r\n02:32:03 HTTPS connection, method: POST, URL: https://rbp9pprrxgflut9.com/gnu/\r\n02:32:08 HTTPS connection, method: POST, URL: https://zzxeyzgy45yy2a.net/gnu/\r\n02:32:13 HTTPS connection, method: POST, URL: https://e3oa4wglvd21xa.com/gnu/\r\n02:36:12 HTTP connection, method: GET, URL: http://www.gstatic.com/generate_204\r\n02:36:12 HTTP connection, method: GET, URL: http://www.gstatic.com/generate_204\r\n02:37:18 HTTPS connection, method: POST, URL: https://mqmq1hvmtxzjv.net/gnu/\r\n02:37:23 HTTPS connection, method: POST, URL: https://pd4o4wu24vimn.com/gnu/\r\n02:37:28 HTTPS connection, method: POST, URL: https://tlmrzvpbpsqsb.net/gnu/\r\n02:37:33 HTTPS connection, method: POST, URL: https://pbmnz59uzndpo.com/gnu/\r\n02:37:38 HTTPS connection, method: POST, URL: https://x2lxslqz3wztw.net/gnu/\r\nShiotob uses some anti-sandbox techniques, e.g., a 10 minute wait time before contacting the first domain. For this reason, most online sandbox reports don’t list the DGA domains. In this blog post I show how the domain names are generated.\r\nSeed\r\nShiotob is seeded with a hardcoded url. The url is stored in a larger structure with other data. Apart from the seed url, this struct also contains a time stamp relevant to the DGA. 
I’m not entirely sure when the timestamp is taken, but it probably refers to when the malware is first run. The two values are at offset 9 and 0x164 respectively:\r\nglobal_struct\r\n+009h seed_domain\r\n...\r\n+164h install_time?\r\nFor example, this is the seed url inside one of the samples:\r\nhttps://www.johannesbader.ch/2015/01/the-dga-of-shiotob/\r\nPage 1 of 17\r\n001CF5D0 global_data dd 0D104D840h\r\n001CF5D4 byte_1CF5D4 db 132\r\n001CF5D5 db 88, 2, 0\r\n001CF5D8 db 0\r\n001CF5D9 seed_domain db 'wtipubctwiekhir.net/gnu/',0\r\nI looked at 8 different samples of Shiotob and found three different url seeds.\r\nSeed 1: wtipubctwiekhir.net/gnu/\r\nSample 1\r\nsha256 9a386b68c5548b7971b24b58d02abe33fbb4c96ea54b268db7f96a67c81b9c21\r\nmd5 1762a640449c489f5f4460898e5fea8e\r\nSample 2\r\nsha256 56d30a9aaf45e76d6f9e47ec118eedbddff70cce6f9c147f9f0f1efaf882c51c\r\nmd5 242ce522d7b0d26c408b875b5b6ce371\r\nSample 3\r\nsha256 f4a7ee8bdc46cc59029ed893899feb8e18a381d3bc6e9b450bf2cb49e15f0956\r\nmd5 9a5628f51621466fa0cc8483a4312e12\r\nThe first 10 domains for this seed (starting with the seed domain itself) are:\r\nwtipubctwiekhir.net\r\nrwmu35avqo12tqc.com\r\nrskb5bsfhm2fk5h.net\r\nrbp9pprrxgflut9.com\r\nzzxeyzgy45yy2a.net\r\ne3oa4wglvd21xa.com\r\nmqmq1hvmtxzjv.net\r\npd4o4wu24vimn.com\r\ntlmrzvpbpsqsb.net\r\npbmnz59uzndpo.com\r\nSeed 2: n9oonpgabxe31.net/gnu/\r\nSample 4\r\nsha256 5bac5fa46973b75acc51f0706303d8ac4e1ee7f829d0e3f8cd7e31a3bb28d9a1\r\nmd5 8d360a487c32c7e47d989b061942bf40\r\nSample 5\r\nsha256 cc5006de8daaa10d28e75c39bdc5228cf8494b4d6e4b968c10d3d499b90c59ce\r\nmd5 d0fcc2f1bfe8b0d5d2433cb4598b00fb\r\nThe first 10 domains for this seed (starting with the seed domain itself) are:\r\nn9oonpgabxe31.net\r\nq9mqi2au2d5sv.com\r\ne4zm4yxpnikf2.net\r\nsen4i12uzyixx.com\r\nlr1eve4qog1m2.net\r\n2oidwapmv2cwp.com\r\n5ge4f3gzlywq1.net\r\nskwskzyp2ktoc.com\r\nqtiixgafexkgze1.net\r\nxtjqjmjt344l22w.com\r\nSeed 3: dogcurbctw.com/gnu/\r\nSample 6\r\nsha256 fb8f084cc84b6a6abb98228717f10381c74ed55c75f812d5220bec8ad8bc2181\r\nmd5 072cce981cecdc97239b30a8479ac067\r\nSample 7\r\nsha256 0853c0615e0e486df96c85bf21957411f5fcf6d863b7753fede9774fc5faa5fc\r\nmd5 0d846cd79ff72c4e74391baa1b181fae\r\nSample 8\r\nsha256 b765e11bd9d44364b284c8420babb400b9140303885e66aca89864efe04ffa34\r\nmd5 329b2157a7a0b956a2949a29d152a82a\r\nThe first 10 domains for this seed (starting with the seed domain itself) are:\r\ndogcurbctw.com\r\n9g2rdi9uga.net\r\nvhklwvvon1.com\r\nbevgfijycd.net\r\n5g1xxzjvohrb5.com\r\nxg5mmhrtbog5b.net\r\ns2i9eecchnsvh.com\r\nka9rik1aqu5li.net\r\n5hx2xw4yb52kr.com\r\nuvwpywhvji3.net\r\nCallback Routine\r\nThe seed domain and the timestamp are passed to the dga_callback routine that will try to contact one of its C\u0026C servers:\r\n001C4103 mov edi, offset global_data\r\n...\r\n001C456A lea edx, [edi+global_struct.seed_domain]\r\n001C456D mov eax, [edi+168h]\r\n001C4573 and eax, ds:c_128\r\n001C4579 mov ecx, dword ptr [edi+global_struct.install_time]\r\n001C457F call dga_callback\r\nThe callback routine consists of an infinite loop that tries to POST data to algorithmically generated domains. The loop terminates only when a successful POST is made, including a valid response from the C\u0026C peer.\r\nInitialization\r\nThe start of dga_callback looks like this:\r\n[disassembly figure]\r\nThese lines extract the domain part from the seed url and save the result as the current_domain and seed_domain_copy.\r\nFirst Connectivity Check\r\nAfter the initialization follows the start of the callback loop:\r\n[disassembly figure]\r\nThe routine uses a loop counter in register ebx that starts at 1. 
If the loop counter is at 1 or if it reaches a multiple of 50, then the callback routine performs a connectivity check by contacting www.google.com. If Google is unreachable, Shiotob sleeps for 10 minutes and retries. Once Google can be reached, Shiotob also tries to contact the seed domain; if it can successfully POST to the seed domain and if the response is as expected, the routine returns:\r\nIF ebx == 1 OR ebx % 50 == 0 DO    % do for 1, 50, 100, ...\r\n    WHILE check_connectivity('www.google.com') fails DO\r\n        sleep(10 minutes)\r\n    contact(seed_domain)    % seed domain\r\n    IF \"POST\" was successful THEN\r\n        RETURN\r\nIf contacting the seed domain fails, or if the connectivity check is skipped, then Shiotob calls the DGA routine the_dga to generate a new domain. I discuss this routine later in the blog post.\r\nFrequency\r\nBack at the outer callback routine, the domain generated by the_dga is turned into the url https://{domain}/gnu/, which is then contacted. If the POST is successful, the callback returns. Otherwise, the routine sleeps for 5 seconds minus the time the POST took:\r\n[disassembly figure]\r\nSecond Connectivity Check\r\nNext, if the loop counter is 5 (and less than 10 minutes have passed since the loop started), Shiotob pauses for 5 minutes and enters another connectivity check loop:\r\n[disassembly figure]\r\nNumber of Generated Domains\r\nThe number of generated domains is time dependent. After every loop, the current time is taken:\r\n[disassembly figure]\r\nThe time passed since the start of the malware is then compared to different time spans. For instance, if the uptime is between 3 and 6 days, then the loop counter is reset to 1 after 500 iterations:\r\n[disassembly figure]\r\nWhen the loop counter is reset to 1, the current domain is also reset to the seed domain. 
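The loop rules described so far (connectivity check at ebx = 1 and at every 50th iteration, POST to the seed domain, POST to the next DGA domain, 5 second sleep, 5 minute pause at ebx = 5 within the first 10 minutes, and the uptime dependent reset) can be replayed to predict the timing of the traffic an analyst will see. The simulation below is an added example written for this page, not code from the post or from the malware. It assumes that Google is always reachable and that every POST fails, so the loop never returns and the 10 minute retry wait never triggers, and it treats the uptime as a fixed parameter instead of re-reading the clock on every iteration.

```python
from dataclasses import dataclass

# Timing and reset constants from the post (seconds / loop iterations).
SLEEP_BETWEEN_POSTS = 5
PAUSE_AT_FIFTH = 5 * 60
PAUSE_WINDOW = 10 * 60        # the 5 minute pause only happens within the first 10 minutes
CHECK_EVERY = 50              # connectivity check and seed POST at ebx == 1, 50, 100, ...


def iterations_for_uptime(uptime_days):
    # Loop counter reset thresholds from the post's table (seed + N DGA domains).
    if uptime_days < 3:
        return 250
    if uptime_days < 6:
        return 500
    if uptime_days < 10:
        return 1000
    return 2000


@dataclass
class Event:
    t: int        # seconds since the callback loop started
    kind: str     # 'check' (GET to Google), 'seed' or 'dga' (HTTPS POST to .../gnu/)
    ebx: int      # loop counter when the request is made
    index: int    # position in the DGA chain: 0 = seed domain, 1 = first the_dga output


def simulate(n_events, uptime_days=0):
    # Assumptions (not from the post): Google is always reachable and every POST
    # fails, so the 10 minute retry wait never triggers and the loop never returns.
    events = []
    t = 0
    ebx = 1
    index = 0            # index of the current domain; the_dga advances it by one
    while len(events) < n_events:
        if ebx == 1 or ebx % CHECK_EVERY == 0:
            events.append(Event(t, 'check', ebx, index))
            events.append(Event(t, 'seed', ebx, 0))
        index += 1                                   # domain = the_dga(domain)
        events.append(Event(t, 'dga', ebx, index))
        t += SLEEP_BETWEEN_POSTS
        if ebx == 5 and t < PAUSE_WINDOW:
            t += PAUSE_AT_FIFTH
            events.append(Event(t, 'check', ebx, index))
        if ebx == iterations_for_uptime(uptime_days):
            ebx = 1                                  # start over with the seed domain
            index = 0
        else:
            ebx += 1
    return events[:n_events]


def post_times(events):
    # Offsets of the POST requests only, i.e. what a proxy log would show.
    return [e.t for e in events if e.kind != 'check']


if __name__ == '__main__':
    for e in simulate(12):
        print(f'{e.t:5d}s  {e.kind:5s}  ebx={e.ebx:<3d} domain#{e.index}')
```

The first seven POST offsets come out as 0, 0, 5, 10, 15, 20 and 325 seconds: the seed domain, the first five DGA domains five seconds apart, then the 5:05 gap before the sixth, which is exactly the 02:31:53 to 02:37:18 spacing in the trace at the top of the post. With an uptime below 3 days the first cycle ends after 263 requests at about 26 minutes, having touched 251 distinct domains (seed plus 250), and the 5 minute pause does not recur after the reset because the 10 minute window has passed. A sandbox run of a few minutes therefore sees at most five DGA domains, and the 10 minute start-up delay mentioned earlier comes on top of that.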
The callback routine therefore generates domains forever, always resetting to the seed domain.\r\nThe number of domains increases with time. In total there are four different time spans:\r\ntime since malware start | nr of domains\r\nup to 3 days | 251\r\n3 days or more, less than 6 days | 501\r\n6 days or more, less than 10 days | 1001\r\nmore than 10 days | 2001\r\nSummary of the Callback Loop\r\nTo summarize, this is how the callback routine iterates over the domains:\r\ndomain = seed_domain    % initialize with seed domain\r\nebx = 1\r\nWHILE TRUE:\r\n    IF ebx == 1 OR ebx % 50 == 0 DO    % do for 1, 50, 100, ...\r\n        WHILE check_connectivity('www.google.com') fails DO\r\n            sleep(10 minutes)\r\n        contact(seed_domain)\r\n        IF \"POST\" was successful THEN\r\n            RETURN\r\n    domain = the_dga(domain)    % get next domain\r\n    contact(domain)\r\n    IF \"POST\" was successful THEN\r\n        RETURN\r\n    sleep(5 seconds)\r\n    IF ebx == 5 AND less than 10 minutes passed DO\r\n        sleep(5 minutes)\r\n        WHILE check_connectivity('www.google.com') fails DO\r\n            sleep(10 minutes)\r\n    IF time_passed \u003c 3 days THEN\r\n        iterations = 250\r\n    ELSE IF time_passed \u003c 6 days THEN\r\n        iterations = 500\r\n    ELSE IF time_passed \u003c 10 days THEN\r\n        iterations = 1000\r\n    ELSE\r\n        iterations = 2000\r\n    IF ebx == iterations THEN\r\n        ebx = 1    % start over with the seed domain\r\n        domain = seed_domain\r\n    ELSE\r\n        ebx = ebx + 1\r\nFor example, this is the traffic at the beginning:\r\n1. 02:31:53 HTTP connection, method: GET, URL: http://www.google.com/ : This is part of the connectivity check, since ebx = 1.\r\n2. 02:31:53 HTTPS connection, method: POST, URL: https://wtipubctwiekhir.net/gnu/ : This is the call to the seed domain, since ebx = 1.\r\n3. 02:31:53 HTTPS connection, method: POST, URL: https://rwmu35avqo12tqc.com/gnu/ : This is the call after the_dga for ebx = 1. After this call, the routine sleeps 5 seconds.\r\n4. 02:31:58 HTTPS connection, method: POST, URL: https://rskb5bsfhm2fk5h.net/gnu/ : This is the call after the_dga for ebx = 2. After this call, the routine sleeps 5 seconds.\r\n5. 02:32:03 HTTPS connection, method: POST, URL: https://rbp9pprrxgflut9.com/gnu/ : This is the call after the_dga for ebx = 3. After this call, the routine sleeps 5 seconds.\r\n6. 02:32:08 HTTPS connection, method: POST, URL: https://zzxeyzgy45yy2a.net/gnu/ : This is the call after the_dga for ebx = 4. After this call, the routine sleeps 5 seconds.\r\n7. 02:32:13 HTTPS connection, method: POST, URL: https://e3oa4wglvd21xa.com/gnu/ : This is the call after the_dga for ebx = 5. After this call, the routine sleeps 5 seconds, and another 5 minutes because ebx = 5.\r\n8. 02:36:12 HTTP connection, method: GET, URL: http://www.gstatic.com/generate_204 : This is the connectivity check call for ebx = 5.\r\nNext, I’ll analyse the heart of the DGA in the_dga. This routine is responsible for generating new domains.\r\nThe DGA: Fresh Domains by Recurrence Relation\r\nThe subroutine the_dga gets the current domain passed in eax. 
Based on the current domain, the algorithm then generates a new domain and returns it.\r\nDisassembly\r\nThis is the disassembly of the entire the_dga routine:\r\nCODE:001BB508 ; =============== S U B R O U T I N E =======================================\r\nCODE:001BB508 ; Attributes: bp-based frame\r\nCODE:001BB508 the_dga proc near ; CODE XREF: sub_40B744+E4p\r\nCODE:001BB508 next_domain = byte ptr -4Dh\r\nCODE:001BB508 domain[2] = byte ptr -4Bh\r\nCODE:001BB508 sum_of_chars = dword ptr -0Ch\r\nCODE:001BB508 var_6 = byte ptr -6\r\nCODE:001BB508 strlen_prev_domain= byte ptr -5\r\nCODE:001BB508 curr_domain = byte ptr -4\r\nCODE:001BB508 push ebp\r\nCODE:001BB509 mov ebp, esp\r\nCODE:001BB50B add esp, 0FFFFFFB0h\r\nCODE:001BB50E push ebx\r\nCODE:001BB50F push esi\r\nCODE:001BB510 push edi\r\nCODE:001BB511 mov [ebp+curr_domain], eax ; pointer to the current domain string\r\nCODE:001BB514 lea eax, [ebp+next_domain]\r\nCODE:001BB517 mov edx, 65\r\nCODE:001BB51C call zero_out_ecx_bytes_of_eax ; clean 65 characters of domain\r\nCODE:001BB521 lea eax, [ebp+next_domain]\r\nCODE:001BB524 mov edx, dword ptr [ebp+curr_domain]\r\nCODE:001BB527 call copy_edx_to_eax\r\nCODE:001BB52C lea eax, [ebp+next_domain]\r\nCODE:001BB52F call strlen\r\nCODE:001BB534 sub al, 4 ; strlen(tld + .)\r\nCODE:001BB536 mov [ebp+strlen_prev_domain], al\r\nCODE:001BB539 xor eax, eax\r\nCODE:001BB53B mov [ebp+sum_of_chars], eax\r\nCODE:001BB53E xor edx, edx\r\nCODE:001BB540 mov dl, [ebp+strlen_prev_domain]\r\nCODE:001BB543 test edx, edx\r\nCODE:001BB545 jl short loc_40B556\r\nCODE:001BB547 inc edx\r\nCODE:001BB548 lea eax, [ebp+next_domain]\r\nCODE:001BB54B loc_40B54B: ; CODE XREF: dga+4Cj\r\nCODE:001BB54B xor ecx, ecx\r\nCODE:001BB54D mov cl, [eax]\r\nCODE:001BB54F add [ebp+sum_of_chars], ecx\r\nCODE:001BB552 inc eax\r\nCODE:001BB553 dec edx\r\nCODE:001BB554 jnz short loc_40B54B\r\nCODE:001BB556 loc_40B556: ; CODE XREF: dga+3Dj\r\nCODE:001BB556 xor edx, edx\r\nCODE:001BB558 loc_40B558: ; CODE XREF: dga+7Aj\r\nCODE:001BB558 xor eax, eax\r\nCODE:001BB55A lea esi, [ebp+next_domain]\r\nCODE:001BB55D loc_40B55D: ; CODE XREF: dga+74j\r\nCODE:001BB55D lea edi, [eax+edx]\r\nCODE:001BB560 cmp edi, 41h\r\nCODE:001BB563 jge short loc_40B577\r\nCODE:001BB565 mov cl, [ebp+strlen_prev_domain]\r\nCODE:001BB568 imul cx, [esi]\r\nCODE:001BB56C xor cl, [ebp+edi+next_domain]\r\nCODE:001BB570 xor cl, byte ptr [ebp+sum_of_chars]\r\nCODE:001BB573 mov [ebp+edi+next_domain], cl\r\nCODE:001BB577 loc_40B577: ; CODE XREF: dga+5Bj\r\nCODE:001BB577 inc eax\r\nCODE:001BB578 inc esi\r\nCODE:001BB579 cmp eax, 66\r\nCODE:001BB57C jnz short loc_40B55D\r\nCODE:001BB57E inc edx\r\nCODE:001BB57F cmp edx, 66\r\nCODE:001BB582 jnz short loc_40B558\r\nCODE:001BB584 mov cl, [ebp+domain[2]]\r\nCODE:001BB587 imul cx, word ptr [ebp+strlen_prev_domain]\r\nCODE:001BB58C xor cl, [ebp+next_domain]\r\nCODE:001BB58F xor eax, eax\r\nCODE:001BB591 mov al, cl\r\nCODE:001BB593 shr eax, 4\r\nCODE:001BB596 mov ecx, eax\r\nCODE:001BB598 cmp cl, 10\r\nCODE:001BB59B jnb short loc_40B5A0\r\nCODE:001BB59D mov cl, [ebp+strlen_prev_domain]\r\nCODE:001BB5A0 loc_40B5A0: ; CODE XREF: dga+93j\r\nCODE:001BB5A0 xor edx, edx\r\nCODE:001BB5A2 mov dl, cl\r\nCODE:001BB5A4 test edx, edx\r\nCODE:001BB5A6 jl short loc_40B5BF\r\nCODE:001BB5A8 inc edx\r\nCODE:001BB5A9 lea eax, [ebp+next_domain]\r\nCODE:001BB5AC loc_40B5AC: ; CODE XREF: dga+B5j\r\nCODE:001BB5AC xor ebx, ebx\r\nCODE:001BB5AE mov bl, [eax]\r\nCODE:001BB5B0 shr ebx, 3\r\nCODE:001BB5B3 mov bl, byte ptr ds:aQwertyuiopasdfghjklzxcvb[ebx]\r\nCODE:001BB5B9 mov [eax], bl\r\nCODE:001BB5BB inc eax\r\nCODE:001BB5BC dec edx\r\nCODE:001BB5BD jnz short loc_40B5AC\r\nCODE:001BB5BF loc_40B5BF: ; CODE XREF: dga+9Ej\r\nCODE:001BB5BF xor eax, eax\r\nCODE:001BB5C1 mov al, cl\r\nCODE:001BB5C3 mov [ebp+eax+next_domain], 0\r\nCODE:001BB5C8 mov edx, offset a_net ; \".net\"\r\nCODE:001BB5CD mov eax, dword ptr [ebp+curr_domain]\r\nCODE:001BB5D0 call sub_401198\r\nCODE:001BB5D5 test eax, eax\r\nCODE:001BB5D7 jz short loc_40B5EC\r\nCODE:001BB5D9 push offset a_com ; \".com\"\r\nCODE:001BB5DE lea eax, [ebp+next_domain]\r\nCODE:001BB5E1 push eax\r\nCODE:001BB5E2 call concat\r\nCODE:001BB5E7 add esp, 8\r\nCODE:001BB5EA jmp short loc_40B5FD\r\nCODE:001BB5EC ; ---------------------------------------------------------------------------\r\nCODE:001BB5EC loc_40B5EC: ; CODE XREF: dga+CFj\r\nCODE:001BB5EC push offset a_net ; \".net\"\r\nCODE:001BB5F1 lea eax, [ebp+next_domain]\r\nCODE:001BB5F4 push eax\r\nCODE:001BB5F5 call concat\r\nCODE:001BB5FA add esp, 8\r\nCODE:001BB5FD loc_40B5FD: ; CODE XREF: dga+E2j\r\nCODE:001BB5FD lea edx, [ebp+next_domain]\r\nCODE:001BB600 mov eax, dword ptr [ebp+curr_domain]\r\nCODE:001BB603 call copy_edx_to_eax\r\nCODE:001BB608 pop edi\r\nCODE:001BB609 pop esi\r\nCODE:001BB60A pop ebx\r\nCODE:001BB60B mov esp, ebp\r\nCODE:001BB60D pop ebp\r\nCODE:001BB60E retn\r\nCODE:001BB60E the_dga endp\r\nCODE:001BB60E ; ---------------------------------------------------------------------------\r\nThe string aQwertyuiopasdfghjklzxcvb has the value “qwertyuiopasdfghjklzxcvbnm123945678”.\r\nDecompilation to Python\r\nDecompiled to Python, the DGA still looks rather messy:\r\ndef get_next_domain(domain):\r\n    qwerty = 'qwertyuiopasdfghjklzxcvbnm123945678'\r\n\r\n    def sum_of_characters(domain):\r\n        # byte sum over the hostname plus the dot; the tld itself is skipped\r\n        return sum([ord(d) for d in domain[:-3]])\r\n\r\n    sof = sum_of_characters(domain)\r\n    ascii_codes = [ord(d) for d in domain] + 100*[0]   # the zeroed 65 byte buffer\r\n    old_hostname_length = len(domain) - 4                # strlen minus strlen('.net')\r\n\r\n    # recurrence relation: 66 x 66 passes over the buffer, writing only below index 65\r\n    for i in range(0, 66):\r\n        for j in range(0, 66):\r\n            edi = j + i\r\n            if edi \u003c 65:\r\n                p = (old_hostname_length * ascii_codes[j])\r\n                cl = p ^ ascii_codes[edi] ^ sof\r\n                ascii_codes[edi] = cl \u0026 0xFF\r\n\r\n    \"\"\"\r\n    calculate the new hostname length\r\n    max: 255/16 = 15\r\n    min: 10\r\n    \"\"\"\r\n    cx = ((ascii_codes[2]*old_hostname_length) ^ ascii_codes[0]) \u0026 0xFF\r\n    hostname_length = int(cx/16)   # at most 15\r\n    if hostname_length \u003c 10:\r\n        hostname_length = old_hostname_length\r\n\r\n    \"\"\"\r\n    generate hostname\r\n    \"\"\"\r\n    for i in range(hostname_length):\r\n        index = int(ascii_codes[i]/8)   # max 31 --\u003e last 3 chars of qwerty unreachable\r\n        bl = ord(qwerty[index])\r\n        ascii_codes[i] = bl\r\n    hostname = ''.join([chr(a) for a in ascii_codes[:hostname_length]])\r\n\r\n    \"\"\"\r\n    append .net or .com (alternating)\r\n    \"\"\"\r\n    tld = '.com' if domain.endswith('.net') else '.net'\r\n    domain = hostname + tld\r\n    return domain\r\n\r\n\r\nif __name__ == '__main__':\r\n    # print the first 10 domains for the first seed from the samples above\r\n    domain = 'wtipubctwiekhir.net'\r\n    for _ in range(10):\r\n        print(domain)\r\n        domain = get_next_domain(domain)\r\nThe recurrence relation generates a pseudo random array of 66 chars seeded with the previous domain (nested for-loop). Next, the DGA determines the length of the new hostname based on the random data. The determined length will be between 0 and 15 characters; if the picked length is smaller than 10 though, Shiotob will use the length of the previous hostname instead. This means that the domain length only changes 37.5% of the time (6 of the 16 possible values). The DGA then determines the new hostname based on the random array using 32 characters from a hard coded string. 
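Taken together, the structural properties above (a hostname of 10 to 15 characters drawn from the lower case letters and the digits 1, 2, 3, 4, 5 and 9, a top level domain that alternates between .net and .com from one domain to the next, and HTTPS POSTs to the path /gnu/ about five seconds apart) are enough for a proxy log heuristic. The detector below is an added example written for this page, not code from the post. The log format is the one of the sandbox trace at the top of the post; the three lines before 02:31:53 in the sample are constructed, and the thresholds min_run and max_gap are my choice, not values taken from the malware.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Characters the DGA can emit: index = byte >> 3 is at most 31, so only the first
# 32 characters of qwertyuiopasdfghjklzxcvbnm123945678 are reachable (no 6, 7, 8).
DGA_ALPHABET = set('qwertyuiopasdfghjklzxcvbnm123945')
DGA_TLDS = ('.net', '.com')
MIN_LEN, MAX_LEN = 10, 15
C2_PATH = '/gnu/'


def looks_like_shiotob_host(host):
    # Single-domain check against the properties derived above: one label of
    # 10 to 15 characters from the reachable alphabet, directly under .net or .com.
    host = host.lower()
    for tld in DGA_TLDS:
        if host.endswith(tld):
            label = host[:-len(tld)]
            break
    else:
        return False
    if '.' in label or not MIN_LEN <= len(label) <= MAX_LEN:
        return False
    return set(label) <= DGA_ALPHABET


def parse_line(line):
    # One line of the sandbox trace format: <time> <proto> connection, method: <m>, URL: <url>
    ts, rest = line.split(' ', 1)
    fields = {}
    for part in rest.split(', '):
        if ': ' in part:
            key, value = part.split(': ', 1)
            fields[key] = value
    url = urlsplit(fields['URL'])
    return {
        'time': datetime.strptime(ts, '%H:%M:%S'),
        'method': fields['method'],
        'host': url.hostname or '',
        'path': url.path,
    }


def find_shiotob_runs(lines, min_run=3, max_gap=6):
    # Flag runs of at least min_run consecutive POSTs to /gnu/ on DGA-looking hosts
    # whose TLDs alternate and which are at most max_gap seconds apart (5 s sleep
    # plus slack). The 5 minute pause after the fifth DGA domain ends a run, which
    # is why the trace from the post yields two runs. Returns the hosts of each run.
    runs = []
    current = []
    for line in lines:
        rec = parse_line(line)
        candidate = (rec['method'] == 'POST' and rec['path'] == C2_PATH
                     and looks_like_shiotob_host(rec['host']))
        extends = False
        if candidate and current:
            prev = current[-1]
            gap = (rec['time'] - prev['time']).total_seconds()
            extends = 0 <= gap <= max_gap and rec['host'][-4:] != prev['host'][-4:]
        if extends:
            current.append(rec)
            continue
        if len(current) >= min_run:
            runs.append([r['host'] for r in current])
        current = [rec] if candidate else []
    if len(current) >= min_run:
        runs.append([r['host'] for r in current])
    return runs


# Constructed benign lines (the first three) followed by the trace from the post.
SAMPLE_TRACE = [
    '02:30:00 HTTPS connection, method: POST, URL: https://update.example.com/gnu/',
    '02:30:05 HTTPS connection, method: GET, URL: https://rwmu35avqo12tqc.com/',
    '02:30:10 HTTPS connection, method: POST, URL: https://abcdefghij.com/gnu/',
    '02:31:53 HTTP connection, method: GET, URL: http://www.google.com/',
    '02:31:53 HTTPS connection, method: POST, URL: https://wtipubctwiekhir.net/gnu/',
    '02:31:53 HTTPS connection, method: POST, URL: https://rwmu35avqo12tqc.com/gnu/',
    '02:31:58 HTTPS connection, method: POST, URL: https://rskb5bsfhm2fk5h.net/gnu/',
    '02:32:03 HTTPS connection, method: POST, URL: https://rbp9pprrxgflut9.com/gnu/',
    '02:32:08 HTTPS connection, method: POST, URL: https://zzxeyzgy45yy2a.net/gnu/',
    '02:32:13 HTTPS connection, method: POST, URL: https://e3oa4wglvd21xa.com/gnu/',
    '02:36:12 HTTP connection, method: GET, URL: http://www.gstatic.com/generate_204',
    '02:36:12 HTTP connection, method: GET, URL: http://www.gstatic.com/generate_204',
    '02:37:18 HTTPS connection, method: POST, URL: https://mqmq1hvmtxzjv.net/gnu/',
    '02:37:23 HTTPS connection, method: POST, URL: https://pd4o4wu24vimn.com/gnu/',
    '02:37:28 HTTPS connection, method: POST, URL: https://tlmrzvpbpsqsb.net/gnu/',
    '02:37:33 HTTPS connection, method: POST, URL: https://pbmnz59uzndpo.com/gnu/',
    '02:37:38 HTTPS connection, method: POST, URL: https://x2lxslqz3wztw.net/gnu/',
]

if __name__ == '__main__':
    for run in find_shiotob_runs(SAMPLE_TRACE):
        print(len(run), 'domains:', ' '.join(run))
```

Run over the sample it returns two runs, six and five hosts long, and ignores the Google, gstatic and example.com requests; the isolated POST to abcdefghij.com is dropped by min_run, and the GET to rwmu35avqo12tqc.com without the /gnu/ path is never a candidate. The per-host check on its own is too weak to alert on, since any 10 to 15 character label without the digits 6, 7 and 8 passes it, so the sequence features (path, cadence, alternating TLD) carry the detection. The cadence also gives a volume signal: by the loop description above, one infected host contacts roughly 250 distinct DGA domains in well under half an hour.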
Finally, the top level domain is picked, alternating between .net and .com.\r\nFrom this we can see the following properties of the DGA:\r\n- the top level domains alternate between .net and .com\r\n- the length of the domain is 10 to 15 characters (excluding the tld), with succeeding domains likely (62.5%) to be of the same length\r\n- the domain consists of lower case letters and the digits 1, 2, 3, 4, 5 and 9 (the digits 6, 7 and 8 at the end of the hard coded string are unreachable)\r\n- the length of the domain and the letters are approximately uniformly distributed\r\nSummary\r\nThe following table summarizes the properties of the DGA:\r\nproperty | value\r\nseed | static url, for example: wtipubctwiekhir.net/gnu/\r\ndomains per seed | unlimited\r\ndomain order | static: seed, 1, 2, 3, …, 50, seed, 51, …\r\nused domains | 251, 501, 1001 or 2001, depending on the time passed since start\r\nwait time between domains | normally 5 seconds, 0 seconds after a connectivity check, 5:05 after the first 6 POSTs (seed plus 5 DGA domains)\r\ntop level domains | .net and .com, alternating\r\nsecond level characters | all letters and the digits 123459 (uniformly distributed)\r\nsecond level domain length | 10 to 15 (approx. uniformly distributed)\r\nYou find a script to generate the domains on GitHub Gist.\r\nSource: https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/"
	],
	"report_names": [
		"the-dga-of-shiotob"
	],
	"threat_actors": [],
	"ts_created_at": 1775490738,
	"ts_updated_at": 1775791237,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88917fc4c98872349dbc7ad791855222ddeb9540.pdf",
		"text": "https://archive.orkl.eu/88917fc4c98872349dbc7ad791855222ddeb9540.txt",
		"img": "https://archive.orkl.eu/88917fc4c98872349dbc7ad791855222ddeb9540.jpg"
	}
}