{
	"id": "0b05b6d4-340b-46e4-aff4-22bc5e6c8248",
	"created_at": "2026-04-06T00:19:28.316693Z",
	"updated_at": "2026-04-10T03:20:59.168843Z",
	"deleted_at": null,
	"sha1_hash": "e614ba803069125717948902e4068a9b5843016b",
	"title": "Kraken's two Domain Generation Algorithms - A side by side comparison of the DGAs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 160054,
	"plain_text": "Kraken's two Domain Generation Algorithms - A side by side comparison of the DGAs\r\nArchived: 2026-04-05 21:36:41 UTC\r\nKraken (also known as Oderoor or Bobax) was once a large, if not the largest, botnet. It was primarily used to send spam messages. Kraken features a Domain Generation Algorithm (DGA) which appeared in July 2007 and was first mentioned in 2008. This makes it one of the first ever widely used DGAs.\r\nThe original DGA of Kraken is time-independent, i.e., a specific sample will at all times generate the same domains. There are various reports on how to determine the domains. Michael Ligh and Greg Sinclair showed how to use instrumented execution with Immunity Debugger in their DEFCON 16 talk “Malware RCE: Debuggers and Decryptor Development” (skip to 18:24). The same method is also described in The Malware Analyst’s Cookbook, recipe 12-11 on page 476. This report by Damballa lists the domains for one parameterization of the DGA.\r\nMuch later — the first samples on Malwr are from 2003 — Kraken’s DGA changed. Probably recognizing the problem with generating the same domains every time, the authors added a time-dependent input to the DGA. They also moved away from dynamic DNS providers and used four regular top level domains instead. A few samples, maybe from the transitional stage, still rely on the DDNS providers even with the new algorithm. Kraken infections with newer DGAs peaked in July 2014 (also see the list of samples in Section Samples).\r\nThe later version of Kraken’s DGA is much less reported on. Here is an analysis of the malware with the new domains. But neither the domains nor the domain generating algorithm are shown. For me, good enough grounds to look at both DGAs in this short blog post. 
I’m aware that the DGA is irrelevant today, as Kraken is currently dead or inactive, but hopefully the post might still be interesting for the keen DGA historian.\r\nReverse Engineering\r\nThis section shows some reverse engineering insights into the DGA. Skip to Python Implementations to see reimplementations of the two algorithms.\r\nBoth the old and the new version of the DGA have parameters that can change from sample to sample and cause disjoint sets of domains. I therefore looked at multiple samples to identify the variable parts of the DGA. For the old DGA I reversed two samples:\r\nsource: virusshare | uploaded: 2012-09-04 03:44 | SHA-256: 5f004bd36715225c22ddb27d109a2b5f1c5215a6ce2df2e111c5fb49bc7161f9 | MD5: 10fd78f9681d66d2dd39816b5f7f6ea6\r\nsource: malwr | uploaded: 2014-12-08 15:04 | SHA-256: 4606a621922b28be1ff7f4621713aaafd988b8c5f1153720200c5e6dad0c5416 | MD5: 60838eeb3f8cd311de0faef80909632d\r\nAs far as the new version goes, I looked at these samples:\r\nsource: malwr | uploaded: 2013-08-05 04:16 | SHA-256: 0fed48972c9b5c7fc6735db2b8764c45c95d45bde3764933b4a4909656c1ed47 | MD5: f2ae73d866bb4edd14ee96cf74fbb423\r\nsource: virusshare | uploaded: 2012-04-12 | SHA-256: e83bc2ec7975885424668171c2e106f7982bd409e01ce6281fb0e6e722e98810 | MD5: 04966960f3f5ed32ae479079a1bcf6e9\r\nAll listed offsets are from the first listed sample of each version respectively.\r\nhttps://bin.re/blog/krakens-two-domain-generation-algorithms/\r\nPage 1 of 19\r\nPseudo Random Number Generator\r\nBoth of Kraken’s DGAs use a linear congruential generator (LCG) as pseudo random number generator (PRNG). The parameters are the same as found in many rand() implementations:\r\n$r_{n+1} = 1103515245 \\cdot r_n + 12435 \\bmod 2^{31}$\r\nThe bits 23 to 8 are used, i.e., $\\lfloor r / 256 \\rfloor \\bmod 32768$.\r\nSeeding\r\nThe DGA of both versions first initializes the pseudo random number generator (PRNG). Two values are used to determine the seed of the PRNG:\r\n1. 
A running counter that starts at 0 and increases in steps of one (version 1) or one or two (version 2). In version 2 the increment depends on the outcome of the DNS response for the domain. The details of the counter are discussed in Section Domain Counter.\r\n2. Whether or not a list of hardcoded IPs could be contacted. These network connections are performed by hardcoded_success at offsets 001BE832 and 0x408D6C respectively in the following images. The routine returns True if the attempts were successful.\r\nThe following graph views are from the beginning of both DGAs. Both snippets initialize the random number — ecx in version 1 and ebx in version 2 — depending on the counter value and the success of contacting the hardcoded IPs. On the left-hand side is the old version of the DGA, on the right-hand side the newer release (click to enlarge the images).\r\n[Image: graph view of the seeding code, version 1 (left) and version 2 (right)]\r\nThe hardcoded values -265273224 and 143803713 on the left, as well as -1FCFBF87h and 7924542h on the right, might change from sample to sample. These parameters can be used to generate different sets of domains.\r\nFor the first version of the DGA, the snippet above boils down to the following, rather elaborate, formula:\r\n$d = \\left\\lfloor \\frac{\\mathrm{counter}}{2} \\right\\rfloor + 1000015$\r\n$r = \\begin{cases} d \\cdot (d + 7) \\cdot (d + 12) / 9 + d \\cdot (d + 1) + c_s & \\text{if success with hardcoded IPs} \\\\ d \\cdot (d + 2) \\cdot (d + 7) / 9 + d \\cdot (3d + 1) + c_f & \\text{otherwise} \\end{cases}$\r\nI found two different parameter sets. 
Notice that the changes are very subtle, only the first and last nibble vary:\r\nversion 1 | cs | cf\r\nSeed a | -0x0FCFBF88 | 0x8924541\r\nSeed b | -0x1FCFBF87 | 0x7924542\r\nThe second version uses a much simpler formula to initialize the random number:\r\n$d = \\left\\lfloor \\frac{\\mathrm{counter}}{2} \\right\\rfloor$\r\n$r = 3d + \\begin{cases} c_s & \\text{if success with hardcoded IPs} \\\\ c_f & \\text{otherwise} \\end{cases}$\r\nAgain I found two parameter sets:\r\nversion 2 | cs | cf\r\nSeed a | 24938314 | 24938315\r\nSeed b | 1600000 | 1600001\r\nNotice that in both versions the counter input to the DGA is first divided by two. The Malware Analyst’s Cookbook (page 480) considers this a flaw of the DGA:\r\nThere are two weaknesses in Kraken’s DGA that are worth mentioning: (…) Odd numbers cause Kraken’s algorithm to generate the same domain names as the even numbers that precede them. This effectively cuts the number of possible domains generated by the DGA in half.\r\nSection Domain Counter explains why I think this is by design and not a flaw of the DGA.\r\nDiscarding (only version 2)\r\nNext follows code that is only present in the new version of Kraken’s DGA. The code incorporates a timestamp, which is determined by making an HTTP request to a randomly picked, legitimate website. The date is extracted from the HTTP Date header of the response and converted to Unix timestamp format. For the analysed samples, the domains used to determine the time are: yahoo.com, google.com, live.com, msn.com, aol.com, amazon.com, go.com, bbc.co.uk, cnn.com, news.com, download.com, weather.com, comcast.net, mozilla.com and hp.com. 
The timestamp sets the variable discards:\r\n[Image: version 1: not present | version 2: code deriving discards from the timestamp]\r\nThe divisor is the number of seconds in a week, so the value discards changes only every 7 days.\r\n$\\mathrm{discards} = \\left\\lfloor \\frac{\\mathrm{timestamp}_{\\mathrm{unix}} - 1207000000}{24 \\cdot 7 \\cdot 3600} \\right\\rfloor + 2$\r\nThe discard value, along with the current domain number, determines how many of the PRNG cycles are discarded:\r\n[Image: version 1: not present | version 2: discard loop]\r\nIn pseudocode this is:\r\ndiscards = (timestamp - 1207000000) / 604800 + 2\r\nIF domain_nr % 9 \u003c 8\r\n    IF domain_nr % 9 \u003e= 6\r\n        discards -= 1\r\n    REPEAT discards TIMES\r\n        r = rand(r)/256 % 32768\r\nNotice that for every ninth domain discarding is skipped. Since the discards are the only time-dependent part of the DGA, those domains are invariants and prime targets for sinkholing.\r\nLength of Random Domain\r\nAfter the PRNG is initialized, the length of the random part of the domain is randomly picked. The two versions use almost the same algorithm:\r\n[Image: length computation, version 1 (left) and version 2 (right)]\r\nBoth versions first generate three random numbers ($r_i$ is the random number after initialization and, for the second version, discarding):\r\n$r_{i+1} = 1103515245 \\cdot r_i + 12435 \\bmod 2^{31}$\r\n$r_{i+2} = 1103515245 \\cdot r_{i+1} + 12435 \\bmod 2^{31}$\r\n$r_{i+3} = 1103515245 \\cdot r_{i+2} + 12435 \\bmod 2^{31}$\r\nThe first version uses the three random values to set the length as follows:\r\n$d_{length}^{(v1)} = \\Big( \\big( \\lfloor r_{i+1} / 256 \\rfloor \\bmod 32768 \\big) \\cdot \\big( \\lfloor r_{i+2} / 256 \\rfloor \\bmod 32768 \\big) - \\big( \\lfloor r_{i+3} / 256 \\rfloor \\bmod 32768 \\big) \\Big) \\bmod 6 + 6$\r\nThe second version works almost the same, apart from (a) the third random number being added rather than subtracted and (b) the minimum length being 7 instead of 6:\r\n$d_{length}^{(v2)} = \\Big( \\big( \\lfloor r_{i+1} / 256 \\rfloor \\bmod 32768 \\big) \\cdot \\big( \\lfloor r_{i+2} / 256 \\rfloor \\bmod 32768 \\big) + \\big( \\lfloor r_{i+3} / 256 \\rfloor \\bmod 32768 \\big) \\Big) \\bmod 6 + 7$\r\nThis gives lengths between 6 and 11 characters for 
the first version, and 7 and 12 characters for the second version.\r\nBuilding the Random Domain\r\nKraken uses straightforward calls to the random number generator to determine the characters of the random domain. All characters a-z are picked with about equal probability. Both versions use the exact same algorithm:\r\n[Image: character generation loop, version 1 (left) and version 2 (right)]\r\nIn pseudocode this is:\r\ndomain = \"\"\r\nREPEAT domain_length TIMES\r\n    r = rand(r)\r\n    domain += (r/256 % 32768) % 26 + 'a'\r\nBase Domain\r\nThe final step of the domain generation algorithm is to append the base domain. For the first version, these base domains are four dynamic DNS providers. A few of the samples with the second DGA version use the same DDNS providers; for the most part, though, the base domains are regular top level domains. Base domains are picked one after another (indexed by the domain number, wrapping around after the fourth entry) from a hard-coded list:\r\n[Image: base domain selection, version 1 (left) and version 2 (right)]\r\nThe base domains are:\r\nversion 1, some version 2 samples: “dyndns.org” → “yi.org” → “dynserv.com” → “mooo.com” (free DDNS providers)\r\nversion 2: “com” → “net” → “tv” → “cc” (top level domains)\r\nDomain Counter\r\nAs seen above, both DGAs take a running counter as input. The counter starts at zero. Instead of an upper bound, the counter is reset after 30 minutes of trying to contact the C\u0026C servers. There is some wait time between contacting domains which I did not examine; the expected number of generated domains is therefore unknown to me.\r\n[Image: counter handling, version 1 (left) and version 2 (right)]\r\nThe old DGA always increments the index by one, regardless of the result of the call-home attempt for the generated domain. 
For version 2 things are a little more complicated; the DGA can increment the counter by one or two:\r\n[Image: counter increment, version 1 (left) and version 2 (right)]\r\nThe counter in version 2 is incremented depending on the DNS response to the generated domain. The resolved IP is compared against various hard-coded ranges. For example:\r\n0040AFB9 cmp eax, 127 ; eax first tuple of IP\r\n0040AFBC jz short private_ip\r\n0040AFBE\r\n0040AFBE loc_40AFBE:\r\n0040AFBE cmp eax, 192\r\n0040AFC3 jnz short loc_40AFCD\r\n0040AFC5 cmp ecx, 168\r\n0040AFCB jz short private_ip\r\n0040AFCD\r\n0040AFCD loc_40AFCD:\r\n0040AFCD cmp eax, 172\r\n0040AFD2 jnz short loc_40AFDE\r\n0040AFD4 cmp ecx, 16 ; ecx second tuple of IP\r\n0040AFD7 jl short loc_40AFEB\r\n0040AFD9 cmp ecx, 31\r\n0040AFDC jle short private_ip\r\n...\r\nAll IPs from the following list are treated specially (I do not know why 66.116.125.150 and 72.51.27.51 get special treatment, maybe those were sinkholes in the past).\r\nrange | comment\r\n127.x.x.x | reserved range\r\n192.168.x.x | reserved range\r\n172.16.0.0 - 172.31.255.255 | reserved range\r\n0.x.x.x | includes failed queries\r\n1.1.1.1, 2.2.2.2, … , 255.255.255.255 | unlikely answers? Sandbox detection?\r\n66.116.125.150 | IP in US\r\n72.51.27.51 | IP in Canada\r\nIf the IP matches one of the subnets above, the counter grows to the next multiple of two, i.e., even counters are increased by two, and odd counters are increased by one.\r\nSince inside the DGA routine odd counters are rounded down to the same number as their previous (even) counters, every domain that returned an IP that was not in a “blacklisted” range will be checked twice. I, for one, don’t think that’s a flaw of the DGA, but a — overly complicated — way to recheck domains.\r\nAlgorithm and Samples\r\nPython Implementations\r\nVersion 1\r\nThe following Python code generates 1000 domains for a provided seed (either a or b). 
The code alternately generates domains for the cases where the hardcoded IP callback failed and succeeded.\r\nfrom ctypes import c_int\r\nimport argparse\r\n\r\n\r\ndef rand(r):\r\n    # one LCG step with the common rand() parameters, wrapped to a signed 32-bit value\r\n    t = c_int(1103515245 * r + 12435).value\r\n    return t\r\n\r\n\r\ndef crop(r):\r\n    # keep the 15 bits above the lowest byte (r/256 mod 32768)\r\n    return (r // 256) % 32768\r\n\r\n\r\ndef dga(index, seed_set, temp_file=True):\r\n    # per-sample constants: 'ex' is c_s (callback succeeded), 'nex' is c_f (callback failed)\r\n    seeds = {'a': {'ex': -0x0FCFBF88, 'nex': 0x8924541},\r\n             'b': {'ex': -0x1FCFBF87, 'nex': 0x7924542}}\r\n    tlds = [\"dyndns.org\", \"yi.org\", \"dynserv.com\", \"mooo.com\"]\r\n    domain_nr = int(index/2) + 1000015\r\n    # seed the PRNG; the cubic product wraps at 32 bits before the division by 9\r\n    if temp_file:\r\n        x = int(c_int(domain_nr*(domain_nr + 7)*(domain_nr+12)).value / 9.0)\r\n        y = domain_nr*(domain_nr+1)\r\n        r = c_int(x + y + seeds[seed_set]['ex']).value\r\n    else:\r\n        x = int(c_int((domain_nr + 2)*(domain_nr + 7)*domain_nr).value / 9.0)\r\n        y = (domain_nr*3 + 1)*domain_nr\r\n        r = c_int(x + y + seeds[seed_set]['nex']).value\r\n    # three random values set the length of the random part (6 to 11)\r\n    rands = 3*[0]\r\n    for i in range(3):\r\n        r = rand(r)\r\n        rands[i] = crop(r)\r\n    domain_length = (rands[0]*rands[1] - rands[2]) % 6 + 6\r\n    # one random value per character, a-z\r\n    domain = \"\"\r\n    for i in range(domain_length):\r\n        r = rand(r)\r\n        ch = crop(r) % 26 + ord('a')\r\n        domain += chr(ch)\r\n    # the base domain is picked round-robin from the DDNS list\r\n    domain += \".\" + tlds[domain_nr % 4]\r\n    return domain\r\n\r\n\r\ndef get_domains(nr, seed_set):\r\n    # for every even counter value, emit the failed-callback and the successful-callback domain\r\n    domains = []\r\n    for i in range(nr):\r\n        for temp_file in range(2):\r\n            domains.append(dga(i*2, seed_set, temp_file))\r\n    return domains\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    parser = argparse.ArgumentParser()\r\n    parser.add_argument('-s', '--seed', choices=['a', 'b'], default='a')\r\n    args = parser.parse_args()\r\n    for domain in get_domains(1000, args.seed):\r\n        print(domain)\r\nFor example:\r\n$ python dga_v1.py -s b\r\nhmhxnupkc.mooo.com\r\nquowesuqbbb.mooo.com\r\nrffcteo.dyndns.org\r\nadrcgmzrm.dyndns.org\r\nbdubefoeug.yi.org\r\nbpdyttrlp.yi.org\r\nhovdworcxd.dynserv.com\r\ndljemwae.dynserv.com\r\nnlnylxvrbel.mooo.com\r\ndcdkfq.mooo.com\r\ngyuzohut.dyndns.org\r\nlfiavsbyntu.dyndns.org\r\nwaxmtzkqblh.yi.org\r\nzvfctvkdng.yi.org\r\nhshfmrobfjr.dynserv.com\r\nuaqjtycx.dynserv.com\r\nprifhjstv.mooo.com\r\ncsukibyyt.mooo.com\r\nghcxncadnj.dyndns.org\r\niskqszufrft.dyndns.org\r\nThese are also the domains from The Malware Analyst’s Cookbook.\r\nVersion 2\r\nThe second DGA also takes the current date and top level set\r\nimport time\r\nimport argparse\r\nfrom datetime import datetime\r\n\r\n\r\ndef rand(r):\r\n    # one LCG step, kept as an unsigned 32-bit value\r\n    t = (1103515245 * r + 12435) \u0026 0xFFFFFFFF\r\n    return t\r\n\r\n\r\ndef crop(r):\r\n    # keep the 15 bits above the lowest byte (r/256 mod 32768)\r\n    return (r // 256) % 32768\r\n\r\n\r\ndef dga(index, date, seed_set, temp_file=True, tld_set_nr=1):\r\n    # set 1 are the regular TLDs, set 2 the DDNS providers of the transitional samples\r\n    tld_sets = {1: [\"com\", \"net\", \"tv\", \"cc\"],\r\n                2: [\"dyndns.org\", \"yi.org\", \"dynserv.com\", \"mooo.com\"]}\r\n    # per-sample constants: 'ex' is c_s (callback succeeded), 'nex' is c_f (callback failed)\r\n    seeds = {'a': {'ex': 24938314, 'nex': 24938315},\r\n             'b': {'ex': 1600000, 'nex': 1600001}}\r\n    tlds = tld_sets[tld_set_nr]\r\n    domain_nr = int(index/2)\r\n    # seeding: r = 3d + c_s or 3d + c_f\r\n    if temp_file:\r\n        r = 3*domain_nr + seeds[seed_set]['ex']\r\n    else:\r\n        r = 3*domain_nr + seeds[seed_set]['nex']\r\n    # time-dependent part: one more discard per week since 1207000000, skipped for every ninth domain\r\n    discards = (int(time.mktime(date.timetuple())) - 1207000000) // 604800 + 2\r\n    if domain_nr % 9 \u003c 8:\r\n        if domain_nr % 9 \u003e= 6:\r\n            discards -= 1\r\n        for _ in range(discards):\r\n            r = crop(rand(r))\r\n    # three random values set the length of the random part (7 to 12)\r\n    rands = 3*[0]\r\n    for i in range(3):\r\n        r = rand(r)\r\n        rands[i] = crop(r)\r\n    domain_length = (rands[0]*rands[1] + rands[2]) % 6 + 7\r\n    # one random value per character, a-z\r\n    domain = \"\"\r\n    for i in range(domain_length):\r\n        r = rand(r)\r\n        ch = crop(r) % 26 + ord('a')\r\n        domain += chr(ch)\r\n    # the base domain is picked round-robin from the chosen set\r\n    domain += \".\" + tlds[domain_nr % 4]\r\n    return domain\r\n\r\n\r\ndef get_domains(nr, date, seed, tld_set):\r\n    # for every even counter value, emit the failed-callback and the successful-callback domain\r\n    domains = []\r\n    for i in range(nr):\r\n        for temp_file in range(2):\r\n            domains.append(dga(i*2, date, seed, temp_file, tld_set))\r\n    return domains\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    parser = argparse.ArgumentParser()\r\n    parser.add_argument(\"-d\", \"--date\",\r\n                        help=\"date for which to generate domains\")\r\n    parser.add_argument(\"-t\", \"--tld\", choices=[1, 2], type=int,\r\n                        help=\"tld set\", default=1)\r\n    parser.add_argument('-s', '--seed', choices=['a', 'b'], default='a')\r\n    args = parser.parse_args()\r\n    if args.date:\r\n        d = datetime.strptime(args.date, \"%Y-%m-%d\")\r\n    else:\r\n        d = datetime.now()\r\n    for domain in get_domains(1000, d, args.seed, args.tld):\r\n        print(domain)\r\nFor example:\r\n$ python dga_v2.py -d 2013-12-12 -t 1 -s a\r\ngwbgmsmhgsp.com\r\nbizyssylscs.com\r\negbmbdey.net\r\nogoqxbevdeqm.net\r\niuhqhbmq.tv\r\niuhqhbmq.tv\r\nwedlgyvplmt.cc\r\nzoipmnwr.cc\r\ngktdtghza.com\r\ntoogdpdiekwh.com\r\niuhqhbmq.net\r\noxfjukumll.net\r\nvwmlcid.tv\r\nglmvhcm.tv\r\npgmryukdb.cc\r\negbmbdey.cc\r\nvsdvzwt.com\r\nwixcaiktigew.com\r\nxewokii.net\r\nlvctmusxcyz.net\r\nYou also find the code on my GitHub page.\r\nProperties of the DGA\r\nThe properties of the two DGAs are:\r\nproperty | version 1 | version 2\r\ntime dependent | no | yes\r\ngranularity | - | 1 week\r\ndomains per seed and day | variable, as many as can be generated in 30 minutes | see version 1\r\nsequence | sequential | see version 1\r\nwait time between domains | unknown | see version 1\r\ntop level domains | .dyndns.org, .yi.org, .dynserv.com, .mooo.com | some as version 1, but mostly .com, .net, .tv, .cc\r\nsecond level characters | lower case a-z | see version 1\r\nsecond level domain length | 6 to 11 | 7 to 12\r\nSamples\r\nThe following table shows reports on malwr.com that contact at least one domain generated by the second version of Kraken’s DGA. 
Many samples seem to be downloaders, e.g., Vobfus, and the domains are actually generated by the Kraken payload.\r\nFootnote markers that were superscripts in the original table are written here as ^n; their meaning is listed below the table.\r\nmd5 | analysis date | tlds | Microsoft | Kaspersky | Sophos\r\n04966960f3f5ed32ae479079a1bcf6e9 | 16 Jul. 2013 | 1^A | ^1Oderoor.gen!C | Email-Worm.Win32.Agent.fe | ^2EncPk-DJ\r\nf2ae73d866bb4edd14ee96cf74fbb423 | 05 Aug. 2013 | 1^A | Clean | ^3Generic | ^1Generic-S\r\nc13abb6be8a1c7fc9b18c8fd0a9488b7 | 09 Oct. 2013 | 1^A | ^4Rimecud.A | ^2Generic | ^5Rimecud-DD\r\nc13abb6be8a1c7fc9b18c8fd0a9488b7 | 10 Oct. 2013R | 1^A | ^3Rimecud.A | ^2Generic | ^4Rimecud-DD\r\n1ec55311a564f8272d62ccb621a8b513 | 22 Oct. 2013 | 1^A | ^3Sisron | ^6Agent.hdqc | ^1EncPk-CK\r\n1ec55311a564f8272d62ccb621a8b513 | 28 Nov. 2013R | 1^A | ^3Sisron | ^5Agent.hdqc | ^1EncPk-CK\r\n1ec55311a564f8272d62ccb621a8b513 | 18 Dec. 2013R | 1^A | ^3Sisron | ^5Agent.hdqc | ^1EncPk-CK\r\n04966960f3f5ed32ae479079a1bcf6e9 | 24 Jan. 2014R | 2^B | ^0Oderoor.gen!C | ^2Generic | ^1EncPk-DJ\r\n1ec55311a564f8272d62ccb621a8b513 | 24 Jan. 2014R | 1^A | ^3Sisron | ^5Agent.hdqc | ^1EncPk-CK\r\n1ec55311a564f8272d62ccb621a8b513 | 25 Jan. 2014R | 1^A | ^3Sisron | ^5Agent.hdqc | ^1EncPk-CK\r\n04966960f3f5ed32ae479079a1bcf6e9 | 27 Jan. 2014R | 2^B | ^0Oderoor.gen!C | ^2Generic | ^1EncPk-DJ\r\n1ec55311a564f8272d62ccb621a8b513 | 05 Feb. 2014R | 1^A | ^3Sisron | ^5Agent.hdqc | ^1EncPk-CK\r\n1ec55311a564f8272d62ccb621a8b513 | 13 Feb. 2014R | 1^A | ^3Sisron | ^5Agent.hdqc | ^1EncPk-CK\r\n1ec55311a564f8272d62ccb621a8b513 | 21 Feb. 2014R | 1^A | ^3Sisron | ^5Agent.hdqc | ^1EncPk-CK\r\nc7ec51ac3b9d91a483f1860c3d965f16 | 03 Mar. 2014 | 1^A | Clean | ^2Generic | ^1Generic-S\r\nc7ec51ac3b9d91a483f1860c3d965f16 | 17 Mar. 2014R | 1^A | ^0Oderoor.M | ^2Generic | ^1Generic-S\r\nc7ec51ac3b9d91a483f1860c3d965f16 | 19 Mar. 2014R | 1^A | ^0Oderoor.M | ^2Generic | ^1Generic-S\r\nc7ec51ac3b9d91a483f1860c3d965f16 | 25 Mar. 2014R | 1^A | ^0Oderoor.M | ^2Generic | ^1Generic-S\r\nc7ec51ac3b9d91a483f1860c3d965f16 | 01 Apr. 2014R | 1^A | ^0Oderoor.M | ^2Generic | ^4Agent-AGLO\r\nc7ec51ac3b9d91a483f1860c3d965f16 | 22 Apr. 2014R | 1^A | Clean | ^5Agent.hegf | ^4Agent-AGLO\r\nc413f1a0738a3b475db2ed44aecbf3ba | 16 Jun. 2014 | 1^A | ^0Oderoor.M | ^2Generic | ^1EncPk-CK\r\n0bfd909d651a11e3d3cdf5b091ee12a1 | 28 Jun. 2014 | 1^A | ^7Vobfus | ^8Win32.Agent.agdmx | ^1SillyFDC-S\r\n15993254499407fd7cbe701be11106f1 | 01 Jul. 2014 | 1^A | ^6Vobfus.ZV | ^7Win32.Agent.ageop | ^1SillyFDC-S\r\n1598723f88c6432e8ceee68336a08b01 | 01 Jul. 2014 | 1^A | ^6Vobfus | ^7Win32.Agent.agcvt | ^1VB-ALW\r\n17d4b6b618f7576023dd3b983416a180 | 01 Jul. 2014 | 1^A | ^6Vobfus | Worm.Win32.Vobfus.escx | ^1VB-ALW\r\n1bfac857a733ec498fc1efc0ebb6a236 | 02 Jul. 2014 | 1^A | ^6Vobfus.ZO | ^7Win32.Agent.agcnq | ^1VB-ALW\r\n1cfb3882d79b42f2f881ea20cca0f780 | 02 Jul. 2014 | 1^A | ^6Vobfus | Worm.Win32.Vobfus.esdv | ^1VB-ALW\r\n1e291e57c007acd5aecbcddd156c46e6 | 02 Jul. 2014 | 1^A | ^6Vobfus | Worm.Win32.Vobfus.escj | ^1SillyFDC-S\r\n1fafa36c436af003b28fd9d7befddf01 | 02 Jul. 2014 | 1^A | ^6Vobfus | ^7Win32.Agent.agerc | ^1SillyFDC-S\r\n20ff4c7b6265bc2b7e9b66bbfe4c8ee6 | 02 Jul. 2014 | 1^A | ^6Vobfus.ZZ | Worm.Win32.Vobfus.esdw | ^1VB-ALW\r\n22a5ce2602e8a0f76e4ab1db713098c6 | 03 Jul. 2014 | 1^A | ^6Vobfus | Worm.Win32.Vobfus.esaj | ^1VB-ALW\r\n26e7996626da3fbf66b78c0b5969efc1 | 03 Jul. 2014 | 1^A | ^6Vobfus.ZM | ^7Win32.VBKrypt.urjq | ^1VB-ALW\r\n272577cdcd11389a4b95d5eae8f3c5b1 | 04 Jul. 2014 | 1^A | ^6Vobfus.ZW | ^7Win32.Agent.agexl | ^1SillyFDC-S\r\n27549feb774b058fde65bc3936a0bf36 | 04 Jul. 2014 | 1^A | ^6Vobfus | ^7Win32.Agent.agcvt | ^1VB-ALW\r\n2807aafab5a799ff261b3f614aecbf91 | 04 Jul. 2014 | 1^A | ^6Vobfus.ZC | Worm.Win32.Vobfus.erwz | ^1SillyFDC-AH\r\n2812ce13236087c1a5b30f63ae33c7a0 | 04 Jul. 2014 | 1^A | ^6Vobfus.ZW | ^7Win32.Agent.agexl | ^1SillyFDC-S\r\n2825b9e636ad7a9304ea97981b68bf20 | 04 Jul. 2014 | 1^A | ^6Vobfus.YS | ^7Win32.VBKrypt.uqif | ^1SillyFDC-AH\r\n292028779b7c4c2e525ccbad0e0f5161 | 04 Jul. 2014 | 1^A | ^6Vobfus | ^7Win32.Agent.agere | ^1SillyFDC-S\r\n2bc4df2819c8983b1511814809c2c641 | 04 Jul. 2014 | 1^A | ^6Vobfus | Worm.Win32.Vobfus.esdv | ^1VB-ALW\r\n28d89ceb348459fd7d1468e130b1a706 | 04 Jul. 2014 | 1^A | ^6Vobfus.ZD | Worm.Win32.Vobfus.erxc | ^1SillyFDC-AH\r\n2c3b96ca3a18140dfcd42434f3e03020 | 04 Jul. 2014 | 1^A | ^6Vobfus.ZQ | Worm.Win32.Vobfus.erzx | ^1VB-ALW\r\n2c931871fef3b50c0bd2b4961419a311 | 04 Jul. 2014 | 1^A | ^6Vobfus | Worm.Win32.Vobfus.esat | ^1VB-ALW\r\n2cae6bd4e939b318726eebb347db0a26 | 04 Jul. 2014 | 1^A | ^6Vobfus.ZW | ^7Win32.Agent.agexl | ^1SillyFDC-S\r\n2cc5ad6770250338bd5844904fb18181 | 04 Jul. 2014 | 1^A | ^6Vobfus | ^7Win32.Agent.agcsv | ^1VB-ALW\r\n2d07ba427df9cd2c4af815015a484391 | 04 Jul. 2014 | 1^A | ^6Vobfus.YY | Worm.Win32.Vobfus.ervr | ^1SillyFDC-S\r\n2d321324e9a28c834a750860122233c6 | 04 Jul. 2014 | 1^A | ^6Vobfus | ^7Win32.Agent.agcvt | ^1VB-ALW\r\n2db1a991aea1664e3dcbc5e75e108131 | 04 Jul. 2014 | 1^A | ^6Vobfus | Worm.Win32.Vobfus.erwv | ^1Generic-S\r\n2f2a752f96ecb251efdc275f0ec8ea80 | 04 Jul. 2014 | 1^A | ^6Vobfus.ZV | ? | ^1SillyFDC-S\r\n2fab042f7b482e8aa2c5ecd413f2eff1 | 05 Jul. 2014 | 1^A | ^6Vobfus | ^7Win32.Agent.agcvt | ^1VB-ALW\r\n2fcae2e2a9ed2f36bd399c77da2470c6 | 05 Jul. 2014 | 1^A | ^6Vobfus.ZW | ^7Win32.Agent.agexl | ^1SillyFDC-S\r\n30cc569d95b4401aa0681b8e01299981 | 05 Jul. 2014 | 1^A | ^6Vobfus.YU | ? | ?\r\n30cf2bf448db73c75e153216d4cd4fc0 | 05 Jul. 2014 | 1^A | ^6Vobfus | ^7Win32.VBKrypt.uron | ^1SillyFDC-S\r\n302471280652d2d1817757ef0f8ad656 | 05 Jul. 2014 | 1^A | ^6Vobfus | Worm.Win32.Vobfus.esdv | ^1VB-ALW\r\n3127e3127a2a206a8dc6bc21f4693386 | 05 Jul. 2014 | 1^A | ^6Vobfus.ZW | ^7Win32.Agent.agexl | ^1SillyFDC-S\r\n33bf61ebeb41d157b45d3180d1f71b76 | 05 Jul. 2014 | 1^A | ^6Vobfus.ZN | ^7Win32.VBKrypt.urkc | ^1VB-ALW\r\n33c739e7d6aa599c05ff9f94a5768921 | 05 Jul. 2014 | 1^A | ^6Vobfus.ZR | ^7Win32.Agent.agcpv | ^1VB-ALW\r\n32d5e945a82fb6fb511e7bdd32cf8c21 | 05 Jul. 2014 | 1^A | ^6Vobfus | Worm.Win32.Vobfus.eseu | ^1Generic-S\r\n34defe58f6d305960fff8c295bd9b851 | 05 Jul. 2014 | 1^A | ^6Vobfus.ZW | ? | ^1SillyFDC-S\r\n383977446a2a42bd1427703974265606 | 06 Jul. 2014 | 1^A | ^6Vobfus.ZW | ^7Win32.Agent.agexl | ^1SillyFDC-S\r\n39408e199dd996cbe915c5c32261c490 | 06 Jul. 2014 | 1^A | ^6Vobfus.ZN | ^7Win32.VBKrypt.urkc | ^1VB-ALW\r\n395df008604e98e228ed41ce67f213b1 | 06 Jul. 2014 | 1^A | ^6Vobfus.ZV | ^7Win32.Agent.ageop | ^1SillyFDC-S\r\n3d6d6bbe37b37be79c43dc6a7b052a46 | 06 Jul. 2014 | 1^A | ^6Vobfus | ^7Win32.Agent.agere | ^1SillyFDC-S\r\n38ab4d2cda29c4ba1346da4b85c81800 | 06 Jul. 2014 | 1^A | ^6Vobfus.ZW | ^7Win32.Agent.agexl | ^1SillyFDC-S\r\n3ca13a5648d4f2573f28b37638333701 | 06 Jul. 2014 | 1^A | ^6Vobfus.YF | ^7Win32.VBKrypt.uprs | ^1SillyFDC-AH\r\n3bc39b3af9f13317744fd0548503baa6 | 07 Jul. 2014 | 1^A | ^6Vobfus.YU | Worm.Win32.Vobfus.erwm | ^1VB-ALR\r\nc413f1a0738a3b475db2ed44aecbf3ba | 30 Sep. 2014R | 1^A | ^0Oderoor.M | Clean | ^1EncPk-CK\r\n675d97e5cdd3b7e07c7945fa5398e599 | 21 May. 2015 | 1^A | ? | ? | ?\r\nPrefixes: ^0 Backdoor:Win32/, ^1 Mal/, ^2 HEUR:Trojan.Win32., ^3 Trojan:Win32/, ^4 Troj/, ^5 Trojan-Downloader.Win32., ^6 Worm:Win32/, ^7 Trojan.\r\nTLDs: ^A com, net, tv, cc. ^B dyndns.org, yi.org, dynserv.com, mooo.com\r\nSource: https://bin.re/blog/krakens-two-domain-generation-algorithms/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://bin.re/blog/krakens-two-domain-generation-algorithms/"
	],
	"report_names": [
		"krakens-two-domain-generation-algorithms"
	],
	"threat_actors": [],
	"ts_created_at": 1775434768,
	"ts_updated_at": 1775791259,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e614ba803069125717948902e4068a9b5843016b.pdf",
		"text": "https://archive.orkl.eu/e614ba803069125717948902e4068a9b5843016b.txt",
		"img": "https://archive.orkl.eu/e614ba803069125717948902e4068a9b5843016b.jpg"
	}
}