
I'm looking at a DGA called Locky, written in Python. This is some part of it.

    # Helpers with the semantics of IDA's __ROR4__/__ROL4__ macros (32-bit rotates),
    # added so the fragment runs on its own. In the script these lines sit inside a
    # larger function; modConst1..3, seed, pos and SystemTime come from elsewhere (not shown).
    def uint32(x):
        return x & 0xFFFFFFFF
    def __ROR4__(x, n):
        x = uint32(x)
        return uint32((x >> n) | (x << (32 - n)))
    def __ROL4__(x, n):
        x = uint32(x)
        return uint32((x << n) | (x >> (32 - n)))

    def date_modifier(SystemTime, seed, pos, modConst1, modConst2, modConst3):
        # Shift the dates
        modYear = uint32(__ROR4__(modConst1 * (SystemTime.wYear + 0x1BF5), 7))
        modYear = uint32(__ROR4__(modConst1 * (modYear + seed + modConst2), 7))
        modDay = uint32(__ROR4__(modConst1 * (modYear + (SystemTime.wDay >> 1) + modConst2), 7))
        modMonth = uint32(__ROR4__(modConst1 * (modDay + SystemTime.wMonth + modConst3), 7))

        # Shift the seed
        seed = uint32(__ROL4__(seed, 17))

        # Finalize Modifier
        modBase = uint32(__ROL4__(pos & 7, 21))

        modFinal = uint32(__ROR4__(modConst1 * (modMonth + modBase + seed + modConst2), 7))
        modFinal = uint32(modFinal + modConst2)
        return modFinal

I understand the different actions, but I'm a little confused as to why they do what they do. Is it to make the whole thing as random as possible, or is there some specific thought behind each bit shift, multiplication, etc.? You can find the whole thing here: https://github.com/sourcekris/pyLockyDGA

Emre

1 Answer


All these tactics are being used to make reverse engineering harder and also to make the domains more "unpredictable".

Different malware families employ different such techniques. This GitHub repo will help you understand the DGAs used by some of the most popular malware: https://github.com/baderj/domain_generation_algorithms

Prateek Paranjpe
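An added example to make the answer's point concrete. This is not code from the question, from pyLockyDGA or from the answer: it is a mixer with the same multiply-then-rotate shape as the quoted fragment, with made-up constants (MOD_CONST1..3), a made-up seed and a small SystemTime stand-in, so the exact values it produces mean nothing. What it shows is why such a construction is used. Each round multiplies by an odd 32-bit constant (a bijection on 32-bit values, so no input difference is ever lost) and then rotates, so a one-step change in any input spreads across roughly half the output bits, which is what makes the domains look "unpredictable" even though nothing here is secret. Because every operation is deterministic, the same date and seed always give the same modifier, which is exactly what lets a defender who has extracted the constants reproduce the day's domains. Two details visible in the fragment itself are also exercised: `wDay >> 1` means the modifier only changes every second day, and `pos & 7` means that, in this part of the code alone, the domain index contributes just its low three bits (whatever the rest of the script does with pos is not shown on this page).

```python
# Added example, not from the question or pyLockyDGA: a multiply-then-rotate
# mixer with the same shape as the quoted fragment. All constants, the seed and
# the dates are made up for the demonstration and are NOT Locky's real values.
import random
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


def uint32(x):
    return x & MASK32


def ror4(x, n):
    """32-bit rotate right, the semantics of IDA's __ROR4__ macro."""
    x = uint32(x)
    return uint32((x >> n) | (x << (32 - n)))


def rol4(x, n):
    """32-bit rotate left, the semantics of IDA's __ROL4__ macro."""
    x = uint32(x)
    return uint32((x << n) | (x >> (32 - n)))


@dataclass
class SystemTime:
    """Stand-in for the Win32 SYSTEMTIME fields the fragment reads."""
    wYear: int
    wMonth: int
    wDay: int


# Hypothetical odd 32-bit constants. Odd, so that multiplication is a
# bijection on 32-bit values and an input difference can never be cancelled.
MOD_CONST1 = 0x9E3779B1
MOD_CONST2 = 0x7F4A7C15
MOD_CONST3 = 0x27D4EB2F


def mix(acc, value):
    """One round: the odd multiplier pushes low-bit differences upward,
    the rotate by 7 brings high bits back down for the next round."""
    return ror4(MOD_CONST1 * (acc + value), 7)


def date_modifier(st, seed, pos):
    """Same sequence of operations as the fragment: fold year, half-day,
    month, the rotated seed and the low 3 bits of pos into one 32-bit word."""
    acc = mix(0, st.wYear + 0x1BF5)
    acc = mix(acc, seed + MOD_CONST2)
    acc = mix(acc, (st.wDay >> 1) + MOD_CONST2)  # day resolution is 2 days
    acc = mix(acc, st.wMonth + MOD_CONST3)
    seed = rol4(seed, 17)        # fixed rotation: invertible, only relocates bits
    base = rol4(pos & 7, 21)     # only pos bits 0..2 reach the modifier
    acc = mix(acc, base + seed + MOD_CONST2)
    return uint32(acc + MOD_CONST2)


def day_modifiers(st, seed, count):
    """Modifiers a defender would precompute for indices 0..count-1 on one day."""
    return [date_modifier(st, seed, pos) for pos in range(count)]


def hamming32(a, b):
    return bin((a ^ b) & MASK32).count("1")


def mean_avalanche(samples=400, rng_seed=1):
    """Average number of output bits that flip when wDay advances by 2 (the
    smallest day change the fragment can see), over random dates and seeds."""
    rng = random.Random(rng_seed)
    total = 0
    for _ in range(samples):
        st = SystemTime(rng.randint(2016, 2020), rng.randint(1, 12), rng.randint(1, 29))
        later = SystemTime(st.wYear, st.wMonth, st.wDay + 2)
        seed, pos = rng.getrandbits(32), rng.randint(0, 7)
        total += hamming32(date_modifier(st, seed, pos), date_modifier(later, seed, pos))
    return total / samples


if __name__ == "__main__":
    st = SystemTime(2016, 3, 2)
    print([hex(m) for m in day_modifiers(st, 0x1234ABCD, 8)])
    print("days 2 and 3 share a modifier:",
          date_modifier(st, 0x1234ABCD, 0) == date_modifier(SystemTime(2016, 3, 3), 0x1234ABCD, 0))
    print("mean bits flipped by a 2-day step:", mean_avalanche())
```

Running it prints eight distinct modifiers for one day (indices 8 to 15 would repeat them, because of `pos & 7`), confirms that day 2 and day 3 give the same modifier while day 3 and day 4 differ, and reports a mean of roughly 16 flipped bits for a single day step. The rotations and multiplications are there for diffusion and to make the decompiled arithmetic tedious to follow, not for secrecy: once the constants are read out of the binary, the whole routine is reproducible, which is how the domain lists in repositories like the one linked above are generated.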