
Joe Security's Blog

Finding a DGA in less than one Minute

Published on: 19.11.2014

Recently, we stumbled upon a malware sample (MD5: 177b75910ae8c0091bafef4950c0b224) that obviously employs a domain generation algorithm (DGA). We analyzed the sample with Joe Sandbox 10.5 which will be released soon.

As the signature overview highlights, Joe Sandbox has detected that the malware generates random DNS queries:

Massive injections and system behavior have been detected as well:

Also the network behavior is quite extensive:

One of the cool new features of Joe Sandbox 10 is a context based search integrated into the behavior analysis reports. With it you can search any data Joe Sandbox has captured:

In order to find the DGA, search for the term "DNSQuery":

It seems explorer.exe is doing some DNS queries. Clicking on the search hits lets one navigate easily to the corresponding data:

As the excerpt shows, DnsQuery_A has been called 244 times, which matches the extensive network behavior. By clicking on the source address one can jump to the function from which this DnsQuery API has been called:
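The same signal Joe Sandbox raises here, one process issuing a large number of DNS queries for random-looking names, can be reproduced as a small triage heuristic over an API-call log. The following is an added example written for this post, not code from Joe Security or from the sample's analysis report: it assumes a constructed one-line-per-call layout of the form `<process> <api> <domain>` (not Joe Sandbox's real report format), groups DnsQuery_* calls by process, scores each queried second-level label by Shannon entropy and vowel ratio, and flags a process when most of its queries look generated. Thresholds are illustrative and would need tuning against real traffic.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample log in an assumed "<process> <api> <domain>" layout
# (not Joe Sandbox's report format). Eight names are random-looking, one is benign.
SAMPLE_LOG = """\
explorer.exe DnsQuery_A qwpzkvlxmtr.com
explorer.exe DnsQuery_A hgbzqxwlpnt.net
explorer.exe DnsQuery_A vkqjzpwxmtl.com
explorer.exe DnsQuery_A bzxqwpklvjt.org
explorer.exe DnsQuery_A xtqvkpzwlmr.com
explorer.exe DnsQuery_A kpwzxqvtlnm.net
explorer.exe DnsQuery_A zqxvlwpktmr.com
explorer.exe DnsQuery_A mtlqwzxpvkn.org
svchost.exe DnsQuery_A update.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(DnsQuery_\w+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for a string of one repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(domain):
    """Return the label left of the TLD, e.g. 'example' for 'update.example.com'."""
    parts = domain.strip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(domain, entropy_threshold=3.0, vowel_ratio_threshold=0.2):
    """Heuristic: long label, high character entropy, very few vowels."""
    label = second_level_label(domain)
    if len(label) < 8:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return (shannon_entropy(label) >= entropy_threshold
            and vowels / len(label) < vowel_ratio_threshold)


def parse_dns_calls(log_text):
    """Group queried domains by calling process for every DnsQuery_* line."""
    by_process = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proc, _api, domain = m.groups()
            by_process[proc].append(domain)
    return by_process


def find_dga_candidates(log_text, min_calls=5, min_fraction=0.8):
    """Return {process: (total_calls, generated_looking_calls)} for likely-DGA processes."""
    flagged = {}
    for proc, domains in parse_dns_calls(log_text).items():
        generated = sum(looks_generated(d) for d in domains)
        if len(domains) >= min_calls and generated / len(domains) >= min_fraction:
            flagged[proc] = (len(domains), generated)
    return flagged


if __name__ == "__main__":
    for proc, (total, gen) in find_dga_candidates(SAMPLE_LOG).items():
        print(f"{proc}: {total} DNS queries, {gen} look generated -> possible DGA")
```

On the constructed sample only explorer.exe is flagged; the single, dictionary-like query from svchost.exe falls below both the call-count and label-length floors. In a real report the per-process count (244 DnsQuery_A calls above) is the strongest single indicator, and the entropy score mainly helps separate a DGA from a busy but legitimate updater.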

The instructions before the DnsQuery API call show that the domain name is generated by the function 12AE200. With the help of the IDA Bridge plugin, one can easily load memory dumps extracted by Joe Sandbox:

And pull in dynamic behavior data:

Full Analysis Report available at (use Firefox to open it):