Sharing the Simda Pseudo DGA

Microsoft reported the takedown of Simda yesterday. According to that report, Simda communicates with "up to six hard-coded IPs" and has a DGA, which it uses both to set the Host field in the HTTP header and as a seed for encryption.

This is the algorithm as reversed from the sample with MD5 892A0A4DC4C3EEA90BECE60C142AEAF1 (the extracted, unpacked Simda executable; contact us to receive the sample):

#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h>      /* __rdtsc() on MSVC */
#else
#include <x86intrin.h>   /* __rdtsc() on GCC/Clang, x86 only */
#endif

typedef uint32_t DWORD;

void Simda_GenerateRandomString(unsigned MinLength, char * Domain, unsigned MaxLength, DWORD Random1)
{
    /* The seed passed in by the caller is discarded: the sample re-seeds the
       generator from the CPU time-stamp counter, so every call yields a
       different string. */
    uint64_t randvalue = __rdtsc();
    Random1 = (DWORD)randvalue;

    /* Length lies in [MinLength, MaxLength - 1], i.e. 15..19 for the caller below */
    unsigned DomainLength = MinLength + Random1 % (MaxLength - MinLength);

    for (unsigned n = 0; n < DomainLength; n++)
    {
        if ( Random1 & 1 )
            Domain[n] = Random1 % 0xA + 48;   /* odd state: a digit ('0' == 48) */
        else
            /* even state: a letter; bit 1 picks the base, 'A' (0x41) or 'a' (0x61) */
            Domain[n] = Random1 % 0x1A + (16 * (Random1 & 2) | 0x41);

        /* 32-bit rotate-left by one; the masks keep the value in DWORD range */
        Random1 = ((Random1 << 1) & 0xFFFFFFFF) + ((Random1 >> (32 - 1)) & 0xFFFFFFFF);
    }

    Domain[DomainLength] = 0;
}

void Simda_GenerateDomains(void)
{
    for (unsigned n = 0; n < 1000; n++)
    {
        char Domain[100] = "report.";

        /* 15..19 random characters after "report."; the seed n is ignored (see above) */
        Simda_GenerateRandomString(15, Domain + 7, 20, n);

        strcat(Domain, ".com");

        // lowercase it
        for (unsigned i = 0; Domain[i]; i++)
            Domain[i] = (char)tolower((unsigned char)Domain[i]);

        printf("%s\n", Domain);
    }
}

int main(void)
{
    Simda_GenerateDomains();
    return 0;
}

The output is a list of domains of the form report.<15 to 19 characters from [0-9a-z]>.com. Because the generator is re-seeded from the CPU time-stamp counter on every call, the names depend on the moment of generation rather than on a date or a fixed seed and cannot be precomputed the way a conventional DGA's can, which is why we call it a pseudo DGA. A sample run:

report.31u9m179ce7931sk3y.com
report.17q3w793g7iqgmy3.com
report.w9u1m931c9sk7y31o.com
report.k5y5c5555gmy5c5.com
report.79w1u93179ei7q3w7.com
report.55g55aaaaaaa5ku.com
report.17i31qgmy7cei7q3.com
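The following Python is an added example, not code from the Simda sample or from the listing above. It ports the reversed generator with one deliberate change, assumed rather than taken from the sample: the RDTSC read is replaced by an explicit seed argument, so the output is reproducible and the rotate/character logic can be tested. It also adds a structural matcher for hostnames of the shape the generator produces, for scanning passive DNS or proxy logs. The seeds and the log excerpt at the bottom are constructed for the example; the two report.* names in the excerpt are taken from the sample output above.

```python
import re

MASK32 = 0xFFFFFFFF


def rotl32(state: int) -> int:
    """32-bit rotate-left by one: the state update in the reversed code."""
    return ((state << 1) & MASK32) | (state >> 31)


def simda_random_string(seed: int, min_length: int = 15, max_length: int = 20) -> str:
    """Port of Simda_GenerateRandomString with the initial state supplied as an
    explicit seed. Assumption: replacing the RDTSC read with the seed argument is
    the only change, so the length and character logic match the reversed code."""
    state = seed & MASK32
    # Length lies in [min_length, max_length - 1], i.e. 15..19 with the defaults.
    length = min_length + state % (max_length - min_length)
    chars = []
    for _ in range(length):
        if state & 1:
            # odd state: a decimal digit
            chars.append(chr(ord("0") + state % 10))
        else:
            # even state: a letter; bit 1 selects the base 'A' (0x41) or 'a' (0x61)
            base = 0x41 | (16 * (state & 2))
            chars.append(chr(base + state % 26))
        state = rotl32(state)
    return "".join(chars)


def simda_domain(seed: int) -> str:
    """Full hostname as Simda_GenerateDomains builds it: report.<random>.com, lowercased."""
    return ("report." + simda_random_string(seed) + ".com").lower()


# Structural matcher for the generated names: the label after "report." is
# 15..19 characters drawn from [0-9a-z] (letters are lowercased by the sample).
SIMDA_HOST_RE = re.compile(r"^report\.[0-9a-z]{15,19}\.com$")


def looks_like_simda_host(host: str) -> bool:
    """True if a hostname has the shape produced by the generator above.
    This is a shape check only: a legitimate host can collide with it, so treat
    a hit as a lead to pivot on (the hard-coded IPs, the HTTP Host header),
    not as proof of infection."""
    return SIMDA_HOST_RE.match(host.strip().lower().rstrip(".")) is not None


def scan_hosts(hosts):
    """Return the hostnames (e.g. from passive DNS or proxy logs) that match."""
    return [h for h in hosts if looks_like_simda_host(h)]


if __name__ == "__main__":
    # Constructed seeds, not values observed from the sample.
    for seed in (1, 0xDEADBEEF, 0xFFFFFFFF):
        print(f"{seed:#010x} -> {simda_domain(seed)}")
    # Constructed log excerpt: two names from the sample output plus benign hosts.
    sample_log = ["report.31u9m179ce7931sk3y.com", "www.example.com",
                  "report.k5y5c5555gmy5c5.com", "reports.example.com"]
    print(scan_hosts(sample_log))
```

With seed 1 the state walks through the powers of two, which is why the port produces runs such as "gmy" and "cei" (G, M, Y and C, E, I are 32, 64, 128 and 8192, 16384, 32768 mod 26); the same runs appear in the sample output above, a quick sanity check that the rotate and modulus were reversed correctly. Seed 0xFFFFFFFF shows that an all-digit label is possible, so the matcher must not require a mix of letters and digits.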