| ID | B0031 |
| Objective(s) | Command and Control |
| Related ATT&CK Techniques | Dynamic Resolution: Domain Generation Algorithms (T1568.002) |
| Version | 2.2 |
| Created | 1 August 2019 |
| Last Modified | 28 April 2024 |
Malware generates the domain name of the controller to which it connects. Access to on the fly domains enables C2 to operate as domains and IP addresses are blocked. The algorithm can be complicated in more advanced implants; understanding the details so that names can be predicted can be useful in mitigation and response. [1]
The related Dynamic Resolution: Domain Generation Algorithms (T1568.002) ATT&CK sub-technique (oriented toward an adversary perspective with examples that include malware) was defined subsequent to this MBC behavior.
This behavior is related to Unprotect technique U0906.
| Name | Date | Method | Description |
|---|---|---|---|
| Kraken | 2008 | -- | Kraken uses a domain generating algorithm to provide new domains. [2] |
| Conficker | 2008 | -- | Conficker uses a domain name generator seeded by the current date to ensure that every copy of the virus generates the same names on their respective days. [3] |
| CryptoLocker | 2013 | -- | The malware uses an internal domain generation algorithm. [4] |
| Ursnif | 2016 | -- | Previous interations of Ursnif have used a Domain Name Generation algorithm. [5] |
| Tool: CAPE | Mapping | APIs |
|---|---|---|
| whois_create | Domain Name Generation (B0031) | -- |
| network_dga | Domain Name Generation (B0031) | -- |
| network_dga_fraunhofer | Domain Name Generation (B0031) | -- |
[1] https://blog.malwarebytes.com/security-world/2016/12/explained-domain-generating-algorithm/
[2] http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html
[3] https://en.wikipedia.org/wiki/Conficker
[4] https://www.secureworks.com/research/cryptolocker-ransomware
[5] https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality