Domain Name Generation

May 1, 2024

ID: B0031
Objective(s): Command and Control
Related ATT&CK Techniques: Dynamic Resolution: Domain Generation Algorithms (T1568.002)
Version: 2.2
Created: 1 August 2019
Last Modified: 28 April 2024

Malware generates the domain name of the controller to which it connects. Access to domains created on the fly lets C2 keep operating as individual domains and IP addresses are blocked. The algorithm can be complicated in more advanced implants; understanding its details so that the names can be predicted is useful in mitigation and response. [1]

The related Dynamic Resolution: Domain Generation Algorithms (T1568.002) ATT&CK sub-technique (oriented toward an adversary perspective with examples that include malware) was defined subsequent to this MBC behavior.

This behavior is related to Unprotect technique U0906.

Use in Malware

Name | Date | Method | Description
Kraken | 2008 | -- | Kraken uses a domain generating algorithm to provide new domains. [2]
Conficker | 2008 | -- | Conficker uses a domain name generator seeded by the current date to ensure that every copy of the virus generates the same names on their respective days. [3]
CryptoLocker | 2013 | -- | The malware uses an internal domain generation algorithm. [4]
Ursnif | 2016 | -- | Previous iterations of Ursnif have used a Domain Name Generation algorithm. [5]
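As an added example (not MBC's code, nor any of the families listed above), this shows the defensive use the description points at: reproduce a date-seeded generator of the kind the Conficker entry describes, precompute the names it will use over a date range, and match DNS resolver log lines against that predicted set. The generator, its seed string and the log lines are all constructed for the example.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical date-seeded generator: every copy given the same date and seed string
# yields the same names. Constructed for this example, not any real family's DGA.
TLDS = ("com", "net", "org")

def generate_domains(day, count=5, seed="toy-seed"):
    """Return the `count` domains the toy generator would use on `day`."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).hexdigest()
        # map the first 10 hex digits onto the letters a..p to form a label
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:10])
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names

def predicted_blocklist(start, days):
    """Precompute every name produced over a date range, so the domains can be
    blocked or sinkholed before the implant's clock reaches them."""
    names = set()
    for offset in range(days):
        names.update(generate_domains(start + timedelta(days=offset)))
    return names

def match_dns_log(lines, blocklist):
    """Return (timestamp, client, qname) for each query that hits the predicted set;
    lines that do not parse as '<ts> <client> query <qname>' are skipped."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        ts, client, _, qname = parts[:4]
        qname = qname.rstrip(".").lower()
        if qname in blocklist:
            hits.append((ts, client, qname))
    return hits

# Constructed resolver log lines: <timestamp> <client> query <qname>
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 query www.example.com.",
    "2024-05-01T10:00:07Z 10.0.0.5 query " + generate_domains(date(2024, 5, 1))[2] + ".",
    "malformed line",
    "2024-05-03T08:12:40Z 10.0.0.8 query " + generate_domains(date(2024, 5, 3))[0] + ".",
]

def find_dga_hits(log=SAMPLE_LOG, start=date(2024, 5, 1), days=7):
    """Match the sample log against the names predicted for the week from `start`."""
    return match_dns_log(log, predicted_blocklist(start, days))
```

Because the generator is deterministic, the same precomputed set can feed a resolver blocklist, a sinkhole, and the log matcher; only the toy seed and hashing scheme would change for a real reverse-engineered algorithm.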

Detection

Tool: CAPE | Mapping | APIs
whois_create | Domain Name Generation (B0031) | --
network_dga | Domain Name Generation (B0031) | --
network_dga_fraunhofer | Domain Name Generation (B0031) | --

References

[1] https://blog.malwarebytes.com/security-world/2016/12/explained-domain-generating-algorithm/

[2] http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html

[3] https://en.wikipedia.org/wiki/Conficker

[4] https://www.secureworks.com/research/cryptolocker-ransomware

[5] https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality