#############################################################
## Feeds of current Suppobox C2
##
## Feed Provided By: John Bambenek of Bambenek Consulting
## jcb@bambenekconsulting.com // http://bambenekconsulting.com
##
#############################################################

FALSE POSITIVE RISK: High
OTHER NAMES KNOWN AS: none

Suppobox is a word-based DGA and, as such, its generated domains can collide with many legitimate domains. In the case of Suppobox, this risk is high.

The DGA is seeded by date and time and combines two wordlists to create the domains. All domains end in .net. The malware that uses this DGA is generally spammed out as an e-mail attachment. It generates a new domain every 8.5 minutes, producing a list of 85 domains.

References:
http://www.rsaconference.com/writable/presentations/file_upload/br-r01-end-to-end-analysis-of-a-domain-generating-algorithm-malware-family.pdf
https://www.endgame.com/blog/malware-with-a-personal-touch.html

Feeds Generated by this system:
domlist - Non-sinkholed domains that resolve in the given DGA
iplist - Non-sinkholed IPs that resolve for the domains in domlist
master - An aggregation of both lists above

All feeds are generated with a 90-minute lookback and are based on the domains in the DGA for yesterday, today and tomorrow, based on UTC time.