While “Locky” is still hot, let me write a small update on my findings.
A quick run of the DGA for 1 month led me to the following results (filtered to show only registered and resolved domains):
qxicsfgofp.in yqbcarhmtuskpq.be taflicbfuos.pw yqbcarhmtuskpq.be taflicbfuos.pw afcnikg.be
The Whois records of all of those domains contain these 2 emails
And from a quick search, firstname.lastname@example.org is a known threat actor who was involved with several botnet CnC domains earlier and is also mentioned in several legal notices. I also found that a few domains registered by email@example.com have been sinkholed by several law enforcement agencies and regulators. With those findings, I simply conclude that those emails can be (potentially) associated directly or indirectly with Locky (unless they are security researchers who registered the domains for sinkhole/research purposes).
The IPs resolved by the domains in the list above are:
A copy-and-paste version of the IOCs is available here
Any errors or misleading information? Please let me know by email or in the comments. Thanks 🙂