Locky DGA Threat Actor(s)


While “Locky” is still hot, let me write a small update on my findings.

Based on the (new) DGA algorithm published in Forcepoint’s blog post, and with the help of the pyLockyDGA project, I made a minor patch to the Python code so I could automate some of the work.

A quick run of the DGA for 1 month led me to the following results (filtered to show only registered and resolved domains):


The whois records of all of those domains contain these 2 emails:

  • jgou.veia@gmail.com
  • tech1@101domain.com

From a quick search, jgou.veia@gmail.com is a known threat actor previously involved with several botnet CnC domains and also mentioned in several legal notices. I also found that a few domains registered by tech1@101domain.com have been sinkholed by several law enforcement agencies and regulators. With those findings, I simply conclude that those emails can (potentially) be associated directly or indirectly with Locky (unless they are security researchers who registered the domains for sinkhole/research purposes).

The IPs resolved by the domains in the list above are:


Thanks to whoxy.com; domains registered by jgou.veia@gmail.com can be found here [compact whois record] and domains registered by tech1@101domain.com can be found here [compact whois record].

A copy-and-paste version of the IOCs is available here.

Any errors or misleading information? Please let me know by email or in the comments. Thanks 🙂

How Did I Find APT16 New Infra with VirusTotal pDNS and a lil Bit of Luck


[Quick and short update]

Over the last couple of weeks I was reading the “The EPS Awakens – Part 2” blog entry from FireEye and found that this one IP,, was previously used as their C2 server. When I looked it up in VirusTotal IP information, these few domains appeared:

2015-07-01 frppl.com
2015-07-01 jrjfj.com
2015-07-01 pjntx.com
2015-07-01 vzflx.com
2015-07-01 yeaqm.com

I went and checked more information on each domain listed and found new infra (IPs) being used:

frppl.com domain information
jrjfj.com domain information
pjntx.com domain information
yeaqm.com domain information

I quickly checked the server HTTP response headers and found that they are all the same:

HTTP/1.1 403 Forbidden
Server: nginx/1.6.2
Date: (current time of check)
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

Okay, we already have,,, so let's just quickly perform the HTTP response header loop over the whole /24 subnet (or maybeee a lil bit more). This is the result:

Okay, I’m running out of time, my kids are waiting for me outside.

From my quick check on the domains resolving to the IP range – , I can safely assume that those are new APT16 infra. I'm not really confident attributing –, but those IPs in that range, and the domains resolving to that range, are fishy!
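As an added example (not code from the original post or from the pyLockyDGA project), here is a Python check that applies the header fingerprint shown above to already-captured HTTP responses, ignoring the volatile Date header, and optionally restricts hits to one CIDR range the way the /24 check above does. The captures and the TEST-NET addresses in it are constructed, since the post's own IPs are not reproduced here.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Reference fingerprint: the non-volatile parts of the 403 response quoted in the post.
APT16_FINGERPRINT: Dict[str, str] = {
    "status": "HTTP/1.1 403 Forbidden",
    "server": "nginx/1.6.2",
    "content-type": "text/html",
    "content-length": "168",
    "connection": "keep-alive",
}
VOLATILE = {"date"}  # changes on every request, so never part of the fingerprint


def parse_response_head(raw: str) -> Dict[str, str]:
    """Parse the status line and headers of a raw HTTP response (body ignored)."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    lines = [ln for ln in head.splitlines() if ln.strip()]
    parsed = {"status": lines[0].strip()}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only: Date values contain colons
        parsed[name.strip().lower()] = value.strip()
    return parsed


def matches_fingerprint(raw: str, reference: Dict[str, str] = APT16_FINGERPRINT) -> bool:
    """True when the response's non-volatile headers equal the reference exactly."""
    fp = {k: v for k, v in parse_response_head(raw).items() if k not in VOLATILE}
    return fp == reference


def triage(captures: Iterable[Tuple[str, str]], network: Optional[str] = None) -> List[str]:
    """Return IPs whose captured response matches; `network` limits hits to one CIDR."""
    net = ipaddress.ip_network(network) if network else None
    return [ip for ip, raw in captures
            if (net is None or ipaddress.ip_address(ip) in net) and matches_fingerprint(raw)]


def _resp(status: str, server: str, length: int) -> str:
    """Build a constructed raw response for the sample data below."""
    return (f"{status}\r\nServer: {server}\r\nDate: Tue, 01 Mar 2016 10:00:00 GMT\r\n"
            f"Content-Type: text/html\r\nContent-Length: {length}\r\nConnection: keep-alive\r\n\r\n")


# Constructed captures on TEST-NET addresses (hypothetical, not the post's infrastructure).
SAMPLE_CAPTURES = [
    ("192.0.2.10", _resp("HTTP/1.1 403 Forbidden", "nginx/1.6.2", 168)),   # exact match
    ("192.0.2.11", _resp("HTTP/1.1 403 Forbidden", "nginx/1.6.2", 169)),   # body length differs
    ("192.0.2.12", _resp("HTTP/1.1 200 OK", "Apache", 168)),               # different server
    ("198.51.100.7", _resp("HTTP/1.1 403 Forbidden", "nginx/1.6.2", 168)), # match, other range
]
```

Running `triage(SAMPLE_CAPTURES, "192.0.2.0/24")` keeps only the exact match inside the range, while omitting the network argument also surfaces the matching host in the other range.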

Happy hunting