Locky DGA Threat Actor(s)

Posted: March 7th, 2016 | Filed under: IT Related

While “Locky” is still hot, let me write a small update on my findings.

Based on the (new) DGA algorithm published in Forcepoint’s blog post, and with the help of the pyLockyDGA project, I made a minor patch to the Python code so I could automate some of the work.

A quick run of the DGA over one month led me to the following results (filtered to show only the domains that were registered and resolved):

qxicsfgofp.in
yqbcarhmtuskpq.be
taflicbfuos.pw
afcnikg.be

The WHOIS records of all of those domains contain these two e-mail addresses:

  • jgou.veia@gmail.com
  • tech1@101domain.com

And from a quick search, jgou.veia@gmail.com is a known threat actor involved with several botnet CnC domains earlier, and is also mentioned in several legal notices. I also found that a few domains registered by tech1@101domain.com have been sinkholed by several law enforcement agencies and regulators. With those findings, I simply conclude that those e-mails can (potentially) be associated directly or indirectly with Locky (unless they are security researchers who registered the domains for sinkhole/research purposes).

The IPs that the domains in the list above resolved to are:

  • 195.22.28.196
  • 195.22.28.197
  • 195.22.28.198
  • 195.22.28.199
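The automation described above (running the generator across a date range, keeping only the candidates that actually resolve, then pivoting on the resolved IPs and on the WHOIS registrant e-mails) sketched as an added Python example. This is not the post’s patched pyLockyDGA code and not Forcepoint’s algorithm: the DGA is passed in as a callable so the real generator can be plugged in, and `fake_dga`, the DNS answers and the WHOIS e-mails are constructed stand-ins so the script runs offline (the four domains, four IPs and two addresses are the ones the post lists; which domain maps to which IP is made up for the demo).

```python
"""Pipeline around a DGA: enumerate the candidates a generator produces over a
date range, keep only the ones that resolve, then pivot on the resolved IPs /
netblocks and on WHOIS registrant e-mails.

Added example; not code from the original post, from Forcepoint or from
pyLockyDGA. The DGA is injected as a callable ``dga(day) -> list[str]`` so a
real generator can be plugged in; the generator, DNS answers and WHOIS data
below are constructed stand-ins.
"""
import ipaddress
import socket
from collections import defaultdict
from datetime import date, timedelta


def candidates(dga, start, days):
    """Run the DGA for every day in [start, start + days) and return
    {domain: first day it was generated}; repeats across days collapse."""
    first_seen = {}
    for n in range(days):
        day = start + timedelta(days=n)
        for domain in dga(day):
            first_seen.setdefault(domain.lower().rstrip("."), day)
    return first_seen


def system_resolver(domain):
    """Live resolver: IPv4 A answers via the system stub, [] on NXDOMAIN/error.
    These lookups land in your recursive resolver's logs, so use a dedicated
    resolver when that matters."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def resolving(first_seen, resolver=system_resolver):
    """Filter the candidate set down to domains that resolve: {domain: [ips]}.
    Resolving only proves someone registered the name; a sinkhole or a
    researcher registration looks identical here, hence the WHOIS pivot."""
    hits = {}
    for domain in sorted(first_seen):
        ips = resolver(domain)
        if ips:
            hits[domain] = ips
    return hits


def pivot(hits, whois):
    """Cluster resolving domains by exact IP and by registrant e-mail
    (``whois`` maps domain -> iterable of e-mail addresses)."""
    by_ip, by_email = defaultdict(set), defaultdict(set)
    for domain, ips in hits.items():
        for ip in ips:
            by_ip[ip].add(domain)
        for email in whois.get(domain, ()):
            by_email[email.lower()].add(domain)
    return ({k: sorted(v) for k, v in by_ip.items()},
            {k: sorted(v) for k, v in by_email.items()})


def by_netblock(hits, prefix=24):
    """Group resolving domains by IPv4 /prefix, so adjacent hosts at one
    provider show up as a single cluster even when the exact IPs differ."""
    groups = defaultdict(set)
    for domain, ips in hits.items():
        for ip in ips:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            groups[str(net)].add(domain)
    return {k: sorted(v) for k, v in groups.items()}


# --- constructed stand-ins (not real DGA output, DNS answers or WHOIS data) ---
_FAKE_DGA_TABLE = [
    ["qxicsfgofp.in", "uvjkqbwlsx.pw", "mpdlrtae.be"],
    ["yqbcarhmtuskpq.be", "taflicbfuos.pw", "zkhwqbrnp.in"],
    ["yqbcarhmtuskpq.be", "afcnikg.be", "lrcwqvtgs.pw"],  # repeat from the day before
]
_FAKE_DNS = {  # domains and IPs from the post; the pairing is made up for the demo
    "qxicsfgofp.in": ["195.22.28.196"],
    "yqbcarhmtuskpq.be": ["195.22.28.197", "195.22.28.198"],
    "taflicbfuos.pw": ["195.22.28.198"],
    "afcnikg.be": ["195.22.28.199"],
}
_FAKE_WHOIS = {d: ["jgou.veia@gmail.com", "tech1@101domain.com"] for d in _FAKE_DNS}


def fake_dga(day):
    """Stand-in for the real generator: one table row per day, cycling."""
    return _FAKE_DGA_TABLE[(day - date(2016, 2, 1)).days % len(_FAKE_DGA_TABLE)]


def fake_resolver(domain):
    return _FAKE_DNS.get(domain, [])


def demo():
    """Run the whole pipeline on the stand-ins; returns the intermediate results."""
    seen = candidates(fake_dga, date(2016, 2, 1), 3)
    hits = resolving(seen, fake_resolver)
    by_ip, by_email = pivot(hits, _FAKE_WHOIS)
    return seen, hits, by_ip, by_email, by_netblock(hits)


if __name__ == "__main__":
    seen, hits, by_ip, by_email, nets = demo()
    print(f"{len(seen)} candidates, {len(hits)} resolving")
    for ip, doms in sorted(by_ip.items()):
        print(ip, ", ".join(doms))
    for email, doms in sorted(by_email.items()):
        print(email, ", ".join(doms))
    for net, doms in nets.items():
        print(net, ", ".join(doms))
```

Swap `fake_dga` for the real generator and `fake_resolver` for `system_resolver` (or a resolver of your own) to reproduce the run; the netblock view is what makes four consecutive addresses on one provider stand out as a single cluster rather than four separate hits.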

Thanks to whoxy.com; the domains registered by jgou.veia@gmail.com can be found here [compact whois record], and the domains registered by tech1@101domain.com can be found here [compact whois record].

A copy-and-paste version of the IOCs is available here.

Any errors or misleading information? Please let me know by e-mail or in the comments. Thanks 🙂