MalwareMustDie

#MalwareMustDie Zbot Trojan Analysis / Spam Campaign Attach.

May 28th, 2013
========================
#MalwareMustDie!
Attachment Zbot Campaign Spam.
File/malware Analysis:
Sample : ./Statement57-27-05-2013.exe
MD5 : 0bbf809dc46ed5d6c9f1774b13521e72
SHA256 : 00b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400

@unixfreaxjp ~]$ date
Tue May 28 23:50:23 JST 2013

========================

// Some fakes:

Fake Compile date: 2011-02-07 04:32:22
Fake (PE) signature:
LegalTrademarks: Gyhinoh Vovyruc Owog Ubuxe Evy Vuzy Ciza Nanef Hary
SubsystemVersion: 4.0
InitializedDataSize: 76288
Publisher: Commander Group
Product: Yzy
Version: 3, 6
Original name: Mpjogana1vavo.exe
Internal name: Ocosiq
File version: 3, 6, 5
Description: Erytep Zadopi Ukaho

// Looks creepy enough; the hash is already in the VT database:

// VirusTotal:

VT URL : https://www.virustotal.com/latest-scan/00b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400

SHA256: 00b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400
SHA1: 9a50fa08e71711d26d86f34d8179f87757a88fa8
MD5: 0bbf809dc46ed5d6c9f1774b13521e72
File size: 237.0 KB ( 242688 bytes )
File name: Statement 57-27-05-2013.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 27 / 47
Analysis date: 2013-05-28 11:38:53 UTC ( 2 minutes ago )
First submission 2013-05-27 12:48:38 UTC ( 22 hours, 52 minutes ago )
Last submission 2013-05-28 11:38:53 UTC ( 2 minutes ago )

Verdict of ./Statement 57-27-05-2013.exe with MD5 0bbf809dc46ed5d6c9f1774b13521e72 :
----------------------------------------------------------------------------
MicroWorld-eScan: Trojan.GenericKD.1012186
nProtect : Trojan.Zbot.IAA
McAfee : PWS-Zbot-FBBF
Malwarebytes : Spyware.Passwords
F-Prot : W32/Trojan3.FID
Symantec : Trojan.Zbot
Norman : Suspicious_Gen4.EBMZD
ByteHero : Trojan.Malware.Obscu.Gen.002
TrendMicro-HouseCall : TROJ_GEN.RC9H1ER13
Avast : Win32:Malware-gen
Kaspersky : Trojan-Spy.Win32.Zbot.lvpo
BitDefender : Trojan.GenericKD.1012186
Sophos : Troj/Zbot-FHI
Comodo : TrojWare.Win32.Trojan.Agent.Gen
F-Secure : Trojan.GenericKD.1012186
DrWeb : Trojan.PWS.Panda.4379
VIPRE : Trojan.Win32.Generic!BT
AntiVir: TR/Spy.ZBot.lvpo
Emsisoft : Trojan.Win32.Agent.AMN (A)
ESET-NOD32: Win32/Spy.Zbot.AAU
GData : Trojan.GenericKD.1012186
Commtouch : W32/Trojan.RYWZ-7367
AhnLab-V3 : Spyware/Win32.Zbot
Ikarus : Trojan-Spy.Agent
Fortinet : W32/Zbot.AOV!tr
AVG : Zbot.AGJ

  78.  
==================================
Why Zbot? A hint for all users
==================================
Why is it Zbot?
Let's take a look at the behavior tab of the VT report page.
See these Zbot variant trademarks below (ref: VT behavior info):

Drops:
C:\Documents and Settings\<USER>\Application Data\Etivu\irjypy.exe
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp4affcd27.bat
C:\Documents and Settings\<USER>\Application Data\Microsoft\AddressBook\<USER>.wab
And self-copied:
C:\autoexec.bat
C:\WINDOWS\system32\rsaenh.dll
And injection into the following processes:
explorer.exe
wscntfy.exe
python.exe
VBoxTray.exe
irjypy.exe
Also the opening of (LDAP/AD) services:
MACHINE: localhost
DATABASE: SERVICES_ACTIVE_DATABASE
Then UDP communication to <MACHINE_DNS_SERVER>:53 and to:
64.4.10.33:123
78.161.154.194:25633
186.29.77.250:18647
190.37.115.43:29609
187.131.8.1:13957
181.67.50.91:27916
[...]

======================
BINARY ANALYSIS
======================
  114.  
// The hex:

Sections:
.text 0x1000 0x282f8 164864
.rdata 0x2a000 0x840 2560
.data 0x2b000 0x1c70b 67584
.rsrc 0x48000 0x1788 6144

Entry Point at 0x243cb
Virtual Address (Reversing Start) is 0x424fcb
FileAccess & CreateDate: 2013:05:28 12:38:54+01:00
Unpacked but encoded..

Hex:

0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 07 21 34 D1 43 40 5A 82 43 40 5A 82 43 40 5A 82 .!4.C@Z.C@Z.C@Z.
0090 50 48 07 82 51 40 5A 82 BC 60 5E 82 73 40 5A 82 PH..Q@Z..`^.s@Z.
00A0 45 63 50 82 51 40 5A 82 80 4F 07 82 6A 40 5A 82 EcP.Q@Z..O..j@Z.
00B0 C0 48 07 82 4B 40 5A 82 15 48 5C 82 55 40 5A 82 .H..K@Z..H..U@Z.
00C0 52 69 63 68 43 40 5A 82 00 00 00 00 00 00 00 00 RichC@Z.........
00D0 50 45 00 00 4C 01 04 00 D6 75 4F 4D 00 00 00 00 PE..L....uOM....
00E0 00 00 00 00 E0 00 0E 01 0B 01 04 00 00 84 02 00 ................
00F0 00 2A 01 00 00 00 00 00 CB 4F 02 00 00 10 00 00 .*.......O......
0100 00 A0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 ......@.........
0110 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ................
0120 00 A0 04 00 00 04 00 00 EF 78 04 00 02 00 00 00 .........x......
0130 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ................
0140 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
0150 38 A1 02 00 64 00 00 00 00 80 04 00 88 17 00 00 8...d...........
0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170 00 00 00 00 00 00 00 00 40 B1 02 00 1C 00 00 00 ........@.......
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190 00 00 00 00 00 00 00 00 00 B0 02 00 40 00 00 00 ............@...
01A0 00 00 00 00 00 00 00 00 00 A0 02 00 38 01 00 00 ............8...
01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01C0 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 .........text...
01D0 F8 82 02 00 00 10 00 00 00 84 02 00 00 04 00 00 ................
01E0 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
01F0 2E 72 64 61 74 61 00 00 40 08 00 00 00 A0 02 00 .rdata..@.......

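The numbers quoted above (entry point file offset 0x243cb, virtual address 0x424fcb, the "fake" compile date, the .text section geometry) can all be read straight out of the first 0x200 bytes of that hex dump. The parser below is an added example, not part of the original paste and not MalwareMustDie's own tooling: it embeds the dump bytes transcribed from above and walks the DOS header, COFF file header, PE32 optional header and section table at their standard offsets, then maps the entry-point RVA to a file offset through the section that contains it. Because the dump stops at 0x200, only the .text header is complete and the .rdata header is partial; the parser tolerates that rather than failing.

```python
import struct
from datetime import datetime, timezone

# First 0x200 bytes of the sample, transcribed from the hex dump above
# (4-digit offset followed by 16 bytes per line; the ASCII column is dropped).
HEXDUMP = """\
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0030 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00
0080 07 21 34 D1 43 40 5A 82 43 40 5A 82 43 40 5A 82
0090 50 48 07 82 51 40 5A 82 BC 60 5E 82 73 40 5A 82
00A0 45 63 50 82 51 40 5A 82 80 4F 07 82 6A 40 5A 82
00B0 C0 48 07 82 4B 40 5A 82 15 48 5C 82 55 40 5A 82
00C0 52 69 63 68 43 40 5A 82 00 00 00 00 00 00 00 00
00D0 50 45 00 00 4C 01 04 00 D6 75 4F 4D 00 00 00 00
00E0 00 00 00 00 E0 00 0E 01 0B 01 04 00 00 84 02 00
00F0 00 2A 01 00 00 00 00 00 CB 4F 02 00 00 10 00 00
0100 00 A0 02 00 00 00 40 00 00 10 00 00 00 02 00 00
0110 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
0120 00 A0 04 00 00 04 00 00 EF 78 04 00 02 00 00 00
0130 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00
0140 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00
0150 38 A1 02 00 64 00 00 00 00 80 04 00 88 17 00 00
0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0170 00 00 00 00 00 00 00 00 40 B1 02 00 1C 00 00 00
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0190 00 00 00 00 00 00 00 00 00 B0 02 00 40 00 00 00
01A0 00 00 00 00 00 00 00 00 00 A0 02 00 38 01 00 00
01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01C0 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00
01D0 F8 82 02 00 00 10 00 00 00 84 02 00 00 04 00 00
01E0 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60
01F0 2E 72 64 61 74 61 00 00 40 08 00 00 00 A0 02 00
"""


def hexdump_to_bytes(dump):
    """Rebuild raw bytes from a 16-bytes-per-line dump; a trailing ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        if line.strip():
            out += bytes(int(t, 16) for t in line[4:].split()[:16])
    return bytes(out)


def rva_to_file_offset(rva, sections):
    """Map an RVA to a file offset through the section that contains it (None if unmapped)."""
    for s in sections:
        if "raw_ptr" not in s:
            continue
        va, size = s["virtual_address"], max(s["virtual_size"], s["raw_size"])
        if va <= rva < va + size:
            return rva - va + s["raw_ptr"]
    return None


def parse_pe_header(data):
    """Parse the DOS header, COFF file header, PE32 optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        if off + 8 > len(data):
            break  # the dump ends inside the section table
        sec = {"name": data[off:off + 8].rstrip(b"\0").decode("ascii")}
        for field, at in (("virtual_size", 8), ("virtual_address", 12), ("raw_size", 16), ("raw_ptr", 20)):
            if off + at + 4 <= len(data):  # keep whatever fields the dump still covers
                sec[field] = struct.unpack_from("<I", data, off + at)[0]
        sections.append(sec)
    return {
        "e_lfanew": e_lfanew, "machine": machine, "num_sections": nsec,
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entry_rva": entry_rva, "entry_va": image_base + entry_rva,
        "entry_file_offset": rva_to_file_offset(entry_rva, sections),
        "sections": sections,
    }


if __name__ == "__main__":
    for key, value in parse_pe_header(hexdump_to_bytes(HEXDUMP)).items():
        print(key, hex(value) if isinstance(value, int) else value)
```

The TimeDateStamp decodes to the same 2011-02-07 04:32:22 the author lists as the fake compile date, and the entry RVA 0x24fcb lands at file offset 0x24fcb - 0x1000 + 0x400 = 0x243cb through the .text header, which is how the two entry-point figures above relate.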
  163.  
// Let's take a look deeper into the PE.
// You'll find encrypted names:

aO5wtsorusvc 0x42B8B5
a8eysgvdxnrdrmq 0x42B8C5
aWvecqn3l6na5kv 0x42B8F4
aQadfxc3bkbf6a7 0x42B90D
a1k4f88rrsqgj3p 0x42F647
aMosebysnhh3liy 0x42FD11
aQhbheglrtya 0x431082
aDb1xkjnouegqm8 0x43108E
aWhvdsthna3stgf 0x431633
aXq4pbgyyo2y1af 0x43168A
aRmkluoeowsbd5q 0x43169D
aAtxdtwisbwtaqv 0x431B0B
aMnnlt73yynlsgn 0x431E11
a2lotgmlteqxhen 0x433EE8
aMhhev7ngmbnabs 0x434201
aO15lyfcgwsrffh 0x4343CC
aRbmxwyrdebxc4q 0x43440E
aCefsqvjtjfusoo 0x434439
aGktg3qeulemrem 0x4347B7
aOw4qmji2lcapqu 0x434969
aMbchrhfikirjuv 0x434D94
aJhcixlnclhnasd 0x435318
aQckavhbsue811o 0x435A7F
aIbaadkacjtanuo 0x435DB4
aJlptchgcrflx8g 0x435E07
aAuqtkevbqlfmbv 0x43661B
aSuyim6vh22ffnk 0x436A4E
aWsxn3prvlrmt7q 0x436E5E
aByrox5fnfiwpwa 0x437912
aNg2hskcdygucdk 0x43792C
aEumbpejckmqitr 0x438030
aUm6bojq1k4qhee 0x4395D3
aX68nruj61yqfdh 0x439779
aWdjykxqpve8lhf 0x43AADF

// And encoded functions in .text:

sub_420FAD .text 0x420FAD
sub_421087 .text 0x421087
sub_421631 .text 0x421631
sub_421702 .text 0x421702
sub_42183D .text 0x42183D
sub_421869 .text 0x421869
sub_421B23 .text 0x421B23
sub_421CC4 .text 0x421CC4
sub_421E53 .text 0x421E53
sub_421F97 .text 0x421F97
sub_4220AA .text 0x4220AA
sub_4221B2 .text 0x4221B2
sub_4223A5 .text 0x4223A5
sub_42243B .text 0x42243B
sub_42274F .text 0x42274F
sub_42289C .text 0x42289C
sub_4229FB .text 0x4229FB
sub_422B13 .text 0x422B13
sub_422BD6 .text 0x422BD6
sub_422BF8 .text 0x422BF8
sub_422CA9 .text 0x422CA9
sub_422D7F .text 0x422D7F
sub_422E3B .text 0x422E3B
sub_4230C6 .text 0x4230C6
sub_4232AD .text 0x4232AD
sub_42337C .text 0x42337C
sub_4237AF .text 0x4237AF
sub_4238B3 .text 0x4238B3
sub_4241F6 .text 0x4241F6
sub_4242CC .text 0x4242CC
sub_42438D .text 0x42438D
sub_424538 .text 0x424538
sub_4246D2 .text 0x4246D2
sub_4247BB .text 0x4247BB
sub_424885 .text 0x424885
sub_42498A .text 0x42498A
sub_424A56 .text 0x424A56
sub_424B47 .text 0x424B47
sub_424BD7 .text 0x424BD7
sub_424C9C .text 0x424C9C
sub_424D35 .text 0x424D35
sub_424D87 .text 0x424D87
sub_424E6F .text 0x424E6F
sub_427214 .text 0x427214
sub_4272A8 .text 0x4272A8
sub_42734F .text 0x42734F
sub_42743D .text 0x42743D
sub_427560 .text 0x427560
sub_427634 .text 0x427634
sub_427718 .text 0x427718
sub_427739 .text 0x427739
sub_42781B .text 0x42781B
sub_42875E .text 0x42875E
sub_4289BA .text 0x4289BA
sub_428AC6 .text 0x428AC6
sub_428D3D .text 0x428D3D
sub_428DD9 .text 0x428DD9
sub_428EB0 .text 0x428EB0
sub_428F2B .text 0x428F2B
sub_429063 .text 0x429063
[...]

// Not good.. encoded here and there...
// Let's analyze & decode this for more info..

===============================
Peeling the Binary
===============================

// Analysis results after decoding the binary:

// Full list of DLLs used:

cabinet.dll
@kernel32.dll
kshell32.dll
urlmon.dll
Wadvapi32.dll
userenv.dll
gdiplus.dll
LdrLoadDll
ntdll.dll
KERNEL32.dll
USER32.dll
ADVAPI32.dll
SHLWAPI.dll
SHELL32.dll
Secur32.dll
ole32.dll
GDI32.dll
WS2_32.dll
CRYPT32.dll
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
msvcrt.dll

// Full list of API calls used:

BSeTcbPrivilege
SeShutdownPrivilege
ProfileImagePath
ObtainUserAgentString
GetProductInfo
RegDeleteKeyExW
GetFileInformationByHandleEx
SetFileInformationByHandle
GdiplusStartup
GdiplusShutdown
GdipCreateBitmapFromHBITMAP
GdipDisposeImage
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipSaveImageToStream
GetProcAddress
LoadLibraryA
NtTerminateProcess
LdrLoadDll
LdrGetDllHandle
NtQueryInformationProcess
WaitForSingleObject
CreateThread
SetLastError
GetModuleHandleW
InitializeCriticalSection
GetLastError
DeleteCriticalSection
FileTimeToDosDateTime
GetTempFileNameW
DosDateTimeToFileTime
lstrcmpA
lstrcpynA
FreeLibrary
LoadLibraryW
CreateFileW
lstrlenW
GetTempPathW
GetProcAddress
FileTimeToLocalFileTime
SetFileAttributesW
lstrcpyW
lstrcpyA
lstrcmpiA
CreateRemoteThread
OpenProcess
VirtualFreeEx
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
CloseHandle
GetEnvironmentVariableW
CreateProcessW
GetCurrentThread
Thread32First
Thread32Next
LoadLibraryA
lstrcmpiW
LeaveCriticalSection
EnterCriticalSection
GetTickCount
TerminateThread
WaitForMultipleObjects
DuplicateHandle
ResumeThread
VirtualFree
VirtualAlloc
VirtualProtect
GetThreadContext
SetThreadContext
VirtualQuery
GetCurrentProcess
InterlockedCompareExchange
FlushInstructionCache
GetCurrentThreadId
lstrlenA
TryEnterCriticalSection
SetEvent
Sleep
CreateEventW
ResetEvent
GetExitCodeThread
SetThreadPriority
GetSystemTime
GetCommandLineW
GetNativeSystemInfo
GetDriveTypeW
GetSystemDefaultUILanguage
GetLogicalDrives
GetProcessTimes
GetModuleFileNameW
lstrcmpW
GlobalMemoryStatusEx
GetUserDefaultUILanguage
GetDiskFreeSpaceExW
GetVolumeInformationW
TlsGetValue
TlsSetValue
SetEndOfFile
SetFilePointerEx
SetFileTime
WriteFile
GetFileAttributesW
ReadFile
FlushFileBuffers
GetFileSizeEx
GetFileTime
DeleteFileW
GetFileInformationByHandle
LocalFree
CreateDirectoryW
ExpandEnvironmentStringsW
TlsAlloc
GetPrivateProfileStringW
GetPrivateProfileIntW
TlsFree
FindFirstFileW
FindClose
RemoveDirectoryW
FindNextFileW
GetThreadPriority
QueryPerformanceCounter
MapViewOfFile
UnmapViewOfFile
CreateFileMappingW
MoveFileExW
WideCharToMultiByte
MultiByteToWideChar
GetVersionExW
ExitProcess
GetSystemTimeAsFileTime
WTSGetActiveConsoleSessionId
GetHandleInformation
HeapAlloc
HeapFree
HeapDestroy
HeapCreate
HeapReAlloc
GetProcessId
UnregisterWait
RegisterWaitForSingleObject
SystemTimeToFileTime
GetTimeZoneInformation
GetLocalTime
InterlockedIncrement
InterlockedDecrement
IsBadReadPtr
VirtualAllocEx
WriteProcessMemory
CreateMutexW
OpenMutexW
ReleaseMutex
lstrcatW
GetComputerNameW
GetVolumeNameForVolumeMountPointW
SetErrorMode
OpenEventW
GetCurrentProcessId
GlobalLock
GlobalUnlock
CharToOemW
GetCursorPos
GetIconInfo
DrawIcon
LoadCursorW
GetSystemMetrics
GetLastInputInfo
CharUpperW
GetClipboardData
TranslateMessage
PostQuitMessage
CharLowerA
CharLowerW
DispatchMessageW
PeekMessageW
orMultipleObjects
ExitWindowsEx
ToUnicode
GetKeyboardState
GetLengthSid
OpenProcessToken
GetSidSubAuthority
OpenThreadToken
GetSidSubAuthorityCount
GetTokenInformation
CreateProcessAsUserW
LookupPrivilegeValueW
AdjustTokenPrivileges
CryptVerifySignatureW
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
CryptDestroyHash
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetSecurityDescriptorSacl
SetSecurityDescriptorSacl
RegCreateKeyExW
RegCloseKey
EqualSid
CryptGetHashParam
CryptAcquireContextW
CryptReleaseContext
CryptCreateHash
CryptHashData
RegQueryValueExW
RegQueryInfoKeyW
RegDeleteKeyW
RegDeleteValueW
RegOpenKeyExW
RegFlushKey
RegEnumKeyExW
RegSetValueExW
InitiateSystemShutdownExW
IsWellKnownSid
ConvertSidToStringSidW
PathRemoveExtensionW
PathFindFileNameW
PathRemoveFileSpecW
StrCmpNA
StrRChrA
StrCmpIW
StrChrW
StrCmpW
StrCmpNIW
StrCmpNW
StrChrA
StrCmpNIA
PathRemoveBackslashW
PathRenameExtensionW
PathGetDriveNumberW
PathIsDirectoryW
PathSkipRootW
PathUnquoteSpacesW
wvnsprintfW
wvnsprintfA
PathQuoteSpacesW
PathFindExtensionW
PathMatchSpecW
PathIsURLW
UrlUnescapeA
PathAddBackslashW
StrStrIW
SHLWAPI.dll
SHGetFolderPathW
CommandLineToArgvW
ShellExecuteW
GetUserNameExW
DeleteSecurityContext
DecryptMessage
EncryptMessage
CoCreateInstance
CoUninitialize
CoInitializeSecurity
CoInitializeEx
CoTaskMemFree
CoSetProxyBlanket
CLSIDFromString
StringFromGUID2
CreateStreamOnHGlobal
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
DeleteObject
CreateDCW
GetDeviceCaps
DeleteDC
BitBlt
GetAddrInfoW
freeaddrinfo
WSAGetOverlappedResult
WSASend
WSARecv
getaddrinfo
FreeAddrInfoW
WSAStringToAddressW
WSAAddressToStringA
WSACreateEvent
WSAEventSelect
WSAEnumNetworkEvents
WSAAddressToStringW
WSAIoctl
WSACloseEvent
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CryptUnprotectData
HttpSendRequestExA
HttpQueryInfoA
InternetConnectA
InternetCrackUrlA
InternetReadFile
InternetSetOptionA
InternetWriteFile
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
InternetOpenA
InternetCloseHandle
InternetQueryOptionA
NetUserGetInfo
NetApiBufferFree
NetUserEnum
GetAdaptersAddresses
GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW
_errno
memcpy
memcmp
_purecall
memset
memchr
memmove
strcmp
_ultow
_vsnwprintf
_vsnprintf
strtoul
RtlUnwind
SetFilePointer
OutputDebugStringA
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
_except_handler3

  640.  
// Now we see a much better picture of what the binary
// actually does...

// Let's see the traces..

===================================================
Trace Analysis - Tearing apart malware functions
===================================================

// The logic used for the temporary files:

tmp (calling environment temp)
%s%08x.%s (format)
Wrote file: C:\Documents and Settings\USER\Local Settings\Temp\tmpf8d49d9f.bat (checked)

// The config used:

(variable name).dat
Wrote file: C:\Documents and Settings\rik\Local Settings\Application Data\cofa.uxo.dat (checked)

// Trace of decoding method:

Microsoft Enhanced Cryptographic Provider v1.0

// Decoded target sections:

.text < to be encoded
.data < to be encoded
.reloc < to be added section...

// Batch commands executed via CMD:

del "%s"
if exist "%s" goto d
@echo off
del /F "%s"

// Some username sets.. #precious #hint if you know Zbot.

tellerplus
bancline
fidelity
micrsolv
bankman
vantiv
episys
jack henry
cruisenet
gplusmain
silverlake
v48d0250s1
fastdoc

// Code injection process names:

launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe

// It indeed confirms the x64 processor check..

IsWow64Process

// ...and also sniffing for x64 at:
HKCU\Software\Microsoft","SUCCESS","Desired Access: Create Sub Key, WOW64_64Key"
HKCU\Software\Microsoft\Haatneylcoa","SUCCESS","Desired Access: Query Value, Set Value, WOW64_64Key"
HKLM\Software\Microsoft\Windows NT\CurrentVersion","SUCCESS","Desired Access: Query Value, WOW64_64Key"
HKLM\Software\Policies\Microsoft\Cryptography","NAME NOT FOUND","Desired Access: Read, WOW64_64Key"
HKLM\Software\Microsoft\Cryptography","SUCCESS","Desired Access: Read, WOW64_64Key"
HKLM\System\WPA\TabletPC","NAME NOT FOUND","Desired Access: Query Value, WOW64_64Key"
HKLM\SYSTEM\WPA\MediaCenter","SUCCESS","Desired Access: Query Value, WOW64_64Key"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","NAME NOT FOUND","Desired Access: Read, WOW64
HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","NAME NOT FOUND","Desired Access: Read, WOW64
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\awoty.exe","NAME NOT FOUND","Desired Access: R
HKCU\Software\Microsoft\Haatneylcoa","SUCCESS","Desired Access: Query Value, WOW64_64Key"
HKLM\System\WPA\TabletPC","NAME NOT FOUND","Desired Access: Query Value, WOW64_64Key"
HKLM\SYSTEM\WPA\MediaCenter","SUCCESS","Desired Access: Query Value, WOW64_64Key"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","NAME NOT FOUND","Desired Access: Read, WOW64
HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","NAME NOT FOUND","Desired Access: Read, WOW64
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\cmd.exe","NAME NOT FOUND","Desired Access: Read, WOW64
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags","NAME NOT FOUND","Desired Access: Read, WOW64_64Key"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags","NAME NOT FOUND","Desired Access: Read, WOW64_64Key"

  727.  
// Some HTTP header commands..

POST
GET
HTTP/1.1
Connection: Close
Accept-Language:

// Connection test sites:

http://www.google.com/
http://www.bing.com/

// Internet connectivity..

connection
proxy-connection
content-length
transfer-encoding
upgrade
chunked
keep-alive
close
Authorization
Basic
div
script
nbsp;

// Zbot commands:

DELETE
HEAD
PUT
CONNECT
OPTIONS
TRACE
COPY
LOCK
MKCOL
MOVE
PROPFIND
PROPPATCH
SEARCH
UNLOCK
REPORT
MKACTIVITY
CHECKOUT
MERGE
M-SEARCH
NOTIFY
SUBSCRIBE
UNSUBSCRIBE
PATCH
PURGE

// Wrote log file:

C:\Documents and Settings\rUSER\ntuser.dat.LOG","SUCCESS","EndOfFile: 49,152"
C:\Documents and Settings\rUSER\ntuser.dat.LOG","SUCCESS","EndOfFile: 53,248"
C:\Documents and Settings\rUSER\ntuser.dat.LOG","SUCCESS","EndOfFile: 57,344"

======================
More registry
(not only what is written in VT)
======================

// Wrote base64-encoded encrypted data in the registry at:

HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Haatneylcoa\2fejgjfb:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Haatneylcoa\21ai7ij3:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Haatneylcoa\36j81186:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Haatneylcoa\11e25340:

... with data like:

sDRF4O5RpPdxW5NITFgtTeurljPpBoq+Oh0xJITaj36z/X/WWiQWX9WHdNCznV3RdwdwZN/0nCG5QS0wAd5ZZMREnj14Nvrv+lQh
fmMIdOuYSAK+HY1uM2kIt6HJXkx0o5nlx5dPslmKUtiGcBISorfLD91MQh7SqWrv2Y7noOkieVerFwA/KHIBxZK2+yjlmpF+uMd8
l4A/e31F9M6AMgSCr3tYUTc48swBh3rTkykzEQolU0dLODBtVnYTbbfVw9XGZ4UUt7y7JDNcv+hNQ+y/38TCUv2rnHpP0AFgeBz9
ZS+fxT8x3IjXt0uNtEewlWS021QvBeaQaho3zQlq0luTbRO1aBGu3WEPtJSe5MyMC6bjIvHj8z9NMSuKrpW58Y7k04nRk/zRUXwu
B2qxbKsVy3G2FiPfEsWiVK+vlUBq3oq+SuTHd/Rj1MHKamn4JUr3nOm3dSSvfMrv59d3BWRWCj3BheORrJ3uZLOqf8Tgl8kOhvTh
jdnGTn3+AB8DWXTAhHuHf9K7qhLq0xDKTACu9tUZbee+D8sOeB5awW9MfWCfahnKJtWy0oZNWGghC/FQQDmeIjNWXLkCvRIA1R7v
fLcudKlrmS9728Uu4yhNoO9sS09hjyXTFflA1EYIKHxCo8TlmAkuSgwrkicEOOt1yGzrGhO0I52iqCIH50iy4dYB1iStoB/g0B6t
[...]
YvkC4cYclFqVOo2lYVaGFGA7ziaJAyvFJ5rIYYRA6i8nF42SRC6kVigdDdIQPqV7LRcXntGPixcVaPDgb/qIILNbz8zkJ7boLUzn
fDyj+fO9gHo+PiX27xLt27tNPySsZtfg62dFFL1qOsgY/sk2YF1gKBkneMInWcOI29mxA1alAGMriU8wRX/OrhE1aRx9li4gGdm9
ETCRCWfq+cZZQlRl+3cDC9aanA7QfqycElf1vFXA5cqq+Marv53gItjzauowZqyMzy7VAmxRwpvCcu2mMrJG/TS0xgNY9D7ZKuFR
ktuHDQZbNCgiT/LcEIJyaPBVH8ijBSEsMg==

..or:

sDRF4HBUpPc1RhRP2lGIpNhVWo8a6AqeVn0oKIj8Ho8EP8ECwN64q+uHdNCznV3RdwdwZN/0nCC5QS1feP0llodjFaqWEV/LhZQ7
jzjEp70owuIN0mbmNl4gkYzIF/lBu54KVHORFnOg6y8/8hEjk2+XugiKz+mZKEZAZPMLJqia9bBdKG301jxlRmGuzM4BsB2m7UTX
a7SjVX4swkd+nsQBuIHcKdu3Ul9EhafWwNnOQD2DEEA7x3vJeL8YnNXjeIUElx7fbe0DDGLpvt0SIdjnEoCkV7iEEfAcVGhuX8Wf
wkPZ3YczFbwYIdLjjiutxhnGVeUBNBZiZeP42nV7n8hnjFFlQp3R+CodXah+ihJo56J6X4hhgx0mw4DCuMTXOb2a0cCfPSdH1kw/
B7aP54wBuitjH+F8ur/eVK+vlUBq3oq+SuTHd/Rj1MHKamn4JUr3nHMS0XVvcmc6MCZBMAsVT6yiTDQPXG+KIurQ5AzcvskOhvTh
jdnGTn3+AB8DWXTAhHuHf9K7qhLqSLVuHcKSvEIWlBhoaiyq7jS3CXFazeck5JFrQYaL0oZNWGghC/FQQDmeIjNWXLkCvRIA1R7v
fLe10Q06Xn1t10UmGGnfKbFKyq/g8HNxRG9/gRf24g1Co/TkmAkuSm4xcbYkTTYDG4B2hM5p6rCX7WmrbREBsuzbGlIdswor2lGU
[...]
d+oZ653QF8A2uYYy8Lk3KCHoq/qfKNqZwt4hWSyU6E8X2yYjYlOceMX73pilACKfgVBsBYAdm4pcUVwflzM6beswWiT3uJ9hEWlS
lS3JVPlSidGGQuNcXDoOzybYamvE3VUyXTRIjBgEepRkz2GOQiZTT/+0MFmSY1xxFkuTyH2v7fEXaB+P32l37Vgsvh9YADlAoBgl
mPOufRCwC+OMP+5/bF8CjDOrHYTb5ZIVqiszPnpruR6MiZOqL6V1fEEnp3WA6fqPIu/4z4uDaVeagG0otDzjWMc+Bl/2n+69hawW
G750I28g/NNd359zupA8nSvdUO4W38Vk9Z+LZAFhV2JNs4ZNI9jhjIuw1VxAJXNBvB7xMsFk+xx1QV/1aw2+ZAh4i8BBvnpO1joq
V0dx238ObAIiUwe9Og8k7TK10JnC+wVyb0OM1Ki2qN3RXIZi8Zee5Uwi3EwxD4YJ0ve3S6ra8spViYr8pMdwOCDIvHNtXey3i8C/
xdaYuz3JlYb2lkF4GT48uO/sBheOoiY60EdXchYSmJFjO9LvFaK9L4PsDYPuHiYy4Cty8ptFJ6Quh/1vl6vCkMYLY6I6TI89PpQm
d3FqPBeIALgS5BC9U7a9ft3zUDFfe1Q0ZERX+p/Y0ci935hlNuDQDcnvlUj+BjyV/Swmc55oYEOvDB1EchFPiZ3SwCkoNb81qbmY
vBIJk6kWMMrsZXXEAIMYGEIZCJorLumRPkhk0UtJzPNCLeoNi0CW7PH2PoBtK66EqIg=

... And with additional encrypted data like:

HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Haatneylcoa\36j81186:

0000 F8 58 5F 63 96 5D 93 0E A5 87 99 35 CB EC EC DB .X_c.].....5....
0010 4F C2 CE 34 BD 47 55 28 8D AB 08 BB BC 43 E4 FE O..4.GU(.....C..
0020 50 E4 3B 81 59 11 55 13 97 99 8A BE A4 F7 2F 35 P.;.Y.U......./5
0030 86 52 70 64 DE F4 9C 30 BF 40 2D 30 A9 7F FD 35 .Rpd...0.@-0...5
0040 1A 74 4D 90 41 85 90 FF CE D4 2B 61 F8 74 31 4F .tM.A.....+a.t1O
0050 56 51 D3 00 A4 96 48 69 ED E6 63 E0 3B 83 93 50 VQ....Hi..c.;..P
0060 E2 E4 D5 E0 05 D8 71 14 1A C5 1A 10 8A 80 A5 72 ......q........r
0070 6F AB 11 0F AA 83 C4 52 D4 AF E2 7F F5 42 E8 37 o......R.....B.7
0080 1B 0A 54 A0 27 79 A3 E9 6E 51 DC 30 14 93 3E EB ..T.'y..nQ.0..>.
0090 6B A2 3C 27 32 DD 9B D2 41 92 92 FF 50 71 21 62 k.<'2...A...Pq!b
00A0 E4 10 47 27 33 5B A5 3E 58 A8 33 8A 89 0B E0 8B ..G'3[.>X.3.....
00B0 AB 22 C0 44 07 5F 01 6D C7 A7 E8 27 50 3B 34 43 .".D._.m...'P;4C
00C0 DE AD 75 1B 08 E9 68 EB FD CF 73 F5 D8 77 3E B3 ..u...h...s..w>.
00D0 19 4B E1 82 93 FE 3A ED CB D6 CC 32 94 9D AF 84 .K....:....2....
00E0 A1 96 22 4B 40 19 8A EF 2A DF D2 03 52 8E 19 47 .."K@...*...R..G
00F0 A5 75 39 5D 9D 4F 04 F2 79 37 4B B7 FE D4 42 04 .u9].O..y7K...B.
0100 31 B1 5E 0D 4C 19 81 9A 9D CE FE 72 83 98 F7 12 1.^.L......r....
0110 61 84 81 B3 F0 DF 12 74 5E 34 02 1A DD AD 78 9E a......t^4....x.
[...]

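The traces above give a defender three concrete host artifacts to hunt for: the dropper batch written to the user's Temp directory under the recovered `tmp` + `%08x` + `.bat` naming format (with the `del` / `if exist ... goto` retry loop), the `<variable>.dat` config dropped under Local Settings\Application Data, and the random-named key under HKCU\Software\Microsoft whose 8-character values hold base64 of encrypted data. The triage script below is an added example, not part of the original paste and not MalwareMustDie's tooling: it runs those three checks over constructed Procmon-style CSV rows modelled on the traces (the registry blob is generated in the script so it is known to be binary), and separately inspects a batch file reconstructed from the command templates listed above. Paths, process names and all log rows are constructed for illustration.

```python
import base64
import csv
import io
import re

# Constructed Procmon-style CSV rows modelled on the traces above; not a real capture.
# The registry value is generated here so it is known to be base64 of non-text bytes.
SAMPLE_BLOB = base64.b64encode(bytes(range(256)) * 2).decode()
SAMPLE_LOG = (
    '"Process Name","Operation","Path","Result","Detail"\n'
    '"Statement57-27-05-2013.exe","WriteFile","C:\\Documents and Settings\\USER\\Local Settings\\Temp\\tmpf8d49d9f.bat","SUCCESS","Offset: 0, Length: 71"\n'
    '"Statement57-27-05-2013.exe","WriteFile","C:\\Documents and Settings\\USER\\Local Settings\\Application Data\\cofa.uxo.dat","SUCCESS","Offset: 0, Length: 512"\n'
    '"irjypy.exe","RegSetValue","HKCU\\Software\\Microsoft\\Haatneylcoa\\2fejgjfb","SUCCESS","Type: REG_SZ, Length: '
    + str(2 * len(SAMPLE_BLOB)) + ', Data: ' + SAMPLE_BLOB + '"\n'
    '"notepad.exe","WriteFile","C:\\Documents and Settings\\USER\\My Documents\\notes.txt","SUCCESS","Offset: 0, Length: 12"\n'
    '"explorer.exe","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache\\C:\\WINDOWS\\notepad.exe","SUCCESS","Type: REG_SZ, Length: 16, Data: Notepad"\n'
)

# Constructed reconstruction of the dropped batch from the command templates above
# (the "%s" placeholders filled with illustrative paths).
SAMPLE_BATCH = """@echo off
:d
del "C:\\Documents and Settings\\USER\\Desktop\\Statement57-27-05-2013.exe"
if exist "C:\\Documents and Settings\\USER\\Desktop\\Statement57-27-05-2013.exe" goto d
del /F "C:\\Documents and Settings\\USER\\Local Settings\\Temp\\tmpf8d49d9f.bat"
"""

# "tmp" + "%08x" + ".bat" is the temp-file naming format recovered from the binary.
TMP_BAT = re.compile(r"\\Local Settings\\Temp\\tmp[0-9a-f]{8}\.bat$", re.I)
APPDATA_DAT = re.compile(r"\\Local Settings\\Application Data\\[^\\]+\.dat$", re.I)
# A random-looking key directly under HKCU\Software\Microsoft with an 8-char alphanumeric value name.
REG_BLOB_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\[A-Za-z]+\\[0-9a-z]{8}$")


def looks_like_encrypted_blob(value, min_len=64):
    """True for valid base64 that decodes to mostly non-printable bytes (ciphertext, not text)."""
    if len(value) < min_len or len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    raw = base64.b64decode(value)
    printable = sum(1 for b in raw if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(raw) < 0.8


def is_self_delete_batch(text):
    """A del line plus an 'if exist ... goto' retry loop is the dropper's self-removal idiom."""
    lines = [l.strip().lower() for l in text.splitlines()]
    has_del = any(l.startswith("del ") for l in lines)
    has_loop = any(l.startswith("if exist ") and " goto " in l for l in lines)
    return has_del and has_loop


def triage(log_text):
    """Return (rule, process, path) for each row that matches one of the Zbot-style traces."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "WriteFile" and TMP_BAT.search(path):
            hits.append(("temp-batch", row["Process Name"], path))
        elif op == "WriteFile" and APPDATA_DAT.search(path):
            hits.append(("appdata-config", row["Process Name"], path))
        elif op == "RegSetValue" and REG_BLOB_KEY.match(path):
            m = re.search(r"Data: (\S+)$", detail)
            if m and looks_like_encrypted_blob(m.group(1)):
                hits.append(("registry-blob", row["Process Name"], path))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(*hit)
    print("self-delete batch:", is_self_delete_batch(SAMPLE_BATCH))
```

The benign rows (a document write by notepad.exe and a MUICache entry written by explorer.exe) fall through all three rules, which is the point of anchoring the registry rule on both the key shape and the base64-of-ciphertext test rather than on either alone.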
  863.  
// This mess was changing my Internet account with the LDAP service:

\Internet Account Manager\Accounts\WhoWhere\LDAP Server ID: 0x00000003
\Internet Account Manager\Accounts\WhoWhere\Account Name: "WhoWhere インターネット ディレクトリ サービス"
\Internet Account Manager\Accounts\WhoWhere\LDAP Server: "ldap.whowhere.com"
\Internet Account Manager\Accounts\WhoWhere\LDAP URL: "http://www.whowhere.com"
\Internet Account Manager\Accounts\WhoWhere\LDAP Search Return: 0x00000064
\Internet Account Manager\Accounts\WhoWhere\LDAP Timeout: 0x0000003C
\Internet Account Manager\Accounts\WhoWhere\LDAP Authentication: 0x00000000
\Internet Account Manager\Accounts\WhoWhere\LDAP Simple Search: 0x00000001
\Internet Account Manager\Accounts\WhoWhere\LDAP Logo: "%ProgramFiles%\Common Files\Services\whowhere.bmp"
\Internet Account Manager\Accounts\VeriSign\LDAP Server ID: 0x00000002
\Internet Account Manager\Accounts\VeriSign\Account Name: "VeriSign インターネット ディレクトリ サービス"
\Internet Account Manager\Accounts\VeriSign\LDAP Server: "directory.verisign.com"
\Internet Account Manager\Accounts\VeriSign\LDAP URL: "http://www.verisign.com"
\Internet Account Manager\Accounts\VeriSign\LDAP Search Return: 0x00000064
\Internet Account Manager\Accounts\VeriSign\LDAP Timeout: 0x0000003C
\Internet Account Manager\Accounts\VeriSign\LDAP Authentication: 0x00000000
\Internet Account Manager\Accounts\VeriSign\LDAP Search Base: "NULL"
\Internet Account Manager\Accounts\VeriSign\LDAP Simple Search: 0x00000001
\Internet Account Manager\Accounts\VeriSign\LDAP Logo: "%ProgramFiles%\Common Files\Services\verisign.bmp"
\Internet Account Manager\Accounts\Bigfoot\LDAP Server ID: 0x00000001
\Internet Account Manager\Accounts\Bigfoot\Account Name: "Bigfoot インターネット ディレクトリ サービス"
\Internet Account Manager\Accounts\Bigfoot\LDAP Server: "ldap.bigfoot.com"
\Internet Account Manager\Accounts\Bigfoot\LDAP URL: "http://www.bigfoot.com"
\Internet Account Manager\Accounts\Bigfoot\LDAP Search Return: 0x00000064
\Internet Account Manager\Accounts\Bigfoot\LDAP Timeout: 0x0000003C
\Internet Account Manager\Accounts\Bigfoot\LDAP Authentication: 0x00000000
\Internet Account Manager\Accounts\Bigfoot\LDAP Simple Search: 0x00000001
\Internet Account Manager\Accounts\Bigfoot\LDAP Logo: "%ProgramFiles%\Common Files\Services\bigfoot.bmp"
\Internet Account Manager\Accounts\Active Directory GC\LDAP Server ID: 0x00000000
\Internet Account Manager\Accounts\Active Directory GC\Account Name: "Active Directory"
\Internet Account Manager\Accounts\Active Directory GC\LDAP Server: "NULL"
\Internet Account Manager\Accounts\Active Directory GC\LDAP Search Return: 0x00000064
\Internet Account Manager\Accounts\Active Directory GC\LDAP Timeout: 0x0000003C
\Internet Account Manager\Accounts\Active Directory GC\LDAP Authentication: 0x00000002
\Internet Account Manager\Accounts\Active Directory GC\LDAP Simple Search: 0x00000000
\Internet Account Manager\Accounts\Active Directory GC\LDAP Bind DN: 0x00000000
\Internet Account Manager\Accounts\Active Directory GC\LDAP Port: 0x00000CC4
\Internet Account Manager\Accounts\Active Directory GC\LDAP Resolve Flag: 0x00000001
\Internet Account Manager\Accounts\Active Directory GC\LDAP Secure Connection: 0x00000000
\Internet Account Manager\Accounts\Active Directory GC\LDAP User Name: "NULL"
\Internet Account Manager\Accounts\Active Directory GC\LDAP Search Base: "NULL"
\Internet Account Manager\Accounts\PreConfigVer: 0x00000004
\Internet Account Manager\Accounts\PreConfigVerNTDS: 0x00000001
\Internet Account Manager\Server ID: 0x00000004
\Internet Account Manager\Default LDAP Account: "Active Directory GC"

// And activates the malicious WAB (Address Book):

\Software\Microsoft\WAB\WAB4\Wab File Name\: "C:\Documents and Settings\rik\Application Data\Microsoft\Address Book\rik.wab"
\Software\Microsoft\WAB\WAB4\OlkContactRefresh: 0x00000000
\Software\Microsoft\WAB\WAB4\OlkFolderRefresh: 0x00000000

(the rest is as you saw in the behavior analysis, a good reference)

================================
// Zbot Network Analysis:
================================

// ICMP:

(DST-IP)
---------------
109.242.53.221
203.59.98.143
87.126.253.100
194.225.33.145
62.38.110.99

// TCP Communication (ESTABLISHED)

(IP):(DST-PORT)
---------------
176.62.240.159 TCP/1046
190.37.198.197 TCP/1050
77.52.101.167 TCP/1047
92.51.106.142 TCP/1044

// TCP Communication (FAILED)

77.52.101.167 TCP/1047

// UDP Communication (ESTABLISHED)

(IP):(DST-PORT)
---------------
87.202.38.85:26043
79.135.36.74:26094
181.67.50.91:27916
203.59.98.143:28022
78.161.154.194:25633
194.94.127.98:25549
176.62.240.159:24509
2.134.138.250:24581
95.141.135.26:25316
190.37.198.197:28133
195.169.125.228:29902
190.11.9.62:29691
190.37.115.43:29609
63.85.81.254:29130
66.170.195.42:28632
77.52.101.167:28906
36.69.33.103:29025
63.85.81.254:29130
176.62.240.159:24509
75.4.237.76:24145
49.245.21.129:10029
94.68.105.30:10038
122.163.41.96:10211
201.248.5.93:10313
84.59.222.81:21469
180.254.255.197:10643
41.201.235.43:10761
109.242.53.221:10914
124.123.214.163:10940
194.225.33.145:11337
180.254.155.197:10643
209.252.46.18:10643
89.122.155.200:10556
108.251.104.195:10416
91.22.119.127:10497
37.212.177.153:10510
89.122.155.200:10556
[...]

Please see the UDP PCAP for the full list here:
http://www.mediafire.com/?rteb7ee8xs9rzk0

---
#MalwareMustDie!
@unixfreaxjp ~]$ date
Tue May 28 23:50:23 JST 2013