Tuesday, November 29, 2016

Threat Intelligence - An Adaptive Approach to Information Security - Free Consultation Available


Dear, blog, readers, as, of, today, I'm, making, publicly, available, my, portfolio, of, services, including, active, threat, intelligence, gathering, and, processing, cybercriminals, and, network, assets, profiling, real, life, personalization, of, malicious, actors, OSINT, analyses, in-depth, understanding, and, processing, of, tactics, techniques, and, procedures (TTPs), including, the, production, of, custom, timely, and, relevant, managed, or, on, demand, client-tailored, reports, and, analysis, briefs, covering, managed, security, blogging, and, conference, attendance, cybercrime, malware, botnets, and, threat, intelligence, including, the, coverage, of, geopolitically, relevant, cyber, threat, assessments.

The, portfolio, of, services, includes, but, is, not, limited, to:

Real-time, managed, or, on, demand, analysis, briefs, and, reports, production:
- analysis, briefs, and, timely, and, relevant, reports, covering, cybercrime, malware, botnets, and, threat, intelligence, including, but, not, limited, to, tactics, techniques, and, procesured (TTPs), real, life, personalization, of, cybercriminals, and, network, assets

Geopolitically, relevant, and, geographically, selected, threat, intelligence, processing, and, gathering, relevant, reports:
- geopolitically, relevant, coverage, of, selected, geographic, regions, covering, cybercrime, malware, botnets, and, threat, intelligence, including, but, limited, to, tactics, techniques, and, procedures (TTPs), real, life, personalization, of, cybercriminals, and, network assets

Managed, security, blogging, and, presentation, conference, attendance:
- threat, intelligence, processing, as, a, service, including, but, not, limited, to, the, managed, processing, and, communication, of, threat, intelligence, gathering, and, processing, information, in, the, form, of, managed, communication, to, a, selected, set, of, audiences, including, but, not, limited, to, security, blogging, and, conferences, attendance, on, behalf, of, a, selected, enterprise, further, positioning, its, understanding, and, reaching, out, to, selected, clients

Managed, tactics, techniques, and, procedures (TTPs), processing, managing, and, gathering, analysis, and, reports:
- in-depth, understanding, of, tactics, techniques, and, procesures (TTPs), relevant, to, a, specific, cybercrime, group, geopolitically, relevant, region, or, a, selected, geographically, relevant, region

Enjoy!

Saturday, September 24, 2016

New Mobile Malware Hits Google Play, Hundreds of Users Affected

We've, recently, intercepted, a, currently, circulating, malicious, campaign, affecting, hundreds, of, Google, Play, users, potentially, exposing, their, devices, to, a, multi-tide, of, malicious, software, potentially, exposing, the, confidentiality, integrity, and, availability, of, their, devices. Largely, relying, on a, set, of, social, engineering, vectors, cybercriminals, continue, populating, Google, Play, with, hundreds, of, malicious, releases, successfully, bypassing, Google, Play's, security, mechanisms.

Thanks, to, a, vibrant, cybercrime, ecosystem, stolen, and, compromised, accounting, data, continues, to, represent, an, underground, market, commodity, successfully, empowering, novice, cybercriminals, with, the, necessary, tools, and, know-how, to, continue, launching, malicious, attacks. Largely, relying, on, a, set, of, social, engineering, vectors, cybercriminals, continue, to, successfully, compromise, and, take, advantage, of, stolen, publisher's, account, successfully, bypassing, Google, Play's, security, mechanisms, potentially, exposing, hundreds, of, thousands, of, users, to, a, multi-tude, of, malicious, software.

In, this, post, we'll, profile, the, campaign, expose, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Related malicious MD5s known to have participated in the campaign:
MD5: 3c4f56ebf48a0b47bffec547804d94f4
MD5: 8a81ef6673321bddc557c486bce2a025
MD5: 789cb05effb586bda98e87e71e340c39
MD5: 505e4d58c53d47245aa89c0fd7cded83
MD5: c7bb64012126e7f75feb5d021e755903

Once, executed, a, sample, malware (MD5: 3c4f56ebf48a0b47bffec547804d94f4), phones, back, to, the, following, C&C, server, IPs:
hxxp://art.hornymilfporna.com/g/getasite/
hxxp://art.hornymilfporna.com/z/orap/
hxxp://art.hornymilfporna.com/z/z2/
hxxp://art.hornymilfporna.com/z/z5/

Related malicious MD5s known to have phoned back to the same C&C server IP (art.hornymilfporna.com):
MD5: ee329ffcd6fe835bfdc0ec1a7f033584

Related malicious MD5s known to have phoned back to the same C&C server IP (hornymilfporna.com - 54.72.9.51; 104.27.188.20; 104.24.124.113):
MD5: d990fe6ed56e5f087dfc4c1ad09e2591
MD5: d129b79a68dd362714a4d35f9901c661
MD5: d74aab1f688c670c172c3767a17c4953
MD5: 5f8a4de87409b399d262bd0ae0a908d7
MD5: 189803a93cde9e0c401ac386c154328f

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server IPs:
hxxp://fullset.link
hxxp://allmodel-pro.com
hxxp://sso.anbtr.com
hxxp://xsso.allmodel-pro.com
hxxp://fullset.info
hxxp://groupmodel.biz

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
212.61.180.100
195.22.28.222
212.61.180.100
54.72.9.51

Once, executed, a, sample, malware (MD5: 8a81ef6673321bddc557c486bce2a025), phones, back, to, the, following, C&C, server, IPs:
hxxp://cinar.pussyteenx.com/g/getasite/ - 8.5.1.44; 46.45.168.84
hxxp://cinar.pussyteenx.com/z/orap/
hxxp://cinar.pussyteenx.com/z/z2/
hxxp://cinar.pussyteenx.com/z/z5/

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs (cinar.pussyteenx.com - 8.5.1.44; 46.45.168.84):
MD5: b9a2447a5b292566b4998c5d996f488b

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IP (cinar.pussyteenx.com - 8.5.1.44; 46.45.168.84):
MD5: f8205b4b9ae5d8ac8bf7b3996a6be408
MD5: a73138a8275b68296bfcf0ed39b2665c
MD5: ff06679eb18932e31f8b05d92a48b4eb
MD5: 107993dce5417356d40279feb2be0017
MD5: d5ed564fd2f4c10e3a26df9342a09545

Once, executed, a, sample, malware (MD5: f8205b4b9ae5d8ac8bf7b3996a6be408), phones, back, to, the, following, C&C, server, IPs:
hxxp://englishmeasure.net
hxxp://eitherdinner.net
hxxp://englishdinner.net
hxxp://eitherafraid.net
hxxp://englishafraid.net
hxxp://eithercircle.net
hxxp://englishcircle.net
hxxp://expectwheat.net
hxxp://becausewheat.net
hxxp://expectanger.net
hxxp://becauseanger.net
hxxp://expectalways.net
hxxp://becausealways.net
hxxp://expectforest.net
hxxp://becauseforest.net
hxxp://personwheat.net
hxxp://machinewheat.net
hxxp://personanger.net
hxxp://machineanger.net
hxxp://personalways.net
hxxp://machinealways.net
hxxp://personforest.net
hxxp://machineforest.net
hxxp://suddenwheat.net
hxxp://foreignwheat.net
hxxp://suddenanger.net
hxxp://foreignanger.net
hxxp://suddenalways.net
hxxp://foreignalways.net
hxxp://suddenforest.net
hxxp://foreignforest.net
hxxp://whetherwheat.net
hxxp://rightwheat.net
hxxp://whetheranger.net
hxxp://rightanger.net
hxxp://whetheralways.net
hxxp://rightalways.net
hxxp://whetherforest.net
hxxp://rightforest.net
hxxp://figurewheat.net
hxxp://thoughwheat.net
hxxp://figureanger.net
hxxp://thoughanger.net
hxxp://figurealways.net
hxxp://thoughalways.net
hxxp://figureforest.net
hxxp://thoughforest.net
hxxp://picturewheat.net
hxxp://cigarettewheat.net
hxxp://pictureanger.net
hxxp://cigaretteanger.net
hxxp://picturealways.net
hxxp://cigarettealways.net
hxxp://pictureforest.net
hxxp://cigaretteforest.net
hxxp://childrenwheat.net
hxxp://familywheat.net
hxxp://childrenanger.net
hxxp://familyanger.net
hxxp://childrenalways.net
hxxp://familyalways.net
hxxp://childrenforest.net
hxxp://familyforest.net
hxxp://eitherwheat.net
hxxp://englishwheat.net
hxxp://eitheranger.net
hxxp://englishanger.net
hxxp://eitheralways.net
hxxp://englishalways.net
hxxp://eitherforest.net
hxxp://englishforest.net
hxxp://expectschool.net
hxxp://becauseschool.net
hxxp://expectwhile.net
hxxp://becausewhile.net
hxxp://expectquestion.net
hxxp://becausequestion.net
hxxp://expecttherefore.net
hxxp://becausetherefore.net
hxxp://personschool.net
hxxp://machineschool.net
hxxp://personwhile.net
hxxp://machinewhile.net
hxxp://personquestion.net
hxxp://machinequestion.net

Once, executed, a, sample, malware (MD5: a73138a8275b68296bfcf0ed39b2665c), phones, back, to, the, following, C&C, server, IPs:
hxxp://figurefather.net
hxxp://thoughfather.net
hxxp://figureapple.net
hxxp://thoughapple.net
hxxp://figurebuilt.net
hxxp://thoughbuilt.net
hxxp://figurecarry.net
hxxp://thoughcarry.net
hxxp://picturefather.net
hxxp://cigarettefather.net
hxxp://pictureapple.net
hxxp://cigaretteapple.net
hxxp://picturebuilt.net
hxxp://cigarettebuilt.net
hxxp://picturecarry.net
hxxp://cigarettecarry.net
hxxp://childrenfather.net
hxxp://familyfather.net
hxxp://childrenapple.net
hxxp://familyapple.net
hxxp://childrenbuilt.net
hxxp://familybuilt.net
hxxp://childrencarry.net
hxxp://familycarry.net
hxxp://eitherfather.net
hxxp://englishfather.net
hxxp://eitherapple.net
hxxp://englishapple.net
hxxp://eitherbuilt.net
hxxp://englishbuilt.net
hxxp://eithercarry.net
hxxp://englishcarry.net
hxxp://expectmeasure.net
hxxp://becausemeasure.net
hxxp://expectdinner.net
hxxp://becausedinner.net
hxxp://expectafraid.net
hxxp://becauseafraid.net
hxxp://expectcircle.net
hxxp://becausecircle.net
hxxp://personmeasure.net
hxxp://machinemeasure.net
hxxp://persondinner.net
hxxp://machinedinner.net
hxxp://personafraid.net
hxxp://machineafraid.net
hxxp://personcircle.net
hxxp://machinecircle.net
hxxp://suddenmeasure.net
hxxp://foreignmeasure.net
hxxp://suddendinner.net
hxxp://foreigndinner.net
hxxp://suddenafraid.net
hxxp://foreignafraid.net
hxxp://suddencircle.net
hxxp://foreigncircle.net
hxxp://whethermeasure.net
hxxp://rightmeasure.net
hxxp://whetherdinner.net
hxxp://rightdinner.net
hxxp://whetherafraid.net
hxxp://rightafraid.net
hxxp://whethercircle.net
hxxp://rightcircle.net
hxxp://figuremeasure.net
hxxp://thoughmeasure.net
hxxp://figuredinner.net
hxxp://thoughdinner.net
hxxp://figureafraid.net
hxxp://thoughafraid.net
hxxp://figurecircle.net
hxxp://thoughcircle.net
hxxp://picturemeasure.net
hxxp://cigarettemeasure.net
hxxp://picturedinner.net
hxxp://cigarettedinner.net
hxxp://pictureafraid.net
hxxp://cigaretteafraid.net
hxxp://picturecircle.net
hxxp://cigarettecircle.net
hxxp://childrenmeasure.net
hxxp://familymeasure.net
hxxp://childrendinner.net
hxxp://familydinner.net
hxxp://childrenafraid.net
hxxp://familyafraid.net
hxxp://childrencircle.net
hxxp://familycircle.net
hxxp://eithermeasure.net
hxxp://englishmeasure.net
hxxp://eitherdinner.net
hxxp://englishdinner.net
hxxp://eitherafraid.net
hxxp://englishafraid.net
hxxp://eithercircle.net
hxxp://englishcircle.net
hxxp://expectwheat.net
hxxp://becausewheat.net
hxxp://expectanger.net
hxxp://becauseanger.net
hxxp://expectalways.net
hxxp://becausealways.net
hxxp://expectforest.net
hxxp://becauseforest.net
hxxp://personwheat.net
hxxp://machinewheat.net
hxxp://personanger.net
hxxp://machineanger.net
hxxp://personalways.net
hxxp://machinealways.net
hxxp://personforest.net
hxxp://machineforest.net
hxxp://suddenwheat.net
hxxp://foreignwheat.net
hxxp://suddenanger.net
hxxp://foreignanger.net
hxxp://suddenalways.net
hxxp://foreignalways.net
hxxp://suddenforest.net
hxxp://foreignforest.net
hxxp://whetherwheat.net
hxxp://rightwheat.net
hxxp://whetheranger.net
hxxp://rightanger.net
hxxp://whetheralways.net
hxxp://rightalways.net
hxxp://whetherforest.net
hxxp://rightforest.net
hxxp://figurewheat.net
hxxp://thoughwheat.net
hxxp://figureanger.net

Once, executed, a, sample, malware, phones, back, to the, following, C&C, server, IPs:
hxxp://195.22.28.197
hxxp://195.22.28.199
hxxp://184.168.221.55
hxxp://208.100.26.234
hxxp://184.168.221.35
hxxp://98.124.243.42
hxxp://208.100.26.234
hxxp://184.168.221.104
hxxp://173.236.80.218
hxxp://195.22.26.248
hxxp://195.22.26.248
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://8.5.1.44
hxxp://98.130.238.135

Once, executed, a, sample, malware (MD5: ff06679eb18932e31f8b05d92a48b4eb), phones, back, to, the, following, C&C, server, IPs:
hxxp://strengthbecame.net
hxxp://stillbecame.net
hxxp://strengthcontain.net
hxxp://stillcontain.net
hxxp://strengthbasket.net
hxxp://stillbasket.net
hxxp://movementsettle.net
hxxp://outsidesettle.net
hxxp://movementlanguage.net
hxxp://outsidelanguage.net
hxxp://movementdevice.net
hxxp://outsidedevice.net
hxxp://movementbefore.net
hxxp://outsidebefore.net
hxxp://buildingsettle.net
hxxp://eveningsettle.net
hxxp://buildinglanguage.net
hxxp://eveninglanguage.net
hxxp://buildingdevice.net
hxxp://eveningdevice.net
hxxp://buildingbefore.net
hxxp://eveningbefore.net
hxxp://storesettle.net
hxxp://mightsettle.net
hxxp://storelanguage.net
hxxp://mightlanguage.net
hxxp://storedevice.net
hxxp://mightdevice.net
hxxp://storebefore.net
hxxp://mightbefore.net
hxxp://doctorsettle.net
hxxp://prettysettle.net
hxxp://doctorlanguage.net
hxxp://prettylanguage.net
hxxp://doctordevice.net
hxxp://prettydevice.net
hxxp://doctorbefore.net
hxxp://prettybefore.net
hxxp://fellowsettle.net
hxxp://doublesettle.net
hxxp://fellowlanguage.net
hxxp://doublelanguage.net
hxxp://fellowdevice.net
hxxp://doubledevice.net
hxxp://fellowbefore.net
hxxp://doublebefore.net
hxxp://brokensettle.net
hxxp://resultsettle.net
hxxp://brokenlanguage.net
hxxp://resultlanguage.net
hxxp://brokendevice.net
hxxp://resultdevice.net
hxxp://brokenbefore.net
hxxp://resultbefore.net
hxxp://preparesettle.net
hxxp://desiresettle.net
hxxp://preparelanguage.net
hxxp://desirelanguage.net
hxxp://preparedevice.net
hxxp://desiredevice.net
hxxp://preparebefore.net
hxxp://desirebefore.net
hxxp://strengthsettle.net
hxxp://stillsettle.net
hxxp://strengthlanguage.net
hxxp://stilllanguage.net
hxxp://strengthdevice.net
hxxp://stilldevice.net
hxxp://strengthbefore.net
hxxp://stillbefore.net
hxxp://movementfound.net
hxxp://outsidefound.net
hxxp://movementspring.net
hxxp://outsidespring.net
hxxp://movementsuccess.net
hxxp://outsidesuccess.net
hxxp://movementbanker.net
hxxp://outsidebanker.net
hxxp://buildingfound.net
hxxp://eveningfound.net
hxxp://buildingspring.net
hxxp://eveningspring.net
hxxp://buildingsuccess.net
hxxp://eveningsuccess.net
hxxp://buildingbanker.net
hxxp://eveningbanker.net
hxxp://storefound.net
hxxp://mightfound.net
hxxp://storespring.net
hxxp://mightspring.net
hxxp://storesuccess.net
hxxp://mightsuccess.net
hxxp://storebanker.net
hxxp://mightbanker.net
hxxp://doctorfound.net
hxxp://prettyfound.net
hxxp://doctorspring.net
hxxp://prettyspring.net
hxxp://doctorsuccess.net
hxxp://prettysuccess.net
hxxp://doctorbanker.net
hxxp://prettybanker.net
hxxp://fellowfound.net
hxxp://doublefound.net
hxxp://fellowspring.net
hxxp://doublespring.net
hxxp://fellowsuccess.net
hxxp://doublesuccess.net
hxxp://fellowbanker.net
hxxp://doublebanker.net
hxxp://brokenfound.net
hxxp://resultfound.net
hxxp://brokenspring.net
hxxp://resultspring.net
hxxp://brokensuccess.net
hxxp://resultsuccess.net
hxxp://brokenbanker.net
hxxp://resultbanker.net
hxxp://preparefound.net
hxxp://desirefound.net
hxxp://preparespring.net
hxxp://desirespring.net
hxxp://preparesuccess.net
hxxp://desiresuccess.net
hxxp://preparebanker.net
hxxp://desirebanker.net
hxxp://strengthfound.net
hxxp://stillfound.net
hxxp://strengthspring.net
hxxp://stillspring.net
hxxp://strengthsuccess.net
hxxp://stillsuccess.net
hxxp://strengthbanker.net
hxxp://stillbanker.net
hxxp://movementairplane.net
hxxp://outsideairplane.net
hxxp://movementstraight.net
hxxp://outsidestraight.net
hxxp://movementguard.net
hxxp://outsideguard.net
hxxp://movementfence.net
hxxp://outsidefence.net
hxxp://buildingairplane.net
hxxp://eveningairplane.net
hxxp://buildingstraight.net
hxxp://eveningstraight.net
hxxp://buildingguard.net
hxxp://eveningguard.net
hxxp://buildingfence.net
hxxp://eveningfence.net
hxxp://storeairplane.net
hxxp://mightairplane.net
hxxp://storestraight.net
hxxp://mightstraight.net
hxxp://storeguard.net
hxxp://mightguard.net

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://98.124.243.39
hxxp://195.22.28.198
hxxp://216.239.34.21
hxxp://208.100.26.234
hxxp://195.22.26.248
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://50.63.202.6
hxxp://54.207.35.233
hxxp://8.5.1.44
hxxp://74.208.236.66
hxxp://81.21.76.62
hxxp://50.63.202.55
hxxp://208.91.197.25
hxxp://5.2.189.251
hxxp://195.22.28.198

Once, executed, a, sample, malware (MD5: 107993dce5417356d40279feb2be0017), phones, back, to, the, following, C&C, server, IPs:
hxxp://movementindustry.net
hxxp://outsideindustry.net
hxxp://movementbecame.net
hxxp://outsidebecame.net
hxxp://movementcontain.net
hxxp://outsidecontain.net
hxxp://movementbasket.net
hxxp://outsidebasket.net
hxxp://buildingindustry.net
hxxp://eveningindustry.net
hxxp://buildingbecame.net
hxxp://eveningbecame.net
hxxp://buildingcontain.net
hxxp://eveningcontain.net
hxxp://buildingbasket.net
hxxp://eveningbasket.net
hxxp://storeindustry.net
hxxp://mightindustry.net
hxxp://storebecame.net
hxxp://mightbecame.net
hxxp://storecontain.net
hxxp://mightcontain.net
hxxp://storebasket.net
hxxp://mightbasket.net
hxxp://doctorindustry.net
hxxp://prettyindustry.net
hxxp://doctorbecame.net
hxxp://prettybecame.net
hxxp://doctorcontain.net
hxxp://prettycontain.net
hxxp://doctorbasket.net
hxxp://prettybasket.net
hxxp://fellowindustry.net
hxxp://doubleindustry.net
hxxp://fellowbecame.net
hxxp://doublebecame.net
hxxp://fellowcontain.net
hxxp://doublecontain.net
hxxp://fellowbasket.net
hxxp://doublebasket.net
hxxp://brokenindustry.net
hxxp://resultindustry.net
hxxp://brokenbecame.net
hxxp://resultbecame.net
hxxp://brokencontain.net
hxxp://resultcontain.net
hxxp://brokenbasket.net
hxxp://resultbasket.net
hxxp://prepareindustry.net
hxxp://desireindustry.net
hxxp://preparebecame.net
hxxp://desirebecame.net
hxxp://preparecontain.net
hxxp://desirecontain.net
hxxp://preparebasket.net
hxxp://desirebasket.net
hxxp://strengthindustry.net
hxxp://stillindustry.net
hxxp://strengthbecame.net
hxxp://stillbecame.net
hxxp://strengthcontain.net
hxxp://stillcontain.net
hxxp://strengthbasket.net
hxxp://stillbasket.net
hxxp://movementsettle.net
hxxp://outsidesettle.net
hxxp://movementlanguage.net
hxxp://outsidelanguage.net
hxxp://movementdevice.net
hxxp://outsidedevice.net
hxxp://movementbefore.net
hxxp://outsidebefore.net
hxxp://buildingsettle.net
hxxp://eveningsettle.net
hxxp://buildinglanguage.net
hxxp://eveninglanguage.net
hxxp://buildingdevice.net
hxxp://eveningdevice.net
hxxp://buildingbefore.net
hxxp://eveningbefore.net
hxxp://storesettle.net
hxxp://mightsettle.net
hxxp://storelanguage.net
hxxp://mightlanguage.net
hxxp://storedevice.net
hxxp://mightdevice.net
hxxp://storebefore.net
hxxp://mightbefore.net
hxxp://doctorsettle.net
hxxp://prettysettle.net
hxxp://doctorlanguage.net
hxxp://prettylanguage.net
hxxp://doctordevice.net
hxxp://prettydevice.net
hxxp://doctorbefore.net
hxxp://prettybefore.net
fhxxp://ellowsettle.net
hxxp://doublesettle.net
hxxp://fellowlanguage.net
hxxp://doublelanguage.net
fhxxp://ellowdevice.net
hxxp://doubledevice.net
hxxp://fellowbefore.net
hxxp://doublebefore.net
hxxp://brokensettle.net
hxxp://resultsettle.net
hxxp://brokenlanguage.net
hxxp://resultlanguage.net
hxxp://brokendevice.net
hxxp://resultdevice.net
hxxp://brokenbefore.net
hxxp://resultbefore.net
hxxp://preparesettle.net
hxxp://desiresettle.net
hxxp://preparelanguage.net
hxxp://desirelanguage.net
hxxp://preparedevice.net
hxxp://desiredevice.net
hxxp://preparebefore.net
hxxp://desirebefore.net
hxxp://strengthsettle.net
hxxp://stillsettle.net
hxxp://strengthlanguage.net
hxxp://stilllanguage.net
hxxp://strengthdevice.net
hxxp://stilldevice.net
hxxp://strengthbefore.net
hxxp://stillbefore.net
hxxp://movementfound.net
hxxp://outsidefound.net
hxxp://movementspring.net
hxxp://outsidespring.net
hxxp://movementsuccess.net
hxxp://outsidesuccess.net
hxxp://movementbanker.net
hxxp://outsidebanker.net
hxxp://buildingfound.net
hxxp://eveningfound.net
hxxp://buildingspring.net
hxxp://eveningspring.net
hxxp://buildingsuccess.net
hxxp://eveningsuccess.net
hxxp://buildingbanker.net
hxxp://eveningbanker.net
hxxp://storefound.net
hxxp://mightfound.net
hxxp://storespring.net
hxxp://mightspring.net
hxxp://storesuccess.net
hxxp://mightsuccess.net
hxxp://storebanker.net
hxxp://mightbanker.net
hxxp://doctorfound.net
hxxp://prettyfound.net
hxxp://doctorspring.net
hxxp://prettyspring.net
hxxp://doctorsuccess.net
hxxp://prettysuccess.net
hxxp://doctorbanker.net
hxxp://prettybanker.net
hxxp://fellowfound.net
hxxp://doublefound.net
hxxp://fellowspring.net
hxxp://doublespring.net
hxxp://fellowsuccess.net
hxxp://doublesuccess.net
hxxp://fellowbanker.net
hxxp://doublebanker.net
hxxp://brokenfound.net
hxxp://resultfound.net

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://207.148.248.143
hxxp://50.63.202.56
hxxp://208.100.26.234
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://98.124.243.39
hxxp://195.22.28.199
hxxp://216.239.32.21
hxxp://208.100.26.234
hxxp://195.22.26.248
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://50.63.202.6
hxxp://54.207.35.233
hxxp://8.5.1.44
hxxp://74.208.236.66

Once, executed, a, sample, malware (MD5: d5ed564fd2f4c10e3a26df9342a09545), phones, back, to, the, following, C&C, server, IPs:
hxxp://desiredress.net
hxxp://strengthcatch.net
hxxp://stillcatch.net
hxxp://strengtheearly.net
hxxp://stilleearly.net
hxxp://strengthpublic.net
hxxp://stillpublic.net
hxxp://strengthdress.net
hxxp://stilldress.net
hxxp://expectlength.net
hxxp://becauselength.net
hxxp://expectnotice.net
hxxp://becausenotice.net
hxxp://expectindeed.net
hxxp://becauseindeed.net
hxxp://expectduring.net
hxxp://becauseduring.net
hxxp://personlength.net
hxxp://machinelength.net
hxxp://personnotice.net
hxxp://machinenotice.net
hxxp://personindeed.net
hxxp://machineindeed.net
hxxp://personduring.net
hxxp://machineduring.net
hxxp://suddenlength.net
hxxp://foreignlength.net
hxxp://suddennotice.net
hxxp://foreignnotice.net
hxxp://suddenindeed.net
hxxp://foreignindeed.net
hxxp://suddenduring.net
hxxp://foreignduring.net
hxxp://whetherlength.net
hxxp://rightlength.net
hxxp://whethernotice.net
hxxp://rightnotice.net
hxxp://whetherindeed.net
hxxp://rightindeed.net
hxxp://whetherduring.net
hxxp://rightduring.net
hxxp://figurelength.net
hxxp://thoughlength.net
hxxp://figurenotice.net
hxxp://thoughnotice.net
hxxp://figureindeed.net
hxxp://thoughindeed.net
hxxp://figureduring.net
hxxp://thoughduring.net
hxxp://picturelength.net
hxxp://cigarettelength.net
hxxp://picturenotice.net
hxxp://cigarettenotice.net
hxxp://pictureindeed.net
hxxp://cigaretteindeed.net
hxxp://pictureduring.net
hxxp://cigaretteduring.net
hxxp://childrenlength.net
hxxp://familylength.net
hxxp://childrennotice.net
hxxp://familynotice.net
hxxp://childrenindeed.net
hxxp://familyindeed.net
hxxp://childrenduring.net
hxxp://familyduring.net
hxxp://eitherlength.net
hxxp://englishlength.net
hxxp://eithernotice.net
hxxp://englishnotice.net
hxxp://eitherindeed.net
hxxp://englishindeed.net
hxxp://eitherduring.net
hxxp://englishduring.net
hxxp://expectclear.net
hxxp://becauseclear.net
hxxp://expectgeneral.net
hxxp://becausegeneral.net
hxxp://expectinclude.net
hxxp://becauseinclude.net
hxxp://expectnorth.net
hxxp://becausenorth.net
hxxp://personclear.net
hxxp://machineclear.net
hxxp://persongeneral.net
hxxp://machinegeneral.net
hxxp://personinclude.net
hxxp://machineinclude.net
hxxp://personnorth.net
hxxp://machinenorth.net
hxxp://suddenclear.net
hxxp://foreignclear.net
hxxp://suddengeneral.net
hxxp://foreigngeneral.net
hxxp://suddeninclude.net
hxxp://foreigninclude.net
hxxp://suddennorth.net
hxxp://foreignnorth.net
hxxp://whetherclear.net
hxxp://rightclear.net
hxxp://whethergeneral.net
hxxp://rightgeneral.net
hxxp://whetherinclude.net
hxxp://rightinclude.net
hxxp://whethernorth.net
hxxp://rightnorth.net
hxxp://figureclear.net
hxxp://thoughclear.net
hxxp://figuregeneral.net
hxxp://thoughgeneral.net
hxxp://figureinclude.net
hxxp://thoughinclude.net
hxxp://figurenorth.net
hxxp://thoughnorth.net
hxxp://pictureclear.net
hxxp://cigaretteclear.net
hxxp://picturegeneral.net
hxxp://cigarettegeneral.net
hxxp://pictureinclude.net
hxxp://cigaretteinclude.net
hxxp://picturenorth.net
hxxp://cigarettenorth.net
hxxp://childrenclear.net
hxxp://familyclear.net
hxxp://childrengeneral.net
hxxp://familygeneral.net
hxxp://childreninclude.net
hxxp://familyinclude.net
hxxp://childrennorth.net
hxxp://familynorth.net
hxxp://eitherclear.net
hxxp://englishclear.net
hxxp://eithergeneral.net
hxxp://englishgeneral.net
hxxp://eitherinclude.net
hxxp://englishinclude.net
hxxp://eithernorth.net

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://195.22.28.197
hxxp://208.100.26.234
hxxp://8.5.1.44
hxxp://208.100.26.234
hxxp://195.22.28.199
hxxp://162.255.119.249
hxxp://208.100.26.234
hxxp://98.124.243.44

Once, executed, a, sample, malware (MD5: 789cb05effb586bda98e87e71e340c39), phones, back, to, the, following, C&C, server, IPs:
hxxp://diyar.collegegirlteen.com/g/getasite/ - 46.45.168.84
hxxp://diyar.collegegirlteen.com/z/orap/
hxxp://diyar.collegegirlteen.com/z/z2/
hxxp://diyar.collegegirlteen.com/z/z5/

Related, malicious, MD5s, known, to, have, phoned, back, to, the, following, C&C, server, IPs:
MD5: acd62483446c7ed057f312784bfddd61

Once, executed, a, sample, malware (MD5: 505e4d58c53d47245aa89c0fd7cded83), phones, back, to, the, following, C&C, server, IPs:
hxxp://van.cowteen.com/g/getasite/ - 46.45.168.84
hxxp://van.cowteen.com/z/orap/
hxxp://van.cowteen.com/z/z2/
hxxp://van.cowteen.com/z/z5/

Related. malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IP:
MD5: 13f2e7b3141b84666e0209e140663ef2

Once, executed, a, sample, malware, phones, back, to, the, following, C&C, server, IPs:
hxxp://w.bestmobile.mobi/ - 104.31.66.169; 104.31.67.169; 104.28.0.226; 104.28.1.226

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs:
MD5: 92bd8e7e58816bcb14f9dcbf839178ca
MD5: 1ee44596b174edb55c4bc497c1fe5f34
MD5: 443f732e406b3d96e53184917525e14a
MD5: a24fad894881b746c48420b019a225cf
MD5: 7c8a8f96c5b31e6ccae936ddc5226c91

Once, executed, a, sample, malware (MD5: a24fad894881b746c48420b019a225cf), phones, back, to, the, following, C&C, server, IPs:
hxxp://au.umeng.co - 140.205.170.6; 140.205.230.45; 140.205.250.51; 140.205.134.243; 140.205.155.238; 110.173.196.195; 211.151.139.211; 211.151.139.210
hxxp://au.umeng.com/api/check_app_update - 140.205.134.243; 140.205.170.6; 140.205.250.51; 140.205.230.45; 140.205.155.238; 110.173.196.195; 211.151.151.6; 211.151.139.210;
211.151.139.211

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IP (au.umeng.co - 140.205.170.6; 140.205.230.45; 140.205.250.51; 140.205.134.243; 140.205.155.238; 110.173.196.195; 211.151.139.211; 211.151.139.210):
MD5: 65a6f1e29b09ba7caa98a9763593aedb
MD5: 102111b9024b71f6ab584d22abdbc589
MD5: 9ad137e51a5b6b2288c774a74a7e80da
MD5: a70595e99b3471216404400b736eaf7c
MD5: 3d3360250c96dff33e177121113b5a3f

Once, executed, a, sample, malware, phones, back, to, the, same, C&C, server, IPs:
hxxp://211.139.191.223
hxxp://221.179.35.113

Once, executed, a, sample, malware, phones, back, to, the, same, C&C, server, IPs:
hxxp://115.28.174.189/hft/rq.php

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C&C, server, IPs:
MD5: c0464c5193dec0980a07fa2e50deffb1

We'll, continue, monitoring, the, market, segment, for, mobile, malware, and, post, updates, as, soon, as, new, developments, take, place.

Friday, September 23, 2016

The Rise of Mobile Malware - A Retrospective

With, mobile, malware, continuing, to, proliferate, cybercriminals, continue, getting, successfully, positioned, to, take, advantage, of, hundreds, of, thousands, of, socially, engineering, users, on, their, way, to, earn, fraudulent, revenue, in, the, process, of, monetizing, access, to, their, devices, potentially, compromising, the, confidentiality, integrity, and, availability, of, their, devices, on, their, way, to, earn, fraudulent, revenue, in the, process. 

Thanks, to, a vibrant, cybercrime, ecosystem, offering, access, to, a, variety, of, managed, cybercrime-friendly, services, next, to, the, overall, availability, of, DIY (do-it-yourself), type, of, malicious, software, generating, tools, cybercriminals, continue, getting, successfully, positioned, to, take, advantage, of, hundreds, of, thousands, of, socially, engineered, users,
on, their, way, to, monetize, access, to, their, devices, and, earn, fraudulent, revenue, in, the, process.

Largely, relying, on, a, set, of, socially, engineering, attack, vectors, cybercriminals, continue, successfully, infiltrating, and, bypassing, Google Play, the, Web's, most, popular, Android, applications, marketplace, on, their, way, to, earn, fraudulent, revenue, in, the, process, successfully, tricking, hundreds, of, thousands, of, users, into, successfully, executing, malicious, software, on, their, devices.

Thanks, to, a, vibrant, cybercrime-friendly, ecosystem, offering, a, variety, of, managed, services, including, the, compromise, of, a, legitimate, publisher's, Google Play, account, cybercriminals, continue, successfully, infiltrating, Google Play, successfully, earning, fraudulent, revenue, in, the, process, while, tricking, tens, of, thousands, of, socially, engineered, users, into, executing, malicious, software, on, their, devices.

Largely, relying, on, the, active, abuse, of, access, to, a, malware-infected, hosts, cybercriminals, continue, successfully, utilizing, basic, data, mining, techniques, to, successfully, obtain, access, to, a, set, of, Web, properties, including, but, not, limited, to, Google Play, for, the, purpose, of, successfully, earning, fraudulent, revenue, in, the, process. Largely, relying, on, basic, traffic, segmentation, tactics, cybercriminals, are, successfully, positioned, to, obtain, access, to, a, legitimate, Google Play, publisher's, account, for, the, purpose, of, successfully, monetizing, access, to, a, particular, publisher's, account, on, their, way, to, spread, malicious, software, and, earn, fraudulent, revenue, in, the, process.

These, basic, social, engineering, type, of, attack, techniques, continue, successfully, empowering, cybercriminals, with, the, necessary, tactics, techniques, and, procedures, successfully, bypassing, Google Play's, security mechanisms, on, their, way, to, spread, malicious, software, and, earn, fraudulent, revenue, in, the, process, of, obtaining, access, to, a, particular, publisher's, Google Play, account.

Next, to, the, general, compromise, of, a, legitimate, publisher's, Google Play, account, cybercriminals, are, successfully, positioned, to, take, advantage, of, primary, Android, applications, marketplaces, such, as, Google, Play, for, the, purpose, of, successfully, establishing, rogue, publisher's, reputations, successfully, relying, on, a, set, of, cybercrime-friendly, managed, underground, type, of, managed, cybercrime-friendly, services, offering, access, to, Google, Play, for, the, purpose, of, successfully, monetizing, access, to, a, particular, publisher's, account, largely, relying, on, a, set, of, social, engineering, attack, vectors, in, combination, with, the, use, of, cybercrime-friendly, managed, DIY (do-it-yourself), type, of, managed, cybercrime-friendly, services, successfully, monetizing, access, to, a, particular, publisher's, account, for, the, purpose, of, earning, fraudulent, revenue, in, the, process, while, successfully, infiltrating, the, Web's, most, popular, Android, marketplace, Google, Play.

Next, the, general, compromise, of, a, legitimate, publisher's, Google, Play, account, next, to, the, general, infiltrating, of, Google, Play, for, the, purpose, of, pushing, malicious, software, to unsuspecting, users, cybercriminals, continue, actively, relying, on, a, set, of, underground, market, cybercrime-friendly, secondary, marketplaces, offering, access, to, hundreds, of, thousands, of, rogue, Android, applications, successfully, bypassing, a, socially, engineered, user's, security, device, security, mechanisms, on, their, way, to, earn, fraudulent, revenue, in, the, process, while, successfully, monetizing, access, to, a, particular, compromise, device, on, their, way, to earn, fraudulent, revenue, in, the, process. 

With, secondary, marketplaces, continuing, to, proliferate, cybercriminals, continue, earning, fraudulent, revenue, in, the, process, of, monetizing, and, obtaining, access, to, a, socially, engineered, user's, compromised, device. Largely, relying, on, a, set, of, black, hat, SEO (search engine optimization) tactics, cybercriminals, continue, actively, populating, secondary, marketplaces, with, hundreds, of, thousands, of, rogue, applications, potentially, exposing, the, confidentiality, integrity, and, availability, of, a, socially, engineered, user's, compromised, device, for, the, purpose, of, earning,
fraudulent, revenue, in, the, process. With, secondary, marketplaces, continuing, to, bypass, a, socially, engineered, user's, device, security, for, the, purpose, of, earning, fraudulent, revenue, in, the, process, cybercriminals, continue, to, successfully, bypass, an, affected, user's, device, security, for, the, purpose, of, earning, fraudulent, revenue, in, the, process.

Thanks, to, a vibrant, cybercrime-friendly, ecosystem, cybercriminals, continue, to, successfully, infiltrate, primary, and, secondary, marketplaces, with, hundreds, of, malicious, releases, thanks, to, the, overall, availability, of, DIY (do-it-yourslef), malicious, software, generating, tools, next, to, the, overall, availability, of, managed, cybercrime-friendly, services, successfully, empowering, cybercriminals, with, the, necessary, tactics, techniques, and, procedures, for, the, purpose, of, launching, malicious, attacks, successfully, bypassing, a, primary, and, secondary, marketplaces, security, mechanisms, in, place. Next, to, the, overall, availability, of, DIY (do-it-yourself), type, of, malicious, software, generating, tools, cybercriminals, continue, to, actively, take, advantage, of, managed, malware-as-a-service, type, of, managed, cybercrime-friendly, services, for, the, purpose, of, successfully, generating, malicious, software, type, of, cybercrime-friendly, releases, successfully, bypassing, primary, and, secondary, marketplaces, security, mechanisms, in, place. 

Among, the, most, popular, features, of, such, type, of, managed, cybercrime-friendly, type, of, managed, cybercrime-friendly, type, of, services, remain, the, active, infiltration, of, primary, and, secondary, marketplaces, including, the, active, verification, of, a, particular, malicious, release, against, the, most, popular, antivirus, scanners, successfully, ensuring, the, sucess, rate, for, a, particular, malicious, campaign, while, earning, fraudulent, revenue, in, the, process, on, their, way, to, successfully, infiltrate, a, socially, engineered, user's, device, while, earning, fraudulent, revenue, in, the, process.

Among, the, most, popular, traffic, acquisition, tactics, remain, the, active, utilization, of, underground, market, traffic, exchanges, for, the, purpose, of, successfully, monetizing, and, acquiring, the, hijacked, traffic, for, the, purpose, of, successfully, spreading, malicious, software, to, unsuspecting, users, globally, while, earning, fraudulent, revenue, in, the, process, on, their, way, to earn, fraudulent, revenue, in, the, process. Next, to, the, active, traffic, acquisition, tactics, thanks, to, the, overall, availability, of, underground, market, traffic, exchanges, cybercriminals, continue, to, actively, rely, on, basic, traffic, segmentation, tactics, for, the, purpose, of, serving, malicious, software, to, unsuspecting, users, while, earning, fraudulent, revenue, in, the, process. 

Continuing, to, rely, on, basic, traffic, segmentation, tactics, cybercriminals, continue, to, successfully, acquire, and, monetize, hijacked, traffic, successfully, monetizing, access, to, hundreds, of, thousands, of, socially, engineered, users, globally, potentially, exposing, the, confidentiality, integrity, and, availability, of, their, devices, to, a, multi-tude, of, malicious, software, while, earning, fraudulent, revenue, in the, process. Among, the, most, popular, growth, factors, for, the, purpose, of, earning, fraudulent, revenue, in, the,
process, remain, the, active, utilization, of, affiliate-network, type, of, rogue, software, generating, type, of, networks, successfully, bypassing, the, security, mechanisms, of, primary, and, secondary, marketplaces, successfully, empowering, cybercriminals, with, the, necessary, tactics, techniques, and, procedures, for, the, purpose, of, earning, fraudulent, revenue, in, the, process, while, successfully, monetizing, access, to, hundreds, of, thousands, of, malware-infected, devices, globally.

Next, to, the, active, traffic, acquisition, tactics, for, the, purpose, of, earning, fraudulent, revenue, while, monetizing, access, to, socially, engineered, user's, devices, globally, cybercriminals, continue, to, actively, monetize, access, to, hundreds, of, thousands, of, compromised, Web sites, successfully, monetizing, access, in, an, automated, fashion, largely, relying, on, managed, and, automated, Web, site, exploitation, tools, and, services, successfully, bypassing, the, security, and, confidentiality, and, integrity, and, availability, of, hundreds, of, socially, engineered, users, globally. 

Once, a, particular, cybercriminal, compromises, a, legitimate, Web sites, in, an, automated, fashion, he, would, automatically, launch, a, malicious, campaign, successfully, bypassing, the, security, confidentiality, and, availability, of, hundreds, of, socially, engineered, users, globally, for, the, purpose, of, earning, fraudulent, revenue, in, the, process, while, successfully, monetizing, access, to, a, variety, of, users, globally, for, the, purpose, of, earning, fraudulent, revenue, in, the, process, while, successfully, monetizing, access, to, hundreds, of, thousands, of, users, globally, for, the, purpose, of, earning, fraudulent, revenue, in, the, process.

Thanks, to, the, overall, availability, of, malicious, software, generating, tools, managed, cybercrime friendly, services, the, overall, prevalence, of, cybercrime-friendly, underground-marketplace, traffic, exchanges, and, the, automated, exploitation, of, hundreds, of, thousands, of, legitimate, Web sites, in, an, automated, fashion, cybercriminals, continue, to, successfully, monetize, and, earn, fraudulent, revenue, in, the, process, of, obtaining, access, to, a, targeted, user's, device, for, the, purpose, of, successfully, bypassing, the, confidentiality, availability, and, integrity, of, the, targeted, user's, device, successfully, monetizing, and, earning, fraudulent, revenue, in, the, process. 

Thanks, to, the, overall, availability, of, managed, affiliate-based, type, of, cybercrime-friendly, services, cybercriminals,
continue, to, successfully, monetize, and, obtain, access, to, hundreds, of, thousands, of, managed, cybercrime-friendly, type, of, compromised, devices, successfully, monetizing, and, earning, fraudulent, revenue, in, the, process, while, successfully, bypassing, the, confidentiality, availability, and, integrity, of, the, targeted, devices, while, successfully, monetizing, the, socially, engineered, user's, device, for, the, purpose, of, launching, malicious, software, type, of, malicious, campaigns, globally.

New Mobile Malware Spotted in the Wild, Hundreds of Users Affected

We've, recently, intercepted, a, currently, circulating, spam, campaign, affecting, hundreds, of, thousands, of, users, while, exposing, the, confidentiality, integrity, and, availability, of, their, devices, to, a, multi-tude, of, malicious, software.

Largely, relying, on, a, set, of, social, engineering, vectors, the, campaign, tries, to, trick, users, into, installing, rogue, software, on, their, devices, potentially, exposing, the, confidentiality, availability, and, integrity, of, their, devices, to, a, multi-tude, of, malicious, software.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Related malicious URLs known to have participated in the campaign:
hxxp://market155.ru - 81.94.205.227; 31.31.204.59
hxxp://illuminatework.ru - 81.94.205.228; 31.31.204.59
hxxp://yetiathome15.ru - 81.94.205.228; 31.31.204.59
hxxp://leeroywork3.co - 81.94.205.228; 198.54.117.210
hxxp://morning3.ru - 81.94.205.228; 31.31.204.59

Once executed a sample malware (MD5: d846f7ac66a9a932235fb415b96fee5d) phones back to the following C&C server IPs:
hxxp://52.24.219.3

Related malicious MD5s known to have phoned back to the same C&C server IP (52.24.219.3):
MD5: e683af18e47c4441d5077e827c902e9e
MD5: a0c825e870f5f882cb25765151d10450
MD5: 2ce7dc2e46216887c42ba52ab3de422d
MD5: bb9dd2c44be5e2b6bc99b0cf2d1fcce1
MD5: dba5578c7271d6759ba3283a030eda33

Once executed a sample malware (MD5: 246f497dc26d18d87f9398758ca1bcc2) phones back to the following C&C server IPs:
hxxp://192.227.137.154

Related malicious MD5s known to have phoned back to the same C&C server IP (192.227.137.154):
MD5: 18e3c021ee369c34998393d5fa2cb2c4
MD5: b6a1bab3fba59504f837498719ce6e4c
MD5: ed646bbbace5bc21ea177e1ec740eb13
MD5: a991a02b269a038ff691b60cb8d23708
MD5: 1125cab12accbfd9632bdb8cd3d50742

Once executed a sample malware (MD5: 7969e4ef1b2fece87b806b5dfe25a3bb) phones back to the following C&C server IPs:
hxxp://23.227.163.110

Related malicious MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server IP:
MD5: b6a1bab3fba59504f837498719ce6e4c
MD5: ed646bbbace5bc21ea177e1ec740eb13
MD5: 1125cab12accbfd9632bdb8cd3d50742
MD5: 9cf11dee06d875a713348296d6482d31
MD5: 0413ed5dfe30b8a326b979506d224258

Known to have responded to the same malicious C&C server IPs (market155.ru - 81.94.205.227; 31.31.204.59), are, also, the, following, malicious, domains:
hxxp://volga18.ru
hxxp://dommmsc.ru
hxxp://droid175.ru
hxxp://market155.ru
hxxp://43tywer.ru
hxxp://42qtes.ru
hxxp://41warter.ru
hxxp://zappylessy.ru
hxxp://myrevansh.ru
hxxp://slon404.ru
hxxp://defmusic4.ru
hxxp://imail15.ru
hxxp://mrkt-applications.xyz
hxxp://wrkme2.ru
hxxp://youtri.ru
hxxp://market155.ru
hxxp://bascetcom4.ru

Related malicious MD5s known to have phoned back to the same C&C server IPs (81.94.205.227):
MD5: 4ed28716716a7f6dc9f6ad1526512b26

Once executed a sample malware phones back to the following C&C server IPs:
hxxp://192.227.137.154/request.php
hxxp://23.227.163.110/locker.php

Related malicious MD5s known to have phoned back to the same C&C server IPs (31.31.204.59):
MD5: e683af18e47c4441d5077e827c902e9e

Once executed a sample malware (MD5: e683af18e47c4441d5077e827c902e9e) phones back to the following C&C server IPs:
208.100.26.234
195.22.28.199
208.100.26.234
98.124.243.46
109.94.1.133
216.239.36.21
208.100.26.234
195.22.26.248
208.73.211.70
162.242.249.192
157.7.107.29
50.62.91.212
50.62.150.186
98.124.243.44
200.29.217.151
212.83.129.135
141.8.192.44
192.232.216.164
178.170.164.188
114.200.196.31
69.172.201.153
182.162.95.55
216.104.165.91
195.22.28.197
112.124.104.218
98.124.243.31
31.31.204.59
184.168.221.63
50.63.202.56
97.74.22.1
52.76.64.5
5.79.71.226
98.124.243.32
144.48.5.153
184.168.221.3
98.124.243.43
167.114.213.199
185.62.206.64
216.35.197.43
69.64.76.61
64.98.145.30
109.206.190.54
66.96.160.194
8.5.1.38
103.11.229.100

Once executed a sample malware (MD5: e683af18e47c4441d5077e827c902e9e) phones back to the following C&C server IPs:
hxxp://riddenstorm.net
hxxp://lordofthepings.ru
hxxp://learnthrew.net
hxxp://learncross.net
hxxp://senseshade.ru
hxxp://sensecross.net
hxxp://senseshade.net
hxxp://learnshade.net
hxxp://sensefloor.net
hxxp://learnfloor.net
hxxp://torethrew.net
hxxp://fallthrew.ru
hxxp://waitcross.ru
hxxp://fallcross.net
hxxp://weekfloor.net
hxxp://muchshade.net
hxxp://torefloor.net
hxxp://veryshade.net
hxxp://fallthrew.net
hxxp://fallfloor.net
hxxp://muchshade.ru
hxxp://muchthrew.net
hxxp://torecross.net
hxxp://piecefloor.net
hxxp://muchfloor.net
hxxp://pieceshade.net
hxxp://piececross.net
hxxp://veryfloor.net
hxxp://verythrew.net
hxxp://toreshade.net
hxxp://weekshade.net
hxxp://verycross.net
hxxp://waitthrew.net
hxxp://fallshade.net
hxxp://muchcross.net
hxxp://takethrew.net
hxxp://weekcross.net
hxxp://weekthrew.net
hxxp://torefloor.ru
hxxp://piecethrew.net
hxxp://verycross.ru
hxxp://piecethrew.ru
hxxp://waitcross.net
hxxp://takecross.net
hxxp://waitshade.net
hxxp://takeshade.net
hxxp://triesteach.net
hxxp://triesteach.ru
hxxp://yourcould.net
hxxp://triescould.net
hxxp://yourusual.net
hxxp://triesusual.net
hxxp://takefloor.net
hxxp://takefloor.ru
hxxp://waitfloor.net
hxxp://yourteach.net
hxxp://triesgrave.net
hxxp://yourgrave.net
hxxp://lrstnusual.net
hxxp://viewusual.ru
hxxp://viewusual.net
hxxp://lrstncould.net
hxxp://viewcould.net
hxxp://lrstnteach.net
hxxp://lrstngrave.ru
hxxp://viewteach.net
hxxp://lrstngrave.net
hxxp://viewgrave.net
hxxp://fillcould.ru
hxxp://plantusual.net
hxxp://fillusual.net
hxxp://fillcould.net
hxxp://plantcould.net
hxxp://fillteach.net
hxxp://plantgrave.net
hxxp://senseusual.ru
hxxp://senseusual.net
hxxp://plantteach.net
hxxp://fillgrave.net
hxxp://learnusual.net
hxxp://sensecould.net
hxxp://learncould.net
hxxp://learnteach.ru
hxxp://senseteach.net
hxxp://learnteach.net
hxxp://sensegrave.net
hxxp://learngrave.net
hxxp://toreusual.net
hxxp://fallusual.net
hxxp://fallgrave.net
hxxp://toregrave.net
hxxp://fallteach.net
hxxp://toreteach.net
hxxp://fallcould.net
hxxp://torecould.net
hxxp://torecould.ru
hxxp://weekusual.net
hxxp://fallgrave.ru
hxxp://veryusual.net
hxxp://verycould.net
hxxp://weekteach.ru
hxxp://weekteach.net
hxxp://weekcould.net
hxxp://veryteach.net
hxxp://weekgrave.net
hxxp://verygrave.net
hxxp://pieceusual.net
hxxp://muchusual.ru
hxxp://muchusual.net
hxxp://piececould.net
hxxp://muchcould.net
hxxp://pieceteach.net
hxxp://muchteach.net
hxxp://piecegrave.ru
hxxp://muchgrave.net
hxxp://waitusual.net
hxxp://takeusual.net
hxxp://waitcould.net
hxxp://piecegrave.net
hxxp://takecould.ru
hxxp://takecould.net
hxxp://waitteach.net
hxxp://taketeach.net
hxxp://waitgrave.net
hxxp://takegrave.net
hxxp://triesstate.ru
hxxp://triesstate.net
hxxp://yourstate.net
hxxp://triesbroke.net
hxxp://yourbroke.net
hxxp://lrstnbroke.net
hxxp://lrstnbroke.ru
hxxp://viewstate.net
hxxp://lrstnstate.net
hxxp://yournews.net
hxxp://triesnews.net
hxxp://yourmark.net
hxxp://yourmark.ru
hxxp://triesmark.net
hxxp://viewbroke.net
hxxp://lrstnmark.net
hxxp://viewmark.net
hxxp://lrstnnews.net
hxxp://viewnews.ru
hxxp://viewnews.net
hxxp://fillstate.net
hxxp://plantbroke.net
hxxp://fillbroke.net
hxxp://plantstate.net
hxxp://plantmark.ru
hxxp://plantmark.net
hxxp://fillmark.net
hxxp://fillnews.net
hxxp://sensestate.net
hxxp://plantnews.net
hxxp://learnstate.ru
hxxp://sensebroke.net
hxxp://learnstate.net
hxxp://learnbroke.net
hxxp://learnmark.net
hxxp://sensemark.net
hxxp://sensenews.ru
hxxp://sensenews.net
hxxp://learnnews.net
hxxp://torestate.net
hxxp://fallstate.net
hxxp://torebroke.net
hxxp://fallbroke.ru
hxxp://fallbroke.net
hxxp://toremark.net
hxxp://fallmark.net
hxxp://torenews.net
hxxp://weekstate.ru
hxxp://fallnews.net
hxxp://weekstate.net
hxxp://verystate.net
hxxp://weekbroke.net
hxxp://verybroke.net
hxxp://weekmark.net
hxxp://verymark.ru
hxxp://piecestate.net
hxxp://muchstate.net
hxxp://verynews.net
hxxp://weeknews.net
hxxp://verymark.net
hxxp://piecebroke.ru
hxxp://piecebroke.net
hxxp://muchbroke.net
hxxp://piecemark.net
hxxp://muchmark.net
hxxp://piecenews.net
hxxp://muchnews.ru
hxxp://muchnews.net
hxxp://waitstate.net
hxxp://waitbroke.net
hxxp://takebroke.net
hxxp://waitmark.ru
hxxp://waitmark.net
hxxp://takestate.net
hxxp://takemark.net
hxxp://waitnews.net
hxxp://takenews.net
hxxp://triesthan.net
hxxp://yourthan.ru
hxxp://yourthan.net
hxxp://triesread.net
hxxp://yourread.net
hxxp://yourmile.net
hxxp://triesking.ru
hxxp://triesmile.net
hxxp://triesking.net
hxxp://yourking.net
hxxp://lrstnthan.net
hxxp://viewthan.net
hxxp://lrstnread.net
hxxp://viewread.ru
hxxp://lrstnmile.net
hxxp://viewread.net
hxxp://viewmile.net
hxxp://lrstnking.net
hxxp://viewking.net
hxxp://plantthan.ru
hxxp://plantthan.net
hxxp://fillthan.net
hxxp://plantread.net
hxxp://fillread.net
hxxp://plantking.net
hxxp://fillmile.net
hxxp://fillmile.ru
hxxp://plantmile.net
hxxp://fillking.net
hxxp://sensethan.net
hxxp://learnthan.net
hxxp://senseread.ru
hxxp://senseread.net
hxxp://learnread.net
hxxp://sensemile.net
hxxp://learnmile.net
hxxp://senseking.net
hxxp://learnking.ru
hxxp://learnking.net
hxxp://torethan.net
hxxp://fallthan.net
hxxp://toreread.net
hxxp://fallread.net
hxxp://toremile.net
hxxp://toremile.ru
hxxp://toreking.net
hxxp://fallking.net
hxxp://fallmile.net
hxxp://weekthan.net
hxxp://verythan.ru
hxxp://verythan.net
hxxp://weekread.net
hxxp://veryread.net
hxxp://weekmile.net
hxxp://verymile.net
hxxp://weekking.net
hxxp://weekking.ru
hxxp://veryking.net
hxxp://piecethan.net
hxxp://muchthan.net
hxxp://pieceread.net
hxxp://muchread.ru
hxxp://muchread.net
hxxp://piecemile.net
hxxp://muchmile.net
hxxp://pieceking.net
hxxp://muchking.net
hxxp://waitthan.ru
hxxp://waitthan.net
hxxp://takethan.net
hxxp://waitread.net
hxxp://waitmile.net
hxxp://takeread.net
hxxp://takemile.ru
hxxp://takemile.net
hxxp://waitking.net
hxxp://takeking.net
hxxp://triessaturday.net
hxxp://triesthousand.net
hxxp://yourthousand.net
hxxp://yoursaturday.net
hxxp://triesthousand.ru
hxxp://triesloud.net
hxxp://yourloud.net
hxxp://triestree.net
hxxp://yourtree.ru
hxxp://yourtree.net
hxxp://lrstnsaturday.net
hxxp://viewsaturday.net
hxxp://lrstnthousand.net
hxxp://viewthousand.net
hxxp://lrstnloud.ru
hxxp://lrstnloud.net
hxxp://viewloud.net
hxxp://viewtree.net
hxxp://lrstntree.net
hxxp://fillsaturday.ru
hxxp://plantsaturday.net
hxxp://fillsaturday.net
hxxp://plantthousand.net
hxxp://fillthousand.net
hxxp://plantloud.net
hxxp://fillloud.net
hxxp://planttree.ru
hxxp://planttree.net
hxxp://filltree.net
hxxp://sensesaturday.net
hxxp://learnsaturday.net
hxxp://sensethousand.net
hxxp://learnthousand.ru
hxxp://learnthousand.net
hxxp://senseloud.net
hxxp://learnloud.net
hxxp://sensetree.net
hxxp://learntree.net
hxxp://toresaturday.ru
hxxp://toresaturday.net
hxxp://fallsaturday.net
hxxp://torethousand.net
hxxp://fallthousand.net
hxxp://toreloud.net
hxxp://fallloud.ru
hxxp://fallloud.net
hxxp://toretree.net
hxxp://falltree.net
hxxp://weeksaturday.net
hxxp://verysaturday.net
hxxp://weekthousand.ru
hxxp://weekthousand.net
hxxp://verythousand.net
hxxp://weekloud.net
hxxp://veryloud.net
hxxp://weektree.net
hxxp://verytree.ru
hxxp://verytree.net
hxxp://piecesaturday.net
hxxp://muchsaturday.net
hxxp://piecethousand.net
hxxp://muchthousand.net
hxxp://pieceloud.ru
hxxp://pieceloud.net
hxxp://muchtree.net
hxxp://piecetree.net
hxxp://muchloud.net
hxxp://waitsaturday.net
hxxp://takesaturday.ru
hxxp://takesaturday.net
hxxp://waitthousand.net
hxxp://takethousand.net
hxxp://takeloud.net
hxxp://waitloud.net
hxxp://waittree.ru
hxxp://waittree.net
hxxp://taketree.net
hxxp://triesstock.net
hxxp://yourstock.net
hxxp://triesthrow.net
hxxp://yourthrow.ru
hxxp://yourthrow.net
hxxp://triesreply.net
hxxp://yourreply.net
hxxp://trieswhole.net
hxxp://yourwhole.net
hxxp://lrstnstock.net
hxxp://viewstock.net
hxxp://lrstnstock.ru
hxxp://lrstnthrow.net
hxxp://viewthrow.net
hxxp://lrstnreply.net
hxxp://viewreply.ru
hxxp://viewreply.net
hxxp://lrstnwhole.net
hxxp://viewwhole.net
hxxp://plantstock.net
hxxp://fillstock.net
hxxp://plantthrow.net
hxxp://plantthrow.ru
hxxp://fillthrow.net
hxxp://plantreply.net
hxxp://fillreply.net
hxxp://plantwhole.net
hxxp://fillwhole.ru
hxxp://fillwhole.net
hxxp://sensestock.net
hxxp://learnstock.net
hxxp://sensethrow.net
hxxp://learnthrow.net
hxxp://sensereply.ru
hxxp://sensereply.net
hxxp://learnreply.net
hxxp://sensewhole.net
hxxp://fallstock.net
hxxp://fallstock.ru
hxxp://torestock.net
hxxp://learnwhole.net
hxxp://fallreply.net
hxxp://torereply.net
hxxp://fallthrow.net
hxxp://torethrow.net
hxxp://torewhole.ru
hxxp://fallwhole.net
hxxp://torewhole.net
hxxp://weekstock.net
hxxp://verystock.net
hxxp://weekthrow.net
hxxp://verythrow.net
hxxp://verythrow.ru
hxxp://weekreply.net
hxxp://weekwhole.net
hxxp://veryreply.net
hxxp://verywhole.net
hxxp://piecestock.ru
hxxp://piecestock.net
hxxp://muchstock.net
hxxp://piecethrow.net
hxxp://muchthrow.net
hxxp://piecereply.net
hxxp://muchreply.ru
hxxp://muchreply.net
hxxp://piecewhole.net
hxxp://muchwhole.net
hxxp://waitstock.net
hxxp://takestock.net
hxxp://waitthrow.ru
hxxp://waitthrow.net
hxxp://takethrow.net
hxxp://waitreply.net
hxxp://takereply.net
hxxp://takewhole.ru
hxxp://waitwhole.net
hxxp://triescold.net
hxxp://takewhole.net
hxxp://yourcold.net
hxxp://trieswrote.net
hxxp://triesbone.net
hxxp://yourbone.net
hxxp://triesbone.ru
hxxp://yourwrote.net
hxxp://triesfire.net
hxxp://yourfire.net
hxxp://lrstncold.net
hxxp://viewcold.net
hxxp://viewcold.ru
hxxp://lrstnwrote.net
hxxp://lrstnbone.net
hxxp://viewwrote.net
hxxp://viewbone.net
hxxp://lrstnfire.ru
hxxp://viewfire.net
hxxp://lrstnfire.net
hxxp://plantcold.net
hxxp://fillcold.net
hxxp://plantwrote.net
hxxp://fillwrote.ru
hxxp://plantbone.net
hxxp://fillwrote.net
hxxp://fillbone.net
hxxp://plantfire.net
hxxp://fillfire.net
hxxp://sensecold.ru
hxxp://sensecold.net
hxxp://learncold.net
hxxp://sensewrote.net
hxxp://learnwrote.net
hxxp://sensebone.net
hxxp://learnbone.ru
hxxp://learnbone.net
hxxp://sensefire.net
hxxp://learnfire.net
hxxp://torecold.net
hxxp://fallcold.net
hxxp://torewrote.ru
hxxp://torewrote.net
hxxp://fallwrote.net
hxxp://fallbone.net
hxxp://fallfire.ru
hxxp://torefire.net
hxxp://torebone.net
hxxp://fallfire.net
hxxp://weekcold.net
hxxp://weekwrote.net
hxxp://verycold.net
hxxp://verywrote.net
hxxp://weekbone.net
hxxp://weekbone.ru
hxxp://weekfire.net
hxxp://verybone.net
hxxp://veryfire.net
hxxp://piececold.net
hxxp://muchcold.net
hxxp://muchcold.ru
hxxp://piecewrote.net
hxxp://muchwrote.net
hxxp://piecebone.net
hxxp://muchbone.net
hxxp://piecefire.ru
hxxp://piecefire.net
hxxp://muchfire.net
hxxp://waitcold.net
hxxp://takecold.net
hxxp://waitwrote.net
hxxp://takewrote.ru
hxxp://takewrote.net
hxxp://waitbone.net
hxxp://takebone.net
hxxp://waitfire.net
hxxp://takefire.net
hxxp://longride.ru
hxxp://longride.net
hxxp://soilride.net
hxxp://longsmall.net
hxxp://soilsmall.net
hxxp://longought.net
hxxp://soilought.ru
hxxp://soilought.net
hxxp://longmarry.net
hxxp://soilmarry.net
hxxp://wheelsmall.ru
hxxp://wheelride.net
hxxp://saidride.net
hxxp://wheelsmall.net
hxxp://saidsmall.net
hxxp://wheelought.net
hxxp://saidought.net
hxxp://wheelmarry.net
hxxp://saidmarry.net
hxxp://saidmarry.ru
hxxp://ballride.net
hxxp://stickride.net
hxxp://sticksmall.net
hxxp://ballsmall.net
hxxp://stickought.net
hxxp://stickought.ru
hxxp://ballought.net
hxxp://stickmarry.net
hxxp://ballmarry.net
hxxp://enemyride.net
hxxp://liferide.ru
hxxp://liferide.net
hxxp://enemysmall.net
hxxp://lifesmall.net
hxxp://enemyought.net
hxxp://lifeought.net
hxxp://enemymarry.ru
hxxp://enemymarry.net
hxxp://lifemarry.net
hxxp://mouthride.net
hxxp://tillride.net
hxxp://mouthsmall.net
hxxp://tillsmall.ru
hxxp://tillsmall.net
hxxp://mouthought.net
hxxp://tillought.net
hxxp://mouthmarry.net
hxxp://tillmarry.net
hxxp://shallride.ru
hxxp://shallride.net
hxxp://deepride.net
hxxp://shallsmall.net
hxxp://deepsmall.net
hxxp://shallought.net
hxxp://deepought.ru
hxxp://deepought.net
hxxp://shallmarry.net
hxxp://deepmarry.net
hxxp://pushride.net
hxxp://pushsmall.ru
hxxp://fridayride.net
hxxp://pushsmall.net
hxxp://fridaysmall.net
hxxp://pushought.net
hxxp://pushmarry.net
hxxp://fridayought.net
hxxp://fridaymarry.ru
hxxp://fridaymarry.net
hxxp://alongride.net
hxxp://alongsmall.net
hxxp://decemberride.net
hxxp://decembersmall.net
hxxp://alongought.ru
hxxp://alongought.net
hxxp://decemberought.net
hxxp://alongmarry.net
hxxp://decembermarry.net
hxxp://longthem.net
hxxp://soilthem.ru
hxxp://soilthem.net
hxxp://longbest.net
hxxp://soilbest.net
hxxp://longconsiderable.net
hxxp://soilconsiderable.net
hxxp://longeasy.ru
hxxp://longeasy.net
hxxp://soileasy.net
hxxp://wheelthem.net
hxxp://saidthem.net
hxxp://wheelbest.net
hxxp://saidbest.ru
hxxp://saidbest.net
hxxp://wheelconsiderable.net
hxxp://saidconsiderable.net
hxxp://wheeleasy.net
hxxp://saideasy.net
hxxp://stickthem.ru
hxxp://stickthem.net
hxxp://ballthem.net
hxxp://stickbest.net
hxxp://ballbest.net
hxxp://stickconsiderable.net
hxxp://ballconsiderable.ru
hxxp://ballconsiderable.net
hxxp://stickeasy.net
hxxp://balleasy.net
hxxp://enemythem.net

Known to have phoned back to the same malicious C&C server IPs (illuminatework.ru - 81.94.205.228; 31.31.204.59), are, also, the, following, malicious, MD5s:
MD5: 04c8e24f19308bd92e0bcdb6f02e8b4e
MD5: ca2747377512d13afb9a4a7f21fda0fc
MD5: 79e2b3abdbf33552677660069f891b88

Once executed a sample malware (MD5:79e2b3abdbf33552677660069f891b88) phones back to the following malicious C&C server IPs:
hxxp://23.227.163.110

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (illuminatework.ru - 81.94.205.228; 31.31.204.59):
MD5: e683af18e47c4441d5077e827c902e9e
MD5: a0c825e870f5f882cb25765151d10450
MD5: 2ce7dc2e46216887c42ba52ab3de422d
MD5: bb9dd2c44be5e2b6bc99b0cf2d1fcce1
MD5: dba5578c7271d6759ba3283a030eda33

Related malicious MD5s known to have phoned back to the same C&C server IPs (leeroywork3.co - 81.94.205.228; 198.54.117.210):
MD5: 754fbdc3d2f2133d1922e3edae033637
MD5: be4432facc4a67acf102715a9baadbec
MD5: 42524e4cd01f1e92151e4221cb727d4e
MD5: 5abb2cc25bb3e53e7427bc9bbdc898ab
MD5: b05409a33f1409ef48e4cdbe29480edf

Once executed, a, sample, malware (MD5: 754fbdc3d2f2133d1922e3edae033637), phones, back, to, the, following, C&C, server, IPs:
hxxp://bonezyard.oo3.co - 198.54.117.210

Once executed, a, sample, malware (MD5: be4432facc4a67acf102715a9baadbec), phones, back, to, the, following, C&C, server, IPs:
hxxp://cidihifu.info
hxxp://sirabyso.info
hxxp://cinydota.info
hxxp://dixoxywy.info
hxxp://viherami.info
hxxp://dosujuba.info
hxxp://bowomacy.info
hxxp://fobefizi.info
hxxp://bozuceko.info
hxxp://ohopihe.info
hxxp://naselyfu.info
hxxp://gaquqoso.info
hxxp://mavagyte.info
hxxp://halybowu.info
hxxp://magisumi.info
hxxp://jepazana.info
hxxp://qeqywuvy.info
hxxp://jevijexi.info
hxxp://wekanila.info
hxxp://kefydeje.info
hxxp://wyticogu.info
hxxp://lymetydo.info
hxxp://rycukope.info
hxxp://lykomuru.info
hxxp://tyfegaqo.info
hxxp://zuruvuna.info
hxxp://tunopavy.info
hxxp://xuxelixi.info
hxxp://pujuwela.info
hxxp://xudohijy.info
hxxp://sirybyhi.info
hxxp://cinidofo.info
hxxp://sizaxyse.info
hxxp://vihyratu.info
hxxp://disijuwo.info
hxxp://vowamame.info
hxxp://fobyfiby.info
hxxp://boziceci.info
hxxp://fohatiza.info
hxxp://nopuleky.info
hxxp://gaqoqohi.info
hxxp://navegyfa.info
hxxp://halubose.info
hxxp://magosutu.info
hxxp://hapezawo.info
hxxp://jecojenu.info
hxxp://qekenivo.info
hxxp://qequwuqe.info
hxxp://kefidexa.info
hxxp://wetaxoly.info
hxxp://kymytyji.info
hxxp://rycikoga.info
hxxp://lykamydy.info
hxxp://rydygapu.info
hxxp://zyrivuro.info
hxxp://tunapaqe.info
hxxp://zuxylinu.info
hxxp://pujowevo.info
hxxp://xudehixe.info
hxxp://purubyly.info
hxxp://cibosoki.info
hxxp://sizexyha.info
hxxp://cihurafy.info
hxxp://disojusi.info
hxxp://viwemata.info
hxxp://dobufuwe.info
hxxp://bozacemu.info
hxxp://fogytibo.info
hxxp://bopilece.info
hxxp://goqaqozu.info
hxxp://navygyki.info
hxxp://galivoha.info
hxxp://magasufy.info
hxxp://hapyzasi.info
hxxp://mamiwuta.info
hxxp://jecejery.info
hxxp://qekuniqu.info
hxxp://jefodeno.info
hxxp://wetexive.info
hxxp://kemutyxu.info
hxxp://wycokolo.info
hxxp://lyjemyje.info
hxxp://rydufagy.info
hxxp://lyrovudi.info
hxxp://tynypapa.info
hxxp://zuxiliry.info
hxxp://tujaweqi.info
hxxp://xudyhino.info
hxxp://puwibyve.info
hxxp://xubasoxu.info
hxxp://sizyxyzo.info
hxxp://cihiroke.info
hxxp://sisajuhu.info
hxxp://viwunafi.info
hxxp://dibofusa.info
hxxp://volecety.info
hxxp://fogutiwi.info
hxxp://bopolema.info
hxxp://foqeqoby.info
hxxp://novugycu.info
hxxp://galovozo.info
hxxp://nagesuke.info
hxxp://hatizahu.info
hxxp://mamawufo.info
hxxp://hacyhasa.info
hxxp://qekinipy.info
hxxp://jefaderi.info
hxxp://qetyxiqa.info
hxxp://kemityny.info
hxxp://wexakovi.info
hxxp://kyjymyxo.info
hxxp://rydofale.info
hxxp://lyrevuju.info
hxxp://rynupago.info
hxxp://zyxolide.info
hxxp://tujeqepu.info
hxxp://zusuhiri.info
hxxp://puwobeqa.info
hxxp://xubesony.info
hxxp://puzuxyvi.info
hxxp://ciharoca.info
hxxp://sisyjuze.info
hxxp://ciwinaku.info
hxxp://divafuho.info
hxxp://vilycefe.info
hxxp://dogitisu.info
hxxp://bopaketo.info
hxxp://foqyqowa.info
hxxp://nafusyca.info
hxxp://gatozazy.info
hxxp://mamewuki.info
hxxp://hacuhaho.info
hxxp://makonife.info
hxxp://bovigymy.info
hxxp://golevobi.info
hxxp://jefededu.info
hxxp://qetuxipo.info
hxxp://jenoryre.info
hxxp://kejimyni.info
hxxp://wexykoqy.info
hxxp://wydafava.info
hxxp://lyryvuxy.info
hxxp://rynipali.info
hxxp://lyxaluja.info
hxxp://tyhyqege.info
hxxp://zusihidu.info
hxxp://tuwabepo.info
hxxp://xubusore.info
hxxp://puzozyqu.info
hxxp://xuherono.info
hxxp://sisujuba.info
hxxp://ciqonacy.info
hxxp://sivefuzi.info
hxxp://viluceka.info
hxxp://digotihy.info
hxxp://vopekefu.info
hxxp://foqiqiso.info
hxxp://bovagyte.info
hxxp://fokyvowu.info
hxxp://nofipymo.info
hxxp://gatazabe.info
hxxp://namywucy.info
hxxp://hacihazi.info
hxxp://makanika.info
hxxp://hafydehy.info
hxxp://qeroxigi.info
hxxp://jeneryda.info
hxxp://qexukope.info
hxxp://kejomyru.info
hxxp://wedefoqo.info
hxxp://kyrucune.info
hxxp://rynopavu.info
hxxp://lyzeluxi.info
hxxp://ryhuqela.info
hxxp://zysahijy.info
hxxp://tuwybegi.info
hxxp://zubisoda.info
hxxp://puzazypy.info
hxxp://xuhyroru.info
hxxp://pupijuqo.info
hxxp://ciqaname.info
hxxp://sivydubu.info
hxxp://cilicaco.info
hxxp://digetize.info
hxxp://vipukeky.info
hxxp://doqoqihi.info
hxxp://bocegyfa.info
hxxp://fokuvosy.info
hxxp://bofopyti.info
hxxp://gotezawo.info
hxxp://namuwume.info
hxxp://gacohabu.info
hxxp://makybico.info
hxxp://hadideze.info
hxxp://maraxiku.info
hxxp://jenyreji.info
hxxp://qexikoga.info
hxxp://jejamydy.info
hxxp://wedyfopi.info
hxxp://kericura.info
hxxp://wybapaqy.info
hxxp://lyzulunu.info
hxxp://ryhoqevo.info
hxxp://lysegixe.info
hxxp://tywubelu.info
hxxp://zubosojo.info
hxxp://tuzezyga.info
hxxp://xugurody.info
hxxp://pupojypi.info
hxxp://xuqenara.info
hxxp://sividuwy.info
hxxp://cilacami.info
hxxp://sigytibo.info
hxxp://vipikece.info
hxxp://dimamizu.info
hxxp://vocygyko.info
hxxp://fokivohe.info
hxxp://bofapyfu.info
hxxp://fotyzasi.info
hxxp://nomowuta.info
hxxp://gacehawy.info
hxxp://najubumi.info
hxxp://hadodeba.info
hxxp://marexice.info
hxxp://hanurezu.info
hxxp://qexojolo.info
hxxp://jejemyje.info
hxxp://qedufogu.info
hxxp://kewacudo.info
hxxp://webypapa.info
hxxp://kyzilury.info
hxxp://ryhaqeqi.info
hxxp://lysygina.info
hxxp://rywibevy.info
hxxp://zybasixi.info
hxxp://tulyzylo.info
hxxp://zugiwoje.info
hxxp://pupejygu.info
hxxp://xuqunado.info
hxxp://puvodupe.info
hxxp://cilecaty.info
hxxp://sigutiwi.info
hxxp://dimemiby.info
hxxp://vicugyci.info
hxxp://dokovoza.info
hxxp://bofypyke.info
hxxp://fotilohu.info
hxxp://bomawufo.info
hxxp://citokema.info
hxxp://goxyhase.info
hxxp://najibutu.info
hxxp://gadadewo.info
hxxp://maryxima.info
hxxp://hanireby.info
hxxp://maxajoci.info
hxxp://jejumyxa.info
hxxp://qesofoly.info
hxxp://jewecuju.info
hxxp://webutago.info
hxxp://kezolude.info
hxxp://wyheqapu.info
hxxp://lysugiro.info
hxxp://rywobeqe.info
hxxp://lyvesiny.info
hxxp://tylizyvi.info
hxxp://zugawoxa.info
hxxp://tupyjyly.info
hxxp://xuqinaji.info
hxxp://puvaduga.info
hxxp://xulyxade.info
hxxp://sifitisu.info
hxxp://citaketo.info
hxxp://simymiwe.info
hxxp://vicogemu.info
hxxp://dikevobi.info
hxxp://vofupyca.info
hxxp://fotolozy.info
hxxp://bonewuki.info
hxxp://foxuhaha.info
hxxp://nojobufy.info
hxxp://gadesesu.info
hxxp://naruxito.info
hxxp://hanarewe.info
hxxp://maxyjomu.info
hxxp://hahimybo.info
hxxp://qesafove.info
hxxp://jewycyxy.info
hxxp://qebitali.info
hxxp://kezaluja.info
hxxp://wehyqagy.info
hxxp://kysigidi.info
hxxp://ryqevepo.info
hxxp://lyvusire.info
hxxp://rylozyqu.info
hxxp://zygewono.info
hxxp://tupujyve.info
hxxp://zuqonaxu.info
hxxp://puveduli.info
hxxp://xukuxaja.info
hxxp://pufotugy.info
hxxp://citykefi.info
hxxp://simimisa.info
hxxp://cicafety.info
hxxp://dikyvowu.info
hxxp://vifipymo.info
hxxp://doralobe.info
hxxp://bonywucu.info
hxxp://foxihazo.info
hxxp://bojabuka.info
hxxp://godusehy.info
hxxp://naroxifi.info
hxxp://ganeresa.info
hxxp://mazujity.info
hxxp://hahonywi.info
hxxp://masefomo.info
hxxp://jewucyne.info
hxxp://qebotavu.info
hxxp://jezeluxo.info
hxxp://wehiqale.info
hxxp://kepagiju.info
hxxp://wyqyvegi.info
hxxp://lyvisida.info
hxxp://rylazypy.info
hxxp://lygywori.info
hxxp://typihyqa.info
hxxp://zuqanone.info
hxxp://tucyduvu.info
hxxp://xukoxaxo.info
hxxp://pufetule.info
hxxp://xutukeju.info
hxxp://simomiho.info
hxxp://cicefefa.info
hxxp://sikuvosy.info
hxxp://vidopyti.info
hxxp://direlowa.info
hxxp://vonuqumy.info
hxxp://foxahabi.info
hxxp://bojybuco.info
hxxp://fodisaze.info
hxxp://noraxiku.info
hxxp://gabyreho.info
hxxp://nazijife.info
hxxp://hahanysy.info
hxxp://masyfoti.info
hxxp://hawicywa.info
hxxp://qebetaqy.info
hxxp://jezukuni.info
hxxp://qegoqava.info
hxxp://kepegixe.info
hxxp://wequvelu.info
hxxp://kyvosijo.info
hxxp://rylezege.info
hxxp://lyguwodu.info
hxxp://rypohypo.info
hxxp://zymynora.info
hxxp://tuciduqy.info
hxxp://zukaxani.info
hxxp://pufyruva.info
hxxp://xutikexy.info
hxxp://pumamilu.info
hxxp://cicyfeko.info
hxxp://sijivohe.info
hxxp://cidapyfu.info
hxxp://diruloso.info
hxxp://vinoqyte.info
hxxp://doxehawy.info
hxxp://bojubumi.info
hxxp://fodosaba.info
hxxp://bowezicy.info
hxxp://goburezi.info
hxxp://nazojika.info
hxxp://gahenyhe.info
hxxp://masifofu.info
hxxp://hawacyso.info
hxxp://mabytate.info
hxxp://jelikuru.info
hxxp://qegaqaqi.info
hxxp://jepyguna.info
hxxp://weqivevy.info
hxxp://kevapixi.info
hxxp://wylyzela.info
hxxp://lygowojy.info
hxxp://rytehygu.info
hxxp://lymunodo.info
hxxp://tufuruqo.info
hxxp://zukexaru.info
hxxp://tycodupe.info
hxxp://xutokene.info
hxxp://pumemivy.info
hxxp://xuxufexi.info
hxxp://sijaciza.info
hxxp://cidypyky.info
hxxp://sirilohi.info
hxxp://vinaqyfo.info
hxxp://dixyhase.info
hxxp://vojibutu.info
hxxp://fosasawo.info
hxxp://bowyzime.info
hxxp://fobirebu.info
hxxp://nozejici.info
hxxp://gahunyza.info
hxxp://nasodoky.info
hxxp://hawecyhi.info
hxxp://mavutofa.info
hxxp://halokusy.info
hxxp://qegeqapu.info
hxxp://jepuguro.info
hxxp://qeqoveqe.info
hxxp://kevypinu.info
hxxp://welizevo.info
hxxp://kyfawoxa.info
hxxp://rytyhyly.info
hxxp://lymiboji.info
hxxp://rycaduga.info
hxxp://zykyxady.info
hxxp://tufirupi.info
hxxp://zutakaro.info
hxxp://punumiqe.info
hxxp://xuxofenu.info
hxxp://pujecivo.info
hxxp://cidupyce.info
hxxp://sirolozu.info
hxxp://cineqyki.info
hxxp://dixugaha.info
hxxp://vihobufy.info
hxxp://dosesasi.info
hxxp://bowizita.info
hxxp://fobarewe.info
hxxp://bozyjimu.info
hxxp://gohinebo.info
hxxp://nasadoce.info
hxxp://gaqycyzu.info
hxxp://mavitoko.info
hxxp://halakuha.info
hxxp://magymafy.info
hxxp://jepogudi.info
hxxp://qeqevepa.info
hxxp://jevupiry.info
hxxp://wekozeqi.info
hxxp://kefewono.info
hxxp://wytuhyve.info
hxxp://lymoboxu.info
hxxp://rycedylo.info
hxxp://lykuxaje.info
hxxp://tyfarugy.info
hxxp://zuryjadi.info
hxxp://tunimipa.info
hxxp://xuxafery.info
hxxp://siralobe.info
hxxp://xudipyna.info
hxxp://pujyciqi.info
hxxp://cinyqycu.info
hxxp://sizigazo.info
hxxp://vihebuke.info
hxxp://disusahu.info
hxxp://vowozufo.info
hxxp://fobewesa.info
hxxp://bozujity.info
hxxp://fohonewi.info
hxxp://nopedoma.info
hxxp://gaqucyby.info
hxxp://navotocu.info
hxxp://halykuzo.info
hxxp://magimake.info
hxxp://hapaguhu.info
hxxp://qeqyvego.info
hxxp://jecipide.info
hxxp://qekalepy.info
hxxp://kefywiri.info
hxxp://wetihyqa.info
hxxp://kymabony.info
hxxp://rycudyvi.info
hxxp://lykoxaxa.info
hxxp://ryderule.info
hxxp://zyrujaju.info
hxxp://tunomigo.info
hxxp://zuxefede.info
hxxp://pujucipu.info
hxxp://xudotyri.info
hxxp://pureloqa.info
hxxp://cibiqymy.info
hxxp://sizagobi.info
hxxp://cihybuca.info
hxxp://disisazy.info
hxxp://viwazuku.info
hxxp://dobyweho.info
hxxp://bozijife.info
hxxp://foganesu.info
hxxp://bopydoto.info
hxxp://goqoxywe.info
hxxp://navetomy.info
hxxp://galukubi.info
hxxp://magomaca.info
hxxp://hapeguzy.info
hxxp://mamuvaki.info
hxxp://jecopijo.info
hxxp://qekelege.info
hxxp://jefuwidu.info
hxxp://wetahypo.info
hxxp://kemybore.info
hxxp://wycisyqu.info
hxxp://lyjaxani.info
hxxp://rydyruva.info
hxxp://lyrijaxy.info
hxxp://tynamili.info
hxxp://zuxyfeja.info
hxxp://tujicigy.info
hxxp://xudetedu.info
hxxp://puwulopo.info
hxxp://xuboqyre.info
hxxp://sizegowu.info
hxxp://cihuvumo.info
hxxp://sisosaba.info
hxxp://viwezucy.info
hxxp://dibuwezi.info
hxxp://volojika.info
hxxp://fogynehy.info
hxxp://bopidofi.info
hxxp://foqaxyso.info
hxxp://novytote.info
hxxp://galikywu.info
hxxp://nagamamo.info
hxxp://mamivacu.info
hxxp://hacapizi.info
hxxp://qekulela.info
hxxp://jefowijy.info
hxxp://hatyfube.info
hxxp://qetehygi.info
hxxp://kemuboda.info
hxxp://wexosype.info
hxxp://kyjexaru.info
hxxp://ryduruqo.info
hxxp://lyrojane.info
hxxp://rynenuvu.info
hxxp://zyxifexo.info
hxxp://tujacila.info
hxxp://zusytejy.info
hxxp://puwilogi.info
hxxp://xubaqyda.info
hxxp://puzygopy.info
hxxp://cihivuti.info
hxxp://sisasawo.info
hxxp://ciwyzume.info
hxxp://divowebu.info
hxxp://vilehico.info
hxxp://doguneze.info
hxxp://bopodiky.info
hxxp://foqexyhi.info
hxxp://bovutofa.info
hxxp://golokysy.info
hxxp://nafemati.info
hxxp://gatufuwa.info
hxxp://mamavame.info
hxxp://hacypibu.info
hxxp://makileco.info
hxxp://jefaqixe.info
hxxp://qetyhylu.info
hxxp://jenibojo.info
hxxp://wexasyga.info
hxxp://kejyxody.info
hxxp://wydirupi.info
hxxp://lyrejara.info
hxxp://rynunuqy.info
hxxp://lyxofenu.info
hxxp://tyhecivo.info
hxxp://zusutexe.info
hxxp://tuwokolu.info
hxxp://xubeqyjo.info
hxxp://puzugoge.info
hxxp://xuhovudy.info
hxxp://sisysasi.info
hxxp://ciqizuta.info
hxxp://sivawawy.info
hxxp://vilyhimi.info
hxxp://digineba.info
hxxp://vopadice.info
hxxp://boviroko.info
hxxp://foqyxyzu.info
hxxp://fokakyhe.info
hxxp://nofumafu.info
hxxp://gatofusi.info
hxxp://namevata.info
hxxp://hacupiwy.info
hxxp://makolemi.info
hxxp://hafeqiba.info
hxxp://qeruhevy.info
hxxp://jenoboxu.info
hxxp://qexesylo.info
hxxp://kejizoje.info
hxxp://wedarugu.info
hxxp://kyryjado.info
hxxp://ryninupe.info
hxxp://lyzafery.info
hxxp://ryhyciqi.info
hxxp://zysitena.info
hxxp://tuwakovy.info
hxxp://zubyqyxi.info
hxxp://puzogolo.info
hxxp://xuhevyje.info
hxxp://pupupagu.info
hxxp://ciqozufo.info
hxxp://sivewase.info
hxxp://ciluhitu.info
hxxp://digonewi.info
hxxp://vipedima.info
hxxp://doquxyby.info
hxxp://bocaroci.info
hxxp://fokykyza.info
hxxp://bofimaky.info
hxxp://gotafuhu.info
hxxp://namycafo.info
hxxp://gacipuse.info
hxxp://makaletu.info
hxxp://hadyqiwo.info
hxxp://marihema.info
hxxp://jenebony.info
hxxp://qexusyvi.info
hxxp://jejozoxa.info
hxxp://wederuly.info
hxxp://kerujaji.info
hxxp://wybonugo.info
hxxp://lyzedede.info
hxxp://sso.anbtr.com
hxxp://ryhucipu.info
hxxp://lysotero.info
hxxp://tywykiqe.info
hxxp://zubiqynu.info
hxxp://tuzagovi.info
hxxp://xugyvyxa.info
hxxp://pupipaly.info
hxxp://xuqazuji.info
hxxp://sivywaha.info
hxxp://cilihife.info
hxxp://sigabesu.info
hxxp://vipudito.info
hxxp://dimoxywe.info
hxxp://voceromu.info
hxxp://fokukybo.info
hxxp://bofomoca.info
hxxp://fotefuzy.info
hxxp://nomucaki.info
hxxp://najelefy.info
hxxp://gacopuha.info
hxxp://hadiqisi.info
hxxp://marageto.info
hxxp://hanybowe.info
hxxp://qexisyqu.info
hxxp://jejazono.info
hxxp://qedyruve.info
hxxp://kewijaxy.info
hxxp://webanuli.info
hxxp://kyzydaja.info
hxxp://ryhocigy.info
hxxp://lysetedi.info
hxxp://rywukipa.info
hxxp://zybomyre.info
hxxp://tulegoqu.info
hxxp://zuguvyno.info
hxxp://pupopave.info
hxxp://xuqezuxu.info
hxxp://puvuwalo.info
hxxp://cilahika.info
hxxp://sigybehy.info
hxxp://citidifi.info
hxxp://dimaxesa.info
hxxp://vicyroty.info
hxxp://dokijywu.info
hxxp://bofamomo.info
hxxp://fotyfube.info
hxxp://bomicacu.info
hxxp://goxepuzo.info
hxxp://najuleke.info
hxxp://gadoqihy.info
hxxp://maregefi.info
hxxp://hanubosa.info
hxxp://maxosyty.info
hxxp://jejezori.info
hxxp://qesuwyqa.info
hxxp://jewojane.info
hxxp://webynuvu.info
hxxp://kezidaxo.info
hxxp://wyhacile.info
hxxp://lysyteju.info
hxxp://rywikigi.info
hxxp://lyvamyda.info
hxxp://tylygopy.info
hxxp://zugivyri.info
hxxp://tupapaqa.info
hxxp://xuquluny.info
hxxp://puvowavu.info
hxxp://xulehuxo.info
hxxp://sifubeze.info
hxxp://citodiku.info
hxxp://simexeho.info
hxxp://vicurofe.info
hxxp://dikojysy.info
hxxp://vofemoti.info
hxxp://fotifuwa.info
hxxp://bonacamy.info
hxxp://foxytubi.info
hxxp://nojileco.info
hxxp://gadaqize.info
hxxp://narygeku.info
hxxp://hanibiho.info
hxxp://maxasyfe.info
hxxp://hahyzosu.info
hxxp://qesowypi.info
hxxp://jewejara.info
hxxp://qebunuqy.info
hxxp://kezodani.info
hxxp://wehexiva.info
hxxp://kysutexy.info
hxxp://ryqokilu.info
hxxp://lyvemyjo.info
hxxp://rylugoge.info
hxxp://zygavydu.info
hxxp://tupypopo.info
hxxp://zuqilura.info
hxxp://puvawaqy.info
hxxp://xukyhuni.info
hxxp://pufibeva.info
hxxp://citasicy.info
hxxp://simyxezi.info
hxxp://ciciroko.info
hxxp://dikejyhe.info
hxxp://vifumofu.info
hxxp://dorofuso.info
hxxp://bonecate.info
hxxp://foxutuwu.info
hxxp://bojolami.info
hxxp://godeqiba.info
hxxp://narugecy.info
hxxp://ganovizi.info
hxxp://mazysyka.info
hxxp://hahizohe.info
hxxp://masawyfu.info
hxxp://jewyjado.info
hxxp://qebinupe.info
hxxp://jezadaru.info
hxxp://wehyxiqo.info
hxxp://kepitena.info
hxxp://wyqakivy.info
hxxp://lyvumexi.info
hxxp://rylofola.info
hxxp://lygevyjy.info
hxxp://typupogi.info
hxxp://zuqoludo.info
hxxp://tucewape.info
hxxp://xukuhuru.info
hxxp://pufobeqo.info
hxxp://xutesine.info
hxxp://simixeby.info
hxxp://cicaroci.info
hxxp://sikyjyza.info
hxxp://vidinoky.info
hxxp://dirafyhi.info
hxxp://vonycafa.info
hxxp://foxituse.info
hxxp://bojalatu.info
hxxp://fodyqiwo.info
hxxp://norogeme.info
hxxp://gabevibu.info
hxxp://nazusyco.info
hxxp://hahozoza.info
hxxp://masewyky.info
hxxp://hawuhahi.info
hxxp://qebonuga.info
hxxp://jezedady.info
hxxp://qeguxupu.info
hxxp://weqykiqe.info
hxxp://kepatero.info
hxxp://kyvimenu.info
hxxp://rylafovo.info
hxxp://lygyvyxe.info
hxxp://rypipoly.info
hxxp://zymaluji.info
hxxp://tucyqaga.info
hxxp://zukihudy.info
hxxp://pufebepi.info
hxxp://xutusira.info
hxxp://pumoxeqe.info
hxxp://cicerimu.info
hxxp://sijujybo.info
hxxp://cidonoce.info
hxxp://direfyzu.info
hxxp://vinucaki.info
hxxp://doxotuha.info
hxxp://bojykafy.info
hxxp://fodiqisi.info
hxxp://bowageta.info
hxxp://gobyviwy.info
hxxp://nazisymu.info
hxxp://gahazobo.info
hxxp://masywyce.info
hxxp://hawihozu.info
hxxp://mabanuko.info
hxxp://jeludaje.info
hxxp://qegoxugy.info
hxxp://jeperedi.info
hxxp://wequkipa.info
hxxp://kevomery.info
hxxp://wylefoqi.info
hxxp://lyguvyno.info
hxxp://rytopove.info
hxxp://lymeluxu.info
hxxp://tyciqalo.info
hxxp://zukahuje.info
hxxp://tufybagu.info
hxxp://xutisidi.info
hxxp://pumazepa.info
hxxp://xuxyriry.info
hxxp://sijijywi.info
hxxp://cidanoma.info
hxxp://siryfyby.info
hxxp://vinocacu.info
hxxp://dixetuzo.info
hxxp://vojukake.info
hxxp://fosoqihu.info
hxxp://bowegefo.info
hxxp://fobuvisa.info
hxxp://nozopety.info
hxxp://gahezowi.info
hxxp://nasuwyma.info
hxxp://hawahoby.info
hxxp://mavynuci.info
hxxp://halidazo.info
hxxp://qegaxule.info
hxxp://jepyreju.info
hxxp://qeqikigo.info
hxxp://kevamede.info
hxxp://welyfopu.info
hxxp://kyficyri.info
hxxp://rytepoqa.info
hxxp://lymulyny.info
hxxp://rycoqavi.info
hxxp://zykehuxa.info
hxxp://tufubale.info
hxxp://zutosiju.info
hxxp://punezego.info
hxxp://xuxuride.info
hxxp://pujojypu.info
hxxp://cidynoto.info
hxxp://siridywa.info
hxxp://cinacamy.info
hxxp://dixytubi.info
hxxp://vihikaca.info
hxxp://dosaquzy.info
hxxp://bowygeki.info
hxxp://fobiviho.info
hxxp://bozapefe.info
hxxp://gohuzosu.info
hxxp://nasowyto.info
hxxp://gaqehowe.info
hxxp://mavubumy.info
hxxp://halodabi.info
hxxp://magexuca.info
hxxp://jepurexy.info
hxxp://qeqokili.info
hxxp://jevemeja.info
hxxp://wekifige.info
hxxp://kefacydu.info
hxxp://wytypopo.info
hxxp://lymilyre.info
hxxp://rycaqaqu.info
hxxp://lykyguno.info
hxxp://tyfibava.info
hxxp://zurasixy.info
hxxp://tunyzeli.info
hxxp://xuxorija.info
hxxp://pujejygy.info
hxxp://xudunodu.info
hxxp://sirodyso.info
hxxp://cinecote.info
hxxp://sizutuwu.info
hxxp://vihokamo.info
hxxp://disemube.info
hxxp://vowugecy.info
hxxp://fobavizi.info
hxxp://bozypeka.info
hxxp://fohizohy.info
hxxp://nopawyfi.info
hxxp://gaqyhosa.info
hxxp://navibute.info
hxxp://haladawu.info
hxxp://magyxumo.info
hxxp://hapirabe.info
hxxp://qeqejivu.info
hxxp://jecumexi.info
hxxp://qekofila.info
hxxp://kefecyjy.info
hxxp://wetupogi.info
hxxp://kymolyda.info
hxxp://ryceqapy.info
hxxp://lykuguru.info
hxxp://rydobaqo.info
hxxp://zyrysine.info
hxxp://tunizevu.info
hxxp://zuxawixo.info
hxxp://pujyjele.info
hxxp://xudinojy.info
hxxp://puradygi.info
hxxp://cibycofa.info
hxxp://sizitusy.info
hxxp://cihakati.info
hxxp://disumuwo.info
hxxp://viwogeme.info
hxxp://dobevibu.info
hxxp://bozupeco.info
hxxp://fogoloze.info
hxxp://bopewyku.info
hxxp://goquhohi.info
hxxp://navobyfa.info
hxxp://galedasy.info
hxxp://magixuti.info
hxxp://haparawa.info
hxxp://mamyjimy.info
hxxp://jecimenu.info
hxxp://qekafivo.info
hxxp://jefycyxe.info
hxxp://wetitolu.info
hxxp://kemalyjo.info
hxxp://wycyqaga.info
hxxp://lyjogudy.info
hxxp://rydebapi.info
hxxp://lyrusura.info
hxxp://tynozeqy.info
hxxp://zuxewini.info
hxxp://tujujevo.info
hxxp://xudonoxe.info
hxxp://puwedylu.info
hxxp://xubuxojo.info
hxxp://sizatuhe.info
hxxp://cihykafu.info
hxxp://sisimusi.info
hxxp://viwageta.info
hxxp://dibyviwy.info
hxxp://volipemi.info
hxxp://fogaliba.info
hxxp://bopywyce.info
hxxp://foqihozu.info
hxxp://novebyko.info
hxxp://galusahe.info
hxxp://nagoxufu.info
hxxp://hateraso.info
hxxp://mamujita.info
hxxp://hacomewy.info
hxxp://qekefiqi.info
hxxp://jefucyna.info
hxxp://qetotovy.info
hxxp://kemylyxi.info
hxxp://wexiqolo.info
hxxp://kyjaguje.info
hxxp://lyrisudo.info
hxxp://rynazepe.info
hxxp://zyxywiry.info
hxxp://tujijeqi.info
hxxp://rydyvagu.info
hxxp://zusanona.info
hxxp://puwudyvy.info
hxxp://xuboxoxi.info
hxxp://puzetula.info
hxxp://cihukake.info
hxxp://sisomuhu.info
hxxp://ciwefafo.info
hxxp://divuvise.info
hxxp://vilopetu.info
hxxp://dogeliwo.info
hxxp://bopiwyma.info
hxxp://foqahoby.info
hxxp://bovybyci.info
hxxp://golisaza.info
hxxp://nafaxuky.info
hxxp://gatyrahu.info
hxxp://mamijifo.info
hxxp://hacanese.info
hxxp://makyfitu.info
hxxp://jefocero.info
hxxp://qetetoqe.info
hxxp://jenulyny.info
hxxp://wexoqovi.info
hxxp://kejeguxa.info
hxxp://wyduvaly.info
hxxp://lyrosuji.info
hxxp://rynezega.info
hxxp://lyxuwide.info
hxxp://tyhahepu.info
hxxp://zusynoro.info
hxxp://tuwidyqe.info
hxxp://xubaxonu.info
hxxp://puzytyvi.info
hxxp://xuhikaxa.info
hxxp://sisamuzy.info
hxxp://ciqyfaki.info
hxxp://siviviha.info
hxxp://vilepefy.info
hxxp://digulisu.info
hxxp://vopoqyto.info
hxxp://foqehowe.info
hxxp://bovubymu.info
hxxp://fokosabo.info
hxxp://nofexuce.info

Related malicious URLs known to have participated in the campaign:
hxxp://melon25.ru - 81.94.205.228

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (melon25.ru - 81.94.205.228):
MD5: ca2747377512d13afb9a4a7f21fda0fc

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (melon25.ru - 81.94.205.228):
MD5: 4a71065a8996d38361bdb9d5ba6a9462
MD5: d6e6845ff3f0c2fbc55786f24240a3d4
MD5: 63fd18f6cf1b40f13d35268d314ed8d4
MD5: 2bea9dec83787c4686e5f8f9066cbf5b
MD5: 9877d0ad41b5589be300495c6acdd499

Related malicious MD5s known to have participated in the campaign:
MD5: d846f7ac66a9a932235fb415b96fee5d
MD5: 538ca97778ac886e121bc054574d7478
MD5: 246f497dc26d18d87f9398758ca1bcc2
MD5: 7969e4ef1b2fece87b806b5dfe25a3bb
MD5: e06dd5ba1a101f855604b486d90d2651

We'll, continue, monitoring, the, market, segment, for, mobile, malware, and, post, updates, as, soon, as, new, developments, take, place.