## INTRODUCING # ROKRAT #### A sophisticated malware campaign targeting South Korean government officials involved in reunification [THIS BLOG WAS AUTHORED BY WARREN MERCER AND PAUL RASCAGNERES](https://blogs.cisco.com/author/warrenmercer) [WITH CONTRIBUTIONS FROM MATTHEW MOLYETT.](http://blogs.cisco.com/author/matthewmolyett) ----- ### EXECUTIVE SUMMARY ##### Talos is tracking an actor that uses malicious documents using the Korean language in order to compromise systems. This actor is quick to cover their tracks and very quickly cleaned up compromised hosts used as Command and Control. We finally identified a new campaign, leveraging a malicious Hangul Word Processor (HWP) document. After analyzing the payload, we determined the malware was a Remote Administration Tool which we have named, ROKRAT. This campaign started with a spear phishing email containing a malicious attachment, the HWP document. One of the identified emails was sent from the email server of Yonsei, a private university in Seoul. The address used in the email was ‘kgf2016@yonsei.ac.kr’ which is the contact email of the Korea Global Forum where the slogan in 2016 was “Peace and Unification of the Korean Peninsula” which gave more credit and legitimacy to the email. The HWP document contained an embedded Encapsulated PostScript (EPS) object. This is zlib compressed and trivial to obtain. The purpose of the EPS is to exploit a well-known vulnerability (CVE-2013-0808) to download a binary disguised as a .jpg file. This file is decoded and finally an executable is launched, ROKRAT. This RAT has the added complexity that the command and control servers are legitimate websites. The malware uses Twitter and two cloud platforms, Yandex and Mediafire, apparently for both C2 communications and exfiltration platforms. Unfortunately, these platforms are difficult to block globally within organizations as their use can be viewed as legitimate in most cases. Additionally, these 3 platforms all make use of HTTPS connectivity making it much more difficult to identify specific patterns or the usage of specific tokens. ----- ##### SPEAR PHISHING CAMPAIGN At right are examples of the emails used against victims in South Korea. The first email Talos discovered was the most interesting. In this first sample, we observed the attackers praising the user for accepting to join a panel relating to the “Korean Reunification and North Korean Conference”. The text in the email explains that the receiver should complete the document to provide necessary feedback. However, this appears to be a fake conference. The closest match we identified to any Unification conference was held in January 2017 which was the NYDA [Reunification conference. The sender is ‘kgf2016@](https://nkleadershipwatch.wordpress.com/2017/01/19/nyda-reunification-joint-conference-held/) yonsei.ac.kr’ which is the contact email of the **[Korea Global Forum.](http://www.kgforum.kr/)** When we analyzed the email headers we were able to determine the Sender IP was 165.132.10.103. With a little magic from ‘nslookup’, we quickly determined this to be part of the Yonsei University network, the SMTP server in fact. We believe that the email address was compromised and abused by the attackers to send the email used in this campaign. The sample filename translates as ‘Unification North Korea Conference _ Examination Documents’ _Examples of the emails used_ which reinforces the text in the email about the _against victims in South Korea._ reunification conference. For an added bonus, the attacker even suggests in the email that people who completed the document would get paid a ‘small fee’. Perhaps the gift of embedded malware is the payment. We suspect the attacker is hoping the victim will feel empathetic toward the sender as the Kangwon The second email Talos analyzed had less effort Province (where Munch'ŏn is located) was applied. The email was from a free Korean mail previously part of South Korea. The attachment service provided by Daum, Hanmail, showing contains a story about a person called ‘Ewing Kim’ there was no attempt at trying to appear to be who is looking for help. from an official body or person compared with the previous email. The subject was merely ‘Request The email’s attachments are two different HWP Help’ while the attachment filename was ‘I’m a documents that were both leveraging same munchon person in Gangwon-do, North Korea’. vulnerability, CVE-2013-0808. ----- ##### MALICIOUS HWP DOCUMENT A​n​ ​H​W​P​ ​d​o​c​u​m​e​n​t​ ​i​s​ ​c​o​m​p​o​s​e​d​ ​b​y​ ​O​L​E​ ​o​b​j​e​c​t​s​.​ ​I​n​ ​t​h​i​s​ ​c​a​s​e​,​ ​i​t​ ​c​o​n​t​a​i​n​s​ ​a​n​ ​E​P​S​ ​o​b​j​e​c​t​ ​n​a​m​e​d​ ​B​I​N​0​0​0​1​.​e​p​s​.​ ​ A​s​ ​w​i​t​h​ ​a​l​l​ ​H​W​P​ ​d​o​c​u​m​e​n​t​s​ ​t​h​e​ ​i​n​f​o​r​m​a​t​i​o​n​ ​i​s​ ​z​l​i​b​ ​c​o​m​p​r​e​s​s​e​d​ ​s​o​ ​y​o​u​ ​m​u​s​t​ ​d​e​c​o​m​p​r​e​s​s​ ​t​h​e​ ​.​e​p​s​ ​t​o​ ​g​e​t​ ​t​h​e​ ​ t​r​u​e​ ​s​h​e​l​l​c​o​d​e​.​ ``` u​s​e​r​@​l​n​x​$​ oledump .py 183be2035d5a546670d2b9deeca4eb59 1: 497 '\x05HwpSummaryInformation' 2: 2708 'BinData/BIN0001.eps' 3: 2560 'BodyText/Section0' 4: 265 'BodyText/Section1' 5: 3202 'DocInfo' 6: 524 'DocOptions/_LinkDoc' 7: 256 'FileHeader' 8: 2866 'PrvImage' 9: 1380 'PrvText' 10: 136 'Scripts/DefaultJScript' 11: 13 'Scripts/JScriptVersion' ``` T​h​e​ ​s​h​e​l​l​c​o​d​e​ ​u​s​e​d​ ​t​o​ ​e​x​p​l​o​i​t​ ​t​h​e​ ​C​V​E​-​2​0​1​3​-​0​8​0​8​ ​c​a​n​ ​b​e​ ​i​d​e​n​t​i​f​i​e​d​ ​i​n​ ​t​h​e​ ​E​P​S​ ​o​b​j​e​c​t​:​ ``` 0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​ 0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​ 0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​ 0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​ 0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​9​0​9​0​9​0​9​0​9​0​9​0​9​0​9​0​9​0​9​0​E​8​0​0​0​0​0​0​0​0​5​E​8​9​3​6​1​4​2​F​0​0​8​1​E​9​0​8​1​4​2​F​0​0​0​3​F​1​8​3​C​6​0​2​3​E​8​A​0​6​3​4​ 9​0​4​6​B​9​7​E​1​8​2​F​0​0​8​1​E​9​3​9​1​4​2​F​0​0​3​E​3​0​0​6​4​6​4​9​8​3​F​9​0​0​7​5​F​6​E​B​G​3​9​0​9​0​6​2​1​8​1​A​F​1​F​2​F​2​9​6​5​3​C​2​F​2​F​2​F​2​C​C​7​9​8​2​F​E​C​C​7​9​ 8​2​E​E​C​C​7​9​A​2​F​A​C​C​7​2​8​A​E​E​E​A​C​C​7​9​F​2​8​7​0​0​7​9​3​0​3​1​A​7​7​9​1​E​A​4​A​5​C​4​7​9​8​7​F​A​C​1​0​D​C​1​3​2​0​E​5​E​7​6​3​2​8​6​F​5​3​3​3​D​F​F​F​1​0​A​1​9​0​6​ 7​9​3​5​A​D​A​C​A​F​3​0​F​6​F​2​A​7​7​9​1​E​A​1​A​4​A​5​9​2​C​4​7​9​8​F​F​E​C​4​7​9​9​F​F​A​C​4​7​ ``` A​n​ ​i​n​t​e​r​e​s​t​i​n​g​ ​t​h​i​n​g​ ​i​s​ ​t​h​a​t​ ​t​h​e​ ​s​h​e​l​l​c​o​d​e​ ​d​o​e​s​ ​n​o​t​ ​s​t​a​r​t​ ​w​i​t​h​ ​a​ ​‘​n​o​r​m​a​l​’​ ​N​O​P​ ​s​l​e​d​ ​u​s​i​n​g​ ​0​x​9​0​ ​b​u​t​ ​w​i​t​h​ ​0​x​0​4​0​4​ ​ (​a​d​d​ ​a​l​,​ ​0​x​4​)​:​ ``` u​s​e​r​@​l​n​x​$​ ​r​a​s​m​2​ ​-​d​ ​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​0​4​9​0​9​0​9​0​9​0​9​0​9​0​9​0​9​0​9​0​9​0​E​8​0​0​0​0​0​0​0​0​5​E​ a​d​d​ ​a​l​,​ ​0​x​4​ a​d​d​ ​a​l​,​ ​0​x​4​ a​d​d​ ​a​l​,​ ​0​x​4​ a​d​d​ ​a​l​,​ ​0​x​4​ a​d​d​ ​a​l​,​ ​0​x​4​ n​o​p​ n​o​p​ n​o​p​ n​o​p​ n​o​p​ n​o​p​ n​o​p​ n​o​p​ n​o​p​ n​o​p​ c​a​l​l​ ​0​x​1​9​ p​o​p​ ​e​s​i​ ``` ----- T​h​e​ ​p​u​r​p​o​s​e​ ​o​f​ ​t​h​e​ ​s​h​e​l​l​c​o​d​e​ ​e​m​b​e​d​d​e​d​ ​i​n​ ​t​h​e​ ​2​ ​H​W​P​ ​d​o​c​u​m​e​n​t​s​ ​i​s​ ​t​o​ ​d​o​w​n​l​o​a​d​ ​a​n​d​ ​t​o​ ​d​e​c​o​d​e​ ​a​ ​p​a​y​l​o​a​d​ ​ a​va​i​l​a​b​l​e​ ​o​n​ ​t​h​e​ ​I​n​t​e​r​n​e​t​.​ ​O​n​c​e​ ​d​e​c​o​d​e​d​,​ ​t​h​e​ ​f​i​l​e​ ​(​a​ ​P​E​3​2​)​ ​i​s​ ​e​x​e​c​u​t​e​d​;​ ​h​e​r​e​ ​i​s​ ​t​h​e​ ​e​x​t​r​a​c​t​e​d​ ​U​R​L​ ​w​h​i​c​h​ ​t​h​e​ ​ d​o​c​um​e​n​t​ ​a​t​t​e​m​p​t​s​ ​t​o​ ​d​o​w​n​l​o​a​d​ ​t​h​e​ ​.​j​p​g​ ​f​r​o​m​:​ **S​H​A​2​5​6​:​​7​d​1​6​3​e​3​6​f​4​7​e​c​5​6​c​9​f​e​0​8​d​7​5​8​a​0​7​7​0​f​1​7​7​** **S​H​A​2​5​6​:​ ​5​4​4​1​f​4​5​d​f​2​2​a​f​6​3​4​9​8​c​6​3​a​4​9​a​a​e​8​2​0​6​5​0​8​** 8​f​a​3​0​a​f​6​8​f​3​9​a​a​c​8​0​4​4​1​a​3​f​0​3​7​7​6​1​e​ 6​9​6​4​f​9​0​6​7​c​f​a​7​5​9​8​7​9​5​1​8​3​1​0​1​7​b​d​4​f​ ​ **F​i​l​e​n​a​m​e​:​​ᄐ​ᅩ​ᆼ​ᄋ​ᅵ​ᆯ​ᄇ​ᅮ​ᆨ​ᄒ​ᅡ​ᆫ​ᄒ​ᅡ​ᆨ​ᄉ​ᅮ​ᆯ​ᄃ​ᅢ​ᄒ​ᅬ​_​ᄉ​ᅵ​ᆷ​ᄉ​ᅡ​ᄉ​ᅥ​ᄅ​.​h​w​p​** **F​i​l​e​n​a​m​e​:​ ​저​는​요​ ​북​조​선​ ​강​원​도​ ​문​천​ ​사​람​이​에​요​.​h​w​p​ ​** ​(​“​N​o​r​t​h​ ​K​o​r​e​a​ ​C​o​n​f​e​r​e​n​c​e​ ​_​ ​E​x​a​m​i​n​a​t​i​o​n​ ​D​o​c​u​m​e​n​t​s​”​)​ (​“​I​'​m​ ​a​ ​m​u​n​c​h​o​n​ ​p​e​r​s​o​n​ ​f​r​o​m​ ​G​a​n​g​w​o​n​ ​P​r​o​v​i​n​c​e​ ​i​n​ ​N​o​r​t​h​ ​K​o​r​e​a​.​”​)​ **U​R​L​:​ ​h​t​t​p​:​/​/​d​i​s​c​g​o​l​f​g​l​o​w​[​.​]​c​o​m​:​/​w​p​-​c​o​n​t​e​n​t​/​p​l​u​g​i​** n​s​/​m​a​i​n​t​e​n​a​n​c​e​/​i​m​a​g​e​s​/​w​o​r​k​e​r​.​j​p​g **U​R​L​:​ ​h​t​t​p​:​/​/​a​c​d​d​e​s​i​g​n​s​[​.​]​c​o​m​[​.​]​a​u​/​c​l​i​e​n​t​s​/​** A​C​P​R​C​M​/​k​i​n​g​s​t​o​n​e​.​j​p​g ----- ##### ROKRAT ANALYSIS The RAT downloaded by the 2 HWP documents belong to the same family. The main difference between the samples are the Command and Control capabilities. One of the samples analyzed only uses Twitter to interact with the RAT while the second one uses Twitter as well as the cloud platforms: Yandex and Mediafire. The Twitter tokens we were able to extract are the same in both variants. There is obvious ongoing effort to add features to this RAT to allow for more sophisticated levels of attacks. ###### ANALYSIS FRUSTRATIONS! FIGURE A The ROKRAT author implements several techniques typically seen to frustrate human analysts and avoid sandbox execution. First, the malware does not run on Windows XP systems. It uses the GetVersion() API to get the OS [version. If the MajorVersion](https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms724833(v=vs.85).aspx) is 5 (corresponding to Windows XP or Windows Server 2003), the malware executes an infinite loop of sleep, as shown in FIGURE A. **FIGURE B** Additionally, the malware checks the current running processes in order to identify tools usually used by malware analysts or within sandbox environments. **FIGURE B shows the code used to perform this task.** The malware checks the process names in use on the victim machine. It compares if the executed process name matches a partial name hardcoded in the sample. Here is the complete list: - “mtool” for VMWare - “rocex” for Process Tools Explorer - “llyd” for OllyDBG - “vbox” for VirtualBox - “ython” for Python (used by Cuckoo - “iddler” for Fiddler Sandbox for - “ortmo” for Portmon example) - “iresha” for - “ilemo” for File Wireshark Monitor - “rocmo” for Process - “egmon” for Monitor Registry Monitor - “utoru” for Autoruns - “peid” for PEiD - “cpvie” for TCPView ----- If any of these processes are discovered running on the system during this phase of execution, the malware jumps to a fake function which generates dummy HTTP traffic. Furthermore, we discovered that if the malware is being debugged or if it was not executed from the HWP document (i.e. double clicking the binary), or if the OpenProcess() function succeed on the parent process the fake function is called as well. The purpose of this appears to be to generate network traffic to provide some level of feedback/discovery during any dynamic analysis research. This could generate a seemingly ‘good’ indicator of compromise when in fact it is merely fake traffic generated. The fake function performs connections to the following URLs: **• https://www[.]amazon[.]com/Men-War-PC/dp/B001QZGVEC/EsoftTeam/watchcom.jpg** **• http://www[.]hulu[.]com/watch/559035/episode3.mp4** ``` 104.119.137.206 HTTP 117 GET lwatch/SSQOBS/episodeB.mp4 HTTP/1.1 104.119.137.206 HTTP 128 GET lwatch/SSQOBS HTTP/1.1 104.119.137.206 HTTP 117 GET lwatch/SSQOBS/episodeB.mp4 HTTP/1.1 104.119.137.206 HTTP 128 GET lwatch/SSQOBS HTTP/1.1 104.119.137.206 HTTP 117 GET lwatch/SSQOBS/episodeB.mp4 HTTP/1.1 104.119.137.206 HTTP 128 GET lwatch/SSQOBS HTTP/1.1 104.119.137.206 HTTP 117 GET lwatch/SSQOBS/episodeB.mp4 HTTP/1.1 104.119.137.206 HTTP 128 GET lwatch/SSQOBS HTTP/1.1 104.119.137.206 HTTP 117 GET lwatch/SSQOBS/episodeB.mp4 HTTP/1.1 104.119.137.206 HTTP 128 GET lwatch/SSQOBS HTTP/1.1 104.119.137.206 HTTP 117 GET lwatch/SSQOBS/episodeB.mp4 HTTP/1.1 104.119.137.206 HTTP 128 GET lwatch/SSQOBS HTTP/1.1 ``` The Amazon URL displays a WWII game called ‘Men of War’ whilst the Hulu URL attempts to stream a Japanese anime show called ‘Golden Time’. These URLs are not malicious; the malware pretends to navigate these locations. The files do not exist during the investigation and were downloaded only if a malware analyst tool is running on _Japanese anime show ‘Golden Time’, shown on Hulu_ the system. We believe these URLs are used to attempt to trick any analysis. ----- ###### C&C INFRASTRUCTURE ROKRAT uses a legitimate platform in order to communicate, receive orders and exfiltrate documents. In total, we identified 12 hardcoded tokens used to communicate to these legitimate platforms all via their public APIs. **CC #1: TWITTER:** **FIGURE C** The first CC discovered is Twitter. We identified 7 different Twitter API tokens hardcoded in the sample (Consumer Key + Consumer Secret + Token + Token Secret). The malware is able to get orders by checking the last message on the Twitter timeline. The order can be either execute commands, move a file, remove a file, kill a process, download, and execute a file. The RAT is able to tweet also and the sent data is randomly prefixed by one following 3 characters hardcoded word: SHA-TOM-BRN-JMS-ROC-JAN-PED-JHN-KIM- LEE- To perform these tasks, the malware uses the official Twitter API, as seen in FIGURE C. **CC #2: YANDEX:** The second CC is Yandex and more specifically the Yandex cloud platform and the platform **FIGURE D** allows the creation of disks in the Yandex cloud. Concerning this CC, we identified 4 Yandex tokens hardcoded in the sample. The API in FIGURE D is used to download and execute files or to upload stolen documents. The exfiltrated documents are uploaded to: disk:/12ABCDEF/Document/ Doc20170330120000.tfs Where “12ABCDEF” is a random hexadecimal ID to identify the target and Doc20170330120000 contains the date. ----- **CC #3: MEDIAFIRE:** The last cloud platform used by the Remote Administration Tool is Mediafire. This website is **FIGURE E** used in the same way as Yandex with the purpose being to use the file storage provided by Mediafire in order to download and execute files or to upload stolen information. See FIGURE E. In this case, the malware author hardcoded one account in the sample (email / password / application ID). ###### ADDITIONAL FEATURES: SCREENSHOTS CAPTURE & KEYLOGGER Additionally, one of the samples is able to capture screenshots of the infected system. To perform this task, the developer used the GDI API, as shown in FIGURE F. A keylogger is also present in the analyzed sample. The SetWindowsHookEx() API is used to retrieve the stroked keys and the GetKeyNameText() API is used to retrieve a string **FIGURE F** that represents the name of a key. In addition to the key, the title of the foreground window is stored in order to known where the infected user is typing (by using the GetForegroundWindow() and GetWindowText() API). See FIGURE G. **FIGURE G** ----- ##### CONCLUSION COVERAGE This campaign shows us a motivated malware Additional ways our customers can detect and actor. The usage of HWP (an application mainly block this threat are listed below. used in Korea) and the fact that emails and documents are perfectly written in Korean suggests **PRODUCT** **PROTECTION** that the author is a native Korean speaker. AMP The RAT used during this campaign was CWS innovative, using novel communication channels. ROKRAT uses Twitter and two cloud platforms Email Security (Yandex and Mediafire) in order to give orders, Network Security send files, and get files. This communication channel is extremely hard to contain because Threat Grid organizations often have legitimate uses of these Umbrella platforms. The malware includes exotic features such as the fact that it performs requests to WSA legitimate websites (Amazon and Hulu) if the sample is executed in a sandbox or if a malware [Advanced Malware Protection (AMP) is ideally](http://www.cisco.com/c/en/us/support/security/amp-firepower-software-license/tsd-products-support-series-home.html) analyst tool is used. We assume the goal is to suited to prevent the execution of the malware generate incorrect reports and IOC. used by these threat actors. This investigation shows us once again that South **[CWS or WSA web scanning prevents access to](http://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html)** Korean interests sophisticated threat actors. malicious websites and detects malware used in In this specific case, the actor compromised a these attacks. legitimate email address of a big forum organized **[Email Security can block malicious emails sent by](http://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html)** by a university in Seoul in order to forge the spear threat actors as part of their campaign. phishing email, which increased the chance of success. We know that it was a success because [The Network Security protection of IPS and NGFW](http://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html) during our research we identified infected systems have up-to-date signatures to detect malicious communicating with the command & control network activity by threat actors. previously mentioned. **[AMP Threat Grid helps identify malicious binaries](http://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html)** and build protection into all Cisco Security products. **[Umbrella, our secure internet gateway (SIG),](https://umbrella.cisco.com/)** blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network ----- ##### I​O​C​S​ ###### F​I​L​E​S​ ​H​A​S​H​E​S​ T​O​K​E​N​S​ H​W​P​ ​D​o​c​u​m​e​n​t​s​:​ **M​E​D​I​A​F​I​R​E​** - 7​d​1​6​3​e​3​6​f​4​7​e​c​5​6​c​9​f​e​0​8​d​ **A​c​c​o​u​n​t​ ​#​1​** 7​5​8​a​0​7​7​0​f​1​7​7​8​f​a​3​0​a​f​6​8​f​ 3​9​a​a​c​8​0​4​4​1​a​3​f​0​3​7​7​6​1​e​ **U​s​e​r​n​a​m​e​:​ ​k​s​y​1​8​2​8​2​4​@​g​m​a​i​l​.​c​o​m​** **A​p​p​l​i​c​a​t​i​o​n​ ​I​D​:​ ​8​1​3​4​2​** - 5​4​4​1​f​4​5​d​f​2​2​a​f​6​3​4​9​8​c​6​3​a​ 4​9​a​a​e​8​2​0​6​5​0​8​6​9​6​4​f​9​0​6​7​ **T​W​I​T​T​E​R​** c​f​a​7​5​9​8​7​9​5​1​8​3​1​0​1​7​b​d​4​f​ ​ A​c​c​o​u​n​t​ ​#​1 R​O​K​R​A​T​ ​P​E​3​2​:​ **​C​o​n​s​u​m​e​r​ ​k​e​y​:​ ​s​O​P​c​U​K​j​J​t​e​Y​r​g​8​k​l​X​C​4​X​U​l​k​9​l​** - c​d​1​6​6​5​6​5​c​e​0​9​e​f​4​1​0​c​5​b​b​a​ **T​o​k​e​n​:​ ​7​2​2​2​2​6​1​7​4​0​0​8​3​1​5​9​0​4​-​u​6​P​1​F​l​I​7​I​D​g​8​V​I​Y​e​7​2​0​X​0​g​q​D​Y​c​A​M​Q​A​R​** 4​0​b​a​d​0​b​4​9​4​4​1​a​f​6​c​f​b​4​8​7​ 7​2​e​7​e​4​a​9​d​e​3​d​6​4​6​b​4​8​5​1​c​ A​c​c​o​u​n​t​ ​#​2​ - 0​5​1​4​6​3​a​1​4​7​6​7​c​6​4​7​7​b​6​d​a​ **C​o​n​s​u​m​e​r​ ​k​e​y​:​ ​s​g​p​a​l​y​F​1​K​u​k​V​K​a​P​A​e​P​b​3​E​G​e​M​T​** c​d​6​3​9​f​3​0​a​8​a​5​b​9​e​1​2​6​f​f​3​1​ **T​o​k​e​n​:​ ​7​5​9​5​7​7​6​3​3​6​3​0​5​9​3​0​2​9​-​C​Q​z​X​M​f​v​s​Q​2​R​z​t​F​Y​a​w​U​P​e​V​b​A​z​c​S​n​w​l​l​X​** 5​3​2​b​5​8​f​c​2​9​c​8​3​6​4​6​0​4​d​0​0​ A​c​c​o​u​n​t​ ​#​3​ **C​o​n​s​u​m​e​r​ ​k​e​y​:​ ​X​V​v​a​u​o​X​K​f​n​A​U​m​2​q​d​R​1​n​N​E​Z​q​k​N​** ###### N​E​T​W​O​R​K​S​ T​o​k​e​n​:​ ​7​5​2​3​0​2​1​4​2​4​7​4​0​5​1​5​8​5​-​r​2​T​H​1​D​k​8​t​U​5​T​e​t​U​y​f​n​w​9​c​5​O​g​A​1​p​o​p​T​j​ M​a​l​i​c​i​o​u​s​ ​U​R​L​s​:​ A​c​c​o​u​n​t​ ​#​4​ - h​t​t​p​:​/​/​d​i​s​c​g​o​l​f​g​l​o​w​[​.​]​c​o​m​:​ **C​o​n​s​u​m​e​r​ ​k​e​y​:​ ​U​1​A​o​C​S​L​L​H​x​f​e​D​b​t​x​R​X​V​g​j​7​y​0​0​** /​w​p​-​c​o​n​t​e​n​t​/​p​l​u​g​i​n​s​/​ **T​o​k​e​n​:​ ​7​7​9​5​4​6​4​9​6​6​0​3​5​6​1​9​8​4​-​Q​m​8​C​k​n​T​v​S​4​n​K​x​W​O​B​4​t​J​v​b​t​B​U​M​B​f​N​C​K​E​** m​a​i​n​t​e​n​a​n​c​e​/​i​m​a​g​e​s​/​ w​o​r​k​e​r​.​j​p​g​ A​c​c​o​u​n​t​ ​#​5​ **C​o​n​s​u​m​e​r​ ​k​e​y​:​ ​9​n​d​X​A​B​6​U​c​x​h​Q​V​o​B​A​k​E​K​n​w​z​t​4​C​** - h​t​t​p​:​/​/​a​c​d​d​e​s​i​g​n​s​.​c​o​m​[​.​]​a​u​/​ c​l​i​e​n​t​s​/​A​C​P​R​C​M​/ **T​o​k​e​n​:​ ​7​7​7​8​5​2​1​5​5​2​4​5​0​8​0​5​7​6​-​H​0​k​X​Y​c​Q​C​p​V​6​q​i​F​E​R​3​8​h​3​w​S​1​t​B​F​d​R​O​c​Q​** ​k​i​n​g​s​t​o​n​e​.​j​p​g​ A​c​c​o​u​n​t​ ​#​6​ N​o​t​ ​m​a​l​i​c​i​o​u​s​ ​U​R​L​s​ ​b​u​t​ ​c​o​uld​ ​ **C​o​n​s​u​m​e​r​ ​k​e​y​:​ ​Q​C​D​X​T​a​O​C​P​B​Q​M​4​V​Z​i​g​r​R​j​2​C​n​J​i​** b​e​ ​u​s​e​ ​t​o​ ​i​d​e​n​t​i​f​y​ ​R​A​T​ **T​o​k​e​n​:​ ​7​7​5​8​4​9​5​7​2​1​2​4​3​0​7​4​5​7​-​4​I​C​T​j​Y​m​O​f​A​y​5​M​X​2​F​x​U​H​V​d​U​f​q​e​N​T​Y​Y​q​j​** ​e​x​e​c​u​t​i​o​n​:​ A​c​c​o​u​n​t​ ​#​7​ h​t​t​p​s​:​/​/​w​w​w​[​.​]​a​m​a​z​o​n​[​.​]​c​o​m​/ **C​o​n​s​u​m​e​r​ ​k​e​y​:​ ​2​D​Q​8​G​q​K​h​D​W​p​5​5​X​I​l​7​7​E​s​9​o​F​R​V​** ​M​e​n​-​W​a​r​-​P​C​/​d​p​/​B​0​0​1​Q​Z​G​V​E​C​ **T​o​k​e​n​:​ ​7​7​8​8​5​5​4​1​9​7​8​5​1​5​4​5​6​0​-​0​Y​U​V​Z​t​Z​j​K​b​l​o​2​g​T​G​W​K​i​N​F​6​7​R​O​w​S​9​M​M​q​** /​E​s​o​f​t​T​e​a​m​/​w​a​t​c​h​c​o​m​.​j​p​g​ Y​a​n​d​e​x​ h​t​t​p​:​/​/​w​w​w​[​.​]​h​u​l​u​[​.​]​c​o​m​/​ **T​o​k​e​n​ ​#​1​:​ ​A​Q​A​A​A​A​A​Y​m​4​q​t​A​A​N​s​s​-​X​F​f​X​3​F​j​U​8​V​m​V​R​7​6​k​4​a​M​A​0​** w​a​t​c​h​/​5​5​9​0​3​5​/​e​p​i​s​o​d​e​3​.​m​p​4​ **T​o​k​e​n​ ​#​2​:​ ​A​Q​A​A​A​A​A​A​8​u​D​K​A​A​N​x​E​x​o​j​b​q​p​s​-​U​O​I​i​8​k​c​8​E​A​h​c​q​8​** **T​o​k​e​n​ ​#​3​:​ ​A​Q​A​A​A​A​A​Y​9​j​8​K​A​A​N​y​U​L​D​u​Y​U​1​2​4​0​r​j​v​p​N​X​c​R​d​F​5​T​w​** **T​o​k​e​n​ ​#​4​:​ ​A​Q​A​A​A​A​A​Z​D​P​B​1​A​A​N​6​l​1​H​t​3​c​t​A​L​U​1​f​l​i​x​5​7​T​v​u​M​a​4​** -----