Hacking the Hackers

Sometimes it’s fun to turn the tables on the bad guys. A hobby of mine is hijacking botnets to see what all the fuss is about. The goal for today is to gain a shell on the malware host server.

 DISCLAIMER: Don’t do any of this. It’s almost certainly illegal and jail sucks.

Anyway. C&C web panels are commonly included with malware, and act as a central dashboard providing statistics, command functionality, and access to stolen information such as passwords. As they are essentially the heart and brain of a malware campaign and can be used to control thousands of infected hosts they tend to be hidden on obscure domains, deep from the prying eyes of Google and other search indexers, making them difficult to discover. The panels themselves are usually secured with long and complicated passwords and sometimes require specific URL parameters to be present before access is granted.

 They also tend to be poorly coded and subject to exploitation, which we will leverage to our advantage. 

First, we need to find an admin panel for an active botnet. This can be difficult, depending on your standards, and often is time consuming. Options including reverse-engineering malware found in the wild, using a malware tracker, or social engineering someone on one of the underground forums. Because I’m lazy I chose option 2, using a malware tracker, which conveniently provides the C&C url directly. The downside is the link most likely will not last long now as it has been marked as a malware host. Most serious threat actors will migrate to a new domain at the first whiff of public detection.

Fig 1: malware tracker

Looking at some recent URLs we see a domain hosting both KeyBase and Pony, making this ideal for reasons discussed shortly. Serious players almost never use a single host for multiple C&C panels, meaning the owner or owners are most likely new to the scene and inexperienced. This is good for us as it increases our chances at finding a bug or mistake to exploit.

As detailed by Paolo Stagno at VoidSec, the panel for KeyBase is rather poorly coded and has a couple of major vulnerabilities, including SQL injection.  Here’s the vulnerable bit of code, located in file post.php:

Fig 2: post.php variable definitions

Fig 3: vulnerable $sqlinsertn function

Notice the utter lack of input validation – escaping the query and appending our own code at $machinename in figure 3 is what allows us to own this server.

Using sqlmap we can view the databases available to the mysql user. We also learn that the backend is Windows, and that we have db-admin privileges. We also can tell from the table names of the current db that a zeus or citadel panel is lurking somewhere on the server.

According to VoldSec the KeyBase application also has a file upload vulnerability. Unfortunately I was unable to get this to work, leaving us to find another way to access the backend system.

Now, due to design flaw or some other unknown reason, the creators of the Pony malware loader store the login credentials for the panel to the database itself…in plain text. Let’s take a look:

Fig 4: Pony C&C panel users

Now we have the admin credentials for one of the panels present: dmjcode/NAS12345

Fig 5: infected machines and stolen passwords

Fig 6: Nope

Fig 7: write errors on sqlmap

Fig 8: Pony config.php showing db credentials

Now we’re getting somewhere. Using the mysql username and pass we can now login to the phpmyadmin panel.

Fig 9: Looking at some local databases

Using phpmyadmin, let’s add a single 1-line backdoor:

Fig 10: Simple PHP backdoor. I chose a random table to add it to

Closer view:

Fig 11: Same

Using the MySQL SELECT into outfile command, we can write to the local file system. Because this is Windows, we have permission to write to the local htdocs folder:

Fig 12: Writing the backdoor to the local file system

Now we have a backdoor to the local windows machine.

Fig 13: Viewing the local file system

Using a combination of local files and executing my own SQL statements, I was able to find the zeus panel and log myself in. The password was the same as with pony – don’t reuse passwords! Even bad guys make this mistake.

Fig 14: Zeus family malware C&C panel. Not sure which one this is.

Poking around on the zeus panel, it seemed some of the bots were pushing version of cryptolocker. Unfortunately I was not able to penetrate the host that controlled this software. The good news is that they were using a version of cryptolocker-type malware that Kaspersky has a tool to decrypt files.

Also on host were CC tracks and full card info for online and in-store fraudulent purchases.

Fig 15: CC info

The owners of the malware caught on at this point and took everything offline. Unfortunately for them, all the bots not yet suffering from cryptolocker were deleted by me first 🙂

Print Share Comment Cite Upload Translate

APA

() » Hacking the Hackers. Retrieved from https://www.truth.cx/2016/12/19/hacking-the-hackers/.

MLA

" » Hacking the Hackers." - , https://www.truth.cx/2016/12/19/hacking-the-hackers/

HARVARD

» Hacking the Hackers., viewed ,

VANCOUVER

- » Hacking the Hackers. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2016/12/19/hacking-the-hackers/

CHICAGO

" » Hacking the Hackers." - Accessed . https://www.truth.cx/2016/12/19/hacking-the-hackers/

IEEE

" » Hacking the Hackers." [Online]. Available: https://www.truth.cx/2016/12/19/hacking-the-hackers/. [Accessed: ]

Select a language: Afrikaans Albanian Arabic Armenian Basque Bengali Bulgarian Catalan Cambodian Chinese (Mandarin) Croatian Czech Danish Dutch English Estonian Fiji Finnish French Georgian German Greek Gujarati Hebrew Hindi Hungarian Icelandic Indonesian Irish Italian Japanese Javanese Korean Latin Latvian Lithuanian Macedonian Malay Malayalam Maltese Maori Marathi Mongolian Nepali Norwegian Persian Polish Portuguese Punjabi Quechua Romanian Russian Samoan Serbian Slovak Slovenian Spanish Swahili Swedish Tamil Tatar Telugu Thai Tibetan Tonga Turkish Ukrainian Urdu Uzbek Vietnamese Welsh Xhosa Sometimes it's fun to turn the tables on the bad guys. A hobby of mine is hijacking botnets to see what all the fuss is about. The goal for today is to gain a shell on the malware host server.<br /><br /> DISCLAIMER: Don't do any of this. It's almost certainly illegal and jail sucks.<br /><br />Anyway. C&C web panels are commonly included with malware, and act as a central dashboard providing statistics, command functionality, and access to stolen information such as passwords. As they are essentially the heart and brain of a malware campaign and can be used to control thousands of infected hosts they tend to be hidden on obscure domains, deep from the prying eyes of Google and other search indexers, making them difficult to discover. The panels themselves are usually secured with long and complicated passwords and sometimes require specific URL parameters to be present before access is granted.<br /><br /> They also tend to be poorly coded and subject to exploitation, which we will leverage to our advantage.  <br /><br />First, we need to find an admin panel for an active botnet. This can be difficult, depending on your standards, and often is time consuming. Options including reverse-engineering malware found in the wild, using a malware tracker, or social engineering someone on one of the underground forums. Because I'm lazy I chose option 2, using a malware tracker, which conveniently provides the C&C url directly. The downside is the link most likely will not last long now as it has been marked as a malware host. Most serious threat actors will migrate to a new domain at the first whiff of public detection. <br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-YqzsIQ9hfSY/WDttCzh86AI/AAAAAAAAZCc/qxiP5OZAkQsf-9T4bUfdvFyyKCmerzdRwCLcB/s1600/2016-11-27-153237_780x630_scrot.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="322" src="https://4.bp.blogspot.com/-YqzsIQ9hfSY/WDttCzh86AI/AAAAAAAAZCc/qxiP5OZAkQsf-9T4bUfdvFyyKCmerzdRwCLcB/s400/2016-11-27-153237_780x630_scrot.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Fig 1: malware tracker</td></tr></tbody></table><br />Looking at some recent URLs we see a domain hosting both KeyBase and Pony, making this ideal for reasons discussed shortly. Serious players almost never use a single host for multiple C&C panels, meaning the owner or owners are most likely new to the scene and inexperienced. This is good for us as it increases our chances at finding a bug or mistake to exploit.<br /><br />As detailed by Paolo Stagno at VoidSec, the panel for KeyBase is rather poorly coded and has a couple of major vulnerabilities, including SQL injection.  Here's the vulnerable bit of code, located in file post.php:<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-8mz2WY6KxFI/WDuQsVQUK0I/AAAAAAAAZDo/rccUopg6pp0Crjnz5yO-sngzzYClRBy6wCEw/s1600/2016-11-27-175523_509x189_scrot.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="146" src="https://1.bp.blogspot.com/-8mz2WY6KxFI/WDuQsVQUK0I/AAAAAAAAZDo/rccUopg6pp0Crjnz5yO-sngzzYClRBy6wCEw/s400/2016-11-27-175523_509x189_scrot.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Fig 2: post.php variable definitions</td></tr></tbody></table><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-ItqeHckECxU/WDuQsCbqDWI/AAAAAAAAZDk/sgjK6h3S5fkF_WT_CCVJEb73GSMdWJnMwCEw/s1600/2016-11-27-175447_658x224_scrot.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="135" src="https://1.bp.blogspot.com/-ItqeHckECxU/WDuQsCbqDWI/AAAAAAAAZDk/sgjK6h3S5fkF_WT_CCVJEb73GSMdWJnMwCEw/s400/2016-11-27-175447_658x224_scrot.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Fig 3: vulnerable $sqlinsertn function<br /><br /><br /></td></tr></tbody></table>Notice the utter lack of input validation - escaping the query and appending our own code at $machinename in figure 3 is what allows us to own this server.<br /><br /><div class="separator" style="clear: both; text-align: center;"></div>Using sqlmap we can view the databases available to the mysql user. We also learn that the backend is Windows, and that we have db-admin privileges. We also can tell from the table names of the current db that a zeus or citadel panel is lurking somewhere on the server.<br /><br />According to VoldSec the KeyBase application also has a file upload vulnerability. Unfortunately I was unable to get this to work, leaving us to find another way to access the backend system.<br /><br />Now, due to design flaw or some other unknown reason, the creators of the Pony malware loader store the login credentials for the panel to the database itself...in plain text. Let's take a look:<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-O-DjoJtLA6U/WDuQrxKeqoI/AAAAAAAAZD0/CPMMT_OB6qM4NBamS6UVU6kE7f9ImK6ugCEw/s1600/2016-11-27-132434_516x129_scrot.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="100" src="https://1.bp.blogspot.com/-O-DjoJtLA6U/WDuQrxKeqoI/AAAAAAAAZD0/CPMMT_OB6qM4NBamS6UVU6kE7f9ImK6ugCEw/s400/2016-11-27-132434_516x129_scrot.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Fig 4: Pony C&C panel users<br /><br /></td></tr></tbody></table>Now we have the admin credentials for one of the panels present: dmjcode/NAS12345<br /><div><br /></div><div>The panel itself is pretty bare of activity. Looking at the stats we learn that only a handful of machines have been infected by the malware:</div><div><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-pPe0xLALxz0/WDurc3jgPNI/AAAAAAAAZEE/5QTYUP2iQI0DnvHiHb3DTT5Q_uWOePQpQCLcB/s1600/2016-11-27-195759_764x484_scrot.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="252" src="https://2.bp.blogspot.com/-pPe0xLALxz0/WDurc3jgPNI/AAAAAAAAZEE/5QTYUP2iQI0DnvHiHb3DTT5Q_uWOePQpQCLcB/s400/2016-11-27-195759_764x484_scrot.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Fig 5: infected machines and stolen passwords</td></tr></tbody></table><div><br /></div><div>Nothing interesting here. Going back to sqlmap for inspiration I found that I overlooked something previously - the presence of a phpmyadmin installation. We know the current mysql user from our earlier sqlmap. Maybe they reuse passwords?</div><div><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-EaJVw1fgc8c/WDuxwfy7DkI/AAAAAAAAZEQ/VKyXaXwSdI4Wv8HYTZQH7JkfyKoRneJLgCLcB/s1600/2016-11-27-202517_457x299_scrot.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="261" src="https://4.bp.blogspot.com/-EaJVw1fgc8c/WDuxwfy7DkI/AAAAAAAAZEQ/VKyXaXwSdI4Wv8HYTZQH7JkfyKoRneJLgCLcB/s400/2016-11-27-202517_457x299_scrot.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Fig 6: Nope</td></tr></tbody></table><div>Back to sqlmap yet again. Because we are running on Windows (and thus have fewer permission issues), we can try and read and writing to the backend system directly with the os-shell, file-read, and file-write options.</div><div><br /></div><div>Trying the os-shell and file-write features fails almost instantly. After some investigation I learned that this was not due to permission errors but due to how sqlmap attempts to write the files to the remote server.  </div><div><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-Qo-pPb25vpg/WDu2rqsYNiI/AAAAAAAAZEg/-slyy3O4oNs3W0OPJbqXVxfZZ-gianJBgCLcB/s1600/2016-11-27-204655_680x239_scrot.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="140" src="https://4.bp.blogspot.com/-Qo-pPb25vpg/WDu2rqsYNiI/AAAAAAAAZEg/-slyy3O4oNs3W0OPJbqXVxfZZ-gianJBgCLcB/s400/2016-11-27-204655_680x239_scrot.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Fig 7: write errors on sqlmap</td></tr></tbody></table><div><br /></div><div><br /></div><div>Luckily, the file-read feature does work. By correctly guessing the location of the Pony config.php file we can pull it with sqlmap. Let's take a look:</div><div><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-cipX3pkFLJ0/WDu9UniXWfI/AAAAAAAAZEs/Es5GRFQ1JrMQqMIDzW6pLko3iiJ-Vf6eACLcB/s1600/2016-11-27-211527_357x188_scrot.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="210" src="https://4.bp.blogspot.com/-cipX3pkFLJ0/WDu9UniXWfI/AAAAAAAAZEs/Es5GRFQ1JrMQqMIDzW6pLko3iiJ-Vf6eACLcB/s400/2016-11-27-211527_357x188_scrot.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Fig 8: Pony config.php showing db credentials</td></tr></tbody></table></div><div><br /></div><div>Now we're getting somewhere. Using the mysql username and pass we can now login to the phpmyadmin panel.<br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-KsLDf9ifW7E/WDu-nzdFA6I/AAAAAAAAZE0/zUbAIcQpg0ovD9lxIE3Qdw7wVRbNN73xgCLcB/s1600/2016-11-27-212023_1352x549_scrot.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="161" src="https://1.bp.blogspot.com/-KsLDf9ifW7E/WDu-nzdFA6I/AAAAAAAAZE0/zUbAIcQpg0ovD9lxIE3Qdw7wVRbNN73xgCLcB/s400/2016-11-27-212023_1352x549_scrot.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Fig 9: Looking at some local databases</td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><br /></div></div><div>Using phpmyadmin, let's add a single 1-line backdoor:<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-QuGykZuk2lk/WFg-WlEFJGI/AAAAAAAAZLM/qCTp2gpbvCQttK8dmfIvIw1qrtoNaLmXgCLcB/s1600/2016-11-27-125144_990x522_scrot.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="168" src="https://3.bp.blogspot.com/-QuGykZuk2lk/WFg-WlEFJGI/AAAAAAAAZLM/qCTp2gpbvCQttK8dmfIvIw1qrtoNaLmXgCLcB/s320/2016-11-27-125144_990x522_scrot.png" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Fig 10: Simple PHP backdoor. I chose a random table to add it to</td></tr></tbody></table><br /><br />Closer view:<br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-aDnIvO7YFkU/WFg_RJ3wz_I/AAAAAAAAZLQ/N6Fhq_qSum0Igcw4WBzJhg2jVzYlOGLcgCLcB/s1600/2016-12-19-111309_726x155_scrot.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="85" src="https://2.bp.blogspot.com/-aDnIvO7YFkU/WFg_RJ3wz_I/AAAAAAAAZLQ/N6Fhq_qSum0Igcw4WBzJhg2jVzYlOGLcgCLcB/s400/2016-12-19-111309_726x155_scrot.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Fig 11: Same</td></tr></tbody></table><br /><br />Using the MySQL SELECT into outfile command, we can write to the local file system. Because this is Windows, we have permission to write to the local htdocs folder:<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-1xV13xZ8NXI/WFhCO8wpJYI/AAAAAAAAZLc/g6eChSHdM-IhL5DtXdQbbsu1XsRikEPAACLcB/s1600/2016-11-27-125531_709x458_scrot.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="256" src="https://4.bp.blogspot.com/-1xV13xZ8NXI/WFhCO8wpJYI/AAAAAAAAZLc/g6eChSHdM-IhL5DtXdQbbsu1XsRikEPAACLcB/s400/2016-11-27-125531_709x458_scrot.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Fig 12: Writing the backdoor to the local file system</td></tr></tbody></table><br /><br />Now we have a backdoor to the local windows machine.<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-SOJ2E_KZg2w/WFhEtYA10kI/AAAAAAAAZLk/teHBTLX2NDIjbLnuQmsS1_5lWkiNqp44QCLcB/s1600/2016-11-27-124531_986x610_scrot.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="246" src="https://3.bp.blogspot.com/-SOJ2E_KZg2w/WFhEtYA10kI/AAAAAAAAZLk/teHBTLX2NDIjbLnuQmsS1_5lWkiNqp44QCLcB/s400/2016-11-27-124531_986x610_scrot.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Fig 13: Viewing the local file system</td></tr></tbody></table><br /><div class="separator" style="clear: both; text-align: center;"></div><br />Using a combination of local files and executing my own SQL statements, I was able to find the zeus panel and log myself in. The password was the same as with pony - don't reuse passwords! Even bad guys make this mistake.<br /><br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-UAhzBVOzMXU/WFhGh2Y9P7I/AAAAAAAAZLw/L_ABrXSpT-Qmhc1az0r_dAzNAUohQVXdgCLcB/s1600/2016-11-27-125704_1300x692_scrot.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="212" src="https://1.bp.blogspot.com/-UAhzBVOzMXU/WFhGh2Y9P7I/AAAAAAAAZLw/L_ABrXSpT-Qmhc1az0r_dAzNAUohQVXdgCLcB/s400/2016-11-27-125704_1300x692_scrot.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Fig 14: Zeus family malware C&C panel. Not sure which one this is.<br /><br /></td></tr></tbody></table>Poking around on the zeus panel, it seemed some of the bots were pushing version of cryptolocker. Unfortunately I was not able to penetrate the host that controlled this software. The good news is that they were using a version of cryptolocker-type malware that Kaspersky has a tool to decrypt files.<br /><br />Also on host were CC tracks and full card info for online and in-store fraudulent purchases.<br /><br /><div class="separator" style="clear: both; text-align: center;"></div><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-21i-9i892V0/WFhO__9coHI/AAAAAAAAZMM/E0RaYCg52MQqnNq9xqvEynVttxWugTQ5gCLcB/s1600/edited.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="156" src="https://2.bp.blogspot.com/-21i-9i892V0/WFhO__9coHI/AAAAAAAAZMM/E0RaYCg52MQqnNq9xqvEynVttxWugTQ5gCLcB/s320/edited.png" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Fig 15: CC info<br /><br /></td></tr></tbody></table>The owners of the malware caught on at this point and took everything offline. Unfortunately for them, all the bots not yet suffering from cryptolocker were deleted by me first :)<br /><br /></div> First name:

Last name: