The new Bigviktor Botnet is Targeting DrayTek Vigor Router
Overview
On June 17, 2020, 360Netlab Threat Detecting System flagged an interesting ELF sample (dd7c9d99d8f7b9975c29c803abdf1c33), further analysis shows that this is a DDos Bot program that propagates through the CVE-2020-8515 vulnerability which targets the DrayTek Vigor router device, and it uses DGA (Domain generation algorithm) to generate C2 domain names.
The program uses "viktor" as file name ( /tmp/viktor) in the propagation process, also a special string 0xB16B00B5(big boobs) was used in the sample , we combined the two and named it Bigviktor.
From the network’s perspective, Bigviktor’s DGA generates 1000 domain names every month, and traverses the 1000 domain names by requesting RC4 encryption & ECSDA256 signed s.jpeg , When a live C2 responses the request, bot then takes the next step to request for image.jpeg from C2 to get more instructions.
Bigviktor supports 8 kinds of instructions, which can be divided into 2 major functions
• DDoS attack
• Self-renewal
The overall network structure is shown in the figure,
Botnet scale
Daily Active Bot
DGA is a double-edged sword. While giving the author good chance to evade detection, it also gives security researcher the opportunity to register domain names to hijack infected hosts of botnets.
We registered several domains names generated by Bigviktor in June and July (workfrequentsentence.club , waitcornermountain.club), so we were able to tap into it network to measure the scale of the Botnet. As of now we only see about 900 active infected IPs. However, When taking a look at the requests of Bigviktor DGA domain name, we can see the trend is steadily going up. Its daily active Bot trend is shown in the figure below:
Bot geographic location
The IP area distribution of infected devices is as follows:
The main ASN distribution of these IPs is as follows:
412 AS45899|VNPT_Corp
194 AS7552|Viettel_Group
190 AS18403|The_Corporation_for_Financing_&_Promoting_Technology
90 AS3462|Data_Communication_Business_Group
82 AS15525|Servicos_De_Comunicacoes_E_Multimedia_S.A.
66 AS8151|Uninet_S.A._de_C.V.
52 AS45903|CMC_Telecom_Infrastructure_Company
34 AS3352|Telefonica_De_Espana
28 AS17552|True_Internet_Co.,Ltd.
22 AS8881|1&1_Versatel_Deutschland_GmbH
Infected device
By obtaining the title of the infected device's 80, 8080, and 443 port web pages, we know that the currently distributed version of the infected DrayTek Vigor router is:
269 Vigor 2960
107 Vigor 3900
87 Vigor 300B
Reverse analysis
We have captured a total of 2 versions. The first version of the bot program seems to have bugs and cannot run normally. This article uses the latest version as an example for reverse analysis.
MD5:dd7c9d99d8f7b9975c29c803abdf1c33
ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, stripped
Packer: None
Generally speaking, the Bigviktor function is relatively simple. It binds a local port at runtime to implement a single instance, uses the RC4 algorithm to decrypt sensitive resources, including the strings to be used by DGA, and then uses DGA to generate 1000 C2 domain names based on these strings. Then the bot uses the libcurl library to send a request to the built-in legit websites to test network connectivity. If the network is up, it moves on to next step to request the s.jpeg from the C2 domain to verify the legitimacy of C2; after passing the legality test, it goes to final step to request the male.jpeg and image.jpeg resources from the C2 domain to conduct DDos attack.
We can roughly divide the bot behaviors into two categories: auxiliary behavior and malicious behavior, let us take a close look.
Auxiliary behavior
1: Use libcurl library to access network resources
DNS Option:
1.1.1.1,8.8.8.8
User-Agent Option:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
Accept Option:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
2: Bind port 61322 to implement a single instance
3: RC4 encrypts sensitive resources, the resources include the stings required by DGA, legit websites, upgrade file storage path, etc.
DA B2 F1 F7 32 FD 03 BA 58 DB FF 53 8B F2 6F 01
02 FF 00 01 03 05 00 DE 02 FF 00 01 7C DF 92 91
Take the suffixes required by DGA to generate domain as an example, the ciphertext is as follows
00000000 34 f5 96 77 11 66 35 4f 1d ae b6 04 57 77 79 9d |4õ.w.f5O.®¶.Wwy.|
00000010 db 36 d4 a8 38 5a e2 9f 6a a2 79 bf 6a 6f bf 2f |Û6Ô¨8Zâ.j¢y¿jo¿/|
00000020 cb 84 63 d4 70 c7 64 11 c6 d0 71 b3 f0 bb 54 c9 |Ë.cÔpÇd.ÆÐq³ð»TÉ|
00000030 cc f7 50 60 e2 53 72 1a ae 87 61 17 88 b0 2a 04 |Ì÷P`âSr.®.a..°*.|
00000040 71 ec f8 3d cc 42 8b 28 27 81 9b 4d 80 0c 50 3f |qìø=ÌB.('..M..P?|
00000050 d5 01 4b 8d 62 48 7f 88 7f a0 09 b9 53 b0 a0 0d |Õ.K.bH... .¹S° .|
00000060 41 6c 59 cd 2a 42 36 f1 71 71 12 bf fd 59 66 52 |AlYÍ*B6ñqq.¿ýYfR|
00000070 b2 ab c4 1e c5 30 14 19 c8 08 82 ee 29 8c 54 ab |²«Ä.Å0..È..î).T«|
00000080 34 99 0e f1 15 c8 e6 69 5e 33 3c c7 c6 ee 44 8a |4..ñ.Èæi^3<ÇÆîD.|
00000090 c2 b4 7c 76 fc 08 cf cd 0c db 34 82 e0 08 40 52 |´|vü.ÏÍ.Û4.à.@R|
000000a0 07 ec d4 0e e9 57 ee 4f 2d 0b 7e 19 51 75 b4 10 |.ìÔ.éWîO-.~.Qu´.|
000000b0 3b 97 d8 29 64 aa 4b 5c 67 77 16 b6 36 4b 6d c2 |;.Ø)dªK\gw.¶6KmÂ|
000000c0 47 09 bd b0 a7 d4 43 21 2c e5 af 41 8a ea 25 dc |G.½°§ÔC!,å¯A.ê%Ü|
000000d0 fe d3 18 28 bc 19 07 19 cd f0 84 51 9e 6a 3e b1 |þÓ.(¼...Íð.Q.j>±|
000000e0 5f 2a e0 13 51 ba 62 46 26 83 86 63 0b ed ad be |_*à.QºbF&..c.í.¾|
000000f0 59 51 e7 0b cf a7 d0 1a 94 e8 ed c2 cc f2 21 17 |YQç.ϧÐ..èíÂÌò!.|
00000100 e5 7a b5 6f 84 66 8a a1 c1 18 52 cb 50 38 6b ea |åzµo.f.¡Á.RËP8kê|
00000110 4b 10 13 56 13 b4 9c b2 3b b4 3e 4c 3c cc 01 cc |K..V.´.²;´>L<Ì.Ì|
00000120 81 ab 13 97 6c 49 e7 85 54 5f d0 92 3f 9b 7d a8 |.«..lIç.T_Ð.?.}¨|
00000130 44 72 81 54 50 4f e1 7f b5 fd 1a 78 3b 14 e3 d4 |Dr.TPOá.µý.x;.ãÔ|
After decryption
00000000 61 72 74 00 00 00 00 00 00 00 00 00 00 00 00 00 |art.............|
00000010 63 6c 69 63 6b 00 00 00 00 00 00 00 00 00 00 00 |click...........|
00000020 63 6c 75 62 00 00 00 00 00 00 00 00 00 00 00 00 |club............|
00000030 63 6f 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 |com.............|
00000040 66 61 6e 73 00 00 00 00 00 00 00 00 00 00 00 00 |fans............|
00000050 66 75 74 62 6f 6c 00 00 00 00 00 00 00 00 00 00 |futbol..........|
00000060 69 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |in..............|
00000070 69 6e 66 6f 00 00 00 00 00 00 00 00 00 00 00 00 |info............|
00000080 6c 69 6e 6b 00 00 00 00 00 00 00 00 00 00 00 00 |link............|
00000090 6e 65 74 00 00 00 00 00 00 00 00 00 00 00 00 00 |net.............|
000000a0 6e 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |nl..............|
000000b0 6f 62 73 65 72 76 65 72 00 00 00 00 00 00 00 00 |observer........|
000000c0 6f 6e 65 00 00 00 00 00 00 00 00 00 00 00 00 00 |one.............|
000000d0 6f 72 67 00 00 00 00 00 00 00 00 00 00 00 00 00 |org.............|
000000e0 70 69 63 74 75 72 65 73 00 00 00 00 00 00 00 00 |pictures........|
000000f0 72 65 61 6c 74 79 00 00 00 00 00 00 00 00 00 00 |realty..........|
00000100 72 6f 63 6b 73 00 00 00 00 00 00 00 00 00 00 00 |rocks...........|
00000110 74 65 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 |tel.............|
00000120 74 6f 70 00 00 00 00 00 00 00 00 00 00 00 00 00 |top.............|
00000130 78 79 7a 00 00 00 00 00 00 00 00 00 00 00 00 00 |xyz.............|
4: Access a legit website to test newtork connectivity and obtain the current date
The legit websites can be decrypted by RC4, and we got the following sites
jd.com weibo.com vk.com
csdn.net okezone.com office.com
xinhuanet.com babytree.com livejasmin.com
twitch.tv naver.com aliexpress.com
stackoverflow.com tribunnews.com yandex.ru
soso.com msn.com facebook.com
youtube.com baidu.com en.wikipedia.org
twitter.com amazon.com imdb.com
reddit.com pinterest.com ebay.com
tripadvisor.com craigslist.org walmart.com
instagram.com google.com nytimes.com
apple.com linkedin.com indeed.com
play.google.com espn.com webmd.com
cnn.com homedepot.com etsy.com
netflix.com quora.com microsoft.com
target.com merriam-webster.com forbes.com
tmall.com baidu.com qq.com
sohu.com taobao.com 360.cn
tianya.cn
Visit one of these URLs to get the current date, which will be used in DGA.
format %a, %d %b %Y
Fri, 10 Jul 2020
Malicious behavior
1: Use the C2 domain name generated by DGA
The format of the domain name is [prefix.]verbe[-]adjective[-]noun.surfix, the content in [] indicates optional, theprefix has 40 words, the verbe has 100 words, the adjective has 525 words, noun has 1522 words, and surfix has 20 words. The algorithm is implemented as follows
void GenNewKey(uint32_t &key)
{
uint32_t tmp = key ^ (key << 13) ^ ((key ^ (uint32_t)(key << 13)) >> 17);
key = tmp ^ 32 * tmp;
};
string c2url;
GenNewKey(seed);
//1:prefix part
if (seed % 5 == 0)
{
GenNewKey(seed);
c2url += prefix[seed % 40];
c2url += ".";
}
//2:verbe part
GenNewKey(seed);
c2url += verbe[seed % 100];
GenNewKey(seed);
if (seed % 10 <= 1)
c2url += "-";
//3:adj part
GenNewKey(seed);
c2url += adj[seed % 525];
GenNewKey(seed);
if (seed % 10 <= 1)
c2url += "-";
//4:noun part
GenNewKey(seed);
c2url += noun[seed % 1522];
c2url += ".";
//5:surfix part
GenNewKey(seed);
c2url += surfix[seed % 20];
The current date converts into a string with format%b %Y 00:00 and the initial key is the first 4 bytes of the SHA256 value of the string, for example
currtent date: Fri, 10 Jul 2020
format ---->Jul 2020 00:00
sha256 ---->6ac0f83915ed5d7b9bb7055723084df001b16a552d758de3c415f083f931ab8c
get first 4 bytes ----> key=0x6ac0f839
Therefore, the DGA doamin is different every month. Taking the July key (0x6ac0f839) as an example, the first 5 domains generated
c2url: decidefresh-county.in
c2url: payculturaltour.org
c2url: standvisiblereach.rocks
c2url: meanforwardcap.top
c2url: raisefitsize.rocks
When we observe the actual DNS data in packet, we can see the result matches.
See the end of the article for all DGA domains in July.
2: Get the current effective C2
To connect to a vaild C2, Bigviktor start from a random position of the 1000 DGA domains. If there is no valid C2, it goes back to the first domain name and start over again.
In order to ensure that the network is completely controllable and not stolen by others, Bigviktor will verify the signature of the s.jpeg file. Only after passing the signature verification, a C2 is deemed valid.
The real payload encryption is hidden in the jpeg (s.jpeg;image.jpeg)file. The structure of jpeg is IMAGE DATA(16 BYTES): Half-RC4 KEY(16 BYTES): Ciphertext. Each sample integrates a Half-RC4 KEY(16 BYTES),each payload integrates a Half-RC4 KEY(16 BYTES), two Half-RC4 keys are spelled into a complete RC4 key(32 BYTES); also a hard-coded ECDSA256 public key is used to verify the decrypted payload.
Half-RC4 KEY:
82 BC 09 D5 47 A9 37 27 8F ED F1 7B 29 2A FA 67
Pub KEY:
03 2F 37 51 43 1F A3 58 81 66 86 F7 BA 4C A2 30
45 2C 9B 9E 12 9A E9 97 CF 69 09 CF 7F 42 D4 97 88
Take s.jpeg(md5:4c6d0bed21bc226dbaf4e6adc7402563) as an example
Splice out the complete RC4 key
Half RC4 KEY from s.jpeg + Half Rc4 from sample
------------------------------------------------------
46 00 B2 65 B0 3F 97 7F CF CB 65 31 1F D2 B3 A0
82 BC 09 D5 47 A9 37 27 8F ED F1 7B 29 2A FA 67
Decrypt Ciphertext to get
When the verification is successful, a valid C2 is obtained.The procedures of verification need to meet these condition
- signature verification
- Plaintext[2] ==\x00,Plaintext[3] ==\x09
- C2 in the plaintext is same as the Dga domain which responds to the s.jpeg request.
3:Ask for specific tasks from C2
After the Bot obtains a valid C2, it will request the image.jpeg resource from C2
Similarly, image.jpeg also needs to be decrypted and verified. After successful verification, the Bot will perform the corresponding DDos attack or update according to the instructions of image.jpeg.
Bigviktor supports a total of 8 operations,
Contact us
Readers are always welcomed to reach us on twitter, or email to netlab at 360 dot cn.
IOC
Sample MD5
7b1ab096b63480864df7b0dcfebe2e2e
dd7c9d99d8f7b9975c29c803abdf1c33
URL
http://91[.219.75.87/binary
http://91[.219.75.87/arm7
C2-IP
151.80.235.228 AS16276|OVH_SAS France|Hauts-de-France|Gravelines
C2-Domain
useinsidehigh.com:80
writeseparateliterature.com:80
Payload
4c6d0bed21bc226dbaf4e6adc7402563 s.jpeg
2e8c223f8ac1f331c36acd32ee949f6f image.jpeg
DGA domains in July
decidefresh-county.in
payculturaltour.org
standvisiblereach.rocks
meanforwardcap.top
raisefitsize.rocks
www2.tellapartspring.realty
expectrawknee.com
decidesurepizza.rocks
img.leavetall-sky.nl
dodifferentuser.fans
become-thatspare.futbol
play-better-parent.observer
telldesignerpanic.art
appear-weakrate.observer
support.showremote-conclusion.fans
raiseover-piano.org
meancoolpick.pictures
bringjunior-bench.art
ssl.remainunhappyboy.info
readafterask.net
leavelogicalambition.tel
takedramaticprimary.rocks
test.likerarereality.xyz
cloud.runconstantnerve.fans
stopseafemale.observer
offer-individualthroat.fans
meanthickprivate.info
turnfederalemploy.art
tellcold-top.one
mail2.comefirmdeposit.nl
liketypicalcorner.net
buyliving-balance.observer
video.continueleft-contact.nl
askformer-mission.top
learnaggressive-she.org
email.hearlateformal.in
keepunitedbirth.art
turntruebreakfast.futbol
cutmaingolf.art
dev.likefemalepush.rocks
dev.holdfeelingpreference.click
findvariousfish.tel
tftp.seempowerful-south.art
video.comepureproposal.link
watchcapable-sample.rocks
growborn-law.click
bringefficientvalue.one
beginlower-man.nl
speakoriginalworld.one
putmoneyearth.fans
have-wastebutton.futbol
findwildcollar.info
livepotentialdebt.pictures
mail.pull-capableprofession.tel
passbornsafe.rocks
spendcuteform.realty
walkgrandspot.pictures
take-scaredline.art
set-expensiveice.click
getnovelscratch.in
look-existinghang.com
cloud.considerunhappymain.click
www.hold-futuredisk.rocks
openlegalbus.fans
blog.hearfreshmachine.tel
mail.callthatcouple.click
leaveswimming-cold.one
go-healthyproject.observer
meanconnect-construction.nl
walknervous-video.nl
becomelast-western.com
remembersquare-sale.info
provide-roundwill.com
blog.standswimming-double.rocks
secure.seem-famoushire.tel
speakotheropening.org
holdsudden-psychology.top
hold-frontfilm.one
bringbusinesshold.realty
giveacceptablepay.link
allowremoteindependent.pictures
helpsillyhate.click
knowyellowinstruction.info
seeinternationalmachine.art
considermalescrew.click
paylife-camp.tel
makeold-course.com
www2.becomewarmrefrigerator.nl
download.decidewisecourt.rocks
lose-originalemployer.observer
leadeastprompt.futbol
changeconfidentboot.art
waitcornermountain.club
ww1.understandlegal-cancel.link
suggest-global-other.realty
changeluckytitle.com
playprivateconstruction.art
blog.mean-anyimagination.info
decide-currentemployment.top
considerupsetvirus.fans
letcornercurve.fans
talkfamousfather.club
findvastcoat.org
mail2.use-farbitter.org
remember-chemical-status.tel
vpn.try-signalsort.org
addhappyswim.xyz
standsuddeninternal.tel
raiseanxiousguitar.one
speak-weekly-hire.org
needclosetonight.realty
mail.fallfrequent-affair.fans
startpregnantreference.pictures
appeartight-fun.fans
cutplastic-drag.club
worksea-assumption.com
buytrainingdrag.one
needfemalebrown.futbol
want-mountainform.observer
pop.getless-remove.pictures
mail2.runelectronic-collar.fans
raiselogicalpin.tel
believeextraorganization.realty
remote.servepleasant-cloud.pictures
allowotherdesire.in
set-partycount.realty
diecutemuscle.net
start-sexualfactor.net
dienearbychart.xyz
ns1.requireanxiousflight.nl
a.happenaction-item.tel
secure.reportperfectyouth.xyz
runtraditionalact.observer
becomeunfairsugar.info
news.growfrontclimate.tel
images.expectpurplewriter.pictures
images.seemmaterialvegetable.pictures
runsuitablestruggle.xyz
appearfullfoundation.tel
sellharddead.in
continuebothpipe.com
watchvegetabledatabase.click
stopmiddleapple.net
use-sweetdebt.rocks
meet-purechurch.club
hearduewarning.nl
adddifferent-reference.nl
download.takehousemom.click
buildrawcloset.xyz
putactualsecond.realty
move-muchagreement.club
vpn.letfirst-concept.observer
th.sitthin-character.rocks
www2.dieseparatefeed.in
blog.buyextremeatmosphere.click
believelegalscale.info
buildappropriatestable.net
watch-coolproject.fans
doalternativeseries.link
pull-inevitable-medicine.org
staybroadcost.fans
seeofficial-thanks.net
readlostdiscount.art
serve-redtour.fans
showleatherloss.click
x.putweird-situation.net
loseanotherdisease.realty
mail2.become-alternativeside.futbol
setimpressive-sign.click
x.appearavailablebad.realty
startunusual-status.futbol
noc.waituglyclick.org
download.buildthinkreserve.fans
expectvegetablecurrency.xyz
ftp.spenddirtyrepublic.tel
email.die-prettycandle.art
pop.make-active-pass.click
lovebeginningvast.realty
includeotherwisefamily.xyz
work-historicalarm.nl
passclosescience.pictures
a.sitloud-damage.info
addinternalfreedom.futbol
set-okconcert.realty
requireenvironmentalhelp.nl
download.need-beginningfinal.art
offerdecent-twist.in
dieoriginalpeak.futbol
learnremarkabledefinition.futbol
killembarrassedclient.net
killterriblerecord.tel
images.createrichdisplay.observer
holdlowerfunny.fans
sitsorrycash.realty
playprevioustrain.net
changewestbar.net
showaggressivedamage.nl
feelnecessary-counter.click
liveproudconsequence.realty
try-decent-joint.info
trylatter-trainer.com
showsick-crack.tel
help-animal-boyfriend.org
followpropercollar.nl
take-cultural-white.futbol
workindividualpull.click
dosecuregeneral.link
likeseaprogress.art
worktrueamount.info
pullmalechurch.info
loseseaconstruction.realty
addliveruin.top
writerelevanteast.com
helpsquare-ticket.org
start-unlikelyspring.top
cutrepresentativeslice.xyz
seemiddle-cigarette.in
stopafternoonhistory.xyz
comedrunkindustry.rocks
workenvironmentalthing.club
considerover-expression.xyz
reportcreative-advance.rocks
remainfemaleblind.observer
leavewildcarry.observer
web.mean-businessgreen.observer
followworkstar.futbol
allowamazing-operation.click
gw.havefreshversion.org
remembergrosssingle.click
likecutedevelopment.info
images.showwest-funeral.club
letclassicrefrigerator.in
sayinterestingshow.com
writesufficientglad.click
test.considerusefuldrawing.art
liveslowstar.link
comebudget-improvement.com
setconfidentessay.link
happenunablerock.tel
sitapartdepartment.org
continueopenmap.com
test.writepretendcheek.one
build-representative-score.club
happen-eithermajor.realty
ssl.passplasticdiscussion.observer
killbestinevitable.futbol
pullelectricaltone.observer
img.movemeanadvertising.in
startsuccessfulsick.link
createinevitablelayer.one
setwinterfee.pictures
allow-exactsport.info
helpapartpossession.org
gw.appearsuchquality.com
becomefutureleather.xyz
use-leastmarriage.xyz
includebestjacket.rocks
cam.turn-federalnovel.tel
meetelectricalmain.click
pop.needmajor-pin.com
noc.sit-royaltrouble.net
offerwildincome.top
remote.heareveningwhole.xyz
serveokexchange.click
come-totalsignature.club
offerlowersimple.one
test.cutforwardnasty.nl
livemassive-give.org
ssl.understandweird-chocolate.info
becomeparkingpositive.fans
know-excitingappointment.realty
playtemporaryhand.tel
growdaughtercross.in
reportculturaldistance.club
decide-physicalexam.com
sell-ordinaryradio.com
buy-big-reason.org
ww1.bedependenthospital.top
th.continuenexttop.in
feelenoughmedicine.net
continueflat-meet.org
hearresidentworry.futbol
servesufficientplace.art
x.leadnervouspresident.info
suggestminorconcept.link
img.providecomprehensivenerve.nl
winloosefeedback.nl
findoppositebonus.one
change-evenexplanation.link
walkdeadluck.futbol
sitbusiness-note.rocks
happenfungather.fans
offer-characterdiamond.xyz
know-first-background.link
dev.show-trainingdouble.in
keepmanycard.top
ns1.makechance-chapter.click
reportsparegear.one
images.remainthin-wall.observer
lovesuperconsideration.rocks
www.dostraightcalm.observer
letfutureslide.one
findmediumlog.net
require-globalfix.fans
keep-forwardsomewhere.link
bringparkingperception.observer
web.fallleastcamera.top
showparkingconcern.futbol
find-worksun.one
web.tellaccuratefoot.club
tellleft-scene.observer
appeartop-writing.link
likeextremecategory.info
learnheadexchange.realty
passlogicalminor.link
asktotalfile.in
watchasleeplight.futbol
bringpluscan.futbol
email.be-careful-midnight.one
video.offer-psychologicalknowledge.info
seemostuncle.realty
ftp.takelegalcourt.observer
followwillingpsychology.link
continueexactresponse.observer
shop.seeplentyboot.pictures
ns1.make-wonderful-hold.observer
pop.sayalonelight.realty
include-severe-society.click
followsuspiciousmoment.nl
tftp.includerepresentativepost.xyz
helpsuccessfultitle.top
includevisualconsideration.observer
bringafraidslide.realty
learnchancetelephone.info
movesmallentrance.org
give-superdate.nl
requiredaymoment.in
likeactionif.futbol
noc.likeemotionalpreference.one
openhorror-tie.realty
expectevenmilk.top
meanactioninternet.link
images.begreen-simple.one
includeleather-she.pictures
talkawareissue.club
sayindependentplayer.xyz
changeillegalriver.info
seelongthroat.observer
playanxiousrole.info
feelminutedegree.observer
follownastymountain.rocks
tellprettyegg.org
passactualstable.observer
mail2.leadbestmistake.observer
help-aliveresearch.info
runsalt-college.com
tellbest-necessary.link
requireannualpolice.pictures
pullyoungview.realty
makedarkcontract.observer
shop.help-healthythought.net
remain-practicaloutside.observer
sellenvironmental-harm.futbol
stop-thismilk.info
includeuniquecandle.pictures
thinkrelevantchildhood.org
webmail.waitspecialistcompany.in
seem-brilliant-device.futbol
takerightpartner.observer
mail.useplanebus.fans
thinkperfectcompany.tel
appearpresentshirt.realty
bringupstairscommunity.club
keep-electronicinteraction.in
fallnice-blue.link
sendappropriatefuneral.info
tellawaydesign.top
tftp.runswimmingimprovement.fans
lookthenpositive.pictures
moveplastic-history.top
havewildhit.com
cloud.playsouthnormal.nl
setswimmingsuit.in
movepositivemove.link
playgrosslandscape.art
createnextguest.rocks
gominutepie.club
killfemaleprofile.click
spendimmediaterush.club
openweekly-watch.one
dev.believedesignercharacter.in
try-redcommittee.com
tftp.providestill-thing.net
includemothermiddle.realty
smtp.writebeginningitem.xyz
open-proudprinciple.com
noc.expectbravewonder.art
readcivil-slip.click
go-motorprofessor.click
feeldramaticdig.pictures
beexcellentangle.xyz
startafterchemistry.xyz
vpn.give-formerhat.top
writefunnyassignment.fans
webmail.buy-roughcigarette.fans
giverawdistrict.xyz
come-historicalinstruction.org
mail2.tellannualarrival.observer
server.find-simpleincrease.in
img.live-informal-desk.futbol
buildefficientstaff.rocks
seeguiltybike.futbol
allowtypicalmonitor.link
look-famousexcitement.nl
lead-awaybar.observer
readdresssense.link
www1.rememberlocalgift.in
buildusualrisk.observer
work-extremestop.link
read-educationalpanic.net
expectagohusband.in
includepowerfulworker.info
losewholeauthor.com
work-wastedivide.in
sellbig-test.org
require-livingmeaning.com
spendusedchildhood.click
needvaluableanywhere.pictures
likesoftbowl.net
helpcivil-net.org
callupstairseconomy.link
readkitchenmotor.click
fallcalmanimal.pictures
email.takefederal-leading.xyz
wait-rareenergy.com
needsaltswim.click
winlower-command.in
tellhugecandidate.one
reportrawchapter.xyz
beginaccurateoriginal.tel
setshotguard.one
remote.turnpartyengineer.club
buyhousecomfortable.com
turn-successful-official.observer
tftp.walkmediumgroup.futbol
fallpriorshopping.futbol
waitpleasantquality.rocks
showscaredsquare.one
stop-closecard.tel
moveminimum-self.rocks
support.followholidayairline.observer
playdarksociety.top
sitenoughdetail.net
becomeaccurateuser.rocks
workheavybrief.fans
setafteradult.net
makewhat-title.club
hear-relative-philosophy.observer
keepmoneygrade.pictures
spend-firstinterest.art
asklocalnasty.link
talk-alive-family.nl
sell-significantoccasion.top
bedressfold.fans
waithappysell.top
lead-lostsurround.link
findinternalmain.realty
think-legalresult.link
www2.dofullhold.club
beordinarynews.art
pass-wineunit.nl
appearemergencytruth.info
turndistinctscreen.nl
leadfederalwater.top
think-capable-concentrate.in
bringdrunk-monitor.com
set-joint-equivalent.com
understandinnercompany.art
loveleather-extent.click
trypatient-detail.one
appearminutehunt.one
askinteresting-daughter.club
ssl.expectupsetif.club
rundesperatebook.tel
speakdressinternet.com
needcuriousfootball.top
noc.stayaccuraterelative.link
bringshotdemand.com
movefreenature.com
ww1.changeshotprofit.pictures
standsexual-instruction.com
readweakpoint.realty
growrealistictext.realty
knowunfairprocedure.futbol
appear-leading-jacket.observer
news.losefairsuit.top
pullleading-promotion.top
looklessparent.xyz
likeoutsidepresence.one
webmail.talk-normalred.link
look-small-image.org
show-clean-command.art
startfriendlyconstant.info
lookwholebelt.xyz
learn-sweetcream.top
dieeitherimage.com
suggestfunny-salt.link
sithealthymembership.info
playculturalresponsibility.com
saygeneralprize.pictures
appearhonestcup.org
begin-leftspare.one
believepublicpermit.in
mail2.lookcreativeintroduction.in
fall-capablepersonal.in
hearnorth-fortune.com
learncuriousideal.link
remote.havecompletesoil.net
dosmoothhousing.info
reachinternationalchapter.one
understandafternoon-oven.art
provideenoughrich.one
web.showplanegrandfather.in
report-existinginstruction.tel
dodecent-entry.in
becomestreetnose.info
video.gomaterialcap.realty
killtemporarybrush.com
th.lookpracticalteacher.one
hear-basiccrew.realty
talkexpertbirthday.realty
mail2.get-evenversion.art
comeadultfamily.art
smtp.understandillegal-great.one
img.addangrylip.in
stopsilvernews.nl
continue-mentaleffort.xyz
dieafternoonvisual.click
trywhite-juice.club
ask-betterequipment.nl
go-awareinflation.rocks
provideeducationaltie.link
loveunfairlow.org
buildnational-preference.realty
readvariousengineer.one
learndry-possible.click
expectunlikelygrand.info
raise-weekly-till.net
take-rare-figure.xyz
seeplasticbeing.click
leavekindeducation.club
includecorrectmembership.futbol
continueinitialgrocery.realty
workrelevant-tackle.observer
feelinternal-grandfather.link
playsafeunion.link
know-deep-brick.nl
offerillegaldrink.fans
writeoldpolice.one
offerdowntown-stand.top
spendopeningchart.realty
losefewmouth.org
staymaterialcash.observer
sitpastgirl.futbol
providetraditionalanybody.realty
buildnicelake.one
www2.killnumerousdriver.nl
haveappropriatewhite.realty
dovegetableguard.tel
mail.sendconsistentsafety.info
remember-independentstorm.net
startequivalentship.org
think-leftcapital.pictures
work-basicexpert.info
considerhonest-north.nl
a.callresponsible-difference.observer
walktimefuneral.one
allowroundminute.xyz
gounable-administration.tel
th.sendsilverscale.link
pull-particular-trainer.net
movegreengrowth.futbol
rununhappysecretary.fans
leaveangryextreme.link
loseeast-possibility.pictures
live-prettyhalf.fans
images.cutnegativeentrance.club
beginslight-application.nl
understandboring-drink.click
secure.askafterjoin.realty
learnstillintroduction.click
comegladsalt.realty
sitgrandbench.art
watcheducationalcloset.nl
appearoldboss.tel
remainmaximumrepublic.fans
buyavailablestay.net
play-happyrefrigerator.tel
understand-leftnet.tel
spendgamenurse.tel
add-localmuscle.art
understandvisiblefire.rocks
www.runjuniorstress.observer
runold-response.art
continuepracticalswitch.observer
sellextension-fall.click
start-negativecourse.com
spendlegalrepeat.com
diecornerconsideration.click
leadresident-drive.futbol
www.payforeignglad.club
play-logical-unit.net
become-used-grass.pictures
cutsubstantialdeal.rocks
standfinalbid.art
leaddependenttale.futbol
die-used-back.in
play-flatambition.nl
raiseagent-pressure.art
openthenmouse.top
readobviouscow.info
useresidentfunction.tel
standafterpicture.observer
raise-proofmight.xyz
needfarking.club
showseriousback.art
smtp.sitprizerelative.observer
raiseextensionmuscle.art
know-financiallecture.rocks
lookdeepmake.com
providenewexamination.click
keep-constantfinish.click
feelconnectconcert.link
noc.buildacceptablewait.futbol
openexactanimal.one
send-bestweb.one
expectstrangeprocedure.realty
passsevereconfidence.club
x.setentire-cup.pictures
server.thinkpurplerepeat.info
download.paytightcomparison.top
goagent-read.in
sendcapital-recording.xyz
follow-femaleside.nl
likecoldclient.net
happen-sparelay.click
makedecent-individual.net
waitwhite-bit.nl
sellwestreport.fans
work-realisticdevelopment.art
goworkingprize.rocks
do-plenty-cross.realty
takethink-force.observer
suggestsevereblood.art
meandirtybox.nl
admin.loveeastfood.org
staymental-energy.xyz
go-local-gap.club
email.servepoliticalhighway.org
callnorthkiss.club
email.takesilver-impact.rocks
sellweirdsensitive.club
staydifferentobject.nl
writesilverstruggle.net
server.allowdrunkabuse.com
livestatusnail.in
movetimething.nl
reportresponsibleswitch.tel
writeseparateliterature.com
sitnearby-tackle.nl
addpsychologicalbuilding.org
buy-moremarch.click
serveofficialpoint.art
comesmartfeeling.one
ww1.be-lostwindow.net
addavailablekind.xyz
bringupstairs-adult.realty
set-consistent-property.one
watchaggressivecategory.info
begin-both-branch.futbol
th.runroutineinvite.net
stopproofcommission.info
play-culturalplate.nl
www2.read-incident-branch.net
comeeitherhelp.tel
appearlegalprocedure.net
seemmiddledelay.tel
meancreativecommittee.org
www1.believesimilar-thing.futbol
expectsouthinevitable.futbol
seemdress-homework.top
happen-homewave.rocks
addpuretop.art
tellreasonabledocument.click
growminimumtelevision.net
pop.come-awareyard.net
understandvisualstation.tel
secure.giveglad-city.art
likenearbystomach.realty
losecoolanalysis.fans
getoriginaltrash.click
includefamousdrag.fans
spendfamiliar-gather.tel
workmanychampionship.futbol
learnanother-inside.tel
sitbrightrope.com
openunhappypicture.futbol
www.trywide-principle.futbol
changeminor-march.futbol
workgeneraltrick.info
add-criticalvoice.art
buystraightdeep.fans
sayintelligentaspect.click
liveplasticcounty.click
decideillegalquality.top
feelgold-series.pictures
bbs.dodrunkanything.com
remainbothfeel.fans
bringeasttruck.com
createobviouspeople.top
considerproperproduct.com
adddeepresolve.link
help-recentspeech.pictures
happen-southcountry.art
servecorner-strength.com
email.likemobilelocation.click
readborn-access.pictures
a.takeuglyparent.com
meanmountainpride.click
believe-headrise.club
runaccordingload.nl
th.winrealpriority.rocks
hearnewnegative.observer
includedifferentdetail.observer
buildchickentraffic.fans
use-physicaldepression.tel
considerpowerfulfruit.observer
test.buy-timeshoulder.com
playsuddenbird.in
killseveral-city.one
takesignalincident.in
work-reasonablebreak.pictures
besadenvironment.art
showeastyard.one
seeprettyinspector.in
buygladexchange.art
raiseeastbedroom.xyz
letmad-juice.in
expecthappydrop.nl
begin-ordinarystupid.rocks
goaggressivenasty.xyz
writegloballandscape.in
putenvironmentalimagination.futbol
wantbrightear.one
consider-culturalmenu.net
pay-cornerfat.one
suggest-relativereputation.tel
cam.lookfewnewspaper.nl
turn-everybitter.net
find-cooloutcome.info
continueexpertcontract.tel
holdthickshift.observer
helpdeepsnow.click
trybitter-twist.pictures
pop.offersingle-preparation.in
seemsingleroof.observer
bbs.requireobviouscandle.xyz
turnroughcandy.net
hearnextchest.pictures
openhardmanagement.com
think-exactstroke.top
beginannualgirl.in
providechemical-release.top
th.usebestpull.com
www.dolatefruit.org
providebasicmiddle.org
secure.lookstupidvaluable.click
thinkrelevant-sail.nl
givelogical-brain.net
watchpotentialinitial.info
startinternalgolf.net
www.happen-openingcake.club
tftp.pullleastbeing.art
helpsaferepeat.com
thinksmartfact.net
cloud.let-specialcomparison.net
vpn.sellroughswitch.pictures
go-hungrycarpet.art
follownaturalmeasurement.futbol
stand-inevitabletradition.info
server.speakgooddog.futbol
feelsexualisland.observer
understandinternationalphrase.art
sellnativeself.nl
love-perfecthealth.link
a.waitloud-currency.observer
secure.raise-illdeparture.futbol
knowenvironmentalambition.observer
cam.believesaltleading.observer
thinkdeadsurprise.fans
offerfalse-education.observer
remainactive-beach.pictures
www1.raisefederalclimate.club
watchworkhalf.observer
serveokfinish.info
www2.reportcuriouswait.link
run-classicspray.tel
meetpastaccident.tel
playplasticaccount.club
standvaluablestay.com
runtraditionalmess.in
dev.move-significant-assignment.club
considercompletequality.one
addbornticket.one
ftp.createsorrymembership.nl
providefriendlycity.net
ssl.lovegreatglad.realty
wanteconomywash.net
gw.setusualdouble.realty
openminorboot.tel
becivilappearance.rocks
support.callactualsimple.click
rememberbasicsuggestion.one
saycompetitiveseat.in
lovefast-check.link
learnsouthern-art.rocks
considerprofessionalowner.tel
meanspecificclassroom.nl
bring-fewspare.xyz
read-obvious-stress.org
stand-eastappointment.art
killacceptabledump.click
happentypicalweather.one
email.stayupstairswave.top
webmail.doevening-literature.realty
admin.passbravesleep.observer
addboth-league.realty
raiseplastictowel.club
comelittlebit.org
gw.continuechoicelink.club
happenpopularfamiliar.fans
allow-classicscale.net
expecttightimagination.rocks
noc.beginonlypromise.art
serveappropriatebutton.one
usesillypermission.top
include-eachpension.pictures
remembertrainingpermit.rocks
understandfemale-equipment.pictures
dieresponsible-brief.link
tftp.offer-corner-border.one
saybriefgreat.realty
tellkindkeep.pictures
hold-tough-farmer.top
passnationaldifference.net
shop.send-deep-month.pictures
buystrictconsist.observer
offerremarkabledress.com
buycomprehensiveopening.tel
fall-appropriate-employee.art
seemheadchip.observer
sendremarkablesock.pictures
sell-psychological-board.club
meanimportantmarriage.in
stayconstanta.nl
knowfatmedium.one
providecriticalplay.click
beparkingtechnology.futbol
speakcuriousextension.futbol
www.speakwooden-evening.realty
allowcomplexleather.futbol
setaggressivewall.realty
leadchemicalsuccess.nl
createpracticalimportance.tel
likeremoteinitial.info
m.setsuddendesign.in
killmaintransportation.com
playcapitalsad.org
tftp.learnsorrytype.nl
keepwrongphone.futbol
let-emergencysinger.observer
offerafterbrick.link
seemcharactermixture.club
expectwild-concept.rocks
makesome-tower.click
sayasleepresource.art
remainyellowregular.tel
mean-lastoutside.org
www1.movestock-nose.nl
followemergency-camp.nl
offernoveloutside.xyz
looknicenorth.top
lovetrainingtoe.observer
leadwrongactor.in
th.consider-immediate-specialist.top
raiseslight-win.club
seemlonely-quality.info
tftp.buildappropriatevast.club
followalonewonder.rocks
web.growstillscreen.art
rememberprofessionalpresentation.rocks
requirestrongchip.pictures
tryanotherunique.club
decideopenwriting.com
helpunusual-daughter.pictures
email.followsmalldeparture.link
rememberbeautiful-test.top
send-searecipe.info
buypersonallife.xyz
createkitchenchild.click
havemuch-page.pictures
expectbackgroundaddition.observer
leavequietmarket.org
starthismix.link
movepresentinternational.realty
dointeresting-control.futbol
ww1.remainsoutherncity.pictures
usecarproduce.one
raiseeveningcorner.art
believesecret-female.net
happenlivingtill.one
shop.loseeaststill.xyz
decidefineentry.info
openphysicalsympathy.info
lovevisualdebate.nl
tryopeningwhile.link
have-plasticdrawer.top
news.tellpregnantratio.one
changeunhappysecond.observer
reportkitchen-formal.one
trypopularreplacement.click
trymaster-self.pictures
wantsecretdevice.rocks
feelwideestate.xyz
email.killcheap-poetry.futbol
letparkingbuddy.art
do-sensitivesex.info
cutmanymine.xyz
build-comprehensivepick.club
followdirty-reach.club
th.getunfairscene.futbol
changeintelligentdeep.com
considerhisreputation.nl
buildcurrentlesson.one
cloud.set-thinkpattern.one
bringdeep-revolution.one
askeducationalsuggestion.futbol
dopretendgear.com
ftp.pull-topsector.fans
bringbrightpull.in
work-afraidyard.art
standtalltarget.in
set-slight-proof.futbol
vpn.diefreeyesterday.futbol
liveequalbook.tel
learnpretendtechnology.net
startseparateopening.nl
find-yellownational.fans
callmedium-son.one
happenexternal-candy.click
stoptraditionalfuel.futbol
raisetotalapplication.art
spend-accordingwill.rocks
pullnearbywall.tel
talkeitherjuice.fans
continueunablebet.observer
img.cutwonderfulcheek.observer
followobviouscode.club
waitlonelygift.nl
passaggressivedefinition.pictures
ssl.putsea-people.club
killleadingexam.realty
waitotherwiserequirement.fans
feelpure-conference.rocks
stayoriginalprocess.fans
pulltimeswitch.observer
leadlevelcomfortable.xyz
startbriefeffective.net
sayembarrassed-maintenance.fans
wantrelevantbar.pictures
knowbornoutside.click
do-innerpen.club
tryresponsible-injury.click
webmail.remembersafehang.art
raisefewmix.in
holdstatus-forever.net
change-distinctrecording.net
comeplasticpermission.futbol
suggestgreatstudio.top
email.bringpretty-guide.org
changesouth-preference.org
wantseverebread.futbol
sellbettermail.observer
decideawayad.futbol
staymassive-yellow.xyz
www1.understandusefulpaint.org
workcheap-disaster.nl
letpatientunique.link
watchfair-bug.nl
holdasleepstructure.observer