Always Look a Gift (Trojan) Horse In the Mouth with James Arndt | Hackers of CypherCon


Well alrighty. Thank you everybody for
coming and hang out for this two o’clock session here. Welcome to
always… ‘Always Look a Gift Trojan Horse in the Mouth’. And it just might be the
case that the king of Troy should have you know, been a bit more careful with
his security awareness training. But he certainly did not and the rest as they
say is history. Now besides the random credential harvesting phishing emails
that I get every day, a lot of them is just flat-out emUtech, all day all the
time. And that’s really what we’re talking
about here today. And the emutech it’s the malicious documents that are, that are
being downloaded and where people are clicking the fateful enable content.
And so what we’re gonna be talking about today is just how to rip those apart and
how to get the important indicators of compromise that can show hey, has did
somebody click the thing? Did they enable the content? Did and all the other bad
things happen? Did they happen? Now, all in all, it is really fun to click on things
that you know you shouldn’t. I can see why end-users do it but, it’s even better
to get paid for it. So let’s begin. Now of course as always it starts with an email
and pretty typical you know, whatever the theme is. I really don’t care about the
theme, I don’t track them that way. I really just oh it’s an invoice or it’s
AT&T bill or it’s whatever. To me or really doesn’t matter. I don’t focus on
that. But of course what’s the bad thing here? The bad thing here is that that’s
not really DocuSign, it’s really taking you to the Luxor club and the WP-content of course, right? And all in all that’s suspicious. But what’s on the other end? What would
happen if an end user actually did click on the thing? Well it would prompt you to download a document and if you open it up, it says
to enable content. Now before we get into the document itself, there are still some
important indicators of compromise that we can pull so far. One of them is who
it’s from, the subject and maybe even the originating IP address that it came from.
That’s information that you can go and give to your favorite email admin to say
hey, search for this, it’s bad and nuke all of them in the environment. Or
quarantine them however it works in your environment. Other things that are good
to know to, the URL itself you bet. Give to your favorite adsits or your favorite
firewall admin and they say hey, is there any traffic headed outbound to
there? If so, well then we’ve got a problem.
And finally, what about the name of the document itself they got downloaded or
even the document hash? Is that information that you could put into some
sort of endpoint detection and response tool that can search and calm your
environment or if it sees that it does drop on the endpoint there, it can
actually find that based on the hash or just the name. That’s all good stuff to
know, that’s all good stuff to know. So before I actually go and you know enable
content one thing that I was do is look to check hey let’s see if the neatly
content is evidence that there is a macro in it at all
well what I want to do first is to extract the macros and check them out to
see if they can give us any information there’s a couple tools that we can use
for them one of them is office mal scanner it’s a really simple tool you
just take the tool and you point it at the document and there you go now if
anybody is a picture taker yeah you can totally do that I hope everyone but at
the very end of this presentation I’ve got three slides that lists all the
tools where you can find them how to use them – so we’ll have plenty of time for
picture taking later if you like or do with that whatever folks are going but
office mal standard it’s really quite easy you just point it at it and office
mal scanner works really good for docx files and docx it’s really good on those
too and in this case it found three macros right there and it yank them out
and put the folder another really good tool is
Oh Ellie dumped a Python script here and this is a really good book because out
early is a good docx file stock X but Imhotep lately has been doing XML files
disguised as docx files office Mouse scanner can’t handle them so only dump
can again a really simple tool to use only dump pointed up document and you’re
gonna see that here all the macros listed out and if it has a capital M or
even a lowercase M next to it we want to extract those how do we do that well you
just choose the s choose the macro number like there’s number eight V for
verbose I’ll put it to a text file head there you go you’ve got through you’ve
got what you need well then now that haven’t done what
actually happens with the macro here they go here they are and yeah it looks
like pretty horrendous stuff but if you start filtering out the garbage and
actually looking at you know what’s useful you can really help too it helps
to filter out a lot of this now what I do then when I’m looking at this I just
look for something that looks like an actual word or something in English
rather than all this extra just gibberish right there once they do that
I start following the variables to see how they’re being used and we can see
here that auto open that means that when you enable content all of that is going
to run right away but here buried in this way icpo wdr sh e ll – e o power
show there we go now whatever this is doing it’s going to
toss it in that variable so that’s going to be important later but notice we’ve
got a whole bunch of more variables coming after that what are those ones
well it’s my know looking here we got you can see that – uh same power shell –
be right there and this variable that points to this function inside this much
we’ve got a whole bunch more garbage code but buried in here is this one
we’ve got a big long string of characters and another big long string
of characters and more and all of those get all put together in
or online that tossed and returned into that is interesting looking also there’s
another function of the same name here and what we can see is win MGMT s win32
processes tossed in there that variable is used here get object of this win MGMT
s win32 process start up and down here we’ve got another get object into crate
so all of those strings those big long strings are all being put together and
all being tossed into this mix right here and that is going to be assembled
once it is assembled it looks like this powershell – e in a whole big long
string of base64 now the question is how do you you get from here to where it is
going to be assembled how do we get this output of it having been assembled again
there’s a bunch of tools that can come up with them so to get from the macro to
the powershell we’re gonna be using a viper monkey another couple of behavior
analysis ones come and watch from cosmic security they got anybody heard of them
they’ve got a bunch of other tools out there that are useful process fire
control and process hacker itself let’s start with Viper monkey again another
very simple tool to use Viper monkey and he just pointed at the document and he
let it fly Viper monkey is an emulator it’s not actually going to enable
content or trigger or anything it just looks at it and says hey what’s going to
happen with it analyzes all the VBA code and once it is done and it does take a
little bit time it spits out at the end here hey
powershell – b and there is all of the base64 so they’re handy tool to use
another way of doing that though is actually you’re going to have to open
the document and enable content so when you do that in your analysis analysis
machine don’t have pointed out the real internet shut down the interface because
I’ve of course never infected my machine right talk to anybody who works with
malware and yes 50% of them will say oh of course
I’ve never ransomware to myself this is the one from County security this one
what it does is it looks for different processes to spawn command powershell
run dll 32 w script you click start open the document enable content and it
interrupts powershell in this case we’re opening it show as we hate her show was
called and here’s what it was here’s the command line that was spent to it so
that’s all way together cross the spot control is any way of doing that in
PowerShell you run this script powershell control our spots our
processes bomb control and on its gonna sit there and wait open the document
enable content and i’ll say hey this wants to run PowerShell run by the
parent process w my PR BSC you want to keep suspended but underneath here we’ve
got the new spawn process and here’s the command line that was fed to it so again
another way of doing this my preferred way really quick and dirty it’s not
complicated that is just have a process hacker open enable content watch and w
my peer he has a pair of the SE it once powershell opens up quick double click
it and they do get the properties of it and there you can find the command line
right down there yeah quick and dirty but it’s what you it’s which one so
however we got here now what we’ve got a whole bunch of basics before encoded
information what do we obviously want to do we want to I’m base64 it if that’s
the right way to put it what is cyber chef Tsai chef anybody here fans of it
yeah all right well this is perfect application for what we’re going to be
doing today cyber chef is great because you feed the
information into the top and then you pull in all these different operations
or recipes maybe ingredients because it’s like a chef Lucas anyway it takes
me to drag them over here and one of them is from base64 so here’s the input
you from base64 it’s gonna unto it and then we’re going to get the output here
so that mean kind of you know here’s the output from having it been on the base64
and we see a whole lot of English words that’s fine it’s still very tough to
read so then the next thing that we want to do is to use another recipe called
remove null pipes that’s made to be all these extra periods and things in there
and once we do that it’ll transform the data – this looks better but now we have
a bunch of these ‘ + across the board sky comas for some of you but we have a
whole bunch of those all over the place and so let’s give it of those well there
is the find/replace and let’s get rid of that replace it with nothing once we’re
done with that then here’s how to transform the data slightly better but
if we look at it carefully we can see that we’ve got a whole bit of line in
red here we’ve got a whole bunch of data but then surrounding that is memories
string convert from base pose so all of this is base 64 this is going 200 base64
and then wrapped around that is compression deflates stream well there
are cyber chef recipes to do that so we need to copy
the base64 we put it back at the top and then we use these two recipes from
basics before and then bra inflate and we get ten of this what do we see we see
it one two three four five URLs and we see a whole bunch of other commercial
commands down here let’s clean this up a little bit and we can see that yeah
mixing that web client and here in this variable we’ve got the five URLs they’re
split on the axonal we’ve got another interesting one right here 872 is
possible to that variable this one is pointing to that your user profile slash
872 is across right there exe and then for each of the items in this and that
variable right there it’s going to try to download the file to that location
rename it 872 vxe and then invoke it so we’ve got our five URLs that is now five
indicators of compromise that would be important too to hunt for the last two
things that you can do here if you really want to clean up your data even
more is just use these two recipes extract URLs and split on the accent
well then then you look at that nice lovely list of five lines that you can
take and copy paste on to wherever the heck you want us now what are other ways
that the attacker who have made over the past couple months what are other ways
that they have been encoding their powershot all over code right there well
in this case they were doing this for a while just to get to command exe and
they were do downtown slash dot dot slash windows and fine
as a way to just execute that this one was interesting though because we have a
huge long string of data right there and being taught getting tossed into xho
live and then for each character in there it’s going to start at character
497 count backwards and at zero well character 497 as this 1p go reverse
Oh wer sa peau so what this is doing is just reversing all of that tossing it
into that variable and then once it’s done calling it yeah and it gets my
stuff go figure this is an interesting one too there’s
been variations on this for a while now to the game you see that dot dot slash
dot dot slash command EMC we’ve got a big huge long string of characters right
here and then for each of these characters in this big one already I
don’t know the right words array might be the right thing
there’s dictionary I don’t know which one but anyway for each one of those 71
character number 71 that 756 character 56 character 30 character pretty simple
everything you need to know is right there but this is rearranging it all in
the correct order tossing it in this variable and then typing it into command
so that it will execute now to go through and undo all of that I’m not
going to do that by hand but what you can’t do is open up this is power show
right open up our shelf copy and paste from
set all the way down to right before the pipe so copy from the sent down right
before the pipe because all of that has to be mine scrambled before it gets to
the command well if you can copy and paste that toss it into PowerShell
command prompt power so we’ll do all the work for you then then spit out well the
decoded commands and then you’ll get your five URLs that way again don’t copy
and paste in the pipe today and that will be bad
it will actually do the things it’s trying to do five new reflux this one
was well really quite silly I mean we’ve got again a big long string of
characters but down here dot replace and what replacing any time you find the
triple zeros replaced it with whatever is in that variable well nothing is in
that variable but what we see here is a new object continent if you get rid of
all those zeros so end up with what HTTP there’s an IP address and all of that so
again before a cyber chef it’d be easy just copy and paste all of this they
have their Find and Replace recipe tossing the three zeros replaced with
nothing and you’ll get out the five URLs that you need it the JavaScript time
yeah that’s something that they’ve been doing much more recently this is one of
the first ones that they tried with you can see the 1 2 3 4 5 here where else
just plain this days sitting out there just to annoy everybody apparently and
that made it obvious say that JavaScript which is making this much much more
difficult because up here we’ve got a whole bunch of variables and you see
like the equals equal sign right there every single one of these strengths is
all base64 encoded oh I could just take each one individually and basics before
decoded no no no no because there’s another function down there that takes
what has been decoded runs its own one on encryption on the station script on
it there’s no easy way to do this so in this case what I’ve been doing then is
taking them and tossing it into an online sandbox are called any dot run is
everybody here familiar with them yes if you’re not familiar with it we’re going
to talk about it near the end of this presentation but if super awesome it’s
ok well quite a market anyway what it does is it actually
and the JavaScript and hey here’s the error that was buried in that JavaScript
code saying oh there’s an error my hope bummer
sorry about you but in the background it’s actually reaching out to the one
truth be it’s reaching out to the URLs and you can pick them up that way all
right so oh we’re not done this one is much
more recent too with the interesting thing about this is that here you can
see all of the jumbled about URLs and what’s happening here is that it’s going
to find the 30th one one two three four oh sorry zero one two three bla bla bla
bla bla find that one and it’s just rearranging all of these chunks into the
right order up there tossing it to mu 4 mu 4 D and down here it’s going to go
through them and invoke it and all the same commercial stuff that we’ve been
seeing this whole time so whatever way they’re doing it whatever way that
they’re going to end up doing it we’ve now added to our list of indicators
compromising that is these 5 URLs right there and also when is it going to be
landed on the end point itself that might change that’s why it’s important
to be able to do this manually so that you can see hey where is it going to be
if something is infected I might be able to find in at that location
well then at this point we pretty much done all we can with the document we’ve
got the URLs we know where it’s going to land now here comes the fun part go to
one of these websites and try to download the executable don’t download
and run it but just save it save it nothing this time again now that I’ve
made that assay but anyway what can we do with that executable we want to know
how it runs we want to know what it’s going to do well there’s some tools that
you can give us an idea of what’s going to happen one of them is called PE
studio and you just take the executable toss it in there and it runs just a
bunch of different checks on them they’re really
if one of them is you know he will give you the hem v5 hash or the sha-1 – to
say I don’t know whichever one it is and then we’ll give you that information
that’s good to know but the other thing that does is it comes from the
executable and it looks at the import address table to try to figure hey what
is this piece of software what’s this mail we’re going to borrow from the
operating system in order to function because not all the code is baked into
the malware it’s going to borrow something and we look at that address
table we can get an idea of what it might do well in this case here all the
different windows e things and it’s going to be to be pulling in like remove
directory interesting switch to fiber get current thread ID get process ID
okay create process none of this is really that I’m opening I mean we could
totally go to MSDN and search every single one good idea but it’s really not
that obvious which means that oh it’s a motive it’s probably package means it
has some sort of wrapper that’s going to run to make it tougher to analyze where
if weak so if we prepared well that what was being imported here with another one
look at this one let’s see what do we have here Oh registry open heat registry
close key registry said how are you okay so we don’t for sure that this one is
likely to do something to do you have a question all right
I thought you even had a double question because you’re raising both hands all
right all right all right anyway exit process ioo import see if an output
control side okay so this one certainly sounds a lot more like it’s going to be
it’s a bit more obvious what it’s going to be doing well think about this one is
that this one is from word for 2004 called dual juice and oh it’s a worm so
it makes sense then and it’s going to be doing some
if you know some psychic ones and it’s going to be messing with your registry
all that again we didn’t see that with the emo timeline oh well sometimes
you’re not always lucky but we did get a couple more of a bits of information
right here md5 of sha-256 that’s tough to know so that was our initial analysis
here now it’s time to click the thing double clear that excuse me
now all the fun is to be happy but the thing about malware is that Matt we’re
can’t hide but it must run and when it runs it’s going to do stuff and if we
can watch that stuff we can pay attention to it if you can see what it’s
writing and what it’s doing watch all the threads and the processes that is
opening that’s all the information that is good for us to know and how it
behaves and so there’s a bunch of different tools that we’re going to be
using for them one is read shocked read shine is nice as a simple tool all you
have to do is just before you run the malware all you do is you take a shot it
takes a shot with your registry complete shot of it that you run your malware
wait till it’s done doing its thing and maybe take my second shot of your
registry and it does a dip on them what’s changed
so we mean if it does change anything it really does stand out like this or much
output but you’ll see what has changed that’s good Wireshark
everybody’s favorite should be self-explanatory I hope network traffic
for those of you were going to pay should never traffic see what it’s doing
prospects me monitor this one is a beast you just turn it on and did one actually
have good notes here don’t know what is press this one interview oh yes monitors
all changes to the system so anything that has been written also covers
registry any new processes new threads it creates a ton of power in fact one of
them here yeah it was just running for like maybe 10 seconds and it created you
know 50,000 different events all in here and then the process hacker it’s your
marriage on steroids basically we can do so let’s look at process hacker here
once we start it we can see that 872 not the HD it makes a copy of itself okay
that’s interesting after does that then it creates the new one spawns off the
new process called EEP meet again exe and then it kills itself see how 872 is
gone that’s interesting so the parent process disappears the child process is
still there has its own process so it make it tough to find for that parent is
interesting well then what can we do with this just sitting here running well
if we double-click on it we can see the different properties here and one of
them is where it is running from so it’s 72 dot exe we know where that one was
going to land because that’s what the powershell script did and then we can
also see hey once it does run where is the trial process likely to be and it
would be that location right there that’s really good if you’re looking for
effective systems now another thing that you can do at this point is as this is
running there’s another tab here called memory that we click on that we can
start looking through all the different strings that it has a memory and what to
receive I appear here’s could be see to information or on
that a little bit but yeah this is just know that all the information is just
right there process monitor again watches your system and just gives you a
ton ton of output and in this case I haven’t filtered on PowerShell and you
created you have twenty thousand events after just you about 10 seconds of
beating on and yeah think about a process monitor is that it is completely
atrocious to comb through and try to find anything I mean it’s really bad so
there are lovely tools that we can use to show all this graphically one of them
being proc duct anyone familiar with this yeah yeah okay so what you can do
is you can take the output for process monitor save it as a CSV import it into
your Proctor and you give this lovely graph that they’re starting and doing
all the things that it did and a lovely graphical view so let me zoom in here a
little bit and we can see 872 creating its own
child process of itself and then this one ends up creating EAP me target right
there which is living at this address and then this one has threads in it
starts it looks like it’s changing some things to the registry so all this
information after click here again when you’re click on it don’t point it to the
Internet but all this information is all just you know right there as we’re
watching this behaviorally of course we can watch Wireshark and just turn it on
let it fly and you’ll see that after a little bit after a very regular
intervals it’s going to try to reach out to different IPS definitely its command
and control that c2 IP address and then swipe to go to if you get that list send
it to your favorite firewall or a smart person hey if you see any traffic up to
these IPS we’re gonna have a bad day okay science up so there now that has given
us a whole bunch more information what is that on the net point we can see
where a PAP target is going to end up being we can see that Y it can be time
that EMC also shares the same md5 in cash well because it was a copy of you
know the original and we’ve got a whole bunch of command control information
that we haven’t have gathered from this finally okay not complying I’m not done
yet but t-bucket say whatever cost anything into a disassembler and looked
at basics before I want to acknowledge your eyes oh I can see the pain in your
face right there yeah what would the value of this be if we’re to look at the
traffic the c2 traffic that no actually did take and pointed my VM to the actual
Internet and let Imhotep fly watch the traffic and you know trying to
look at what’s they actually doing of course it’s all encoded information they
don’t want people like me to see what it is that they’re sending back and forth
well in a disassembler or in a debugger it should make sense that the for emote
n actually sends out any information it has to collect it before it actually
encodes it encrypts of somehow it has to have it all gathered together it should
be possible then to intercept that point and actually look and see what it has
put together the medics about to send off that would give us a lot of
information well that’s the sort of thing that can be done if you’re good at
assembly and just walk through all this kind of interesting just to you know
walk through it very frustrating too but I did not do this because that goes
beyond the scope of this presentation which was going for it it’s really hard
so so yeah I mean without information is all in there and there’s been a lot of
different writes about that most recent one I saw is this guy right here a
person I met he did his own part to his part one was all about the analyzing the
document to the macro and stuff but that right there was him actually walking
through and his adventure in in dividing this and going through it seeing how it
all works when it’s spawned and all so fascinating reading
if you can’t post it now at this point we have now crawled from the mouth of
the Trojan horse all the way through and we’ve emerged up the other end here and
it might be the case that at this point you still may have no idea what you do
anything that’s fine there’s help there’s help online analysis is just
easy way for have someone else to do all the work and of course there’s
everyone’s favorite virustotal really useful just giving a thumbs-up
thumbs-down depending upon if it’s really well known or not and that’s not
all I can really say my virustotal this that’s all too important all right
another sandbox on line I like this one a lot of hybrid analysis it gives just
choose on it and it gives a really good graphical output a whole lot of
information about what it’s doing you know the different
it reports some ideas that I ran out to where it’s actually going what all the
different functions that it imported before it ran the different mutants that
it created it just gives you a whole bunch of information and this one was my
favorite until any run any run it is amazing every time there’s free version
of the pay for the free version is amazing
any time you toss it something I expense up a brand new VM and get watches and
it’s beautiful it is so beautiful so here’s the vio right here and here we’ve
got we were word up you can totally see that I know you can but down here got
windward is calling powershell 872 and all the processes afterwards and
afterwards and the town here we’ve got all let me just zoom in here if we’re
gonna click on any one of these is it a pop-up or you can see PowerShell very
bad block well because it’s not all this basics before that’s the same basics
before that we saw you copy and paste that and analyze it all of it right
there and then we go to the next process there’s 872 running which calls if you’d
be talking right there what is it – we can see that it ends up just missing
with the windows microsoft windows currentversion run a registry key oh
that’s the persistence mechanism right there that’s cool that’s all that
information was all right there and then afterwards this one ran long enough
where even I actually called back on @c to channel and then downloaded what came
after you know temp which in this case was trip up now what was trip out to the
trick by it ran a bunch of commands that work on stop when defense off Windows
Defender delete windows Mad Max cool set preferences disable real time monitor
and true and all of that so all this information was just brought to the
surface just just wonderful wonderful sandbox here we can also see here’s the
request to access press dot Rd Sarkar comm were in other word
go figure and here’s all of the c2 traffic all this information is brought
up but there is a danger to rely only on these online sandboxes right there
that’s one out of the five URLs if I was only relying on this I said oh there’s
the one that’s bad but no there are still four more you have to be able to
do this by hand you have to be able to do this manually so that you’re able to
catch everything every indicator of compromise possible so fair warning be
careful of it yes yes they can yes the question was isn’t something
malware trying to be aware that it is running from inside the sandbox and yeah
they totally can I think there’s I can’t speak specifically on that because of a
secretive thing I just can’t remember but yeah you’re right some of them do
and if some cases sometimes they’ll just wait a long time any doubt run is nice
because you can keep adding minutes on to it for the free version it’s not
defined but really care too much tax rewrite that in there but anyway yeah
you’re definitely right so if you get no results maybe try it different online
sandbox we have no very good question very good
question last word here is King and very similar to any run or the hybrid
analysis one however one thing that they toss on here is that if they detects
that the binary of tops up there is in 110 it’s actually going to extract the
RSA public key that it used and all of the c2 URLs so that’s just you know less
work that you have to do on the front door the middle end it just has it all
right there and what they base that off was their
work from this hour right there door d0 0 RT he was writing his own you know
reversing the Packer surrounding it really interesting stop check it out
if that’s a thing or just use it here in Cape I think Kate may have modified that
since that point and adjusted it for them but anyway well we have now come to
a presentation wherever you’d like to take pictures feel free again myself
that I’m using is just VMware Workstation on top of the windows
windows 10 analysis machine that’s where I do all my stuff using Microsoft Office
again completely off my corporate network this doesn’t touch anything and
so that’s why I offense my pipe to all the people that exist what did I use to
extract mangroves that would be off smell scanner oh hell the dump you can
find them right there now office mouse care has been a long time since it’s
been updated I think 2013 it still works really well as a discipline yes I would
yes he does have some sort of display or saying it still works when you need it
holy dump it’s really nice deep your Steven sees those a lot on the Aria side
of things and it’s his work good too what about that macro analysis we had
Viper monkey that was the actually it did actually execute the document he
just combed through it it was an emulated all vbscript command watcher
process climate control interrupted those process hacker was the quick and
dirty way it’s also just a handy tool to have and then a little cyber chef which
everyone loves also behavioral analysis what is it that
we did again malware has to run when it runs it does step so process after
process monitor knock down that shot Wireshark all those things really good
to have on your reverse engineering platform and then for the analyze
executables themselves de stereo xx before debug NSA had their release of I
get dry I think it’s called naps that our
gruesome check platform I’ve messed around with it
yeah it’s a thing cuz it works I think it’s gonna get better and then finally
an analysis that’s where all those are used now there’s a whole lot of people
out who do work specifically on Hewitt and
releasing this information that they analyzed one of them is the crypto give
us one account on Twitter that’s run by four people units Ron and Jay Bruce and
PS six to 60 K and M no you know I wasn’t my head same dev no loop but no
it’s Devon all no up yeah but you get your money yeah those are the four guys
behind that account that account right there spits out so much information
really quick up-to-date information on what’s the latest URLs that you my pet
is using and also keeps track of a lot of the c2 infrastructure it was these
guys who noticed that oh there seems to be one big group of c2 infrastructure
over here and then another one it’s only those two and then maybe your labor you
have can’t remember who was they wrote an article saying oh we notice that
there are two different you know groups that you can test using in these guys
like no okay reduce all the guys and great plants everything that they dump
all those bio seeds especially when it comes to downloading and executable or
downloading a religious document is this place URL house abuse eh if you really
want up to date they have malware that can be downloaded for anywhere that’s
the place long ago senior security engineer from American transmission
company I’m also stands mentor and I’ve taught
classes here in Milwaukee and Chicago area and are there any questions
I’ve never done that totally yes sir my own network
I already mean my own corporate network or I have yeah I read somewhere to
myself I just let something flying like oh that’s interesting I was typing
and that wire train was running off some Chinese of traffic oh this is
interesting right yeah I swear myself that that’s why
we’re going to be answered that’s why you work out of the empty
anything else otherwise thank you thank you very much you

Leave a Reply

Your email address will not be published. Required fields are marked *