Let’s Learn: Deep Dive Into Magniber Ransomware PEB Traversal Function

Goal: Reverse the latest Magniber ransomware with the focus on its PEB traversal function resolving APIs to hardcoded hashes.
Original infector: a4100b682b2b63374e4ed2fc937d9b96
Decoded payload: f51a5b8ee6a5f25aa293911702a37a34
Background:

  • The ransomware served by Magnitude Exploit Kit (EK), named “Magniber,” specifically targets individuals in the Republic of Korea. Magniber checks that the potential victim’s system default language is Korean (code: 0x0412) via GetSystemDefaultUILanguage; if it is, the ransomware will terminate. Magniber generates a unique command-and-control (C2) server and ransom note website for each victim, only giving a valid response if the victim’s public IP address is located in South Korea.

https://platform.twitter.com/widgets.js
Malwarebytes’ @hasherezade and FireEye researchers previously extensively covered some of the Magniber ransomware cryptography and basic functionality. The scope of the blog is to unpack the ransomware with the focus on its PEB traversal function resolving APIs to hardcoded hashes.
Outline:

I. Unpacking Magniber ransomware
II. Victim ID generation function
III. The PEB traversal function resolving hashes to API
IV. Indicators of compromise

I. Unpacking malware
Extract the first-layer Magniber ransomware payload after it decodes and injects itself via  WriteProcessMemory. This process is rather trivial, and it includes simply dumping the buffer in OllyDbg.

II. Victim ID generation function

The very first function the Magniber ransomware performs right after the “start,” which is the main entry, is the DWORD victim ID generation function iterating from 0-9 in one function and from a-z in another one. The passed argument to the function is 19, which signifies the length of the returned bot ID generation function. It is a pretty interesting way to generate victim IDs leveraging GetTickCount Windows API calls iterating through [0-9a-z] characters until it reaches the count of 19 characters.
The C++ function is as follows:
_WORD *__cdecl generator_19_victim_id_string(int a1)
{
  HANDLE v1; 
  _WORD *v3; 
  int i;

  v1 = GetProcessHeap();
  v3 = HeapAlloc(v1, 8u, 2 * a1 + 2);
  for ( i = 0; i < a1; ++i )
  {
    if ( get_tick_count_func(0, 1) )
      v3[i] = get_tick_count_func(‘0’, ‘9’);
    else
      v3[i] = get_tick_count_func(‘a’, ‘z’);
  }
  v3[a1] = 0;
  return v3;

III. The PEB traversal code resolving hashes to APIs

Here, we observe interesting Magniber ransomware technique for traversing the Process Environment Block (PEB) data. 

PEB is a user-mode data structure that can be used by applications  to get information such as the list of loaded modules, process startup arguments, heap address amongst other useful capabilities. From MSDN more on the PEB structure, read here.
The malware traverses PEB structure to search for module hash match obtaining access to PEB via __readfsdword( 0x30 ) [fs:30h] iterating through loaded modules looking for pFunctionName and matching it with hash via ROTR macro implementing the logic of a rotate right operation.
By and large, this PEB traversal function is used to load hashes and to avoid usual sequence of LoadLibrary and GetProcAddress API from anti-virus basic detection. In this case, the ransomware resolves all Advapi32 cryptography, registry and Internet API calls.
Notably, this PEB traversal is almost an exact copy of the GitHub code belonging to the project “Position Independent Code Bindshell.”

The function C++ code works as follows:

int __cdecl resolve_api_by_hash(int a1)
{
  int pFunctionName; 
  int v3;
  int v4; 
  int v5; 
  _DWORD *pdwFunctionNameBase;
  int v7;
  int v8;
  unsigned int dwFunctionHash; 
  int dwModuleHash; 
  int v11;
  _BYTE *pTempChar;
  _BYTE *pTempChar_;
  unsigned int i;
  unsigned int j;

  v7 = *(_DWORD *)(*(_DWORD *)(__readfsdword(0x30) + 0xC) + 0xC);// 0x30 = PEB; 0x0C = InLoadOrderModuleList
  while ( *(_DWORD *)(v7 + 0x18) )             
// while (pDataTableEntry->DllBase != NULL))
  {
    dwModuleHash = 0;                           
    v8 = *(_DWORD *)(v7 + 0x18);                
// pDataTableEntry->DllBase
    v3 = *(_DWORD *)(v7 + 0x2C);                
// pDataTableEntry->BaseDllName
    v4 = *(_DWORD *)(v7 + 0x30);                
// pNTHeader
    v5 = *(_DWORD *)(*(_DWORD *)(v8 + 0x3C) + v8 + 0x78);

/*pNTHeader >OptionalHeader.DataDirectory[0].VirtualAddress;dwExportDirRVA
*/
    v7 = *(_DWORD *)v7;
    if ( v5 )                                   
// dwExportDirRVA != 0
    {
      for ( i = 0; i < HIWORD(v3); ++i )        
// calculate module hash
      {
        pTempChar = (_BYTE *)(i + v4);          // pTempChar
        v11 = (dwModuleHash <> 13);
// dwModuleHash = ROTR32( dwModuleHash, 13 )
        if ( (signed int)*(_BYTE *)(i + v4) < ‘a’ )
// if ( *pTempChar >= 0x61 )
          dwModuleHash = v11 + *pTempChar;      
// dwModuleHash += *pTempChar
        else
          dwModuleHash = v11 + *pTempChar – ‘ ‘;
// dwModuleHash += *pTempChar – 0x20
      }
      pdwFunctionNameBase = (_DWORD *)(*(_DWORD *)(v5 + v8 + 0x20) + v8);
// pdwFunctionNameBase = (PDWORD) ((PCHAR) pModuleBase + pExportDir->AddressOfNames)
      for ( j = 0; j < *(_DWORD *)(v5 + v8 + 0x18); ++j )// for (i = 0; i < dwNumFunctions; i++)
      {
        dwFunctionHash = 0;
        pFunctionName = v8 + *pdwFunctionNameBase;
// (PCSTR) (*pdwFunctionNameBase + (ULONG_PTR) pModuleBase)
        ++pdwFunctionNameBase;
        pTempChar_ = (_BYTE *)pFunctionName;
        do
          dwFunctionHash = ((dwFunctionHash <> 13)) + *pTempChar_++;
// dwFunctionHash = ROTR32( dwFunctionHash, 13 )
        while ( *(pTempChar_ – 1) );
        if ( dwModuleHash + dwFunctionHash == a1 )
          return *(_DWORD *)(*(_DWORD *)(v5 + v8 + 28) + v8 + 4 * *(_WORD *)(*(_DWORD *)(v5 + v8 + 36) + v8 + 2 * j))
               + v8;
      }
    }
  }
  return 0;

}

The PEB traversal function leveraged 18 times to import and resolve the following hashes to their respective functions as follows:

Function Location Hash Resolved API
crypto_func+B 0x42131B45 CryptAcquireContextW
crypto_func+1B 0x56622BD6 CryptDestroyHash
crypto_func+2B 0x24FFC058 CryptImportKey
crypto_func+3B 0xCFD1BDA1 CryptSetKeyParam
crypto_func+4B 0xCFB9BDA1 CryptGenKeyParam
extension_match_process+55 0xED7C652 CryptEncrypt
extension_match_process+65 0xE95AC43 CryptDestroyKey
extension_match_process+75 0x56622BD6 CryptReleaseContent
extension_match_process+85 0x2733D478 CryptReleaseContent
http_resolver+96 0xA829563A InternetOpenW
http_resolver+A6 0xF12A8777 InternetOpenUrlW
http_resolver+B6 0xB6B67072 HttpQueryInfoW
http_resolver+C6 0xE2899612 InternetReadFile
http_resolver+D6 0xD46E6BD3 InternetCloseHandle
shadow_copy+505 0x7FEF6E25 RegCreateKeyW
shadow_copy+518 0xBA2A6615 RegSetValueExW
shadow_copy+52B 0x31E0C5ED RegCloseKey
start+526 0xE33D73B4 lstrcpyW
start+536 0xEF53E1DF GetSystemDefaultUILanguage
IV. Indicators of Compromise
Default AES_KEY:
rpa7A7464MovZ807

Initialization vector:

fKwJ97sQ63y1D309

The list of the decoded subdomains is as follows:

piruns[.]racing
sawchip[.]life
oneking[.]space
Tor Domain:
r6zhyjiytkramynl[.]onion
The list of whitelisted directories is as follows:
[‘:\\\\documents and settings\\\\all users\\\\’, ‘:\\\\documents and settings\\\\default user\\\\’, ‘:\\\\documents and settings\\\\localservice\\\\’, ‘:\\\\documents and settings\\\\networkservice\\\\’, ‘\\\\appdata\\\\local\\\\’, ‘\\\\appdata\\\\locallow\\\\’, ‘\\\\appdata\\\\roaming\\\\’, ‘\\\\local settings\\\\’, ‘\\\\public\\\\music\\\\sample music\\\\’, ‘\\\\public\\\\pictures\\\\sample pictures\\\\’, ‘\\\\public\\\\videos\\\\sample videos\\\\’, ‘\\\\tor browser\\\\’, ‘\\\\$recycle.bin’, ‘\\\\$windows.~bt’, ‘\\\\$windows.~ws’, ‘\\\\boot’, ‘\\\\intel’, ‘\\\\msocache’, ‘\\\\perflogs’, ‘\\\\program files (x86)’, ‘\\\\program files’, ‘\\\\programdata’, ‘\\\\recovery’, ‘\\\\recycled’, ‘\\\\recycler’, ‘\\\\system volume information’, ‘\\\\windows.old’, ‘\\\\windows10upgrade’, ‘\\\\windows’, ‘\\\\winnt’]
Targeted extensions:
[‘doc’, ‘docx’, ‘xls’, ‘xlsx’, ‘ppt’, ‘pptx’, ‘pst’, ‘ost’, ‘msg’, ’em’, ‘vsd’, ‘vsdx’, ‘csv’, ‘rtf’, ‘123’, ‘wks’, ‘wk1’, ‘pdf’, ‘dwg’, ‘onetoc2’, ‘snt’, ‘docb’, ‘docm’, ‘dot’, ‘dotm’, ‘dotx’, ‘xlsm’, ‘xlsb’, ‘xlw’, ‘xlt’, ‘xlm’, ‘xlc’, ‘xltx’, ‘xltm’, ‘pptm’, ‘pot’, ‘pps’, ‘ppsm’, ‘ppsx’, ‘ppam’, ‘potx’, ‘potm’, ‘edb’, ‘hwp’, ‘602’, ‘sxi’, ‘sti’, ‘sldx’, ‘sldm’, ‘vdi’, ‘vmx’, ‘gpg’, ‘aes’, ‘raw’, ‘cgm’, ‘nef’, ‘psd’, ‘ai’, ‘svg’, ‘djvu’, ‘sh’, ‘class’, ‘jar’, ‘java’, ‘rb’, ‘asp’, ‘php’, ‘jsp’, ‘brd’, ‘sch’, ‘dch’, ‘dip’, ‘p’, ‘vb’, ‘vbs’, ‘ps1’, ‘js’, ‘asm’, ‘h’, ‘pas’, ‘cpp’, ‘c’, ‘cs’, ‘suo’, ‘sln’, ‘ldf’, ‘mdf’, ‘ibd’, ‘myi’, ‘myd’, ‘frm’, ‘odb’, ‘dbf’, ‘db’, ‘mdb’, ‘accdb’, ‘sq’, ‘sqlitedb’, ‘sqlite3’, ‘asc’, ‘lay6’, ‘lay’, ‘mm’, ‘sxm’, ‘otg’, ‘odg’, ‘uop’, ‘std’, ‘sxd’, ‘otp’, ‘odp’, ‘wb2’, ‘slk’, ‘dif’, ‘stc’, ‘sxc’, ‘ots’, ‘ods’, ‘3dm’, ‘max’, ‘3ds’, ‘uot’, ‘stw’, ‘sxw’, ‘ott’, ‘odt’, ‘pem’, ‘p12’, ‘csr’, ‘crt’, ‘key’, ‘pfx’, ‘der’, ‘1cd’, ‘cd’, ‘arw’, ‘jpe’, ‘eq’, ‘adp’, ‘odm’, ‘dbc’, ‘frx’, ‘db2’, ‘dbs’, ‘pds’, ‘pdt’, ‘dt’, ‘cf’, ‘cfu’, ‘mx’, ‘epf’, ‘kdbx’, ‘erf’, ‘vrp’, ‘grs’, ‘geo’, ‘st’, ‘pff’, ‘mft’, ‘efd’, ‘rib’, ‘ma’, ‘lwo’, ‘lws’, ‘m3d’, ‘mb’, ‘obj’, ‘x’, ‘x3d’, ‘c4d’, ‘fbx’, ‘dgn’, ‘4db’, ‘4d’, ‘4mp’, ‘abs’, ‘adn’, ‘a3d’, ‘aft’, ‘ahd’, ‘alf’, ‘ask’, ‘awdb’, ‘azz’, ‘bdb’, ‘bib’, ‘bnd’, ‘bok’, ‘btr’, ‘cdb’, ‘ckp’, ‘clkw’, ‘cma’, ‘crd’, ‘dad’, ‘daf’, ‘db3’, ‘dbk’, ‘dbt’, ‘dbv’, ‘dbx’, ‘dcb’, ‘dct’, ‘dcx’, ‘dd’, ‘df1’, ‘dmo’, ‘dnc’, ‘dp1’, ‘dqy’, ‘dsk’, ‘dsn’, ‘dta’, ‘dtsx’, ‘dx’, ‘eco’, ‘ecx’, ’emd’, ‘fcd’, ‘fic’, ‘fid’, ‘fi’, ‘fm5’, ‘fo’, ‘fp3’, ‘fp4’, ‘fp5’, ‘fp7’, ‘fpt’, ‘fzb’, ‘fzv’, ‘gdb’, ‘gwi’, ‘hdb’, ‘his’, ‘ib’, ‘idc’, ‘ihx’, ‘itdb’, ‘itw’, ‘jtx’, ‘kdb’, ‘lgc’, ‘maq’, ‘mdn’, ‘mdt’, ‘mrg’, ‘mud’, ‘mwb’, ‘s3m’, ‘ndf’, ‘ns2’, ‘ns3’, ‘ns4’, ‘nsf’, ‘nv2’, ‘nyf’, ‘oce’, ‘oqy’, ‘ora’, ‘orx’, ‘owc’, ‘owg’, ‘oyx’, ‘p96’, ‘p97’, ‘pan’, ‘pdb’, ‘pdm’, ‘phm’, ‘pnz’, ‘pth’, ‘pwa’, ‘qpx’, ‘qry’, ‘qvd’, ‘rctd’, ‘rdb’, ‘rpd’, ‘rsd’, ‘sbf’, ‘sdb’, ‘sdf’, ‘spq’, ‘sqb’, ‘stp’, ‘str’, ‘tcx’, ‘tdt’, ‘te’, ‘tmd’, ‘trm’, ‘udb’, ‘usr’, ‘v12’, ‘vdb’, ‘vpd’, ‘wdb’, ‘wmdb’, ‘xdb’, ‘xld’, ‘xlgc’, ‘zdb’, ‘zdc’, ‘cdr’, ‘cdr3’, ‘abw’, ‘act’, ‘aim’, ‘ans’, ‘apt’, ‘ase’, ‘aty’, ‘awp’, ‘awt’, ‘aww’, ‘bad’, ‘bbs’, ‘bdp’, ‘bdr’, ‘bean’, ‘bna’, ‘boc’, ‘btd’, ‘cnm’, ‘crw’, ‘cyi’, ‘dca’, ‘dgs’, ‘diz’, ‘dne’, ‘docz’, ‘dsv’, ‘dvi’, ‘dx’, ‘eio’, ‘eit’, ’emlx’, ‘epp’, ‘err’, ‘etf’, ‘etx’, ‘euc’, ‘faq’, ‘fb2’, ‘fb’, ‘fcf’, ‘fdf’, ‘fdr’, ‘fds’, ‘fdt’, ‘fdx’, ‘fdxt’, ‘fes’, ‘fft’, ‘flr’, ‘fodt’, ‘gtp’, ‘frt’, ‘fwdn’, ‘fxc’, ‘gdoc’, ‘gio’, ‘gpn’, ‘gsd’, ‘gthr’, ‘gv’, ‘hbk’, ‘hht’, ‘hs’, ‘htc’, ‘hz’, ‘idx’, ‘ii’, ‘ipf’, ‘jis’, ‘joe’, ‘jp1’, ‘jrtf’, ‘kes’, ‘klg’, ‘knt’, ‘kon’, ‘kwd’, ‘lbt’, ‘lis’, ‘lit’, ‘lnt’, ‘lp2’, ‘lrc’, ‘lst’, ‘ltr’, ‘ltx’, ‘lue’, ‘luf’, ‘lwp’, ‘lyt’, ‘lyx’, ‘man’, ‘map’, ‘mbox’, ‘me’, ‘mel’, ‘min’, ‘mnt’, ‘mwp’, ‘nfo’, ‘njx’, ‘now’, ‘nzb’, ‘ocr’, ‘odo’, ‘of’, ‘oft’, ‘ort’, ‘p7s’, ‘pfs’, ‘pjt’, ‘prt’, ‘psw’, ‘pu’, ‘pvj’, ‘pvm’, ‘pwi’, ‘pwr’, ‘qd’, ‘rad’, ‘rft’, ‘ris’, ‘rng’, ‘rpt’, ‘rst’, ‘rt’, ‘rtd’, ‘rtx’, ‘run’, ‘rzk’, ‘rzn’, ‘saf’, ‘sam’, ‘scc’, ‘scm’, ‘sct’, ‘scw’, ‘sdm’, ‘sdoc’, ‘sdw’, ‘sgm’, ‘sig’, ‘sla’, ‘sls’, ‘smf’, ‘sms’, ‘ssa’, ‘sty’, ‘sub’, ‘sxg’, ‘tab’, ‘tdf’, ‘tex’, ‘text’, ‘thp’, ‘tlb’, ‘tm’, ‘tmv’, ‘tmx’, ‘tpc’, ‘tvj’, ‘u3d’, ‘u3i’, ‘unx’, ‘uof’, ‘upd’, ‘utf8’, ‘utxt’, ‘vct’, ‘vnt’, ‘vw’, ‘wbk’, ‘wcf’, ‘wgz’, ‘wn’, ‘wp’, ‘wp4’, ‘wp5’, ‘wp6’, ‘wp7’, ‘wpa’, ‘wpd’, ‘wp’, ‘wps’, ‘wpt’, ‘wpw’, ‘wri’, ‘wsc’, ‘wsd’, ‘wsh’, ‘wtx’, ‘xd’, ‘xlf’, ‘xps’, ‘xwp’, ‘xy3’, ‘xyp’, ‘xyw’, ‘ybk’, ‘ym’, ‘zabw’, ‘zw’, ‘abm’, ‘afx’, ‘agif’, ‘agp’, ‘aic’, ‘albm’, ‘apd’, ‘apm’, ‘apng’, ‘aps’, ‘apx’, ‘art’, ‘asw’, ‘bay’, ‘bm2’, ‘bmx’, ‘brk’, ‘brn’, ‘brt’, ‘bss’, ‘bti’, ‘c4’, ‘ca’, ‘cals’, ‘can’, ‘cd5’, ‘cdc’, ‘cdg’, ‘cimg’, ‘cin’, ‘cit’, ‘colz’, ‘cpc’, ‘cpd’, ‘cpg’, ‘cps’, ‘cpx’, ‘cr2’, ‘ct’, ‘dc2’, ‘dcr’, ‘dds’, ‘dgt’, ‘dib’, ‘djv’, ‘dm3’, ‘dmi’, ‘vue’, ‘dpx’, ‘wire’, ‘drz’, ‘dt2’, ‘dtw’, ‘dv’, ‘ecw’, ‘eip’, ‘exr’, ‘fa’, ‘fax’, ‘fpos’, ‘fpx’, ‘g3’, ‘gcdp’, ‘gfb’, ‘gfie’, ‘ggr’, ‘gih’, ‘gim’, ‘spr’, ‘scad’, ‘gpd’, ‘gro’, ‘grob’, ‘hdp’, ‘hdr’, ‘hpi’, ‘i3d’, ‘icn’, ‘icon’, ‘icpr’, ‘iiq’, ‘info’, ‘ipx’, ‘itc2’, ‘iwi’, ‘j’, ‘j2c’, ‘j2k’, ‘jas’, ‘jb2’, ‘jbig’, ‘jbmp’, ‘jbr’, ‘jfif’, ‘jia’, ‘jng’, ‘jp2’, ‘jpg2’, ‘jps’, ‘jpx’, ‘jtf’, ‘jw’, ‘jxr’, ‘kdc’, ‘kdi’, ‘kdk’, ‘kic’, ‘kpg’, ‘lbm’, ‘ljp’, ‘mac’, ‘mbm’, ‘mef’, ‘mnr’, ‘mos’, ‘mpf’, ‘mpo’, ‘mrxs’, ‘my’, ‘ncr’, ‘nct’, ‘nlm’, ‘nrw’, ‘oc3’, ‘oc4’, ‘oc5’, ‘oci’, ‘omf’, ‘oplc’, ‘af2’, ‘af3’, ‘asy’, ‘cdmm’, ‘cdmt’, ‘cdmz’, ‘cdt’, ‘cmx’, ‘cnv’, ‘csy’, ‘cv5’, ‘cvg’, ‘cvi’, ‘cvs’, ‘cvx’, ‘cwt’, ‘cxf’, ‘dcs’, ‘ded’, ‘dhs’, ‘dpp’, ‘drw’, ‘dxb’, ‘dxf’, ‘egc’, ’emf’, ‘ep’, ‘eps’, ‘epsf’, ‘fh10’, ‘fh11’, ‘fh3’, ‘fh4’, ‘fh5’, ‘fh6’, ‘fh7’, ‘fh8’, ‘fif’, ‘fig’, ‘fmv’, ‘ft10’, ‘ft11’, ‘ft7’, ‘ft8’, ‘ft9’, ‘ftn’, ‘fxg’, ‘gem’, ‘glox’, ‘hpg’, ‘hpg’, ‘hp’, ‘idea’, ‘igt’, ‘igx’, ‘imd’, ‘ink’, ‘lmk’, ‘mgcb’, ‘mgmf’, ‘mgmt’, ‘mt9’, ‘mgmx’, ‘mgtx’, ‘mmat’, ‘mat’, ‘ovp’, ‘ovr’, ‘pcs’, ‘pfv’, ‘plt’, ‘vrm’, ‘pobj’, ‘psid’, ‘rd’, ‘scv’, ‘sk1’, ‘sk2’, ‘ssk’, ‘stn’, ‘svf’, ‘svgz’, ‘tlc’, ‘tne’, ‘ufr’, ‘vbr’, ‘vec’, ‘vm’, ‘vsdm’, ‘vstm’, ‘stm’, ‘vstx’, ‘wpg’, ‘vsm’, ‘xar’, ‘ya’, ‘orf’, ‘ota’, ‘oti’, ‘ozb’, ‘ozj’, ‘ozt’, ‘pa’, ‘pano’, ‘pap’, ‘pbm’, ‘pc1’, ‘pc2’, ‘pc3’, ‘pcd’, ‘pdd’, ‘pe4’, ‘pef’, ‘pfi’, ‘pgf’, ‘pgm’, ‘pi1’, ‘pi2’, ‘pi3’, ‘pic’, ‘pict’, ‘pix’, ‘pjpg’, ‘pm’, ‘pmg’, ‘pni’, ‘pnm’, ‘pntg’, ‘pop’, ‘pp4’, ‘pp5’, ‘ppm’, ‘prw’, ‘psdx’, ‘pse’, ‘psp’, ‘ptg’, ‘ptx’, ‘pvr’, ‘px’, ‘pxr’, ‘pz3’, ‘pza’, ‘pzp’, ‘pzs’, ‘z3d’, ‘qmg’, ‘ras’, ‘rcu’, ‘rgb’, ‘rgf’, ‘ric’, ‘riff’, ‘rix’, ‘rle’, ‘rli’, ‘rpf’, ‘rri’, ‘rs’, ‘rsb’, ‘rsr’, ‘rw2’, ‘rw’, ‘s2mv’, ‘sci’, ‘sep’, ‘sfc’, ‘sfw’, ‘skm’, ‘sld’, ‘sob’, ‘spa’, ‘spe’, ‘sph’, ‘spj’, ‘spp’, ‘sr2’, ‘srw’, ‘wallet’, ‘jpeg’, ‘jpg’, ‘vmdk’, ‘arc’, ‘paq’, ‘bz2’, ‘tbk’, ‘bak’, ‘tar’, ‘tgz’, ‘gz’, ‘7z’, ‘rar’, ‘zip’, ‘backup’, ‘iso’, ‘vcd’, ‘bmp’, ‘png’, ‘gif’, ‘tif’, ‘tiff’, ‘m4u’, ‘m3u’, ‘mid’, ‘wma’, ‘flv’, ‘3g2’, ‘mkv’, ‘3gp’, ‘mp4’, ‘mov’, ‘avi’, ‘asf’, ‘mpeg’, ‘vob’, ‘mpg’, ‘wmv’, ‘fla’, ‘swf’, ‘wav’, ‘mp3’]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s