Edit tour

macOS Analysis Report
Install FxFactory 8.0.15.pkg

Overview

General Information

Sample name:	Install FxFactory 8.0.15.pkg
Analysis ID:	1427954
MD5:	d0b6dea52fb7260db0ad4eeb0398756a
SHA1:	d0b0ba9d4e6c33f1e42f6655e53eab5630cd93e3
SHA256:	12d8180c4b86515d7229c3abc7f1dd0e2a14c11d1fab7a975ca3cd5d81142f51
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false

Signatures

Reads hardware related sysctl values

Reads the systems OS release and/or type

Reads the systems hostname

Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)

Uses Security framework containing interfaces for system-level user authentication and authorization

Classification

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427954
Start date and time:	2024-04-18 11:33:19 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Virtual Machine, Mojave (Office 16 16.27, Java 11.0.2+9, Adobe Reader 2019.010.20099)
macOS major version:	10.14
CPU architecture:	x86_64
Analysis Mode:	default
Sample name:	Install FxFactory 8.0.15.pkg
Detection:	CLEAN
Classification:	clean2.macPKG@0/3@3/0

Warnings

Excluded IPs from analysis (whitelisted): 17.137.170.2, 23.62.177.105, 17.253.83.197, 17.253.83.195, 23.62.128.29, 17.57.21.63, 17.253.83.204, 17.253.83.203, 17.253.83.206
Excluded domains from analysis (whitelisted): e11408.d.akamaiedge.net, mesu-cdn.apple.com.akadns.net, updates.cdn-apple.com.akadns.net, e673.dsce9.akamaiedge.net, lcdn-locator-usms11.apple.com.akadns.net, help-ar.apple.com.edgekey.net, lb._dns-sd._udp.0.11.168.192.in-addr.arpa, mesu-cdn.origin-apple.com.akadns.net, lcdn-locator.apple.com.akadns.net, help.origin-apple.com.akadns.net, radarsubmissions.apple.com.akadns.net, lcdn-locator.apple.com, mesu.g.aaplimg.com, updates.g.aaplimg.com, radarsubmissions.apple.com, itunes.apple.com.edgekey.net, help.apple.com, mesu.apple.com, init.itunes.apple.com, init-cdn.itunes-apple.com.akadns.net

Runtime Messages

Command:	open "/Users/bernard/Desktop/Install FxFactory 8.0.15.pkg"
PID:	621
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

System is macvm-mojave

mono-sgen32 New Fork (PID: 621, Parent: 537)

open (MD5: 34bd93241fa5d2aee225941b1ca14fa4) Arguments: /usr/bin/open /Users/bernard/Desktop/Install FxFactory 8.0.15.pkg

xpcproxy New Fork (PID: 622, Parent: 1)

Installer (MD5: 50c84168359b295c12427b3461315322) Arguments: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer

xpcproxy New Fork (PID: 635, Parent: 1)

nsurlstoraged (MD5: 321b0a40e24b45f0af49ba42742b3f64) Arguments: /usr/libexec/nsurlstoraged --privileged

xpcproxy New Fork (PID: 653, Parent: 1)

installd (MD5: 4a55e40799072bad8663cf8f5d2d845a) Arguments: /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd

cleanup

Yara Signatures

⊘No yara matches

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49349 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49351 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49368 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49371 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49380 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49397 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49399 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49400 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49401 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49402 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49403 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49404 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.18
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.16
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.16
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.193.16
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: apis.apple.map.fastly.net

Source: Install FxFactory 8.0.15.pkg	String found in binary or memory: http://crl.apple.com/applerootcag3.crl0
Source: Install FxFactory 8.0.15.pkg	String found in binary or memory: http://crl.apple.com/root.crl0
Source: Install FxFactory 8.0.15.pkg	String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: Install FxFactory 8.0.15.pkg	String found in binary or memory: http://ocsp.apple.com/ocsp03-applerootcag307
Source: Install FxFactory 8.0.15.pkg	String found in binary or memory: http://ocsp.apple.com/ocsp03-asica4020
Source: Install FxFactory 8.0.15.pkg	String found in binary or memory: http://ocsp.apple.com/ocsp03-devid070
Source: Install FxFactory 8.0.15.pkg	String found in binary or memory: http://www.apple.com/appleca0
Source: Install FxFactory 8.0.15.pkg	String found in binary or memory: http://www.apple.com/certificateauthority/0
Source: Install FxFactory 8.0.15.pkg	String found in binary or memory: https://www.apple.com/appleca/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49348
Source: unknown	Network traffic detected: HTTP traffic on port 49351 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49399 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49403
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49347
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49402
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49368
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49401
Source: unknown	Network traffic detected: HTTP traffic on port 49397 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49400
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49380
Source: unknown	Network traffic detected: HTTP traffic on port 49401 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49403 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49380 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49348 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49327 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49398 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49399
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49398
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49397
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49351
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49371
Source: unknown	Network traffic detected: HTTP traffic on port 49371 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49400 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49368 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49404 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49402 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49347 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49349 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49349
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49327
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49404

Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49349 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49351 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49368 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49371 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49380 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49397 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49399 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49400 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49401 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49402 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49403 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49404 version: TLS 1.2

Source: classification engine

Classification label: clean2.macPKG@0/3@3/0

Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)

CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist

Jump to behavior

Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)

Security framework info plist opened: /System/Library/Frameworks/Security.framework/Resources/Info.plist

Jump to behavior

Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Jump to behavior

Source: Install FxFactory 8.0.15.pkg, Payload

Binary or memory string: ThGfs

Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)	Sysctl read request: hw.cpu_freq (6.15)	Jump to behavior
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)	Sysctl read request: hw.ncpu (6.3)	Jump to behavior
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)	Sysctl read request: hw.memsize (6.24)	Jump to behavior
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)	Sysctl read request: hw.availcpu (6.25)	Jump to behavior

Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)	Sysctl requested: kern.ostype (1.1)			Jump to behavior
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)	Sysctl requested: kern.osrelease (1.2)			Jump to behavior

Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)

Sysctl requested: kern.hostname (1.10)

Jump to behavior

Source: /usr/bin/open (PID: 621)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 622)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	31 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
apis.apple.map.fastly.net	0%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
apis.apple.map.fastly.net	151.101.3.6	true	false	0%, Virustotal, Browse	unknown
updates.cdn-apple.com	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.3.6	apis.apple.map.fastly.net	United States	54113	FASTLYUS	false
151.101.131.6	unknown	United States	54113	FASTLYUS	false
151.101.67.6	unknown	United States	54113	FASTLYUS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
151.101.3.6	Arc12645415	Get hash	malicious	Unknown	Browse
	SME.dmg	Get hash	malicious	Unknown	Browse
	https://pub.marq.com/Downloadiiii-Fileee/	Get hash	malicious	Unknown	Browse
	todoist-setup.dmg	Get hash	malicious	Unknown	Browse
	http://marketplace-item-details-98756222.zya.me	Get hash	malicious	Unknown	Browse
	Diogenes	Get hash	malicious	Unknown	Browse
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c139e8bc-e6cf-46e4-b94b-c8b5dea21199	Get hash	malicious	Unknown	Browse
	http://nextnovatech.com	Get hash	malicious	Unknown	Browse
	http://api.statisticsong.com/	Get hash	malicious	Unknown	Browse
	B8rrKspvSE.sample	Get hash	malicious	DDosia	Browse
151.101.131.6	Arc12645415	Get hash	malicious	Unknown	Browse
	https://www.flazio.com/server.html	Get hash	malicious	Unknown	Browse
	https://pub.marq.com/Downloadiiii-Fileee/	Get hash	malicious	Unknown	Browse
	todoist-setup.dmg	Get hash	malicious	Unknown	Browse
	Diogenes	Get hash	malicious	Unknown	Browse
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c139e8bc-e6cf-46e4-b94b-c8b5dea21199	Get hash	malicious	Unknown	Browse
	Phoenix5b.ipa	Get hash	malicious	Unknown	Browse
	B8rrKspvSE.sample	Get hash	malicious	DDosia	Browse
151.101.67.6	Arc12645415	Get hash	malicious	Unknown	Browse
	3MVd1q7ygy.macho	Get hash	malicious	Unknown	Browse
	https://www.flazio.com/server.html	Get hash	malicious	Unknown	Browse
	http://marketplace-item-details-98756222.zya.me	Get hash	malicious	Unknown	Browse
	ztfzDO15sO.dmg	Get hash	malicious	AMOS Stealer	Browse
	http://api.statisticsong.com/	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
apis.apple.map.fastly.net	Arc12645415	Get hash	malicious	Unknown	Browse	151.101.131.6
	SME.dmg	Get hash	malicious	Unknown	Browse	151.101.3.6
	3MVd1q7ygy.macho	Get hash	malicious	Unknown	Browse	151.101.131.6
	https://www.flazio.com/server.html	Get hash	malicious	Unknown	Browse	151.101.3.6
	https://pub.marq.com/Downloadiiii-Fileee/	Get hash	malicious	Unknown	Browse	151.101.3.6
	todoist-setup.dmg	Get hash	malicious	Unknown	Browse	151.101.131.6
	http://marketplace-item-details-98756222.zya.me	Get hash	malicious	Unknown	Browse	151.101.195.6
	Diogenes	Get hash	malicious	Unknown	Browse	151.101.195.6
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c139e8bc-e6cf-46e4-b94b-c8b5dea21199	Get hash	malicious	Unknown	Browse	151.101.131.6
	http://nextnovatech.com	Get hash	malicious	Unknown	Browse	151.101.3.6

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	http://gamma.app/docs/Adobe-1098-uanmwmhgl6i90tc?mode=doc	Get hash	malicious	Unknown	Browse	151.101.129.140
	https://app.esign.docusign.com/e/er?utm_campaign=GBL_XX_DBU_NEW_2307_FreetoTrialUnlock_Email1AU&utm_medium=email&utm_source=Eloqua&elqCampaignId=29542&s=566810826&lid=32871&elqTrackId=1034fb987fd44c9a9a4d0833ff06a55d&elq=89d72859fe264966a0176d4309dbb1a6&elqaid=60251&elqat=1	Get hash	malicious	Unknown	Browse	151.101.130.27
	http://ranchpools.com	Get hash	malicious	Unknown	Browse	151.101.192.176
	https://groun-93ed.ehajdranrsuw.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://17apmic5.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	151.101.1.192
	https://statesborozga.cfd/Proten/	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://i18usgwgwrtjcshghwg.z13.web.core.windows.net/Win08ShDMeEr0887/index.html?phone=%201-844-324-0016	Get hash	malicious	TechSupportScam	Browse	151.101.66.137
	https://wumanchi.s3.eu-north-1.amazonaws.com/control_dbanty.html?page=_popup&pcnt=3	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	https://mfaauthentication-zipreviewaccessmydocument.us-southeast-1.linodeobjects.com/zi-review.html#	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://keenetownhall-my.sharepoint.com/:b:/g/personal/amanda_keenetownhall_org/EcczDXj2MNxGvMjrD3G-fs8BPFPEwegwwlCuPeGrToxzeg?e=l7POTP	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
FASTLYUS	http://gamma.app/docs/Adobe-1098-uanmwmhgl6i90tc?mode=doc	Get hash	malicious	Unknown	Browse	151.101.129.140
	https://app.esign.docusign.com/e/er?utm_campaign=GBL_XX_DBU_NEW_2307_FreetoTrialUnlock_Email1AU&utm_medium=email&utm_source=Eloqua&elqCampaignId=29542&s=566810826&lid=32871&elqTrackId=1034fb987fd44c9a9a4d0833ff06a55d&elq=89d72859fe264966a0176d4309dbb1a6&elqaid=60251&elqat=1	Get hash	malicious	Unknown	Browse	151.101.130.27
	http://ranchpools.com	Get hash	malicious	Unknown	Browse	151.101.192.176
	https://groun-93ed.ehajdranrsuw.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://17apmic5.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	151.101.1.192
	https://statesborozga.cfd/Proten/	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://i18usgwgwrtjcshghwg.z13.web.core.windows.net/Win08ShDMeEr0887/index.html?phone=%201-844-324-0016	Get hash	malicious	TechSupportScam	Browse	151.101.66.137
	https://wumanchi.s3.eu-north-1.amazonaws.com/control_dbanty.html?page=_popup&pcnt=3	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	https://mfaauthentication-zipreviewaccessmydocument.us-southeast-1.linodeobjects.com/zi-review.html#	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://keenetownhall-my.sharepoint.com/:b:/g/personal/amanda_keenetownhall_org/EcczDXj2MNxGvMjrD3G-fs8BPFPEwegwwlCuPeGrToxzeg?e=l7POTP	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
FASTLYUS	http://gamma.app/docs/Adobe-1098-uanmwmhgl6i90tc?mode=doc	Get hash	malicious	Unknown	Browse	151.101.129.140
	https://app.esign.docusign.com/e/er?utm_campaign=GBL_XX_DBU_NEW_2307_FreetoTrialUnlock_Email1AU&utm_medium=email&utm_source=Eloqua&elqCampaignId=29542&s=566810826&lid=32871&elqTrackId=1034fb987fd44c9a9a4d0833ff06a55d&elq=89d72859fe264966a0176d4309dbb1a6&elqaid=60251&elqat=1	Get hash	malicious	Unknown	Browse	151.101.130.27
	http://ranchpools.com	Get hash	malicious	Unknown	Browse	151.101.192.176
	https://groun-93ed.ehajdranrsuw.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://17apmic5.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	151.101.1.192
	https://statesborozga.cfd/Proten/	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://i18usgwgwrtjcshghwg.z13.web.core.windows.net/Win08ShDMeEr0887/index.html?phone=%201-844-324-0016	Get hash	malicious	TechSupportScam	Browse	151.101.66.137
	https://wumanchi.s3.eu-north-1.amazonaws.com/control_dbanty.html?page=_popup&pcnt=3	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	https://mfaauthentication-zipreviewaccessmydocument.us-southeast-1.linodeobjects.com/zi-review.html#	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://keenetownhall-my.sharepoint.com/:b:/g/personal/amanda_keenetownhall_org/EcczDXj2MNxGvMjrD3G-fs8BPFPEwegwwlCuPeGrToxzeg?e=l7POTP	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
5c118da645babe52f060d0754256a73c	Arc12645415	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.131.6 151.101.67.6
	SME.dmg	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.131.6 151.101.67.6
	3MVd1q7ygy.macho	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.131.6 151.101.67.6
	https://www.flazio.com/server.html	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.131.6 151.101.67.6
	https://pub.marq.com/Downloadiiii-Fileee/	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.131.6 151.101.67.6
	todoist-setup.dmg	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.131.6 151.101.67.6
	http://marketplace-item-details-98756222.zya.me	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.131.6 151.101.67.6
	Diogenes	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.131.6 151.101.67.6
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c139e8bc-e6cf-46e4-b94b-c8b5dea21199	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.131.6 151.101.67.6
	http://nextnovatech.com	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.131.6 151.101.67.6

Dropped Files

⊘No context

Created / dropped Files

/dev/null

Download File

Process:	/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
File Type:	ASCII text
Category:	dropped
Size (bytes):	64
Entropy (8bit):	4.722678031846025
Encrypted:	false
SSDEEP:	3:tRJEFUBRoiBX2XWcZVRWOv:uNgXVcZOA
MD5:	30EF4A0151F1213634D37AB9FE0E418B
SHA1:	D99A03E77D2F982AD2C4A7BEC8F1C107115E4292
SHA-256:	6022AD1AE993BAC4FFB613D1B158A5A4A4AD2BBA2536F32045553464EAD7C74A
SHA-512:	98E5B6A6342B48F6E5C0DF1D1F32E4117AC4BE3CEFDFA8DD890B23D2867336AFBC24D5AEB4D2EECF64DB7C0FF3104D0CC516BC3A85D7D5BA5115DFC49B62596D
Malicious:	false
Reputation:	low
Preview:	2024-04-18 11:34:32.906 Installer[622:4909] ApplePersistence=NO.

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/mds/mdsDirectory.db_

Download File

Process:	/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	48908
Entropy (8bit):	3.533814637805397
Encrypted:	false
SSDEEP:	384:xSMdGleGkIG7FF3theSMVXBD0tgcNrGB5pBfbouR6/chQOnGqwc2U+v+h/:8MdGleOhpBouRwchQOnGqwc2U+v+h/
MD5:	0E4A0D1CEB2AF6F0F8D0167CE77BE2D3
SHA1:	414BA4C1DC5FC8BF53D550E296FD6F5AD669918C
SHA-256:	CCA093BCFC65E25DD77C849866E110DF72526DFFBE29D76E11E29C7D888A4030
SHA-512:	1DC5282D27C49A4B6F921BA5DFC88B8C1D32289DF00DD866F9AC6669A5A8D99AFEDA614BFFC7CF61A44375AE73E09CD52606B443B63636977C9CD2EF4FA68A20
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	kych...........................`...X...p..S0..SX..Th..T...T...[...^h...........L...X...............T...........d...................t...............t...........<...............P...........0...........$...p...........l...........X.......@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...D.......................!...%@.......MDS_CDSADIR_CSSM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_KRMM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_EMM_RECORDTYPE.....L.......................!...%@......"MDS_CDSADIR_EMM_PRIMARY_RECORDTYPE.....H.......................!...%@.......MDS_CDSADIR_COMMON_RECORDTYPE......L.......................!...%@......"MDS_CDSADIR_CSP_PRIMARY_RECORDTYPE.....P.......................!...%@......%MDS_CDSADIR_CSP_CAPABILITY_R

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/mds/mdsObject.db_

Download File

Process:	/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	4404
Entropy (8bit):	3.5110922853353324
Encrypted:	false
SSDEEP:	24:mFkXs98w/mBr53CEb9ujBbCYoVeA7uBEUMy733Ka2VCneWHrUZRJkWnJI4FNMOQS:m6Xsh+CLjL3Pe3T5FFEfEn8xiYuuSsS
MD5:	D3A1859E6EC593505CC882E6DEF48FC8
SHA1:	F8E6728E3E9DE477A75706FAA95CEAD9CE13CB32
SHA-256:	3EBAFA97782204A4A1D75CFEC22E15FCDEAB45B65BAB3B3E65508707E034A16C
SHA-512:	EA2A749B105759EA33408186B417359DEFFB4A3A5ED0533CB26B459C16BB3524D67EDE5C9CF0D5098921C0C0A9313FB9C2672F1E5BA48810EDA548FA3209E818
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	kych.......................................d...................0...............0...p...........@...@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...@.......................!...%@.......MDS_OBJECT_RECORDTYPE..............h........... ...`........... ...@.......................-...1...5...9...=@..............................X...............P................... ...p...........l...........d...........P...........H...........,...............h...........P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................RelationName.......P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................AttributeID........X....

Static File Info

General

File type:	xar archive compressed TOC: 5487, SHA-1 checksum
Entropy (8bit):	7.993203991758305
TrID:	Safari Extension (4004/1) 80.00% ZLIB compressed file (1001/1) 20.00%
File name:	Install FxFactory 8.0.15.pkg
File size:	32'980'468 bytes
MD5:	d0b6dea52fb7260db0ad4eeb0398756a
SHA1:	d0b0ba9d4e6c33f1e42f6655e53eab5630cd93e3
SHA256:	12d8180c4b86515d7229c3abc7f1dd0e2a14c11d1fab7a975ca3cd5d81142f51
SHA512:	b7ebe46be07bdca7bc04b2734067c64a23b904477eefe1c0f0cc1dd8313c11fef418bd216e56bebc79205684f88ebb84ffd9deb09fdd6e71e4da916f25260030
SSDEEP:	786432:nNzH358QkhGUUB4uOQ/PogfBO5XcgRqpchOK9a5Yz7rWlZT:15FGLUT/PoaO5sggpe9mYz7yT
TLSH:	F377338C3D65716BBD434372214EA3EEAF01663FC41384B93181C1E5EB9CD91A98B6B7
File Content Preview:	xar!...........o......R.....x..\i..0......z?..8.^M.*.I.....o..B.$..._.faf.....^i>T...m.....$..........Q......_....{Q...:6[.........._./.e..?_n..o...oe...A..o....&.......bO...Z.nRl._....?.....Z.\|......_....Si....o..E..v.................!..#E?v......,......

Archive PKG

Archived Files

File Path	File Attributes	File Size
Distribution		4'571 bytes
FxFactory.pkg	D	bytes
FxFactory.pkg/Bom		344'202 bytes
FxFactory.pkg/PackageInfo		2'911 bytes
FxFactory.pkg/Payload		32'831'018 bytes
FxFactory.pkg/Scripts	D	bytes
FxFactory.pkg/Scripts/postinstall		6'480 bytes
Resources	D	bytes
Resources/background		17'083 bytes
Resources/en.lproj	D	bytes
Resources/en.lproj/Localizable.strings		488 bytes
Resources/en.lproj/license.html		15'275 bytes
Resources/en.lproj/welcome.html		646 bytes

Extracted Files

Distribution

File path:	Distribution
File size:	4'571 bytes
File type:	XML 1.0 document, ASCII text

FxFactory.pkg/Bom

File path:	FxFactory.pkg/Bom
File size:	344'202 bytes
File type:	Mac OS X bill of materials (BOM) file

FxFactory.pkg/PackageInfo

File path:	FxFactory.pkg/PackageInfo
File size:	2'911 bytes
File type:	ASCII text

FxFactory.pkg/Payload

File path:	FxFactory.pkg/Payload
File size:	32'831'018 bytes
File type:	gzip compressed data, from Unix, original size modulo 2^32 81285120

Resources/background

File path:	Resources/background
File size:	17'083 bytes
File type:	ISO Media, HEIF Image HEVC Main or Main Still Picture Profile

FxFactory.pkg/Scripts/postinstall

File path:	FxFactory.pkg/Scripts/postinstall
File size:	6'480 bytes
File type:	POSIX shell script, ASCII text executable, with very long lines (331)

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 11:34:22.889929056 CEST	443	49348	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:22.889993906 CEST	443	49348	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:22.890897989 CEST	49348	443	192.168.11.12	151.101.67.6
Apr 18, 2024 11:34:22.917459965 CEST	443	49349	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:22.918231010 CEST	49349	443	192.168.11.12	151.101.67.6
Apr 18, 2024 11:34:22.919075966 CEST	49349	443	192.168.11.12	151.101.67.6
Apr 18, 2024 11:34:23.084171057 CEST	443	49349	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:23.085832119 CEST	443	49349	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:23.085918903 CEST	443	49349	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:23.085985899 CEST	443	49349	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:23.086049080 CEST	443	49349	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:23.086097956 CEST	443	49349	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:23.086144924 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.086193085 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.086240053 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.087794065 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.087857008 CEST	49349	443	192.168.11.12	151.101.67.6
Apr 18, 2024 11:34:23.088064909 CEST	49349	443	192.168.11.12	151.101.67.6
Apr 18, 2024 11:34:23.088123083 CEST	49349	443	192.168.11.12	151.101.67.6
Apr 18, 2024 11:34:23.088206053 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.088896990 CEST	49349	443	192.168.11.12	151.101.67.6
Apr 18, 2024 11:34:23.094763041 CEST	49349	443	192.168.11.12	151.101.67.6
Apr 18, 2024 11:34:23.125895977 CEST	49351	443	192.168.11.12	151.101.67.6
Apr 18, 2024 11:34:23.157072067 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.157390118 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.157460928 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.157742023 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.159651041 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.259783030 CEST	443	49349	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:23.259886980 CEST	443	49349	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:23.260471106 CEST	49349	443	192.168.11.12	151.101.67.6
Apr 18, 2024 11:34:23.290842056 CEST	443	49351	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:23.291768074 CEST	49351	443	192.168.11.12	151.101.67.6
Apr 18, 2024 11:34:23.294044971 CEST	49351	443	192.168.11.12	151.101.67.6
Apr 18, 2024 11:34:23.426006079 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.426076889 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.426124096 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.426172972 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.426790953 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.427345037 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.435655117 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.436722994 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.445199013 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.445991039 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.454729080 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.459188938 CEST	443	49351	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:23.460642099 CEST	443	49351	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:23.460721970 CEST	443	49351	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:23.460779905 CEST	443	49351	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:23.460833073 CEST	443	49351	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:23.460875034 CEST	443	49351	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:23.462126970 CEST	49351	443	192.168.11.12	151.101.67.6
Apr 18, 2024 11:34:23.462198019 CEST	49351	443	192.168.11.12	151.101.67.6
Apr 18, 2024 11:34:23.462198019 CEST	49351	443	192.168.11.12	151.101.67.6
Apr 18, 2024 11:34:23.462486029 CEST	49351	443	192.168.11.12	151.101.67.6
Apr 18, 2024 11:34:23.464013100 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.464632034 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.472333908 CEST	49351	443	192.168.11.12	151.101.67.6
Apr 18, 2024 11:34:23.473722935 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.474564075 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.483220100 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.492598057 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.494693995 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.502219915 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.503139019 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.511710882 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.521199942 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.522365093 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.530684948 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.531882048 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.540218115 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.549668074 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.550441027 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.559250116 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.560923100 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.568366051 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.578015089 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.579847097 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.637023926 CEST	443	49351	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:23.637041092 CEST	443	49351	151.101.67.6	192.168.11.12
Apr 18, 2024 11:34:23.637742996 CEST	49351	443	192.168.11.12	151.101.67.6
Apr 18, 2024 11:34:23.695368052 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.696053982 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.700076103 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.709566116 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.711016893 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:23.719096899 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:23.721013069 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:24.808665037 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:24.897469044 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:24.907401085 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:25.077553988 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:25.166241884 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:25.167248011 CEST	49347	443	192.168.11.12	17.248.193.18
Apr 18, 2024 11:34:25.176111937 CEST	443	49347	17.248.193.18	192.168.11.12
Apr 18, 2024 11:34:25.412791014 CEST	49327	443	192.168.11.12	17.248.193.16
Apr 18, 2024 11:34:25.414182901 CEST	49327	443	192.168.11.12	17.248.193.16
Apr 18, 2024 11:34:25.680476904 CEST	443	49327	17.248.193.16	192.168.11.12
Apr 18, 2024 11:34:25.681354046 CEST	49327	443	192.168.11.12	17.248.193.16
Apr 18, 2024 11:34:25.681677103 CEST	443	49327	17.248.193.16	192.168.11.12
Apr 18, 2024 11:35:00.020555019 CEST	49368	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:00.020673990 CEST	443	49368	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:00.021240950 CEST	49368	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:00.026819944 CEST	49368	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:00.026897907 CEST	443	49368	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:00.390997887 CEST	443	49368	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:00.391628981 CEST	49368	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:00.391809940 CEST	49368	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:00.457684040 CEST	49368	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:00.457911015 CEST	443	49368	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:00.458496094 CEST	443	49368	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:00.458647966 CEST	49368	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:00.459131956 CEST	49368	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:00.558309078 CEST	49371	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:00.558361053 CEST	443	49371	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:00.559006929 CEST	49371	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:00.560467005 CEST	49371	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:00.560489893 CEST	443	49371	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:00.897871971 CEST	443	49371	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:00.898691893 CEST	49371	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:00.898843050 CEST	49371	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:00.965780973 CEST	49371	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:00.965972900 CEST	443	49371	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:00.966474056 CEST	443	49371	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:00.966608047 CEST	49371	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:00.967211962 CEST	49371	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:02.328109026 CEST	49380	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:02.328246117 CEST	443	49380	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:02.329252958 CEST	49380	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:02.330203056 CEST	49380	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:02.330329895 CEST	443	49380	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:02.677438974 CEST	443	49380	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:02.678423882 CEST	49380	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:02.678472996 CEST	49380	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:02.686642885 CEST	49380	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:02.686896086 CEST	443	49380	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:02.687444925 CEST	443	49380	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:02.687606096 CEST	49380	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:02.688242912 CEST	49380	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:23.310648918 CEST	49397	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:23.310771942 CEST	443	49397	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:23.311609030 CEST	49397	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:23.312625885 CEST	49397	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:23.312719107 CEST	443	49397	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:23.656649113 CEST	443	49397	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:23.657465935 CEST	49397	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:23.657465935 CEST	49397	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:23.662887096 CEST	49397	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:23.663032055 CEST	443	49397	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:23.663311005 CEST	443	49397	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:23.663588047 CEST	49397	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:23.663958073 CEST	49397	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:23.678303003 CEST	49398	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:23.678389072 CEST	443	49398	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:23.679157019 CEST	49398	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:23.679934978 CEST	49398	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:23.679970980 CEST	443	49398	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:24.023823023 CEST	443	49398	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:24.024660110 CEST	49398	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.024660110 CEST	49398	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.032589912 CEST	49398	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.032877922 CEST	443	49398	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:24.033534050 CEST	443	49398	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:24.033554077 CEST	49398	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.034233093 CEST	49398	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.156994104 CEST	49399	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.157114983 CEST	443	49399	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:24.158092976 CEST	49399	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.159723043 CEST	49399	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.159816027 CEST	443	49399	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:24.512145996 CEST	443	49399	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:24.513103008 CEST	49399	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.513103008 CEST	49399	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.521817923 CEST	49399	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.522103071 CEST	443	49399	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:24.522772074 CEST	443	49399	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:24.522782087 CEST	49399	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.523324013 CEST	49399	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.549139023 CEST	49400	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.549262047 CEST	443	49400	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:24.550414085 CEST	49400	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.551522970 CEST	49400	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.551615953 CEST	443	49400	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:24.890553951 CEST	443	49400	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:24.891496897 CEST	49400	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.891496897 CEST	49400	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.904675007 CEST	49400	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.904797077 CEST	443	49400	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:24.905010939 CEST	443	49400	151.101.3.6	192.168.11.12
Apr 18, 2024 11:35:24.905663013 CEST	49400	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:35:24.905663013 CEST	49400	443	192.168.11.12	151.101.3.6
Apr 18, 2024 11:36:28.606481075 CEST	49401	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:28.606620073 CEST	443	49401	151.101.131.6	192.168.11.12
Apr 18, 2024 11:36:28.607460022 CEST	49401	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:28.608167887 CEST	49401	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:28.608273983 CEST	443	49401	151.101.131.6	192.168.11.12
Apr 18, 2024 11:36:28.951687098 CEST	443	49401	151.101.131.6	192.168.11.12
Apr 18, 2024 11:36:28.952553988 CEST	49401	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:28.952653885 CEST	49401	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:28.970700026 CEST	49401	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:28.970940113 CEST	443	49401	151.101.131.6	192.168.11.12
Apr 18, 2024 11:36:28.971537113 CEST	443	49401	151.101.131.6	192.168.11.12
Apr 18, 2024 11:36:28.971636057 CEST	49401	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:28.972598076 CEST	49401	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:29.022799015 CEST	49402	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:29.022939920 CEST	443	49402	151.101.131.6	192.168.11.12
Apr 18, 2024 11:36:29.023741007 CEST	49402	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:29.025476933 CEST	49402	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:29.025588036 CEST	443	49402	151.101.131.6	192.168.11.12
Apr 18, 2024 11:36:29.374275923 CEST	443	49402	151.101.131.6	192.168.11.12
Apr 18, 2024 11:36:29.375263929 CEST	49402	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:29.375263929 CEST	49402	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:29.385977983 CEST	49402	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:29.386272907 CEST	443	49402	151.101.131.6	192.168.11.12
Apr 18, 2024 11:36:29.386894941 CEST	49402	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:29.402746916 CEST	49403	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:29.402868032 CEST	443	49403	151.101.131.6	192.168.11.12
Apr 18, 2024 11:36:29.403825045 CEST	49403	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:29.404771090 CEST	49403	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:29.404884100 CEST	443	49403	151.101.131.6	192.168.11.12
Apr 18, 2024 11:36:29.749994993 CEST	443	49403	151.101.131.6	192.168.11.12
Apr 18, 2024 11:36:29.750783920 CEST	49403	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:29.750817060 CEST	49403	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:29.759984970 CEST	49403	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:29.760266066 CEST	443	49403	151.101.131.6	192.168.11.12
Apr 18, 2024 11:36:29.760838032 CEST	49403	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:29.779764891 CEST	49404	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:29.779864073 CEST	443	49404	151.101.131.6	192.168.11.12
Apr 18, 2024 11:36:29.780859947 CEST	49404	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:29.781747103 CEST	49404	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:29.781861067 CEST	443	49404	151.101.131.6	192.168.11.12
Apr 18, 2024 11:36:30.124685049 CEST	443	49404	151.101.131.6	192.168.11.12
Apr 18, 2024 11:36:30.125557899 CEST	49404	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:30.125557899 CEST	49404	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:30.130681992 CEST	49404	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:30.130748987 CEST	443	49404	151.101.131.6	192.168.11.12
Apr 18, 2024 11:36:30.130858898 CEST	443	49404	151.101.131.6	192.168.11.12
Apr 18, 2024 11:36:30.131413937 CEST	49404	443	192.168.11.12	151.101.131.6
Apr 18, 2024 11:36:30.131413937 CEST	49404	443	192.168.11.12	151.101.131.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 11:34:43.885720015 CEST	53	52458	1.1.1.1	192.168.11.12
Apr 18, 2024 11:34:59.841782093 CEST	55762	53	192.168.11.12	1.1.1.1
Apr 18, 2024 11:35:00.007544041 CEST	53	55762	1.1.1.1	192.168.11.12
Apr 18, 2024 11:35:03.842838049 CEST	137	137	192.168.11.12	192.168.11.255
Apr 18, 2024 11:35:03.843257904 CEST	137	137	192.168.11.12	192.168.11.255
Apr 18, 2024 11:35:05.712007999 CEST	55483	53	192.168.11.12	1.1.1.1
Apr 18, 2024 11:36:28.434896946 CEST	57691	53	192.168.11.12	1.1.1.1
Apr 18, 2024 11:36:28.601254940 CEST	53	57691	1.1.1.1	192.168.11.12

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Apr 18, 2024 11:35:07.019207001 CEST	192.168.11.12	1.1.1.1	3a3d	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 18, 2024 11:34:59.841782093 CEST	192.168.11.12	1.1.1.1	0xa7d1	Standard query (0)	apis.apple.map.fastly.net	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:35:05.712007999 CEST	192.168.11.12	1.1.1.1	0x68c	Standard query (0)	updates.cdn-apple.com	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:36:28.434896946 CEST	192.168.11.12	1.1.1.1	0x15fa	Standard query (0)	apis.apple.map.fastly.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 18, 2024 11:35:00.007544041 CEST	1.1.1.1	192.168.11.12	0xa7d1	No error (0)	apis.apple.map.fastly.net		151.101.3.6	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:35:00.007544041 CEST	1.1.1.1	192.168.11.12	0xa7d1	No error (0)	apis.apple.map.fastly.net		151.101.67.6	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:35:00.007544041 CEST	1.1.1.1	192.168.11.12	0xa7d1	No error (0)	apis.apple.map.fastly.net		151.101.195.6	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:35:00.007544041 CEST	1.1.1.1	192.168.11.12	0xa7d1	No error (0)	apis.apple.map.fastly.net		151.101.131.6	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:35:05.879187107 CEST	1.1.1.1	192.168.11.12	0x68c	No error (0)	updates.cdn-apple.com	updates.cdn-apple.com.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 18, 2024 11:36:28.601254940 CEST	1.1.1.1	192.168.11.12	0x15fa	No error (0)	apis.apple.map.fastly.net		151.101.131.6	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:36:28.601254940 CEST	1.1.1.1	192.168.11.12	0x15fa	No error (0)	apis.apple.map.fastly.net		151.101.67.6	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:36:28.601254940 CEST	1.1.1.1	192.168.11.12	0x15fa	No error (0)	apis.apple.map.fastly.net		151.101.3.6	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:36:28.601254940 CEST	1.1.1.1	192.168.11.12	0x15fa	No error (0)	apis.apple.map.fastly.net		151.101.195.6	A (IP address)	IN (0x0001)	false

HTTPS Connections

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 18, 2024 11:34:23.085985899 CEST	151.101.67.6	443	192.168.11.12	49349	CN=bag.itunes.apple.com, O=Apple Inc., L=Cupertino, ST=California, C=US, SERIALNUMBER=C0806592, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 27 22:00:02 CET 2023 Wed Apr 29 14:54:50 CEST 2020	Sat May 25 23:10:02 CEST 2024 Thu Apr 11 01:59:59 CEST 2030	771,49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392-157-156-61-60-53-47-49160-49170-10,65281-0-23-13-5-13172-18-16-11-10,29-23-24-25,0	5c118da645babe52f060d0754256a73c
Apr 18, 2024 11:34:23.085985899 CEST	151.101.67.6	443	192.168.11.12	49349	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Apr 29 14:54:50 CEST 2020	Thu Apr 11 01:59:59 CEST 2030		5c118da645babe52f060d0754256a73c
Apr 18, 2024 11:34:23.460779905 CEST	151.101.67.6	443	192.168.11.12	49351	CN=bag.itunes.apple.com, O=Apple Inc., L=Cupertino, ST=California, C=US, SERIALNUMBER=C0806592, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 27 22:00:02 CET 2023 Wed Apr 29 14:54:50 CEST 2020	Sat May 25 23:10:02 CEST 2024 Thu Apr 11 01:59:59 CEST 2030	771,49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392-157-156-61-60-53-47-49160-49170-10,65281-0-23-13-5-13172-18-16-11-10,29-23-24-25,0	5c118da645babe52f060d0754256a73c
Apr 18, 2024 11:34:23.460779905 CEST	151.101.67.6	443	192.168.11.12	49351	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Apr 29 14:54:50 CEST 2020	Thu Apr 11 01:59:59 CEST 2030		5c118da645babe52f060d0754256a73c

System Behavior

Analysis Process: mono-sgen32 PID: 621, Parent PID: 537

General

Start time (UTC):	09:34:32
Start date (UTC):	18/04/2024
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	-
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

Chronological Activities

Analysis Process: open PID: 621, Parent PID: 537

General

Start time (UTC):	09:34:32
Start date (UTC):	18/04/2024
Path:	/usr/bin/open
Arguments:	/usr/bin/open /Users/bernard/Desktop/Install FxFactory 8.0.15.pkg
File size:	105952 bytes
MD5 hash:	34bd93241fa5d2aee225941b1ca14fa4

Chronological Activities

Analysis Process: xpcproxy PID: 622, Parent PID: 1

General

Start time (UTC):	09:34:32
Start date (UTC):	18/04/2024
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Chronological Activities

Analysis Process: Installer PID: 622, Parent PID: 1

General

Start time (UTC):	09:34:32
Start date (UTC):	18/04/2024
Path:	/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
Arguments:	/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
File size:	294864 bytes
MD5 hash:	50c84168359b295c12427b3461315322

Chronological Activities

Analysis Process: xpcproxy PID: 635, Parent PID: 1

General

Start time (UTC):	09:34:46
Start date (UTC):	18/04/2024
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Chronological Activities

Analysis Process: nsurlstoraged PID: 635, Parent PID: 1

General

Start time (UTC):	09:34:46
Start date (UTC):	18/04/2024
Path:	/usr/libexec/nsurlstoraged
Arguments:	/usr/libexec/nsurlstoraged --privileged
File size:	246624 bytes
MD5 hash:	321b0a40e24b45f0af49ba42742b3f64

Chronological Activities

Analysis Process: xpcproxy PID: 653, Parent PID: 1

General

Start time (UTC):	09:35:34
Start date (UTC):	18/04/2024
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Chronological Activities

Analysis Process: installd PID: 653, Parent PID: 1

General

Start time (UTC):	09:35:34
Start date (UTC):	18/04/2024
Path:	/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
Arguments:	/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
File size:	24768 bytes
MD5 hash:	4a55e40799072bad8663cf8f5d2d845a

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report Install FxFactory 8.0.15.pkg

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/dev/null

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/mds/mdsDirectory.db_

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/mds/mdsObject.db_

Static File Info

General

Archive PKG

Archived Files

Extracted Files

Distribution

FxFactory.pkg/Bom

FxFactory.pkg/PackageInfo

FxFactory.pkg/Payload

Resources/background

FxFactory.pkg/Scripts/postinstall

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTPS Connections

System Behavior

Analysis Process: mono-sgen32 PID: 621, Parent PID: 537

General

Chronological Activities

Analysis Process: open PID: 621, Parent PID: 537

General

Chronological Activities

Analysis Process: xpcproxy PID: 622, Parent PID: 1

General

Chronological Activities

Analysis Process: Installer PID: 622, Parent PID: 1

General

macOS Analysis Report
Install FxFactory 8.0.15.pkg