ID: 568
Sample Name: TheUnarchiver.dmg
Cookbook: defaultmacfilecookbook.jbs
Time: 11:00:53
Date: 13/04/2021
Version: 31.0.0 Emerald

Table of Contents

Table of Contents (p. 2)
Analysis Report TheUnarchiver.dmg (p. 4)
  Overview (p. 4)
    General Information (p. 4)
    Detection (p. 4)
    Signatures (p. 4)
    Classification (p. 4)
  Startup (p. 4)
  Yara Overview (p. 4)
  Signature Overview (p. 4)
  Mitre Att&ck Matrix (p. 5)
  Behavior Graph (p. 5)
  Screenshots (p. 5)
    Thumbnails (p. 5)
  Antivirus, Machine Learning and Genetic Malware Detection (p. 6)
    Initial Sample (p. 6)
    Dropped Files (p. 6)
    Domains (p. 6)
    URLs (p. 6)
  Domains and IPs (p. 7)
    Contacted Domains (p. 7)
    URLs from Memory and Binaries (p. 7)
    Contacted IPs (p. 7)
      Public (p. 7)
  General Information (p. 7)
  Joe Sandbox View / Context (p. 8)
    IPs (p. 8)
    Domains (p. 8)
    ASN (p. 8)
    JA3 Fingerprints (p. 9)
    Dropped Files (p. 9)
  Runtime Messages (p. 9)
  Created / dropped Files (p. 9)
  Static File Info (p. 11)
    General (p. 11)
  Network Behavior (p. 11)
    Network Port Distribution (p. 11)
    TCP Packets (p. 12)
    UDP Packets (p. 12)
    DNS Queries (p. 12)
    DNS Answers (p. 12)
    HTTPS Packets (p. 12)
  System Behavior (p. 12)
    Analysis Process: xpcproxy PID: 582 Parent PID: 1 (p. 12)
      General (p. 13)
      File Activities (p. 13)
        File Read (p. 13)
        Directory Created (p. 13)
    Analysis Process: The Unarchiver PID: 582 Parent PID: 1 (p. 13)
      General (p. 13)
      File Activities (p. 13)
        File Created (p. 13)
        File Deleted (p. 13)
        File Read (p. 13)
        File Written (p. 13)
        File Moved (p. 13)
        Directory Enumerated (p. 13)
        Directory Attributes Enumerated Bulk (p. 13)
        Directory Created (p. 13)
        Permission Modified (p. 13)
    Analysis Process: defaults PID: 584 Parent PID: 582 (p. 13)
      General (p. 13)
      File Activities (p. 13)
        File Created (p. 14)
        File Read (p. 14)
        File Written (p. 14)
        File Moved (p. 14)
        Directory Enumerated (p. 14)

Copyright Joe Security LLC 2021 Page 2 of 14

Analysis Report TheUnarchiver.dmg

Overview

General Information

Sample Name: TheUnarchiver.dmg
Analysis ID: 568
MD5: dabcf8ecfbd8382…
SHA1: be80f3fdcd6cb5d…
SHA256: 92c4ccf6b952ca4…
Infos:
Most interesting Screenshot:

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Verdict scale: malicious / suspicious / clean (this sample: clean)

Signatures

• Executes the "defaults" command u…
• Reads hardware related sysctl values
• Reads launchservices plist files
• Reads the sysctl safe boot value (pr…
• Reads the system OS release and/…
• Reads the systems hostname
• Uses CFNetwork bundle containing i…

Classification

Classification wheel categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware (severity rings: malicious, suspicious, clean)

Startup

System is macvm-highsierra
• xpcproxy New Fork (PID: 582, Parent: 1)
  • The Unarchiver (MD5: 1dca9cb2696011a7b13ffa6b9932affe) Arguments: /Volumes/The Unarchiver/The Unarchiver.app/Contents/MacOS/The Unarchiver
    • defaults New Fork (PID: 584, Parent: 582)
• cleanup

Yara Overview

No yara matches

Signature Overview

• Compliance
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion
• HIPS / PFW / Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

There are no malicious signatures.

Mitre Att&ck Matrix

Techniques are listed per tactic column (three matrix rows per column); a trailing number marks a technique matched by this analysis, with the count of matching signatures.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At ()
Persistence: Plist Modification 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Plist Modification 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Security Software Discovery 1; System Information Discovery 5 1; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel 1; Non-Application Layer Protocol 1; Application Layer Protocol 2
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is malicious, Number of created Files, Shell

Behavior Graph ID: 568
Sample: TheUnarchiver.dmg
Startdate: 13/04/2021
Architecture: MAC
Score: 3

Internet nodes:
• 104.76.200.212, 49248, 80 HINETDataCommunicationBusinessGroupTW (United States)
• 17.171.27.65, 443, 49238 APPLE-ENGINEERINGUS (United States)
• 2 other IPs or domains

Process nodes:
• xpcproxy
  • The Unarchiver (created files: 4)
    • started: defaults (created files: 1)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
TheUnarchiver.dmg | 0% | Virustotal | | Browse
TheUnarchiver.dmg | 0% | ReversingLabs | |

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
https://app.hello.devmate.com/reportPOSTHTTP_Tracking_Sender: | 0% | Avira URL Cloud | safe |
https://updates.devmate.com/% | 0% | Avira URL Cloud | safe |
https://issues.devmate.com/reportreportTypeTQ | 0% | Avira URL Cloud | safe |
https://feedbacks.devmate.com/reportTQ | 0% | Avira URL Cloud | safe |
www.andymatuschak.org/xml-namespaces/sparkle- | 0% | Avira URL Cloud | safe |
https://sparkle-project.org/documentation/app-transport-security/WARNING: | 0% | Avira URL Cloud | safe |
www.aladdinsys.com/StuffIt/ | 0% | Avira URL Cloud | safe |
https://feedbacks.devmate.com/report | 0% | Avira URL Cloud | safe |
https://sparkle-project.org/documentation/app-transport-security/ | 0% | Avira URL Cloud | safe |
https://devmate.io/gostore | 0% | Avira URL Cloud | safe |
https://app.hello.devmate.com/report | 0% | Avira URL Cloud | safe |
www.andymatuschak.org/xml-namespaces/sparkle | 0% | Avira URL Cloud | safe |
https://issues.devmate.com/report | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
cdn.theunarchiver.com | 13.225.87.113 | true | false | | high

URLs from Memory and Binaries

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
17.253.57.204 | unknown | United States | 6185 | APPLE-AUSTINUS | false
17.171.27.65 | unknown | United States | 714 | APPLE-ENGINEERINGUS | false
13.225.87.113 | cdn.theunarchiver.com | United States | 16509 | AMAZON-02US | false
104.76.200.212 | unknown | United States | 3462 | HINETDataCommunicationBusinessGroupTW | false

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 568
Start date: 13.04.2021
Start time: 11:00:53
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 47s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: TheUnarchiver.dmg
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Virtual Machine, High Sierra (Office 2016 v16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Analysis Mode: default
Detection: CLEAN
Classification: clean3.macDMG@0/5@1/0

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
13.225.87.113 | https://navyfederal-org.uc.r.appspot.com | malicious |
104.76.200.212 | Player.app.zip | malicious |
104.76.200.212 | SkilledRecord.dp | malicious |
104.76.200.212 | SkilledRecorddd | malicious |
104.76.200.212 | main | malicious |
104.76.200.212 | Installer.8SO9iCo3 | malicious |
104.76.200.212 | AdobeFlashPlayer.dmg | malicious |
104.76.200.212 | sogou_mac_601a.app.zip | malicious |
104.76.200.212 | Bytecode-Viewer-2.9.22. | malicious |
104.76.200.212 | fonedog-powermymac.dmg | malicious |
104.76.200.212 | AdobeFlashPlayerInstaller.dmg | malicious |
104.76.200.212 | AdobeFlashPlayerInstaller.dmg | malicious |
104.76.200.212 | AdobeFlashPlayer.dmg | malicious |
104.76.200.212 | d6bc1dc7da4ed54a62b93b5d0f1cc40c.swf.swf | malicious |
104.76.200.212 | diskdrill.dmg | malicious |

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
AMAZON-02US | ntpxrxZCfL.exe | malicious | 3.13.255.157
AMAZON-02US | Ug6Q3IejBj.exe | malicious | 52.84.150.39
AMAZON-02US | OrSxEMsYDA.exe | malicious | 3.13.255.157
AMAZON-02US | Shipping-Documents.xlsx | malicious | 52.59.165.42
AMAZON-02US | shipping documents. CI PL.xlsx | malicious | 52.59.165.42
AMAZON-02US | Original Invoice-COAU7229898130.xlsx | malicious | 18.184.197.212
AMAZON-02US | NEW ORDER.xlsx | malicious | 18.184.197.212
AMAZON-02US | INV#609-005.PDF.exe | malicious | 52.221.6.123
AMAZON-02US | swift note.xlsx | malicious | 52.59.165.42
AMAZON-02US | RFQ3936.xlsx | malicious | 52.59.165.42
AMAZON-02US | Invoice-SRP0047459188e.xlsx | malicious | 52.59.165.42
AMAZON-02US | BANKINV28032021VBNSINO.xlsx | malicious | 52.59.165.42
AMAZON-02US | tmkfdBpwAx.exe | malicious | 3.22.15.135
AMAZON-02US | ArcadeSafariGames (2).exe | malicious | 52.58.78.16
AMAZON-02US | March Financial Reports & Statements.html | malicious | 52.218.183.112
AMAZON-02US | TAX INVOICE pdf.exe | malicious | 52.58.78.16
AMAZON-02US | u87sEvt9v3.exe | malicious | 52.58.78.16
AMAZON-02US | _RFQ_Hongjin_.xlsx | malicious | 18.184.197.212
AMAZON-02US | March Financial Reports & Statements.html | malicious | 52.218.232.64
AMAZON-02US | Customer ID 2199201992001.xlsx | malicious | 3.125.17.227
HINETDataCommunicationBusinessGroupTW | Player.app.zip | malicious | 104.76.200.212
HINETDataCommunicationBusinessGroupTW | Invoice_23323_1266896570470_xls.xls | malicious | 210.65.244.174
HINETDataCommunicationBusinessGroupTW | Sales_Receipt 8723_xls.xls | malicious | 210.65.244.174
HINETDataCommunicationBusinessGroupTW | z3K7aKrxnY.dll | malicious | 210.65.244.174
HINETDataCommunicationBusinessGroupTW | eQUaXC2xcX.dll | malicious | 210.65.244.174
HINETDataCommunicationBusinessGroupTW | Xge8NNaMlp.dll | malicious | 210.65.244.174
HINETDataCommunicationBusinessGroupTW | S7Q7IHtI7P.dll | malicious | 210.65.244.174
HINETDataCommunicationBusinessGroupTW | Li6CdVD4Fk.dll | malicious | 210.65.244.174
HINETDataCommunicationBusinessGroupTW | P3oc9jifnU.dll | malicious | 210.65.244.174
HINETDataCommunicationBusinessGroupTW | lxMd2OQ9QZ.dll | malicious | 210.65.244.174
HINETDataCommunicationBusinessGroupTW | ajTb3RB2ou.dll | malicious | 210.65.244.174
HINETDataCommunicationBusinessGroupTW | 3LA8Qgt0UO.dll | malicious | 210.65.244.174
HINETDataCommunicationBusinessGroupTW | X4uDihapth.dll | malicious | 210.65.244.174
HINETDataCommunicationBusinessGroupTW | Sales_Receipt 5576.xls | malicious | 210.65.244.174
HINETDataCommunicationBusinessGroupTW | Payment_Receipt 1726.xls | malicious | 210.65.244.174
HINETDataCommunicationBusinessGroupTW | invoice.xls | malicious | 210.65.244.174
HINETDataCommunicationBusinessGroupTW | Doc_841213_7440493012242.xls | malicious | 210.65.244.174
HINETDataCommunicationBusinessGroupTW | i1grN6m67U.dll | malicious | 210.65.244.174
HINETDataCommunicationBusinessGroupTW | 848o9nyjWs.dll | malicious | 210.65.244.174
HINETDataCommunicationBusinessGroupTW | FXnQGP41Ah.dll | malicious | 210.65.244.174

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
1fbe5382f9d8430fe921df747c46d95f | Zoom.pkg | malicious | 13.225.87.113
1fbe5382f9d8430fe921df747c46d95f | xSf | malicious | 13.225.87.113

Dropped Files

No context

Runtime Messages

Command: open "/Volumes/The Unarchiver/The Unarchiver.app" --args
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Standard Error:

Created / dropped Files

/Users/berri/Library/Caches/SentryCrash/The Unarchiver/Data/CrashState.json
Process: /Volumes/The Unarchiver/The Unarchiver.app/Contents/MacOS/The Unarchiver
File Type: ASCII text
Category: dropped
Size (bytes): 200
Entropy (8bit): 4.414019509198819
Encrypted: false
SSDEEP: 3:A2SmJv//HGXeo5gpvE3AHa3pHF9HvOcVa3pHF9JEsZ3w/HWAWLK8a34Y:lS+eXeugpc6a3k3sy3Fn7a34Y
MD5: A4B122C08D58AD42E1FF5D584D10D6E6
SHA1: DAB7024CFE84A3A24C4F03C94805E07E6868CC7E
SHA-256: DC7F10B0E8C4586D93DBBE88F528DFCEF902F36A7F1B33A8E129B786423884F4
SHA-512: BC1B0A62A9F29F3248CCE84710C76393D5ABDEF78EADD496164EFF682EF377A79C0C5993BB737C37294A1C9460B4E28A8D4EB4EB4AF3B189B5947E4DD32CBFAD
Malicious: false
Reputation: low
Preview: {. "version": 1,. "crashedLastLaunch": false,. "activeDurationSinceLastCrash": 0,. "backgroundDurationSinceLastCrash": 0,. "launchesSinceLastCrash": 1,. "sessionsSinceLastCrash": 1.}

/dev/null
Process: /Volumes/The Unarchiver/The Unarchiver.app/Contents/MacOS/The Unarchiver
File Type: ASCII text
Category: dropped
Size (bytes): 151
Entropy (8bit): 4.903626009096355
Encrypted: false
SSDEEP: 3:tUI7poXMg7XZq7vVVJ1WOVRpoXvkHXwXZq79pAk4tCv:mMpKMyXZavO6RpK8wXZa9uJs
MD5: FC869A1C913C6360F93F4A9D8C1F26E5
SHA1: 95026582EE14BC10032A201AAD878A1BB553187F
SHA-256: 535F4EEC37F379D0915CA2083CA9E5BBF4075C2A453237960A6571357548D364
SHA-512: F7BAEA0D29D9177AA775E28B057F421BD3449C814FC5994EEB7A1A8F9A1F3FF6DEE786C33B5211A8831B9F8294B1FC3E5CA80B055DD42038734C47D1F883561A
Malicious: false
Reputation: low
Preview: 2021-04-13 13:02:27.875 The Unarchiver[582:6040] ApplePersistence=NO.2021-04-13 13:02:35.504 The Unarchiver[582:6040] Sentry Started -- Version: 4.5.0.

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/C/mds/mdsDirectory.db_
Process: /Volumes/The Unarchiver/The Unarchiver.app/Contents/MacOS/The Unarchiver
File Type: Mac OS X Keychain File
Category: dropped
Size (bytes): 48908
Entropy (8bit): 3.533948990143748
Encrypted: false
SSDEEP: 384:xSMdGleGkIG7FF3theSMVXBD0tgcNrGBOmBfbouR6/chQOnGqwc2U+v+h/:8MdGleOGmBouRwchQOnGqwc2U+v+h/
MD5: 09070E01FA6ED1973D94FAD50C35E3ED
SHA1: 7546663E66F9889EE3365A7A0BE372300C6022CA
SHA-256: 2E6EC437A97DD88F9067B2E99AC64789670D9B9C1FC50B2856E392E66163211F
SHA-512: 621399FF832F1A8352E5E9A54984B878C7D3432156D9CF9986A1A5B75662E92D9A00FA1BA6714D679286BB49E71916F72655AADA2B99880A2806FAFC6F86E7F3
Malicious: false
Reputation: moderate, very likely benign file
Preview: kych...... `...X...p..S0..SX..Th..T...T...[...^h...... L...X...... T...... d...... t...... t...... <...... P...... 0...... $...p...... l...... X...... @...... !...%...... CSSM_DL_DB_SCHEMA_INFO.....D...... !...%...... CSSM_DL_DB_SCHEMA_ATTRIBUTES...D...... !...%...... CSSM_DL_DB_SCHEMA_INDEXES...... H...... !...%...... CSSM_DL_DB_SCHEMA_PARSING_MODULE...D...... !...%@...... MDS_CDSADIR_CSSM_RECORDTYPE....D...... !...%@...... MDS_CDSADIR_KRMM_RECORDTYPE....D...... !...%@...... MDS_CDSADIR_EMM_RECORDTYPE.....L...... !...%@...... "MDS_CDSADIR_EMM_PRIMARY_RECORDTYPE.....H...... !...%@...... MDS_CDSADIR_COMMON_RECORDTYPE...... L...... !...%@...... "MDS_CDSADIR_CSP_PRIMARY_RECORDTYPE.....P...... !...%@...... %MDS_CDSADIR_CSP_CAPABILITY_R

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/C/mds/mdsObject.db_
Process: /Volumes/The Unarchiver/The Unarchiver.app/Contents/MacOS/The Unarchiver
File Type: Mac OS X Keychain File
Category: dropped
Size (bytes): 4404
Entropy (8bit): 3.5113078915037033
Encrypted: false
SSDEEP: 48:m6Xsh+CLjL3Pe3T5FFKfEuyu+iYxGv4sS:3X6LjLfe3wEuyu9YxGQX
MD5: D487F899A14AE98519B46D51BC810F1B
SHA1: 64877ECFBE47ED66EED545B2449BBE8B22B775D0
SHA-256: 4835899C464487946E281D535381D4CAB8BC90EC08CD00A6A0ECB97854E9321D
SHA-512: EB4FABD61B4FD2B9EF3C9E93793CA5F11353A1F81EA4DA22E0F79ED45D89180B77469B9E5DCD5350AE650B31DE9018743DA7716EFA7B5CDDFC3FA7A13C476F40
Malicious: false
Reputation: moderate, very likely benign file
Preview: kych...... d...... 0...... 0...p...... @...@...... !...%...... CSSM_DL_DB_SCHEMA_INFO.....D...... !...%...... CSSM_DL_DB_SCHEMA_ATTRIBUTES...D...... !...%...... CSSM_DL_DB_SCHEMA_INDEXES...... H...... !...%...... CSSM_DL_DB_SCHEMA_PARSING_MODULE...@...... !...%@...... MDS_OBJECT_RECORDTYPE...... h...... `...... @...... -...1...5...9...=@...... X...... P...... p...... l...... d...... P...... H...... ,...... h...... P...... 1...5...9...=...... M...... RelationID...... P...... 1...5...9...=...... M...... RelationName...... P...... 1...5...9...=...... M...... RelationID...... P...... 1...5...9...=...... M...... AttributeID...... X....

/private/var/folders/ql/8wfqxrtx52n95h35b6cz4nyw0000gn/T/.dat.nosync0248.LroQSS
Process: /usr/bin/defaults
File Type: Apple binary property list
Category: dropped
Size (bytes): 42
Entropy (8bit): 2.0265834865936085
Encrypted: false
SSDEEP: 3:NPXNtslE:NP9tEE
MD5: CE7F5B3D4BFC7B4B0DA6A06DCCC515F2
SHA1: CE657A52A052A3AAF534ECFBF7CBDDE4EE334C10
SHA-256: 9261ECCEDA608EF174256E5FDC774C1E6E3DCF533409C1BC393D490D01C713F1
SHA-512: DB9DE6AFA0E14C347AA0988A985B8A453EF133A2413C03BAE0FAB48BDA34D4F9A488DB104837A386BB65C393E8F11B1ED4856B211C1C186423649C147D6AABFB
Malicious: false
Reputation: low
Preview: bplist00......

Static File Info

General

File type: zlib compressed data
Entropy (8bit): 7.9963980668609365
TrID:
• Disk Image (Macintosh), zlib, GPT (10001/1) 66.65%
• Pixlr layered image (2002/1) 13.34%
• Pivot stickfigure animation (2002/1) 13.34%
• XMill compressed XML (1001/1) 6.67%
File name: TheUnarchiver.dmg
File size: 14390173
MD5: dabcf8ecfbd8382373653b87e7bafc0e
SHA1: be80f3fdcd6cb5d0dbdff8aa9a6e3e781d0ac152
SHA256: 92c4ccf6b952ca4f1e7bfe7047baedc02ac52e96d7d61ffda36e946a16192558
SHA512: 2578f95866a07f42863133673e4a9dc52a615ee7b8c21df4de50d0e192afe0daf5e127c68b1d0d34f672c6db5d77ce26a0982ec5069fea40cb63aa419c46ae6d
SSDEEP: 393216:R4dTPGtrlNrrNxDBIqmhO+1fB/WnKmXyy:q1GtrltTmqyB1BWnKA
File Content Preview: x.c`..C...... 3.....$k.]...-.7x.su.T.p..a``d.a``x.Sm...<...... |=(.. ...E?;....uV..Qb..7@.!..0-.`...... x...... @.....D... ..D...@ .....=l....i.....~.M..+.h..c.*...}w..C.....f)...!..3.~J.6M...... |.....x.....UU...u...... E..FD"D$DDEDDDD"%.C...

Network Behavior

Network Port Distribution

Total Packets: 25
• 53 (DNS)
• 443 (HTTPS)
• 80 (HTTP)

TCP Packets

UDP Packets

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 13, 2021 11:02:36.375998020 CEST | 192.168.11.11 | 1.1.1.1 | 0x4b02 | Standard query (0) | cdn.theunarchiver.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 13, 2021 11:02:36.402185917 CEST | 1.1.1.1 | 192.168.11.11 | 0x4b02 | No error (0) | cdn.theunarchiver.com | | 13.225.87.113 | A (IP address) | IN (0x0001)
Apr 13, 2021 11:02:36.402185917 CEST | 1.1.1.1 | 192.168.11.11 | 0x4b02 | No error (0) | cdn.theunarchiver.com | | 13.225.87.122 | A (IP address) | IN (0x0001)
Apr 13, 2021 11:02:36.402185917 CEST | 1.1.1.1 | 192.168.11.11 | 0x4b02 | No error (0) | cdn.theunarchiver.com | | 13.225.87.107 | A (IP address) | IN (0x0001)
Apr 13, 2021 11:02:36.402185917 CEST | 1.1.1.1 | 192.168.11.11 | 0x4b02 | No error (0) | cdn.theunarchiver.com | | 13.225.87.114 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp: Apr 13, 2021 11:02:36.430824041 CEST
Source IP: 13.225.87.113
Source Port: 443
Dest IP: 192.168.11.11
Dest Port: 49249
JA3 SSL Client Fingerprint: 771,49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392,65281-0-23-13-5-13172-18-16-11-10,29-23-24,0
JA3 SSL Client Digest: 1fbe5382f9d8430fe921df747c46d95f

Certificate chain (Subject | Issuer | Not Before | Not After):
CN=theunarchiver.com | CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | Tue Jan 26 01:00:00 CET 2021 | Thu Feb 24 00:59:59 CET 2022
CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034

System Behavior

Analysis Process: xpcproxy PID: 582 Parent PID: 1

General

Start time: 11:02:27
Start date: 13/04/2021
Path: /usr/libexec/xpcproxy
Arguments: n/a
File size: 43488 bytes
MD5 hash: d1bb9a4899f0af921e8188218b20d744

File Activities

File Read

Directory Created

Analysis Process: The Unarchiver PID: 582 Parent PID: 1

General

Start time: 11:02:27
Start date: 13/04/2021
Path: /Volumes/The Unarchiver/The Unarchiver.app/Contents/MacOS/The Unarchiver
Arguments: /Volumes/The Unarchiver/The Unarchiver.app/Contents/MacOS/The Unarchiver
File size: 836160 bytes
MD5 hash: 1dca9cb2696011a7b13ffa6b9932affe

File Activities

File Created

File Deleted

File Read

File Written

File Moved

Directory Enumerated

Directory Attributes Enumerated Bulk

Directory Created

Permission Modified

Analysis Process: defaults PID: 584 Parent PID: 582

General

Start time: 11:02:28
Start date: 13/04/2021
Path: /usr/bin/defaults
Arguments: n/a
File size: 39472 bytes
MD5 hash: 831678c94c2d9c647bf3d283b1861bda

File Activities

File Created

File Read

File Written

File Moved

Directory Enumerated
