When Macs Get Hacked

The document discusses current threats to Mac systems, including malware such as Flashback, CoinThief/StealthBit, WireLurker, Crisis/Morcut, and KITM. It provides information on incident response for Mac systems, including collecting system information, network data, open files, memory collection/analysis, and internet history from sources like Safari caches and downloads. The document also covers Mac autoruns using login items, launch agents, launch daemons, and XPC services, as well as analyzing temporary files, Java caches, and email from Apple Mail.


WHEN MACS GET HACKED
Sarah Edwards
@iamevltwin
[email protected]
mac4n6.com
CURRENT THREATS:

• Suspicious Use
• Insider Threat
• Data Exfiltration
• Ad-Click Malware
• Information Stealer
• Keylogger
• Commercial Spyware
• Phishing
• Backdoors

[email protected] | @iamevltwin | mac4n6.com


CURRENT THREATS:
FLASHBACK

• Infected 600,000+ systems
• $10,000/day ad-click revenue for attackers
• Java Vulnerabilities
• Fake Adobe Flash Installer
• Drive-by-Download
  - Compromised WordPress Blogs

Image Source: http://www.cultofmac.com/124840/new-flashback-os-x-trojan-is-in-the-wild-and-it-can-kill-os-xs-anti-malware-scams/


CURRENT THREATS:
COINTHIEF / STEALTHBIT

• Installed Browser Extensions in Safari and Chrome
• "Pop-Up Blocker"
• Snoops browser traffic for Bitcoin credentials (and other interesting data)
• Sends data to C2 Server

Image Source: http://www.thesafemac.com/wp-content/uploads/2014/02/CoinThief-extension.png


CURRENT THREATS:
WIRELURKER

• Repackaged & Trojanized 3rd Party OS X Applications on Maiyadi App Store (Chinese)
• Infects connected iOS devices via OS X using dynamically generated malicious apps
  - Jailbroken and non-jailbroken
• Persistence via LaunchDaemon
• Uses Open Source Software libimobiledevice to monitor for USB connections

Image Source: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
CURRENT THREATS:
CRISIS / MORCUT

• Rootkit & Spyware
• Arrives as AdobeFlashPlayer.jar
  - WebEnhancer.class
• Cross-platform (Windows!)
• Backdoor Access: Screenshots, keylog, webcam, location, microphone, files, IM data, etc.

http://nakedsecurity.sophos.com/2012/07/25/mac-malware-crisis-on-mountain-lion-eve/
CURRENT THREATS:
KITM

• Found on Angolan activist's system at Oslo Freedom Forum
• Backdoor
• Takes periodic screenshots
• Signed with Apple Developer ID

http://www.f-secure.com/weblog/archives/00002554.html
INCIDENT RESPONSE

What:
• System Information
• Network Data
• Users Logged On
• Running Processes
• Open Files
• Memory Analysis

Why:
• Collect Volatile Data
• Triage Analysis
• Dead-Box Analysis
• Encryption


INCIDENT RESPONSE:
DATA COLLECTION COMMANDS

System Information
• date
• hostname
• uname -a – Kernel & Architecture Info
• sw_vers – OS X Version

Network Information
• ifconfig – Network Configuration
• netstat -an – Active network connections
• lsof -i – Network connections by process
• netstat -rn – Routing Table
• arp -an – ARP Table

Open Files – lsof

Logged on users – who -a, w

Process List – ps aux

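The triage commands above are usually run one after another from a shell; the following Python driver is an added example (not part of the deck) that runs them in the listed order, writes each command's output into a case directory and records a SHA-256 per output file so the collection has an integrity manifest. The command names and flags are the ones on the slide; the output-file naming, the manifest layout and the default case path are this example's own assumptions.

```python
"""Volatile-data collection runner for a Mac incident-response case.

Runs the slide's triage commands, saves each output under the case
directory and writes manifest.json with a SHA-256 per file. Missing tools
(sw_vers on a non-Mac, say) are recorded rather than aborting the run.
"""
import hashlib
import json
import subprocess
import time
from pathlib import Path

# Triage commands from the slide, most volatile first.
# Each entry: (output file stem, argv list). Flags use plain ASCII hyphens.
DEFAULT_PLAN = [
    ("date",       ["date"]),
    ("hostname",   ["hostname"]),
    ("uname",      ["uname", "-a"]),        # kernel & architecture
    ("sw_vers",    ["sw_vers"]),            # OS X version (macOS only)
    ("ifconfig",   ["ifconfig"]),           # network configuration
    ("netstat_an", ["netstat", "-an"]),     # active connections
    ("lsof_i",     ["lsof", "-i"]),         # connections by process
    ("netstat_rn", ["netstat", "-rn"]),     # routing table
    ("arp_an",     ["arp", "-an"]),         # ARP table
    ("lsof",       ["lsof"]),               # open files
    ("who_a",      ["who", "-a"]),          # logged-on users
    ("w",          ["w"]),
    ("ps_aux",     ["ps", "aux"]),          # process list
]


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large lsof output does not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def run_collection(case_dir, plan=DEFAULT_PLAN) -> dict:
    """Run each command, save stdout+stderr to <case_dir>/<stem>.txt and
    return the manifest (also written to <case_dir>/manifest.json)."""
    case_dir = Path(case_dir)
    case_dir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "collected_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "items": [],
    }
    for stem, argv in plan:
        out = case_dir / f"{stem}.txt"
        item = {"name": stem, "argv": argv, "file": out.name}
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=120)
            out.write_bytes(proc.stdout + proc.stderr)
            item["returncode"] = proc.returncode
            item["sha256"] = sha256_file(out)
        except FileNotFoundError:
            # Tool absent on this host: record the gap and keep collecting.
            item["error"] = "command not found"
        except subprocess.TimeoutExpired:
            item["error"] = "timeout"
        manifest["items"].append(item)
    (case_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    import sys
    # Assumed case location; pass a different directory as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "/Volumes/IR_CASE/volatile"
    for it in run_collection(target)["items"]:
        print(f"{it['name']:12} {it.get('sha256', it.get('error'))}")
```

Run it from an external volume as the slide suggests (`python3 collect.py /Volumes/IR_CASE/volatile`) and hash the manifest itself once collection finishes; the hashes are what let you show later that the triage output was not altered after the fact.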

INCIDENT RESPONSE:
SYSTEM INFORMATION

• system_profiler -xml -detailLevel full > /Volume/IR_CASE/sys_prof_MBP.spx
• Open in "System Information.app"
• Contains:
  - Hardware Information
  - USB Information
  - Network Information
  - Firewall Settings
  - Mounted Volumes
  - System Information
  - Applications
  - Kernel Extensions
  - Log Data


MEMORY COLLECTION & ANALYSIS

Collection:
• OSXpmem
• MacQuisition
• Recon

Analysis:
• Volatility
• Rekall


MAC AUTORUNS
AUTORUNS:
LOGIN ITEMS

• Launched when user logs into system via GUI
• Location:
  - ~/Library/Preferences/com.apple.loginitems.plist
  - <application>.app/Contents/Library/LoginItems/


AUTORUNS:
LOGIN ITEMS EXAMPLE


AUTORUNS:
LAUNCH AGENTS & DAEMONS

• Preferred Method
• Introduced in 10.4 (w/launchd)
• Property List File
• Popular with current Mac malware
• Reference: TN2083


AUTORUNS:
LAUNCH AGENTS

• Agent – Background User Process
  - Can access user home directory
  - May have GUI (limited, if at all)
• Location:
  - /System/Library/LaunchAgents/
  - /Library/LaunchAgents/
  - ~/Library/LaunchAgents


AUTORUNS:
LAUNCH AGENTS EXAMPLES


AUTORUNS:
LAUNCH DAEMONS

• Daemon – Background System Process
• Location:
  - /System/Library/LaunchDaemons
  - /Library/LaunchDaemons


AUTORUNS:
LAUNCH DAEMONS EXAMPLE


AUTORUNS:
XPC SERVICES

• Privilege Separation & Stability
• Sandboxed Environment
• Runs in user context
• Services a single application
• Location:
  - Application Bundle: /Contents/XPCServices/
  - /System/Library/XPCServices/


AUTORUNS:
XPC SERVICES EXAMPLE


AUTORUNS:
MALWARE EXAMPLES

Flashback
• ~/Library/LaunchAgents/com.java.update.plist
• References .jupdate in user's home directory.

CoinThief
• ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist
• References like-named executable in same directory.

KitM
• Login Item to start macs.app Application
• With Admin Privileges...

Crisis
• /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc

Janicab
• Entry in Crontab for runner.pyc

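The launchd plists in the LaunchAgents and LaunchDaemons directories are the first thing to pull during autorun triage, and the Flashback and CoinThief entries above show the pattern to look for: a vendor-sounding label in a per-user directory that points at an executable under the home directory. The script below is an added example, not from the deck, that parses a launchd plist with the standard library and applies those checks. The sample plist is constructed to resemble the Flashback entry described on the slide (label, path and key values are illustrative), and the list of imitated vendor prefixes and the findings themselves are this example's own choices.

```python
"""Triage of launchd property lists (LaunchAgents / LaunchDaemons).

Reads the keys launchd acts on (Label, Program / ProgramArguments,
RunAtLoad, KeepAlive) and reports the facts plus a list of findings.
"""
import plistlib

# Constructed sample modelled on the Flashback persistence entry on the
# slide: ~/Library/LaunchAgents/com.java.update.plist -> ~/.jupdate
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.java.update</string>
  <key>ProgramArguments</key>
  <array><string>/Users/oompa/.jupdate</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Vendor prefixes malware on the slide imitates (com.java.*, com.google.*);
# extend as needed. This list is an assumption of the example.
IMITATED_PREFIXES = ("com.apple.", "com.google.", "com.java.", "com.adobe.")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/private/tmp/", "/private/var/tmp/")


def program_path(info: dict):
    """launchd executes Program if present, otherwise ProgramArguments[0]."""
    if "Program" in info:
        return info["Program"]
    args = info.get("ProgramArguments") or []
    return args[0] if args else None


def triage_launchd_plist(data: bytes, source_path: str) -> dict:
    """Parse one launchd plist and return its key facts plus findings."""
    info = plistlib.loads(data)
    exe = program_path(info)
    findings = []
    if exe is None:
        findings.append("no Program/ProgramArguments (nothing would run)")
    else:
        base = exe.rsplit("/", 1)[-1]
        if base.startswith("."):
            findings.append(f"hidden executable name: {base}")
        if exe.startswith("/Users/") or exe.startswith("~"):
            findings.append("executable lives in a user home directory")
        if exe.startswith(TEMP_DIRS):
            findings.append("executable lives in a temp directory")
    label = info.get("Label", "")
    if label.startswith(IMITATED_PREFIXES) and source_path.startswith("/Users/"):
        # Vendor-installed agents land in /Library or /System/Library; a
        # vendor-style label under ~/Library/LaunchAgents deserves a look.
        findings.append(f"vendor-style label {label!r} in a per-user LaunchAgents dir")
    if info.get("RunAtLoad") and info.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: starts at login and is restarted if killed")
    return {
        "source": source_path,
        "label": label,
        "program": exe,
        "run_at_load": bool(info.get("RunAtLoad", False)),
        "keep_alive": bool(info.get("KeepAlive", False)),
        "findings": findings,
    }


if __name__ == "__main__":
    r = triage_launchd_plist(SAMPLE_PLIST, "/Users/oompa/Library/LaunchAgents/com.java.update.plist")
    print(r["label"], "->", r["program"])
    for f in r["findings"]:
        print("  !", f)
```

Point it at every plist under the three LaunchAgents and two LaunchDaemons locations listed on the earlier slides (read the bytes, pass the path) and sort by number of findings; binary plists are handled by plistlib as well, so no conversion with plutil is needed first.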

INTERNET HISTORY
INTERNET HISTORY:
SAFARI - DOWNLOADS

• ~/Library/Safari/Downloads.plist

INTERNET HISTORY:
SAFARI - HISTORY

• ~/Library/Safari/History.plist


INTERNET HISTORY:
SAFARI - CACHE

~/Library/Caches/com.apple.Safari/Webpage Previews/
• Directory containing JPEG & PNG images of webpages.
• May be used to see a webpage taken from a snapshot in time.

~/Library/Caches/com.apple.Safari/Cache.db
• SQLite Database
• Download Cache Files
• Originating Location
• Download Date
• May contain evidence of:
  - Malicious code, redirects, phishing, etc.


TEMPORARY & CACHE DIRECTORIES
TEMP & CACHE DIRECTORIES:
/TMP, JAVA TEMP & CACHE

• /tmp & /var/tmp
• /Users/<user>/Library/Caches/Java/tmp
• /Users/<user>/Library/Caches/Java/cache
  - IDX, JAR Files
  - Open Cache in /Applications/Utilities/Java Preferences.app


BRIAN BASKIN'S (@BBASKIN) IDX PARSER

• https://github.com/Rurik/Java_IDX_Parser
• Windows Executable
• or...
• Python Script!


TEMP & CACHE FILES:
EXAMPLES

Flashback
• Mach-O Binary – /tmp/.sysenter
• Java Cache Files
  - rh-3.jar
  - cl-3.jar

Imuler
• /tmp/.mdworker
• /tmp/CurlUpload

MacControl
• /tmp/launch-hs – Bash Script
• /tmp/launch-hse – Malware
• /tmp/file.doc – Decoy Word Doc


EMAIL
EMAIL:
APPLE MAIL

• ~/Library/Mail/V2/MailData/
  - Accounts.plist – Mail Account Information


EMAIL:
APPLE MAIL

• Directories for each email account.
  - Nested messages and attachment directories.
  - File Types: mbox & emlx
• Mailboxes
  - ~/Library/Mail/V2/


EMAIL:
APPLE MAIL - ATTACHMENTS

"Saved"
• ~/Downloads

"QuickLook"
• ~/Library/Mail Downloads/

Metadata (10.8-)
• ~/Library/Mail/V2/MailData/OpenedAttachments.plist or OpenedAttachmentsV2.plist


LOG ANALYSIS
LOG ANALYSIS:
APPLE SYSTEM LOGS

• Location: /private/var/log/asl/ (>10.5.6)
• syslog "replacement"
• View using Console.app or syslog command
• Filename Format: YYYY.MM.DD.[UID].[GID].asl


LOG ANALYSIS:
CONSOLE.APP


LOG ANALYSIS:
SYSLOG COMMAND

• syslog -d asl/


LOG ANALYSIS:
syslog -T utc -F raw -d /asl

[ASLMessageID 3555356] [Time 2012.05.28 19:39:32 UTC] [TimeNanoSec 887175000] [Level 5] [PID 908] [UID 0] [GID 20] [ReadGID 80] [Host byte] [Sender login] [Facility com.apple.system.utmpx] [Message DEAD_PROCESS: 908 ttys002] [ut_user oompa] [ut_id s002] [ut_line ttys002] [ut_pid 908] [ut_type 8] [ut_tv.tv_sec 1338233972] [ut_tv.tv_usec 886961] [ASLExpireTime 1369856372]

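The raw ASL format is a flat list of bracketed key/value pairs, which makes it easy to process in bulk once the record above is re-assembled onto one line. The parser below is an added example, not part of the deck: it splits a raw record into a dict, reads the utmpx login-accounting fields (ut_user, ut_line, ut_type, ut_tv.tv_sec) and checks that the utmpx timestamp agrees with the ASL [Time ...] header. The field and ut_type names are the real ASL and utmpx ones; the consistency check is this example's own idea.

```python
"""Parser for `syslog -F raw` output (Apple System Log, bracketed key/value)."""
import re
from datetime import datetime, timezone

# The record from the slide, joined back onto a single line.
RAW_RECORD = (
    "[ASLMessageID 3555356] [Time 2012.05.28 19:39:32 UTC] [TimeNanoSec 887175000] "
    "[Level 5] [PID 908] [UID 0] [GID 20] [ReadGID 80] [Host byte] [Sender login] "
    "[Facility com.apple.system.utmpx] [Message DEAD_PROCESS: 908 ttys002] "
    "[ut_user oompa] [ut_id s002] [ut_line ttys002] [ut_pid 908] [ut_type 8] "
    "[ut_tv.tv_sec 1338233972] [ut_tv.tv_usec 886961] [ASLExpireTime 1369856372]"
)

# One "[key value]" field. The raw format escapes a literal ']' inside a value
# as "\]", so the value alternation allows backslash-escaped characters.
FIELD_RE = re.compile(r"\[([^\s\]]+)((?:\s(?:[^\]\\]|\\.)*)?)\]")

# utmpx ut_type values from <utmpx.h>
UT_TYPE = {2: "BOOT_TIME", 6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def parse_raw_record(line: str) -> dict:
    """Turn one raw ASL line into {key: value}, un-escaping bracket escapes."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value.strip().replace("\\]", "]")
    return fields


def header_time(fields: dict) -> datetime:
    """Decode the [Time YYYY.MM.DD HH:MM:SS UTC] header as an aware datetime."""
    return datetime.strptime(fields["Time"], "%Y.%m.%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def utmpx_summary(fields: dict) -> dict:
    """Login-accounting view of a com.apple.system.utmpx record."""
    tv_sec = int(fields["ut_tv.tv_sec"])
    event_time = datetime.fromtimestamp(tv_sec, tz=timezone.utc)
    return {
        "user": fields.get("ut_user"),
        "tty": fields.get("ut_line"),
        "pid": int(fields.get("ut_pid", 0)),
        "event": UT_TYPE.get(int(fields.get("ut_type", -1)), "UNKNOWN"),
        "time": event_time,
        # utmpx time and ASL header time should agree to the second; a gap
        # means the record was written long after the event it describes.
        "consistent": abs((event_time - header_time(fields)).total_seconds()) < 1,
    }


if __name__ == "__main__":
    s = utmpx_summary(parse_raw_record(RAW_RECORD))
    print(f"{s['time']:%Y-%m-%d %H:%M:%S} {s['event']} user={s['user']} "
          f"tty={s['tty']} pid={s['pid']} consistent={s['consistent']}")
```

Feed it the output of `syslog -T utc -F raw -d /private/var/log/asl` line by line and filter on `Facility == com.apple.system.utmpx` to rebuild the login and logout timeline directly from the ASL store, independent of what is left in system.log.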

LOG ANALYSIS:
AUDIT LOGS

• Location: /private/var/audit/
• BSM Audit Logs
• StartTime.EndTime
• YYYYMMDDHHMMSS.YYYYMMDDHHMMSS


LOG ANALYSIS:
praudit -xn /var/audit/*

su Example:
<record version="11" event="user authentication" modifier="0" time="Mon May 28 21:12:51 2012" msec=" + 41 msec" >
<subject audit-uid="501" uid="0" gid="20" ruid="501" rgid="20" pid="552" sid="100004" tid="552 0.0.0.0" />
<text>Verify password for record type Users &apos;root&apos; node &apos;/Local/Default&apos;</text>
<return errval="success" retval="0" />
</record>

<record version="11" event="user authentication" modifier="0" time="Mon May 28 21:12:55 2012" msec=" + 449 msec" >
<subject audit-uid="501" uid="0" gid="20" ruid="501" rgid="20" pid="554" sid="100004" tid="554 0.0.0.0" />
<text>Verify password for record type Users &apos;root&apos; node &apos;/Local/Default&apos;</text>
<return errval="failure: Unknown error: 255" retval="5000" />
</record>
LOG ANALYSIS:
USER LOGINS & LOGOUTS - /VAR/LOG/SYSTEM.LOG

Login Window
• May 28 12:42:23 byte loginwindow[66]: DEAD_PROCESS: 74 console
• May 28 14:28:04 byte loginwindow[66]: USER_PROCESS: 60 console

Local Terminal
• May 28 14:48:04 byte login[693]: USER_PROCESS: 693 ttys000
• May 28 14:48:07 byte login[698]: USER_PROCESS: 698 ttys001
• May 28 15:07:29 byte login[812]: USER_PROCESS: 812 ttys002
• May 28 15:07:51 byte login[812]: DEAD_PROCESS: 812 ttys002

SSH
• May 28 15:15:38 byte sshd[831]: USER_PROCESS: 842 ttys002
• May 28 15:15:52 byte sshd[831]: DEAD_PROCESS: 842 ttys002

Screen Sharing
• 5/28/12 3:31:33.675 PM screensharingd: Authentication: SUCCEEDED :: User Name: Sarah Edwards :: Viewer Address: 192.168.1.101 :: Type: DH


LOG ANALYSIS:
PRIVILEGE ESCALATION - /VAR/LOG/SYSTEM.LOG

su
• 5/27/12 8:54:21.646 PM su: BAD SU oompa to root on /dev/ttys001
• 5/28/12 8:57:44.032 PM su: oompa to root on /dev/ttys000

sudo
• 5/27/12 8:48:15.790 PM sudo: oompa : TTY=ttys000 ; PWD=/Users/oompa/Documents ; USER=root ; COMMAND=/usr/bin/iosnoop
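The USER_PROCESS / DEAD_PROCESS pairs in system.log (previous slide) and the su / sudo lines above are easiest to read as a timeline once each login is paired with its logout and the privilege changes are placed on the same clock. The script below is an added example, not from the deck, that does both. The login-accounting lines are the ones on the slide; the su and sudo lines are the slide's three events re-rendered in the raw syslog layout (the slide shows them as Console.app displays them), and the year, which syslog omits, is supplied as a parameter.

```python
"""Session and privilege-escalation timeline from /var/log/system.log lines."""
import re
from datetime import datetime

# Slide lines, with the su/sudo events re-rendered in raw syslog format.
SYSTEM_LOG = """May 28 12:42:23 byte loginwindow[66]: DEAD_PROCESS: 74 console
May 28 14:28:04 byte loginwindow[66]: USER_PROCESS: 60 console
May 28 14:48:04 byte login[693]: USER_PROCESS: 693 ttys000
May 28 14:48:07 byte login[698]: USER_PROCESS: 698 ttys001
May 28 15:07:29 byte login[812]: USER_PROCESS: 812 ttys002
May 28 15:07:51 byte login[812]: DEAD_PROCESS: 812 ttys002
May 28 15:15:38 byte sshd[831]: USER_PROCESS: 842 ttys002
May 28 15:15:52 byte sshd[831]: DEAD_PROCESS: 842 ttys002
May 27 20:54:21 byte su: BAD SU oompa to root on /dev/ttys001
May 28 20:57:44 byte su: oompa to root on /dev/ttys000
May 27 20:48:15 byte sudo: oompa : TTY=ttys000 ; PWD=/Users/oompa/Documents ; USER=root ; COMMAND=/usr/bin/iosnoop"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
ACCT_RE = re.compile(r"^(?P<kind>USER_PROCESS|DEAD_PROCESS): (?P<pid>\d+) (?P<tty>\S+)$")
SU_RE = re.compile(r"^(?P<bad>BAD SU )?(?P<from>\S+) to (?P<to>\S+) on (?P<tty>\S+)$")
SUDO_RE = re.compile(r"^(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; "
                     r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_syslog(text: str, year: int) -> list:
    """Split syslog lines into time/host/program/pid/message records."""
    rows = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
        rows.append({"time": ts, "host": m["host"], "prog": m["prog"], "pid": m["pid"], "msg": m["msg"]})
    return rows


def sessions(rows: list) -> list:
    """Pair USER_PROCESS with DEAD_PROCESS on (tty, pid); unmatched ends keep None."""
    open_by_key, done = {}, []
    for r in rows:
        m = ACCT_RE.match(r["msg"])
        if not m:
            continue
        key = (m["tty"], m["pid"])
        if m["kind"] == "USER_PROCESS":
            open_by_key[key] = {"tty": m["tty"], "pid": int(m["pid"]), "source": r["prog"],
                                "start": r["time"], "end": None}
        else:
            s = open_by_key.pop(key, None)
            if s is None:  # logout whose login predates the log window
                s = {"tty": m["tty"], "pid": int(m["pid"]), "source": r["prog"], "start": None, "end": None}
            s["end"] = r["time"]
            done.append(s)
    result = done + list(open_by_key.values())
    for s in result:
        s["duration_s"] = (s["end"] - s["start"]).total_seconds() if s["start"] and s["end"] else None
    return sorted(result, key=lambda s: s["start"] or s["end"])


def privilege_events(rows: list) -> list:
    """su attempts (BAD SU = failed) and sudo commands, in log order."""
    events = []
    for r in rows:
        if r["prog"] == "su" and (m := SU_RE.match(r["msg"])):
            events.append({"time": r["time"], "kind": "su", "user": m["from"], "target": m["to"],
                           "tty": m["tty"], "success": m["bad"] is None})
        elif r["prog"] == "sudo" and (m := SUDO_RE.match(r["msg"])):
            events.append({"time": r["time"], "kind": "sudo", "user": m["user"], "target": m["target"],
                           "tty": m["tty"], "command": m["cmd"], "success": True})
    return events


if __name__ == "__main__":
    rows = parse_syslog(SYSTEM_LOG, 2012)
    for s in sessions(rows):
        print(f"{s['tty']:8} pid={s['pid']:<4} {s['source']:12} {s['start']} -> {s['end']}  {s['duration_s']}")
    for e in privilege_events(rows):
        print(f"{e['time']} {e['kind']:4} {e['user']}->{e['target']} on {e['tty']} "
              f"{'ok' if e['success'] else 'FAILED'} {e.get('command', '')}")
```

Sessions that never close (pids 60, 693 and 698 here) are as interesting as the ones that do: an open ssh session on a tty that also appears in a BAD SU line is the sort of pairing worth chasing first.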
LOG ANALYSIS:
ACCOUNT CREATION

Audit Logs
<record version="11" event="create user" modifier="0" time="Mon May 28 21:25:49 2012" msec=" + 677 msec" >
<subject audit-uid="501" uid="501" gid="20" ruid="501" rgid="20" pid="585" sid="100004" tid="585 0.0.0.0" />
<text>Create record type Users &apos;supersecretuser&apos; node &apos;/Local/Default&apos;</text>
<return errval="success" retval="0" />
</record>

secure.log
• May 28 21:25:22 bit com.apple.SecurityServer[24]: UID 501 authenticated as user oompa (UID 501) for right 'system.preferences.accounts'
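The praudit XML records on the su slide and the account-creation record above share one shape (record, subject, text, return), so one parser serves both. The following is an added example, not part of the deck: the three records are the slide's own, joined into one document under an `<audit>` root so they parse as a unit, and the parser extracts the subject ids, the text and the return status, then calls out root authentication attempts and user creation. Tag and attribute names are the real praudit ones; which events to flag is this example's choice.

```python
"""Parser for `praudit -xn` output (BSM audit records as XML)."""
import xml.etree.ElementTree as ET
from datetime import datetime

PRAUDIT_OUTPUT = """<audit>
<record version="11" event="user authentication" modifier="0" time="Mon May 28 21:12:51 2012" msec=" + 41 msec" >
<subject audit-uid="501" uid="0" gid="20" ruid="501" rgid="20" pid="552" sid="100004" tid="552 0.0.0.0" />
<text>Verify password for record type Users &apos;root&apos; node &apos;/Local/Default&apos;</text>
<return errval="success" retval="0" />
</record>
<record version="11" event="user authentication" modifier="0" time="Mon May 28 21:12:55 2012" msec=" + 449 msec" >
<subject audit-uid="501" uid="0" gid="20" ruid="501" rgid="20" pid="554" sid="100004" tid="554 0.0.0.0" />
<text>Verify password for record type Users &apos;root&apos; node &apos;/Local/Default&apos;</text>
<return errval="failure: Unknown error: 255" retval="5000" />
</record>
<record version="11" event="create user" modifier="0" time="Mon May 28 21:25:49 2012" msec=" + 677 msec" >
<subject audit-uid="501" uid="501" gid="20" ruid="501" rgid="20" pid="585" sid="100004" tid="585 0.0.0.0" />
<text>Create record type Users &apos;supersecretuser&apos; node &apos;/Local/Default&apos;</text>
<return errval="success" retval="0" />
</record>
</audit>"""


def parse_records(xml_text: str) -> list:
    """Flatten each <record> into a dict; records without a subject are skipped."""
    out = []
    for rec in ET.fromstring(xml_text).iter("record"):
        subj, ret = rec.find("subject"), rec.find("return")
        if subj is None or ret is None:
            continue
        # msec=" + 41 msec" carries the sub-second part of the timestamp.
        msec = int(rec.get("msec", "").replace("+", "").replace("msec", "").strip() or 0)
        ts = datetime.strptime(rec.get("time"), "%a %b %d %H:%M:%S %Y").replace(microsecond=msec * 1000)
        out.append({
            "event": rec.get("event"),
            "time": ts,
            "audit_uid": int(subj.get("audit-uid")),  # who originally logged in
            "uid": int(subj.get("uid")),              # effective uid of the process
            "pid": int(subj.get("pid")),
            "text": rec.findtext("text", default=""),  # &apos; is decoded by the parser
            "success": ret.get("errval") == "success",
            "retval": int(ret.get("retval", "0")),
        })
    return out


def findings(records: list) -> list:
    """One line per event a responder wants called out."""
    notes = []
    for r in records:
        when = f"{r['time']:%Y-%m-%d %H:%M:%S}"
        if r["event"] == "user authentication" and "'root'" in r["text"]:
            verdict = "OK" if r["success"] else f"FAILED (retval {r['retval']})"
            notes.append(f"{when} root auth by audit-uid {r['audit_uid']} pid {r['pid']}: {verdict}")
        elif r["event"] == "create user":
            name = r["text"].split("'")[1] if "'" in r["text"] else "?"
            notes.append(f"{when} account {name!r} created by audit-uid {r['audit_uid']}")
    return notes


if __name__ == "__main__":
    for line in findings(parse_records(PRAUDIT_OUTPUT)):
        print(line)
```

Note that audit-uid stays 501 in every record even when uid is 0: the audit user id is fixed at login, so it is the field that ties a later root action back to the account that actually logged in.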
LOG ANALYSIS:
/VAR/LOG/INSTALL.LOG

May 27 11:59:03 MBP Installer[470]: logKext Installation Log
May 27 11:59:03 MBP Installer[470]: Opened from: /Users/oompa/Downloads/logKext-2.3.pkg
May 27 11:59:03 MBP Installer[470]: Product archive /Users/oompa/Downloads/logKext-2.3.pkg trustLevel=100
May 27 11:59:17 MBP Installer[470]: InstallerStatusNotifications plugin loaded
May 27 11:59:26 MBP runner[477]: Administrator authorization granted.
May 27 11:59:26 MBP Installer[470]: ===================================================================
May 27 11:59:26 MBP Installer[470]: User picked Standard Install
May 27 11:59:26 MBP Installer[470]: Choices selected for installation:

May 27 12:01:34 MBP installd[481]: Installed "logKext" ()
May 27 12:01:35 MBP installd[481]: PackageKit: ----- End install -----


VOLUME ANALYSIS
VOLUME ANALYSIS:
SYSTEM.LOG & DAILY.LOG


VOLUME ANALYSIS:
KERNEL.LOG (10.8+: SYSTEM.LOG)

• Search for "USBMSC"
• Serial Number, Vendor ID, Product ID, Version

Apr 25 12:27:11 Pro kernel[0]: USBMSC Identifier (non-unique): 58A8120830AC8C5C 0x1e1d 0x1101 0x100
Apr 25 12:32:31 Pro kernel[0]: USBMSC Identifier (non-unique): 58A8120830AC8C5C 0x1e1d 0x1101 0x100
Apr 25 12:47:29 Pro kernel[0]: USBMSC Identifier (non-unique): 58A8120830AC8C5C 0x1e1d 0x1101 0x100
Apr 25 12:49:43 Pro kernel[0]: USBMSC Identifier (non-unique): 58A8120830AC8C5C 0x1e1d 0x1101 0x100
Apr 25 12:52:46 Pro kernel[0]: USBMSC Identifier (non-unique): FBF1011220504638 0x90c 0x1000 0x1100
Apr 25 12:53:37 Pro kernel[0]: USBMSC Identifier (non-unique): ABCDEF0123456789 0xe90 0x5 0x0
Apr 25 13:04:21 Pro kernel[0]: USBMSC Identifier (non-unique): 58A8120830AC8C5C 0x1e1d 0x1101 0x100
Apr 25 13:04:29 Pro kernel[0]: USBMSC Identifier (non-unique): FBF1011220504638 0x90c 0x1000 0x1100
Apr 26 12:36:05 Pro kernel[0]: USBMSC Identifier (non-unique): 58A8120830AC8C5C 0x1e1d 0x1101 0x100
Apr 27 09:02:59 Pro kernel[0]: USBMSC Identifier (non-unique): FBF1011220504638 0x90c 0x1000 0x1100
Apr 30 09:07:14 Pro kernel[0]: USBMSC Identifier (non-unique): FBF1011220504638 0x90c 0x1000 0x1100
May 3 05:43:05 Pro kernel[0]: USBMSC Identifier (non-unique): 58A8120830AC8C5C 0x1e1d 0x1101 0x100
May 3 06:24:05 Pro kernel[0]: USBMSC Identifier (non-unique): SWOC22905731 0x1199 0xfff 0x323
May 24 11:22:43 Pro kernel[0]: USBMSC Identifier (non-unique): 000000009833 0x5ac 0x8403 0x9833
May 24 11:53:25 Pro kernel[0]: USBMSC Identifier (non-unique): 0911201415f7f3 0x1e1d 0x165 0x100
May 25 12:48:38 Pro kernel[0]: USBMSC Identifier (non-unique): 0911201415f7f3 0x1e1d 0x165 0x100
May 30 06:50:01 Pro kernel[0]: USBMSC Identifier (non-unique): 0911201415f7f3 0x1e1d 0x165 0x100
May 31 13:10:09 Pro kernel[0]: USBMSC Identifier (non-unique): 0911201415f7f3 0x1e1d 0x165 0x100
Jun 1 07:16:03 Pro kernel[0]: USBMSC Identifier (non-unique): 0911201415f7f3 0x1e1d 0x165 0x100

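Nineteen USBMSC lines are readable by eye, but a few months of kernel log are not, and the question an examiner asks is per device: which ones, when first, when last, how often. The script below is an added example, not from the deck, that reduces the block above to that table. The vendor/product/version layout of the line is as shown on the slide; the year (syslog omits it) is a parameter, and the only vendor name built in is Apple's 0x05ac, which is a published USB-IF assignment; other vendors would need a usb.ids lookup that this example does not embed.

```python
"""Per-device summary of kernel.log / system.log USBMSC identifier lines."""
import re
from datetime import datetime

# The USBMSC block from the slide.
KERNEL_LOG = """Apr 25 12:27:11 Pro kernel[0]: USBMSC Identifier (non-unique): 58A8120830AC8C5C 0x1e1d 0x1101 0x100
Apr 25 12:32:31 Pro kernel[0]: USBMSC Identifier (non-unique): 58A8120830AC8C5C 0x1e1d 0x1101 0x100
Apr 25 12:47:29 Pro kernel[0]: USBMSC Identifier (non-unique): 58A8120830AC8C5C 0x1e1d 0x1101 0x100
Apr 25 12:49:43 Pro kernel[0]: USBMSC Identifier (non-unique): 58A8120830AC8C5C 0x1e1d 0x1101 0x100
Apr 25 12:52:46 Pro kernel[0]: USBMSC Identifier (non-unique): FBF1011220504638 0x90c 0x1000 0x1100
Apr 25 12:53:37 Pro kernel[0]: USBMSC Identifier (non-unique): ABCDEF0123456789 0xe90 0x5 0x0
Apr 25 13:04:21 Pro kernel[0]: USBMSC Identifier (non-unique): 58A8120830AC8C5C 0x1e1d 0x1101 0x100
Apr 25 13:04:29 Pro kernel[0]: USBMSC Identifier (non-unique): FBF1011220504638 0x90c 0x1000 0x1100
Apr 26 12:36:05 Pro kernel[0]: USBMSC Identifier (non-unique): 58A8120830AC8C5C 0x1e1d 0x1101 0x100
Apr 27 09:02:59 Pro kernel[0]: USBMSC Identifier (non-unique): FBF1011220504638 0x90c 0x1000 0x1100
Apr 30 09:07:14 Pro kernel[0]: USBMSC Identifier (non-unique): FBF1011220504638 0x90c 0x1000 0x1100
May  3 05:43:05 Pro kernel[0]: USBMSC Identifier (non-unique): 58A8120830AC8C5C 0x1e1d 0x1101 0x100
May  3 06:24:05 Pro kernel[0]: USBMSC Identifier (non-unique): SWOC22905731 0x1199 0xfff 0x323
May 24 11:22:43 Pro kernel[0]: USBMSC Identifier (non-unique): 000000009833 0x5ac 0x8403 0x9833
May 24 11:53:25 Pro kernel[0]: USBMSC Identifier (non-unique): 0911201415f7f3 0x1e1d 0x165 0x100
May 25 12:48:38 Pro kernel[0]: USBMSC Identifier (non-unique): 0911201415f7f3 0x1e1d 0x165 0x100
May 30 06:50:01 Pro kernel[0]: USBMSC Identifier (non-unique): 0911201415f7f3 0x1e1d 0x165 0x100
May 31 13:10:09 Pro kernel[0]: USBMSC Identifier (non-unique): 0911201415f7f3 0x1e1d 0x165 0x100
Jun  1 07:16:03 Pro kernel[0]: USBMSC Identifier (non-unique): 0911201415f7f3 0x1e1d 0x165 0x100"""

# Syslog day-of-month may be padded with a second space ("May  3"), hence \s+.
USBMSC_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ kernel\[0\]: "
    r"USBMSC Identifier \(non-unique\): (?P<serial>\S+) (?P<vid>0x[0-9a-fA-F]+) "
    r"(?P<pid>0x[0-9a-fA-F]+) (?P<ver>0x[0-9a-fA-F]+)$")

KNOWN_VENDORS = {0x05AC: "Apple Inc."}  # USB-IF vendor ID assignment


def parse_usbmsc(text: str, year: int) -> list:
    """One event per USBMSC line: time, serial, numeric vendor/product/version."""
    events = []
    for line in text.splitlines():
        m = USBMSC_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "serial": m["serial"], "vid": int(m["vid"], 16),
                       "pid": int(m["pid"], 16), "version": int(m["ver"], 16)})
    return events


def device_table(events: list) -> list:
    """Group events by (serial, vendor, product): first/last seen and count."""
    devices = {}
    for e in events:
        key = (e["serial"], e["vid"], e["pid"])
        d = devices.get(key)
        if d is None:
            d = devices[key] = {"serial": e["serial"], "vid": e["vid"], "pid": e["pid"],
                                "vendor": KNOWN_VENDORS.get(e["vid"], "unknown"),
                                "first_seen": e["time"], "last_seen": e["time"], "count": 0}
        d["first_seen"] = min(d["first_seen"], e["time"])
        d["last_seen"] = max(d["last_seen"], e["time"])
        d["count"] += 1
    return list(devices.values())


if __name__ == "__main__":
    for d in device_table(parse_usbmsc(KERNEL_LOG, 2012)):
        print(f"{d['serial']:18} {d['vid']:#06x} {d['pid']:#06x} {d['vendor']:12} "
              f"{d['first_seen']:%b %d %H:%M} .. {d['last_seen']:%b %d %H:%M}  x{d['count']}")
```

The "(non-unique)" in the log line is the kernel's own caveat: the serial is whatever the device reports, and the ABCDEF0123456789 entry above shows how little some vendors care, so treat the (serial, vendor, product) triple as the identity rather than the serial alone.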

VOLUME ANALYSIS:
~/LIBRARY/PREFERENCES/COM.APPLE.FINDER.PLIST

• FXDesktopVolumePositions
• FXRecentFolders (10 most recent)


ANTIVIRUS
ANTIVIRUS:
FILE QUARANTINE

• Introduced in 10.5
• Quarantines downloaded files
• Applications (Browsers, Email, etc)
• Weaknesses
  - Files on USB drives
  - Applications that do not implement File Quarantine


ANTIVIRUS:
FILE QUARANTINE EVENTS DATABASE

10.7+
• ~/Library/Preferences/com.apple.LaunchServices.QuarantineEvents.V2

10.6
• ~/Library/Preferences/com.apple.LaunchServices.QuarantineEvents


ANTIVIRUS:
FILE QUARANTINE

• Quarantine Events – LSQuarantineEvent Table

Key: Example Data
• LSQuarantineEventIdentifier: 68F08939-EF7F-4326-BDA3-810542E43579
• LSQuarantineTimeStamp: 358820762.0
• LSQuarantineAgentBundleIdentifier: com.google.Chrome
• LSQuarantineAgentName: Google Chrome
• LSQuarantineDataURLString: http://ash.barebones.com/TextWrangler_4.0.dmg
• LSQuarantineSenderName: NULL
• LSQuarantineSenderAddress: NULL
• LSQuarantineTypeNumber: 0
• LSQuarantineOriginTitle: NULL
• LSQuarantineOriginURLString: http://www.barebones.com/products/textwrangler/
• LSQuarantineOriginAlias: NULL


ANTIVIRUS:
EXTENDED ATTRIBUTES

• Command: xattr
• Quarantine
• Metadata:
  - kMDItemWhereFroms
• Disk Images
• FinderInfo
• TextEncoding
• Preview UI State
• Resource Fork
• DropBox
• Etc.
ANTIVIRUS:
EXTENDED ATTRIBUTES

com.apple.quarantine → Related Key in QuarantineEvents Database
• 4fb2f41d → LSQuarantineTimeStamp
• Google Chrome → LSQuarantineAgentName
• 68F08939-EF7F-4326-BDA3-810542E43579 → LSQuarantineEventIdentifier
• com.google.Chrome → LSQuarantineAgentBundleIdentifier

com.apple.metadata:kMDItemWhereFroms → Related Key in QuarantineEvents Database
• http://ash.barebones.com/TextWrangler_4.0.dmg → LSQuarantineDataURLString
• http://www.barebones.com/products/textwrangler/ → LSQuarantineOriginURLString

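The two slides above describe the join between a file's com.apple.quarantine attribute and its row in the LSQuarantineEvent table, and the example data lets the join be checked end to end, including the two different timestamp encodings: the xattr stores Unix epoch seconds in hex (4fb2f41d), the database stores seconds since 2001-01-01 UTC (358820762.0). The script below is an added example, not from the deck. It builds an in-memory SQLite table with the column names listed on the earlier slide (column types are this example's choice), inserts the slide's row, parses the xattr string in its `flags;hex-seconds;agent;uuid` layout (the leading flags field is not shown on the slide and is constructed here), converts both times to UTC and joins on the event identifier.

```python
"""Correlate a com.apple.quarantine xattr with its LSQuarantineEvent row."""
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # CFAbsoluteTime zero

# Column names from the slide; types are an assumption of this example.
SCHEMA = """CREATE TABLE LSQuarantineEvent (
    LSQuarantineEventIdentifier TEXT PRIMARY KEY,
    LSQuarantineTimeStamp REAL,
    LSQuarantineAgentBundleIdentifier TEXT,
    LSQuarantineAgentName TEXT,
    LSQuarantineDataURLString TEXT,
    LSQuarantineSenderName TEXT,
    LSQuarantineSenderAddress TEXT,
    LSQuarantineTypeNumber INTEGER,
    LSQuarantineOriginTitle TEXT,
    LSQuarantineOriginURLString TEXT,
    LSQuarantineOriginAlias BLOB
)"""

# The slide's example row.
SAMPLE_ROW = ("68F08939-EF7F-4326-BDA3-810542E43579", 358820762.0, "com.google.Chrome",
              "Google Chrome", "http://ash.barebones.com/TextWrangler_4.0.dmg", None, None, 0,
              None, "http://www.barebones.com/products/textwrangler/", None)

# Value as `xattr -p com.apple.quarantine <file>` prints it. The three visible
# fields are from the slide; the leading "0001" flags field is constructed.
SAMPLE_XATTR = "0001;4fb2f41d;Google Chrome;68F08939-EF7F-4326-BDA3-810542E43579"


def mac_absolute_to_utc(seconds: float) -> datetime:
    """LSQuarantineTimeStamp is seconds since 2001-01-01 00:00:00 UTC."""
    return MAC_EPOCH + timedelta(seconds=seconds)


def parse_quarantine_xattr(value: str) -> dict:
    """flags;hex Unix seconds;agent name;event uuid"""
    flags, hexsecs, agent, uuid = value.split(";", 3)
    return {"flags": int(flags, 16),
            "time": datetime.fromtimestamp(int(hexsecs, 16), tz=timezone.utc),
            "agent": agent, "event_id": uuid}


def open_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for com.apple.LaunchServices.QuarantineEvents.V2."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROW)
    return db


def correlate(db: sqlite3.Connection, xattr_value: str) -> dict:
    """Look the xattr's event id up in the database and compare the two clocks."""
    x = parse_quarantine_xattr(xattr_value)
    row = db.execute(
        """SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineAgentBundleIdentifier,
                  LSQuarantineDataURLString, LSQuarantineOriginURLString
           FROM LSQuarantineEvent WHERE LSQuarantineEventIdentifier = ?""",
        (x["event_id"],)).fetchone()
    if row is None:
        # Row pruned or database replaced: the xattr alone still dates the download.
        return {"xattr": x, "matched": False}
    db_time = mac_absolute_to_utc(row[0])
    return {"xattr": x, "matched": True, "db_time": db_time, "agent_name": row[1],
            "bundle_id": row[2], "download_url": row[3], "origin_url": row[4],
            "skew_s": (x["time"] - db_time).total_seconds()}


if __name__ == "__main__":
    r = correlate(open_sample_db(), SAMPLE_XATTR)
    print("xattr  time:", r["xattr"]["time"])
    print("db     time:", r["db_time"], f"(skew {r['skew_s']:+.0f}s)")
    print("downloaded :", r["download_url"], "via", r["origin_url"])
```

On the slide's data the xattr clock reads 2012-05-16 00:26:05 UTC and the database row 00:26:02 UTC, three seconds apart: the database row is written when the download starts and the attribute when the file is finalised, so a small positive skew is normal, while a large one or a missing row is what to note. For a real case point `sqlite3.connect()` at a copy of the QuarantineEvents.V2 file and feed it `xattr -p com.apple.quarantine` output.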

ANTIVIRUS:
XPROTECT

• /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources
  - XProtect.meta.plist: Last Update Date & Version
  - XProtect.plist: AV Signatures
• Weaknesses
  - Apple updates it, sometimes.
  - Very few signatures on blacklist
  - No Heuristics
  - Only checks "quarantined" files


ANTIVIRUS:
GATEKEEPER

• Introduced in 10.7.5
• Security Settings
  - Mac App Store: Users can only run apps from the store.
  - Mac App Store & Identified Developers (Default Setting): Users can only run software signed using Apple Developer ID
  - Anywhere: Users can run anything from anywhere


OTHER FILES
OTHER FILES:
KERNEL EXTENSIONS

• Dynamically loaded executable code in kernel space
  - Low Level Device Drivers
  - Network Filters
  - File Systems
  - ...keyloggers?


OTHER FILES:
BASH HISTORY

• ~/.bash_history
• File not written until session logout
  - Each terminal window is a login session
• 500 Entries by default
• Incident Response Tip:
  - Run the 'history' command for the logged in user.

(Sidebar graphic: Command Usage; sudo/su/root; File Access; Directory Access; Volume Access; Network Access)