Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
nbnbtwowsdydebateqgh.dns.army | 103.133.106.100 |
- UDP Requests
-
-
192.168.56.101:54056 164.124.101.2:53
-
192.168.56.101:55450 164.124.101.2:53
-
192.168.56.101:59369 164.124.101.2:53
-
192.168.56.101:61479 164.124.101.2:53
-
192.168.56.101:62324 164.124.101.2:53
-
192.168.56.101:137 192.168.56.255:137
-
192.168.56.101:138 192.168.56.255:138
-
192.168.56.101:49152 239.255.255.250:3702
-
192.168.56.101:62325 239.255.255.250:3702
-
192.168.56.101:62445 239.255.255.250:1900
-
192.168.56.101:62447 239.255.255.250:3702
-
192.168.56.101:62449 239.255.255.250:3702
-
52.231.114.183:123 192.168.56.101:123
-
8.8.8.8:53 192.168.56.101:59369
-
8.8.8.8:53 192.168.56.101:61479
-
GET
200
http://nbnbtwowsdydebateqgh.dns.army/documenst/winlog.exe
REQUEST
RESPONSE
BODY
GET /documenst/winlog.exe HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: ko-KR
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: nbnbtwowsdydebateqgh.dns.army
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 06 May 2021 07:31:29 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
Last-Modified: Wed, 05 May 2021 22:49:57 GMT
ETag: "2561d-5c19d0398712e"
Accept-Ranges: bytes
Content-Length: 153117
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
GET
200
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
REQUEST
RESPONSE
BODY
GET /IE9CompatViewList.xml HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Host: ie9cvlist.ie.microsoft.com
If-Modified-Since: Thu, 21 Nov 2019 19:37:08 GMT
If-None-Match: 0x8D76EBA32AF0BC3
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Encoding: gzip
Age: 1358
Cache-Control: max-age=21600
Content-MD5: Ho7x5OFxPmXuon/IucKh7g==
Content-Type: text/xml
Date: Thu, 06 May 2021 07:32:24 GMT
Etag: 0x8D90364ECB23BC5
Last-Modified: Mon, 19 Apr 2021 18:57:05 GMT
Server: ECAcc (tka/897A)
Vary: Accept-Encoding
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 273d7c42-001e-0008-1046-42f671000000
x-ms-version: 2009-09-19
Content-Length: 13706
ICMP traffic
Source | Destination | ICMP Type | Data |
---|---|---|---|
192.168.56.101 | 164.124.101.2 | 3 |
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49211 -> 117.18.232.200:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 117.18.232.200:443 -> 192.168.56.101:49212 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic |
TCP 192.168.56.101:49205 -> 103.133.106.100:80 | 2017679 | ET HUNTING SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download | A Network Trojan was detected |
TCP 103.133.106.100:80 -> 192.168.56.101:49205 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
TCP 192.168.56.101:49210 -> 117.18.232.200:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts