Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| No hosts contacted. | ||
- UDP Requests
-
-
192.168.56.101:62324 164.124.101.2:53
-
192.168.56.101:137 192.168.56.255:137
-
192.168.56.101:138 192.168.56.255:138
-
192.168.56.101:49152 239.255.255.250:3702
-
192.168.56.101:62325 239.255.255.250:3702
-
192.168.56.101:62445 239.255.255.250:1900
-
192.168.56.101:62447 239.255.255.250:3702
-
192.168.56.101:62449 239.255.255.250:3702
-
52.231.114.183:123 192.168.56.101:123
-
GET
200
https://115.73.211.230/lib95/TEST22-PC_W617601.17CBB1F79387D3BF80BB1A2B3BA9BB75/5/kps/
REQUEST
RESPONSE
BODY
| : | GET /lib95/TEST22-PC_W617601.17CBB1F79387D3BF80BB1A2B3BA9BB75/5/kps/ HTTP/1.1 |
| Connection: | Keep-Alive |
| User-Agent: | curl/7.76.0 |
| Host: | 115.73.211.230 |
| : | HTTP/1.1 200 OK |
| Server: | nginx/1.10.3 |
| Date: | Fri, 07 May 2021 02 |
| Content-Type: | application/octet-stream |
| Content-Length: | 224 |
| Connection: | keep-alive |
GET
200
https://117.54.250.246/lib95/TEST22-PC_W617601.17CBB1F79387D3BF80BB1A2B3BA9BB75/5/kps/
REQUEST
RESPONSE
BODY
| : | GET /lib95/TEST22-PC_W617601.17CBB1F79387D3BF80BB1A2B3BA9BB75/5/kps/ HTTP/1.1 |
| Connection: | Keep-Alive |
| User-Agent: | curl/7.76.0 |
| Host: | 117.54.250.246 |
| : | HTTP/1.1 200 OK |
| Server: | nginx/1.10.3 |
| Date: | Fri, 07 May 2021 02 |
| Content-Type: | application/octet-stream |
| Content-Length: | 224 |
| Connection: | keep-alive |
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.101:49205 -> 181.176.161.143:443 | 2404307 | ET CNC Feodo Tracker Reported CnC Server group 8 | A Network Trojan was detected |
| TCP 192.168.56.101:49205 -> 181.176.161.143:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic |
| TCP 192.168.56.101:49203 -> 115.73.211.230:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic |
| TCP 192.168.56.101:49204 -> 117.54.250.246:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic |
| TCP 117.54.250.246:443 -> 192.168.56.101:49204 | 2011540 | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) | Not Suspicious Traffic |
| TCP 115.73.211.230:443 -> 192.168.56.101:49203 | 2011540 | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) | Not Suspicious Traffic |
| TCP 181.176.161.143:443 -> 192.168.56.101:49206 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.101:49203 115.73.211.230:443 |
C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | bb:48:e9:a1:55:37:8d:d3:de:c1:26:8f:7a:43:8c:19:5e:bb:da:25 |
|
TLSv1 192.168.56.101:49204 117.54.250.246:443 |
C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | bb:48:e9:a1:55:37:8d:d3:de:c1:26:8f:7a:43:8c:19:5e:bb:da:25 |
Snort Alerts
No Snort Alerts
