Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
uyg5wye.2ihsfa.com | 88.218.92.148 | |
ip-api.com | 208.95.112.1 | |
iplogger.org | 88.99.66.31 | |
www.facebook.com | 157.240.215.35 |
- UDP Requests
-
-
192.168.56.101:54056 164.124.101.2:53
-
192.168.56.101:55450 164.124.101.2:53
-
192.168.56.101:59369 164.124.101.2:53
-
192.168.56.101:61479 164.124.101.2:53
-
192.168.56.101:62324 164.124.101.2:53
-
192.168.56.101:137 192.168.56.255:137
-
192.168.56.101:138 192.168.56.255:138
-
192.168.56.101:49152 239.255.255.250:3702
-
192.168.56.101:59370 239.255.255.250:3702
-
192.168.56.101:62445 239.255.255.250:1900
-
192.168.56.101:62447 239.255.255.250:3702
-
192.168.56.101:62449 239.255.255.250:3702
-
52.231.114.183:123 192.168.56.101:123
-
GET
200
https://www.facebook.com/
REQUEST
RESPONSE
BODY
GET / HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
Host: www.facebook.com
HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
X-Frame-Options: DENY
X-XSS-Protection: 0
Strict-Transport-Security: max-age=15552000; preload
content-security-policy: default-src * data: blob: 'self';script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net wss://*.facebook.com:* wss://*.whatsapp.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';block-all-mixed-content;upgrade-insecure-requests;
Set-Cookie: fr=1lZkdA68hoKHBv2xn..Bgowa2.jk.AAA.0.0.Bgowa2.AWUtRwwfbhU; expires=Mon, 16-Aug-2021 00:13:41 GMT; Max-Age=7775999; path=/; domain=.facebook.com; secure; httponly; SameSite=None
Set-Cookie: sb=tgajYH_E0B16V07B9vn8C7fr; expires=Thu, 18-May-2023 00:13:42 GMT; Max-Age=63072000; path=/; domain=.facebook.com; secure; httponly; SameSite=None
X-Content-Type-Options: nosniff
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Vary: Accept-Encoding
Pragma: no-cache
x-fb-rlafr: 0
Content-Type: text/html; charset="utf-8"
X-FB-Debug: XJx9F3xhkPxv8+iY74fTNg6003C4ZjnuzcIJ/78FAt2mgt1H35h/wWCKaVZPJuBHO5RwntLqrGKGSQIMHU6ETw==
Date: Tue, 18 May 2021 00:13:42 GMT
Priority: u=3,i
Transfer-Encoding: chunked
Alt-Svc: h3-29=":443"; ma=3600,h3-27=":443"; ma=3600
Connection: keep-alive
GET
200
https://www.facebook.com/
REQUEST
RESPONSE
BODY
GET / HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
Host: www.facebook.com
HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
X-Frame-Options: DENY
X-XSS-Protection: 0
Strict-Transport-Security: max-age=15552000; preload
content-security-policy: default-src * data: blob: 'self';script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net wss://*.facebook.com:* wss://*.whatsapp.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';block-all-mixed-content;upgrade-insecure-requests;
Set-Cookie: fr=11FlSrH2mrNJcP55y..Bgowa8.rQ.AAA.0.0.Bgowa8.AWWnJue5DVg; expires=Mon, 16-Aug-2021 00:13:47 GMT; Max-Age=7775999; path=/; domain=.facebook.com; secure; httponly; SameSite=None
Set-Cookie: sb=vAajYHKHxpuN0m3Mzc4g2tw1; expires=Thu, 18-May-2023 00:13:48 GMT; Max-Age=63072000; path=/; domain=.facebook.com; secure; httponly; SameSite=None
X-Content-Type-Options: nosniff
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Vary: Accept-Encoding
Pragma: no-cache
x-fb-rlafr: 0
Content-Type: text/html; charset="utf-8"
X-FB-Debug: 4NdgTk6I78f2mLAIk5H48C5CwCZtORe9UZNTiksrmzcxWzDGkaMBMRQEeQH59R4MvMjK2t1hJMPrz+30b3jApw==
Date: Tue, 18 May 2021 00:13:48 GMT
Priority: u=3,i
Transfer-Encoding: chunked
Alt-Svc: h3-29=":443"; ma=3600,h3-27=":443"; ma=3600
Connection: keep-alive
GET
200
https://iplogger.org/18hh57
REQUEST
RESPONSE
BODY
GET /18hh57 HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Host: iplogger.org
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 18 May 2021 00:13:54 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=gidc81phdh2l6v76meih0gji46; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=175.208.134.150; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=257751357; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers:
whoami: 58149afe84e6908d185d00c0e4340f3899f9bb38dcbdea3b271effc65ef0bb5a
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
GET
200
http://ip-api.com/json/
REQUEST
RESPONSE
BODY
GET /json/ HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Host: ip-api.com
HTTP/1.1 200 OK
Date: Tue, 18 May 2021 00:13:39 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 275
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
GET
200
http://uyg5wye.2ihsfa.com/api/fbtime
REQUEST
RESPONSE
BODY
GET /api/fbtime HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Host: uyg5wye.2ihsfa.com
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 18 May 2021 00:13:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.21
POST
200
http://uyg5wye.2ihsfa.com/api/?sid=292191&key=60099d26f09507c82251d7c25fada928
REQUEST
RESPONSE
BODY
POST /api/?sid=292191&key=60099d26f09507c82251d7c25fada928 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uyg5wye.2ihsfa.com
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 18 May 2021 00:13:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.21
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49198 -> 208.95.112.1:80 | 2022082 | ET POLICY External IP Lookup ip-api.com | Device Retrieving External IP Address Detected |
TCP 192.168.56.101:49204 -> 157.240.215.35:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49209 -> 88.99.66.31:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49204 157.240.215.35:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com | 8a:d5:51:89:8f:00:98:8e:5b:0f:b8:07:6d:0d:43:18:89:c2:bb:d0 |
TLSv1 192.168.56.101:49209 88.99.66.31:443 |
C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=*.iplogger.org | 55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb |
Snort Alerts
No Snort Alerts