Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
cliente13.vetcarebahia.com | 107.161.183.42 | |
main.bgsr.site | | |
makolet.nsmatrix3.com | 185.104.45.26 | |
TCP Requests
- 104.21.19.200:443 192.168.56.102:49812
- 192.168.56.102:49812 107.161.183.42:443 cliente13.vetcarebahia.com
- 192.168.56.102:49813 107.161.183.42:443 cliente13.vetcarebahia.com
- 192.168.56.102:49814 107.161.183.42:443 cliente13.vetcarebahia.com
- 192.168.56.102:49797 172.217.25.14:443
- 192.168.56.102:49816 185.104.45.26:443 makolet.nsmatrix3.com
UDP Requests
- 192.168.56.102:50839 164.124.101.2:53
- 192.168.56.102:57660 164.124.101.2:53
- 192.168.56.102:61459 164.124.101.2:53
- 192.168.56.102:137 192.168.56.255:137
- 192.168.56.102:138 192.168.56.255:138
- 192.168.56.102:49152 239.255.255.250:3702
- 192.168.56.102:56752 239.255.255.250:1900
- 192.168.56.102:56754 239.255.255.250:3702
- 192.168.56.102:56756 239.255.255.250:3702
- 192.168.56.102:56758 239.255.255.250:3702
HTTP Requests
GET 200 https://makolet.nsmatrix3.com/wp-content/plugins/woocommerce/templates/auth/gnq4mYeZYgL4dN.php
REQUEST
GET /wp-content/plugins/woocommerce/templates/auth/gnq4mYeZYgL4dN.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E)
Host: makolet.nsmatrix3.com
Connection: Keep-Alive
RESPONSE
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Jun 2021 07:15:54 GMT
Content-Type: application/octet-stream
Content-Length: 49152
Connection: keep-alive
Accept-Ranges: bytes
Content-Transfer-Encoding: Binary
X-User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E)
x-ray: p15931:0.632/wn20030:0.630/wa20030:D=627279
Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
BODY
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 107.161.183.42:443 -> 192.168.56.102:49814 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic |
TCP 192.168.56.102:49812 -> 107.161.183.42:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49813 -> 107.161.183.42:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49816 -> 185.104.45.26:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49816 185.104.45.26:443 | C=US, O=Let's Encrypt, CN=R3 | CN=makolet.nsmatrix3.com | 50:67:b8:26:93:10:29:9e:8f:74:28:b0:48:5f:c2:1b:11:b6:e1:87 |
Snort Alerts
No Snort Alerts