Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| raw.githubusercontent.com | 185.199.111.133 | |
| rootpass.top | 8.209.69.171 | |
| api.ipify.org | 54.235.190.106 |
- TCP Requests
-
-
192.168.56.102:49797 172.217.25.14:443
-
192.168.56.102:49808 185.199.108.133:443raw.githubusercontent.com
-
192.168.56.102:49809 185.199.108.133:443raw.githubusercontent.com
-
192.168.56.102:49810 185.199.108.133:443raw.githubusercontent.com
-
192.168.56.102:49812 54.235.175.90:443api.ipify.org
-
192.168.56.102:49817 8.209.69.171:443rootpass.top
-
- UDP Requests
-
-
192.168.56.102:50839 164.124.101.2:53
-
192.168.56.102:57660 164.124.101.2:53
-
192.168.56.102:61459 164.124.101.2:53
-
192.168.56.102:137 192.168.56.255:137
-
192.168.56.102:138 192.168.56.255:138
-
192.168.56.102:49152 239.255.255.250:3702
-
192.168.56.102:56752 239.255.255.250:1900
-
192.168.56.102:56754 239.255.255.250:3702
-
192.168.56.102:56756 239.255.255.250:3702
-
192.168.56.102:56758 239.255.255.250:3702
-
GET
200
https://api.ipify.org/
REQUEST
RESPONSE
BODY
GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: api.ipify.org
HTTP/1.1 200 OK
Server: Cowboy
Connection: keep-alive
Content-Type: text/plain
Vary: Origin
Date: Wed, 16 Jun 2021 00:50:58 GMT
Content-Length: 15
Via: 1.1 vegur
POST
200
https://rootpass.top/update.php
REQUEST
RESPONSE
BODY
POST /update.php HTTP/1.1
Connection: Keep-Alive
Accept: application/json
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
sode: smack
thatsuser: 25528BB7-B449-A342-B397-00D24064AA0D
version: 1506
Content-Length: 0
Host: rootpass.top
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 16 Jun 2021 00:51:25 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Set-Cookie: PHPSESSID=5l5gprf30lfqc4i6mjp8m0nml7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
POST
200
https://rootpass.top/update.php
REQUEST
RESPONSE
BODY
POST /update.php HTTP/1.1
Connection: Keep-Alive
Accept: application/json
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
sode: smack
thatsuser: 25528BB7-B449-A342-B397-00D24064AA0D
version: 1506
Content-Length: 0
Host: rootpass.top
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 16 Jun 2021 00:51:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Set-Cookie: PHPSESSID=ccp6cl4r17hu417lkig8f0ktt4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
POST
200
https://rootpass.top/update.php
REQUEST
RESPONSE
BODY
POST /update.php HTTP/1.1
Connection: Keep-Alive
Accept: application/json
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
sode: smack
thatsuser: 25528BB7-B449-A342-B397-00D24064AA0D
version: 1506
Content-Length: 0
Host: rootpass.top
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 16 Jun 2021 00:51:47 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Set-Cookie: PHPSESSID=r6l8a68rqmrhtmqfgu6iiho5d4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
POST
200
https://rootpass.top/update.php
REQUEST
RESPONSE
BODY
POST /update.php HTTP/1.1
Connection: Keep-Alive
Accept: application/json
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
sode: smack
thatsuser: 25528BB7-B449-A342-B397-00D24064AA0D
version: 1506
Content-Length: 0
Host: rootpass.top
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 16 Jun 2021 00:51:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Set-Cookie: PHPSESSID=6tv9goc94n6q8csrr7vf8esj26; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
POST
200
https://rootpass.top/update.php
REQUEST
RESPONSE
BODY
POST /update.php HTTP/1.1
Connection: Keep-Alive
Accept: application/json
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
sode: smack
thatsuser: 25528BB7-B449-A342-B397-00D24064AA0D
version: 1506
Content-Length: 0
Host: rootpass.top
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 16 Jun 2021 00:52:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Set-Cookie: PHPSESSID=meh5hm372g3vnv2ku4m0uekua6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
POST
200
https://rootpass.top/update.php
REQUEST
RESPONSE
BODY
POST /update.php HTTP/1.1
Connection: Keep-Alive
Accept: application/json
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
sode: smack
thatsuser: 25528BB7-B449-A342-B397-00D24064AA0D
version: 1506
Content-Length: 0
Host: rootpass.top
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 16 Jun 2021 00:52:21 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Set-Cookie: PHPSESSID=ib3vsa8hlh6fl32uckoce00da0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
POST
200
https://rootpass.top/update.php
REQUEST
RESPONSE
BODY
POST /update.php HTTP/1.1
Connection: Keep-Alive
Accept: application/json
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
sode: smack
thatsuser: 25528BB7-B449-A342-B397-00D24064AA0D
version: 1506
Content-Length: 0
Host: rootpass.top
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 16 Jun 2021 00:52:33 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Set-Cookie: PHPSESSID=lr5fuh8t2g46mnj5topkqoc362; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
POST
200
https://rootpass.top/update.php
REQUEST
RESPONSE
BODY
POST /update.php HTTP/1.1
Connection: Keep-Alive
Accept: application/json
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
sode: smack
thatsuser: 25528BB7-B449-A342-B397-00D24064AA0D
version: 1506
Content-Length: 0
Host: rootpass.top
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 16 Jun 2021 00:52:44 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Set-Cookie: PHPSESSID=2nhcn1nr3pklh440nai6q8p1f2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.102:49809 -> 185.199.108.133:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.102:49812 -> 54.235.175.90:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 185.199.108.133:443 -> 192.168.56.102:49810 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic |
| UDP 192.168.56.102:50839 -> 164.124.101.2:53 | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | Potentially Bad Traffic |
| TCP 192.168.56.102:49808 -> 185.199.108.133:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.102:49817 -> 8.209.69.171:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.102:49812 54.235.175.90:443 |
C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=*.ipify.org | 6f:de:ae:2b:9f:c6:cd:5b:7f:5c:d0:69:fa:c8:8b:62:19:fd:56:ad |
|
TLSv1 192.168.56.102:49817 8.209.69.171:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=rootpass.top | 5e:5a:24:82:a1:85:f6:7e:56:9b:cd:b3:d9:8b:2a:4f:9d:1a:5c:f6 |
Snort Alerts
No Snort Alerts