Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
zya3ig.sn.files.1drv.com | CNAME sn-files.fe.1drv.com; CNAME l-0003.l-msedge.net | 13.107.42.12 |
onedrive.live.com | CNAME l-0004.l-msedge.net | 13.107.42.13 |
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21106&authkey=ABWUN04e3lg3neg
REQUEST
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21106&authkey=ABWUN04e3lg3neg HTTP/1.1
User-Agent: zipo
Host: onedrive.live.com
RESPONSE
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://zya3ig.sn.files.1drv.com/y4mJJ5fYOJj8MPGeOKGqQ1KM13fmel2Ir5INpKatMQNhtn-MFo22uJXG-NxHGQW_rIE_QimVyEKqc1UAQnleBjY5UihcDrpL6Eb2Ifa9I_Ol5syVmMwJVuBJjBf1MYv7UrCewNZWHZNelLV4zk5t7MMv7dryPakEqTM3AMwvnh0KRMGP3mPCri2oJ3PakOXO5685tSRfDtd09gIy5zXW-F5cA/Boplulwvphysvkdwcittsyporhfrcui?download&psid=1
Set-Cookie: E=P:xMtfnwRT2Yg=:UXxCwhI+gVflAOFpVo/q4GE7raQZpyyrfwuuUYRehzU=:F; domain=.live.com; path=/
Set-Cookie: xid=937ebc54-ce81-42a0-99aa-04fc044b8bd5&&RD0004FFA75BA0&254; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Fri, 30-Jul-2021 01:09:16 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Fri, 06-Aug-2021 02:49:17 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD0004FFA75BA0
X-ODWebServer: canadaeast1-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 6596614D0B1E4E8C8FA02C210511356B Ref B: SLAEDGE1006 Ref C: 2021-07-30T02:49:16Z
Date: Fri, 30 Jul 2021 02:49:17 GMT
Content-Length: 0
GET 200 https://zya3ig.sn.files.1drv.com/y4mJJ5fYOJj8MPGeOKGqQ1KM13fmel2Ir5INpKatMQNhtn-MFo22uJXG-NxHGQW_rIE_QimVyEKqc1UAQnleBjY5UihcDrpL6Eb2Ifa9I_Ol5syVmMwJVuBJjBf1MYv7UrCewNZWHZNelLV4zk5t7MMv7dryPakEqTM3AMwvnh0KRMGP3mPCri2oJ3PakOXO5685tSRfDtd09gIy5zXW-F5cA/Boplulwvphysvkdwcittsyporhfrcui?download&psid=1
REQUEST
GET /y4mJJ5fYOJj8MPGeOKGqQ1KM13fmel2Ir5INpKatMQNhtn-MFo22uJXG-NxHGQW_rIE_QimVyEKqc1UAQnleBjY5UihcDrpL6Eb2Ifa9I_Ol5syVmMwJVuBJjBf1MYv7UrCewNZWHZNelLV4zk5t7MMv7dryPakEqTM3AMwvnh0KRMGP3mPCri2oJ3PakOXO5685tSRfDtd09gIy5zXW-F5cA/Boplulwvphysvkdwcittsyporhfrcui?download&psid=1 HTTP/1.1
User-Agent: zipo
Host: zya3ig.sn.files.1drv.com
Connection: Keep-Alive
RESPONSE
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 582144
Content-Type: application/octet-stream
Content-Location: https://zya3ig.sn.files.1drv.com/y4mrYC84379gtgLZVLOPAhahB1YOKbMdC9x599X-N6qxvOXTilD4xLEV_5kWaRuAQpxYSXSH8Grnqol47nSoJ3AjM9R-3kyj0040jNbtjbI1PDLEUhsAhKI11tvYsisRwPRCr3HB0CB46QX2p0flk9AgkP8sS7b1HjnwU7gnwZR56e90YSo_qsQweUzUv0Jsw7c
Expires: Thu, 28 Oct 2021 02:49:17 GMT
Last-Modified: Wed, 28 Jul 2021 15:12:15 GMT
Accept-Ranges: bytes
ETag: D6676A9A61E841F3!106.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: SN4PPF81DF7EC8B
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: gW24T55PBUefzxcPsiABMw.0
X-SqlDataOrigin: S
CTag: aYzpENjY3NkE5QTYxRTg0MUYzITEwNi4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Boplulwvphysvkdwcittsyporhfrcui"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.716.706.2005
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: AC2B132E587C4713A795F98AAFB96BBD Ref B: SLAEDGE1007 Ref C: 2021-07-30T02:49:17Z
Date: Fri, 30 Jul 2021 02:49:17 GMT
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21106&authkey=ABWUN04e3lg3neg
REQUEST
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21106&authkey=ABWUN04e3lg3neg HTTP/1.1
User-Agent: aswe
Host: onedrive.live.com
Cache-Control: no-cache
Cookie: E=P:xMtfnwRT2Yg=:UXxCwhI+gVflAOFpVo/q4GE7raQZpyyrfwuuUYRehzU=:F; xid=937ebc54-ce81-42a0-99aa-04fc044b8bd5&&RD0004FFA75BA0&254; xidseq=1; wla42=
RESPONSE
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://zya3ig.sn.files.1drv.com/y4md6gQPdIz35OSr1CP2N4-V0otIFa4eVa0izCLdmOuJBlLjvqOKL1As6rYQnYlPRdOKogUyQE7YlWy1lWOD4q-yUycJQpPxTSjhLp1ipDwl2VxJzzfz4_HgHLeaZnxv5_IXieI4bUFSOayiOt7gTLafGswW8XOo0GN6ewIHl1Xv5d3ZoJJCQW6vuIZ2DO7Z-CXZhd8Pay1cNIMOtYXsZ6jSw/Boplulwvphysvkdwcittsyporhfrcui?download&psid=1
Set-Cookie: E=P:I1gaoART2Yg=:xwkPRkLO8Hc51iC43dFFmztwvglRL1HSf200rr12p+A=:F; domain=.live.com; path=/
Set-Cookie: xidseq=2; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Fri, 30-Jul-2021 01:09:18 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Fri, 06-Aug-2021 02:49:18 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD00155D5E85B8
X-ODWebServer: canadaeast1-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: B5F23440505C445C84341ED1445D794E Ref B: SLAEDGE1007 Ref C: 2021-07-30T02:49:17Z
Date: Fri, 30 Jul 2021 02:49:17 GMT
Content-Length: 0
GET 200 https://zya3ig.sn.files.1drv.com/y4md6gQPdIz35OSr1CP2N4-V0otIFa4eVa0izCLdmOuJBlLjvqOKL1As6rYQnYlPRdOKogUyQE7YlWy1lWOD4q-yUycJQpPxTSjhLp1ipDwl2VxJzzfz4_HgHLeaZnxv5_IXieI4bUFSOayiOt7gTLafGswW8XOo0GN6ewIHl1Xv5d3ZoJJCQW6vuIZ2DO7Z-CXZhd8Pay1cNIMOtYXsZ6jSw/Boplulwvphysvkdwcittsyporhfrcui?download&psid=1
REQUEST
GET /y4md6gQPdIz35OSr1CP2N4-V0otIFa4eVa0izCLdmOuJBlLjvqOKL1As6rYQnYlPRdOKogUyQE7YlWy1lWOD4q-yUycJQpPxTSjhLp1ipDwl2VxJzzfz4_HgHLeaZnxv5_IXieI4bUFSOayiOt7gTLafGswW8XOo0GN6ewIHl1Xv5d3ZoJJCQW6vuIZ2DO7Z-CXZhd8Pay1cNIMOtYXsZ6jSw/Boplulwvphysvkdwcittsyporhfrcui?download&psid=1 HTTP/1.1
User-Agent: aswe
Host: zya3ig.sn.files.1drv.com
Cache-Control: no-cache
Connection: Keep-Alive
RESPONSE
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 582144
Content-Type: application/octet-stream
Content-Location: https://zya3ig.sn.files.1drv.com/y4mrYC84379gtgLZVLOPAhahB1YOKbMdC9x599X-N6qxvOXTilD4xLEV_5kWaRuAQpxYSXSH8Grnqol47nSoJ3AjM9R-3kyj0040jNbtjbI1PDLEUhsAhKI11tvYsisRwPRCr3HB0CB46QX2p0flk9AgkP8sS7b1HjnwU7gnwZR56e90YSo_qsQweUzUv0Jsw7c
Expires: Thu, 28 Oct 2021 02:49:18 GMT
Last-Modified: Wed, 28 Jul 2021 15:12:15 GMT
Accept-Ranges: bytes
ETag: D6676A9A61E841F3!106.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: SN3PPF92F017E35
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: qtJRsZlTWkC7F01BJcqX8g.0
X-SqlDataOrigin: S
CTag: aYzpENjY3NkE5QTYxRTg0MUYzITEwNi4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Boplulwvphysvkdwcittsyporhfrcui"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.716.706.2005
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 868A35A943974A8BAC78F4DBDAC77D73 Ref B: SLAEDGE1118 Ref C: 2021-07-30T02:49:18Z
Date: Fri, 30 Jul 2021 02:49:18 GMT
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49163 -> 13.107.42.13:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49165 -> 13.107.42.13:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49164 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49166 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49163 -> 13.107.42.13:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | CN=onedrive.com | 24:8a:fb:ed:16:0d:11:c8:2f:65:3a:66:ca:f1:6f:60:ad:4c:cc:de |
TLSv1 192.168.56.102:49165 -> 13.107.42.13:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | CN=onedrive.com | 24:8a:fb:ed:16:0d:11:c8:2f:65:3a:66:ca:f1:6f:60:ad:4c:cc:de |
TLSv1 192.168.56.102:49164 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | 77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49 |
TLSv1 192.168.56.102:49166 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | 77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49 |
Snort Alerts
No Snort Alerts