Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| www.google.com | 142.250.196.132 | |
| www.epcdiagnostic.com |
CNAME
epcdiagnostic.com
|
185.221.202.118 |
- TCP Requests
-
-
192.168.56.102:49161 142.250.199.68:443www.google.com
-
192.168.56.102:49166 185.221.202.118:80www.epcdiagnostic.com
-
192.168.56.102:49167 185.221.202.118:443www.epcdiagnostic.com
-
192.168.56.102:49168 185.221.202.118:443www.epcdiagnostic.com
-
192.168.56.102:49169 185.221.202.118:443www.epcdiagnostic.com
-
192.168.56.102:49171 185.221.202.118:80www.epcdiagnostic.com
-
192.168.56.102:49163 204.79.197.200:443
-
GET
200
https://www.google.com/
REQUEST
RESPONSE
BODY
GET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 05 Aug 2021 00:45:06 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2021-08-05-00; expires=Sat, 04-Sep-2021 00:45:06 GMT; path=/; domain=.google.com; Secure
Set-Cookie: NID=220=vHy7_3PYJRf1eV1AXkO1tDIQV-kArnrN0wS2wr1VZ0Ya-5nBW-OVBFkIDjXCGNa2PVLcqnJ5Qne0zUQl1xJbUDuQh7E-t9K2Qgf1x6jj1rb9Ttp0Kmyh_qx8OJzJvm6Jubsw75Y24-xHWmdeZqHDxwHxxEOsOTherOSIZpyWB28; expires=Fri, 04-Feb-2022 00:45:06 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET
200
https://www.bing.com/
REQUEST
RESPONSE
BODY
GET / HTTP/1.1
Host: www.bing.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND"
Set-Cookie: MUID=0E2D44CFAEF06ADC3B265445AFBB6B85; domain=.bing.com; expires=Tue, 30-Aug-2022 00:45:06 GMT; path=/; secure; SameSite=None
Set-Cookie: MUIDB=0E2D44CFAEF06ADC3B265445AFBB6B85; expires=Tue, 30-Aug-2022 00:45:06 GMT; path=/
Set-Cookie: _EDGE_S=F=1&SID=28825994B3E96698091B491EB2A2674A; domain=.bing.com; path=/
Set-Cookie: _EDGE_V=1; domain=.bing.com; expires=Tue, 30-Aug-2022 00:45:06 GMT; path=/
Set-Cookie: SRCHD=AF=NOFORM; domain=.bing.com; expires=Sat, 05-Aug-2023 00:45:06 GMT; path=/
Set-Cookie: SRCHUID=V=2&GUID=163F4B5C16934D2FA71E96C740E3165B&dmnchg=1; domain=.bing.com; expires=Sat, 05-Aug-2023 00:45:06 GMT; path=/
Set-Cookie: SRCHUSR=DOB=20210805; domain=.bing.com; expires=Sat, 05-Aug-2023 00:45:06 GMT; path=/
Set-Cookie: SRCHHPGUSR=SRCHLANG=ko; domain=.bing.com; expires=Sat, 05-Aug-2023 00:45:06 GMT; path=/
Set-Cookie: _SS=SID=28825994B3E96698091B491EB2A2674A; domain=.bing.com; path=/
Set-Cookie: ULC=; domain=.bing.com; expires=Wed, 04-Aug-2021 00:45:06 GMT; path=/
Set-Cookie: _HPVN=CS=eyJQbiI6eyJDbiI6MSwiU3QiOjAsIlFzIjowLCJQcm9kIjoiUCJ9LCJTYyI6eyJDbiI6MSwiU3QiOjAsIlFzIjowLCJQcm9kIjoiSCJ9LCJReiI6eyJDbiI6MSwiU3QiOjAsIlFzIjowLCJQcm9kIjoiVCJ9LCJBcCI6dHJ1ZSwiTXV0ZSI6dHJ1ZSwiTGFkIjoiMjAyMS0wOC0wNVQwMDowMDowMFoiLCJJb3RkIjowLCJEZnQiOm51bGwsIk12cyI6MCwiRmx0IjowLCJJbXAiOjF9; domain=.bing.com; expires=Sat, 05-Aug-2023 00:45:06 GMT; path=/
X-SNR-Routing: 1
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 12874D33BBC746709BB172512BBDE8B1 Ref B: SLAEDGE0311 Ref C: 2021-08-05T00:45:06Z
Date: Thu, 05 Aug 2021 00:45:06 GMT
POST
301
http://www.epcdiagnostic.com/wp-content/rem/cach/index.php
REQUEST
RESPONSE
BODY
POST /wp-content/rem/cach/index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: www.epcdiagnostic.com
Content-Length: 89
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Date: Thu, 05 Aug 2021 00:45:18 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Location: https://www.epcdiagnostic.com/wp-content/rem/cach/index.php
Content-Length: 0
Content-Type: text/html; charset=UTF-8
POST
0
http://www.epcdiagnostic.com/wp-content/rem/cach/index.php
REQUEST
RESPONSE
BODY
POST /wp-content/rem/cach/index.php HTTP/1.0
Host: www.epcdiagnostic.com
Connection: close
User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Content-Length: 89
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.102:49161 -> 142.250.199.68:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.102:49163 -> 204.79.197.200:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.102:49167 -> 185.221.202.118:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.102:49168 -> 185.221.202.118:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 185.221.202.118:443 -> 192.168.56.102:49169 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic |
| TCP 192.168.56.102:49166 -> 185.221.202.118:80 | 2025885 | ET MALWARE AZORult Variant.4 Checkin M2 | Malware Command and Control Activity Detected |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.102:49161 142.250.199.68:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=www.google.com | 9f:0e:42:2d:88:e4:7b:df:08:66:47:16:63:48:02:84:a4:89:de:8e |
|
TLSv1 192.168.56.102:49163 204.79.197.200:443 |
C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | CN=www.bing.com | e6:d6:8f:e4:5e:31:2c:7f:a5:1a:6c:d5:bb:5c:15:c6:54:47:bf:47 |
Snort Alerts
No Snort Alerts