Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| sanctam.net | 185.65.135.248 | |
| bitbucket.org | 104.192.141.1 | |
| pool.hashvault.pro | 131.153.76.130 |
- UDP Requests
-
-
192.168.56.101:54056 164.124.101.2:53
-
192.168.56.101:59369 164.124.101.2:53
-
192.168.56.101:61479 164.124.101.2:53
-
192.168.56.101:62324 164.124.101.2:53
-
192.168.56.101:137 192.168.56.255:137
-
192.168.56.101:138 192.168.56.255:138
-
192.168.56.101:49152 239.255.255.250:3702
-
192.168.56.101:62327 239.255.255.250:1900
-
192.168.56.101:62329 239.255.255.250:3702
-
192.168.56.101:62331 239.255.255.250:3702
-
192.168.56.101:62333 239.255.255.250:3702
-
52.231.114.183:123 192.168.56.101:123
-
GET
200
https://bitbucket.org/Sanctam/sanctam/raw/d2123dc19ea65d0fdce7b5d17328d978c42b18cc/includes/xmrig
REQUEST
RESPONSE
BODY
GET /Sanctam/sanctam/raw/d2123dc19ea65d0fdce7b5d17328d978c42b18cc/includes/xmrig HTTP/1.1
Host: bitbucket.org
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://d301sr5gafysq2.cloudfront.net; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com https://d301sr5gafysq2.cloudfront.net; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com analytics.atlassian.com as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net sentry.io bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net; object-src about:; base-uri 'self'
Server: nginx
X-Usage-Quota-Remaining: 997152.151
Vary: Authorization, Accept-Language, Origin
X-Usage-Request-Cost: 2882.07
Cache-Control: max-age=900
Content-Type: application/octet-stream
X-B3-TraceId: 9b83a6c6421157f7
X-Usage-Output-Ops: 0
X-Dc-Location: Micros
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Sun, 15 Aug 2021 03:30:22 GMT
X-Usage-User-Time: 0.071096
X-Usage-System-Time: 0.015366
X-Served-By: 67235d2a14ff
Content-Language: en
X-View-Name: bitbucket.apps.repo2.views.filebrowse_raw
Accept-Ranges: bytes
ETag: "7f16ee0c324c7567525274efed11a720"
X-Static-Version: 6cb6a737050b
X-Render-Time: 0.120463132858
Content-Disposition: attachment
Connection: Keep-Alive
X-Usage-Input-Ops: 0
X-Request-Count: 1576
X-Frame-Options: SAMEORIGIN
Last-Modified: Fri, 13 Aug 2021 19:54:08 GMT
X-Version: 6cb6a737050b
X-Cache-Info: cached
Content-Length: 2069251
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.101:49204 -> 185.65.135.248:58899 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.101:49205 -> 104.192.141.1:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLS 1.2 192.168.56.101:49205 104.192.141.1:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA | unknown=Private Organization, unknown=US, unknown=Delaware, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., OU=Bitbucket, CN=bitbucket.org | 4e:6a:4c:3b:82:15:ef:df:97:38:5e:50:ef:b9:86:42:84:3b:89:f0 |
|
TLS 1.2 192.168.56.101:49204 185.65.135.248:58899 |
C=US, O=Let's Encrypt, CN=R3 | CN=sanctam.net | 38:bc:f2:94:62:8a:02:9e:90:64:d5:0f:bc:00:83:12:36:86:2c:2a |
|
TLS 1.3 192.168.56.101:49208 131.153.76.130:80 |
None | None | None |
Snort Alerts
No Snort Alerts