Network Analysis
DNS Lookups
Name | Response | Post-Analysis Lookup |
---|---|---|
twistednerd.dvrlists.com | A 62.102.148.152 | |
a2q8ua.sn.files.1drv.com | CNAME sn-files.fe.1drv.com -> CNAME l-0003.l-msedge.net -> A 13.107.42.12 | |
onedrive.live.com | CNAME l-0004.l-msedge.net -> A 13.107.42.13 | |
UDP Requests
Source | Destination | Service |
---|---|---|
192.168.56.101:59369 | 164.124.101.2:53 | DNS |
192.168.56.101:61479 | 164.124.101.2:53 | DNS |
192.168.56.101:62324 | 164.124.101.2:53 | DNS |
192.168.56.101:137 | 192.168.56.255:137 | NetBIOS name service (broadcast) |
192.168.56.101:138 | 192.168.56.255:138 | NetBIOS datagram service (broadcast) |
192.168.56.101:49152 | 239.255.255.250:3702 | WS-Discovery (multicast) |
192.168.56.101:62445 | 239.255.255.250:1900 | SSDP (multicast) |
192.168.56.101:62447 | 239.255.255.250:3702 | WS-Discovery (multicast) |
192.168.56.101:62449 | 239.255.255.250:3702 | WS-Discovery (multicast) |
The three queries to 164.124.101.2:53 are consistent with the three names in the DNS table. The NetBIOS, WS-Discovery and SSDP broadcasts are ordinary Windows host-discovery noise from the analysis VM and should not be attributed to the sample without process-level evidence.
HTTP Requests

GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21124&authkey=AAvFfFUNaaPX5xg
Request:
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21124&authkey=AAvFfFUNaaPX5xg HTTP/1.1
User-Agent: zipo
Host: onedrive.live.com
Response:
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://a2q8ua.sn.files.1drv.com/y4mHv4FC3w4vu3xhBTq24EbcDs_9Ff-44ScNZJQarXQBccz-PruP8ExelHSqV4xuSj1PR_PPwAx83eslXEvSVPGJLAx6jbxr7NiKLVWjGnwSEAmq2CXsMYx6tAOhpM0N3OVm_TRtfBK4MGUWRaG-J5vdfrM8n39Zd-XWT_D5HNE8x7r8KtWZtkxAPGKBZg38Lwz5ZErWoxPxmYyqtRxi0UCYg/Gehnhmunuodizkcuanobbgrymobqird?download&psid=1
Set-Cookie: E=P:oG+E16xi2Yg=:eX58MBTkTv9mnPqQTkTfxNgFTmLfBYsXUGyt28napTw=:F; domain=.live.com; path=/
Set-Cookie: xid=5c72430e-829e-459d-a202-e17586d3750c&&RD0003FF11DA51&275; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Wed, 18-Aug-2021 23:21:13 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Thu, 26-Aug-2021 01:01:14 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD0003FF11DA51
X-ODWebServer: centralus1-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 530FF4D430EB48D180340DCDB0442F69 Ref B: SLAEDGE1112 Ref C: 2021-08-19T01:01:13Z
Date: Thu, 19 Aug 2021 01:01:13 GMT
Content-Length: 0
Body: empty (Content-Length: 0)
GET 200 https://a2q8ua.sn.files.1drv.com/y4mHv4FC3w4vu3xhBTq24EbcDs_9Ff-44ScNZJQarXQBccz-PruP8ExelHSqV4xuSj1PR_PPwAx83eslXEvSVPGJLAx6jbxr7NiKLVWjGnwSEAmq2CXsMYx6tAOhpM0N3OVm_TRtfBK4MGUWRaG-J5vdfrM8n39Zd-XWT_D5HNE8x7r8KtWZtkxAPGKBZg38Lwz5ZErWoxPxmYyqtRxi0UCYg/Gehnhmunuodizkcuanobbgrymobqird?download&psid=1
Request:
GET /y4mHv4FC3w4vu3xhBTq24EbcDs_9Ff-44ScNZJQarXQBccz-PruP8ExelHSqV4xuSj1PR_PPwAx83eslXEvSVPGJLAx6jbxr7NiKLVWjGnwSEAmq2CXsMYx6tAOhpM0N3OVm_TRtfBK4MGUWRaG-J5vdfrM8n39Zd-XWT_D5HNE8x7r8KtWZtkxAPGKBZg38Lwz5ZErWoxPxmYyqtRxi0UCYg/Gehnhmunuodizkcuanobbgrymobqird?download&psid=1 HTTP/1.1
User-Agent: zipo
Host: a2q8ua.sn.files.1drv.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 582656
Content-Type: application/octet-stream
Content-Location: https://a2q8ua.sn.files.1drv.com/y4m5d_219BoFU7XHyXGgsmDtkMMWEnFoD5BsvY_qh1ybERc-ZruZVgRFaocU0DRHStrCRuOj5vBSIsgaQgjzFcS_4539q77_qgJxe2rbMcoxloOo5KdPAQZUYm09G1aGCKe-P0uOXG0uMwTTSCilhQDWvDFJDmBqLOapLra7czsOnHeQMbDp7RldSYT45uwrUpC
Expires: Wed, 17 Nov 2021 01:01:14 GMT
Last-Modified: Wed, 18 Aug 2021 16:56:24 GMT
Accept-Ranges: bytes
ETag: D6676A9A61E841F3!124.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: SN3PPFA04EBD1DE
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: fTJfdmQOQk2AXpD/mPSqqA.0
X-SqlDataOrigin: S
CTag: aYzpENjY3NkE5QTYxRTg0MUYzITEyNC4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Gehnhmunuodizkcuanobbgrymobqird"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.734.803.2003
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 95284F7C626345AB88B0B402CAA72CBA Ref B: SLAEDGE1019 Ref C: 2021-08-19T01:01:14Z
Date: Thu, 19 Aug 2021 01:01:14 GMT
Body: 582656 bytes of application/octet-stream, not reproduced in the report
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21124&authkey=AAvFfFUNaaPX5xg
Request:
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21124&authkey=AAvFfFUNaaPX5xg HTTP/1.1
User-Agent: aswe
Host: onedrive.live.com
Cache-Control: no-cache
Cookie: E=P:oG+E16xi2Yg=:eX58MBTkTv9mnPqQTkTfxNgFTmLfBYsXUGyt28napTw=:F; xid=5c72430e-829e-459d-a202-e17586d3750c&&RD0003FF11DA51&275; xidseq=1; wla42=
Response:
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://a2q8ua.sn.files.1drv.com/y4mOQSKY3HPgDKYEXuiiOOPH_9t-Ca0UvsxWDvkH7aAj7bxUE5NIow9fuBaFmI_887wuFZq2k6AIwvtuiX8o9KIpSbJDgwZDGsdHbrqfxj8jwNBYfdzbt8FbH-8WRSR9Ls1NSB1vsywWLgE1mrKIB_6nU-4-b-B30748uy5_cdIKS7LL8B1hpZszZnzhW3gmiUITmMhVByGnEZSQYv5LDwGbQ/Gehnhmunuodizkcuanobbgrymobqird?download&psid=1
Set-Cookie: E=P:444m2Kxi2Yg=:e9CD/Zw57vhpBOmBVhL1IG5i+YBO/4DDSSHucCLguPY=:F; domain=.live.com; path=/
Set-Cookie: xidseq=2; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Wed, 18-Aug-2021 23:21:14 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Thu, 26-Aug-2021 01:01:15 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD0003FF11DA51
X-ODWebServer: centralus1-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: C170AB6A871842798F517A765DC0AAE9 Ref B: SLAEDGE1112 Ref C: 2021-08-19T01:01:14Z
Date: Thu, 19 Aug 2021 01:01:14 GMT
Content-Length: 0
Body: empty (Content-Length: 0)
GET 200 https://a2q8ua.sn.files.1drv.com/y4mOQSKY3HPgDKYEXuiiOOPH_9t-Ca0UvsxWDvkH7aAj7bxUE5NIow9fuBaFmI_887wuFZq2k6AIwvtuiX8o9KIpSbJDgwZDGsdHbrqfxj8jwNBYfdzbt8FbH-8WRSR9Ls1NSB1vsywWLgE1mrKIB_6nU-4-b-B30748uy5_cdIKS7LL8B1hpZszZnzhW3gmiUITmMhVByGnEZSQYv5LDwGbQ/Gehnhmunuodizkcuanobbgrymobqird?download&psid=1
Request:
GET /y4mOQSKY3HPgDKYEXuiiOOPH_9t-Ca0UvsxWDvkH7aAj7bxUE5NIow9fuBaFmI_887wuFZq2k6AIwvtuiX8o9KIpSbJDgwZDGsdHbrqfxj8jwNBYfdzbt8FbH-8WRSR9Ls1NSB1vsywWLgE1mrKIB_6nU-4-b-B30748uy5_cdIKS7LL8B1hpZszZnzhW3gmiUITmMhVByGnEZSQYv5LDwGbQ/Gehnhmunuodizkcuanobbgrymobqird?download&psid=1 HTTP/1.1
User-Agent: aswe
Host: a2q8ua.sn.files.1drv.com
Cache-Control: no-cache
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 582656
Content-Type: application/octet-stream
Content-Location: https://a2q8ua.sn.files.1drv.com/y4m5d_219BoFU7XHyXGgsmDtkMMWEnFoD5BsvY_qh1ybERc-ZruZVgRFaocU0DRHStrCRuOj5vBSIsgaQgjzFcS_4539q77_qgJxe2rbMcoxloOo5KdPAQZUYm09G1aGCKe-P0uOXG0uMwTTSCilhQDWvDFJDmBqLOapLra7czsOnHeQMbDp7RldSYT45uwrUpC
Expires: Wed, 17 Nov 2021 01:01:15 GMT
Last-Modified: Wed, 18 Aug 2021 16:56:24 GMT
Accept-Ranges: bytes
ETag: D6676A9A61E841F3!124.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: SN4PPF33E143135
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: 5xoGcTDZ0E2tebfcZzZpBA.0
X-SqlDataOrigin: S
CTag: aYzpENjY3NkE5QTYxRTg0MUYzITEyNC4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Gehnhmunuodizkcuanobbgrymobqird"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.734.803.2003
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: BC84D47A0B9B47F5BE92CE481467197A Ref B: SLAEDGE1116 Ref C: 2021-08-19T01:01:15Z
Date: Thu, 19 Aug 2021 01:01:15 GMT
Body: 582656 bytes of application/octet-stream, not reproduced in the report (same ETag and Content-Length as the first download)
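The four exchanges above are one pattern run twice: a request to onedrive.live.com/download carrying an anonymous share authkey, a 302 to a signed a2q8ua.sn.files.1drv.com URL, and a 582656-byte application/octet-stream download with the Content-Disposition filename Gehnhmunuodizkcuanobbgrymobqird, fetched with User-Agent strings (zipo, aswe) that no browser sends. The Python below is an added triage helper, not part of the sandbox report or of the tooling that produced it: it parses raw request/response text of the form shown, links each 3xx Location to the request that follows it, and reports the entry URL's parameters, the delivered filename, size and ETag, and the flags an analyst would act on. The sample input is constructed from the first two exchanges with the long signed path shortened; the browser-User-Agent heuristic (anything not starting with Mozilla/) and the https scheme used to rebuild absolute URLs are assumptions.

```python
"""Triage helper for raw HTTP request/response text of the form in the
report above. Added example, not part of the sandbox report or its tooling."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the report's first two exchanges with the long signed
# 1drv.com path shortened; User-Agent, hosts, status codes and the headers
# that matter for triage are as shown in the report.
SAMPLE_HTTP = """\
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21124&authkey=AAvFfFUNaaPX5xg HTTP/1.1
User-Agent: zipo
Host: onedrive.live.com

HTTP/1.1 302 Found
Content-Type: text/html
Location: https://a2q8ua.sn.files.1drv.com/y4mHv4FC3w4/Gehnhmunuodizkcuanobbgrymobqird?download&psid=1
Content-Length: 0

GET /y4mHv4FC3w4/Gehnhmunuodizkcuanobbgrymobqird?download&psid=1 HTTP/1.1
User-Agent: zipo
Host: a2q8ua.sn.files.1drv.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Length: 582656
Content-Type: application/octet-stream
ETag: D6676A9A61E841F3!124.2
Content-Disposition: attachment; filename="Gehnhmunuodizkcuanobbgrymobqird"
"""

# Heuristic (assumption): every mainstream browser User-Agent starts with "Mozilla/".
BROWSER_UA = re.compile(r"^Mozilla/")
FILENAME_RE = re.compile(r'filename="([^"]+)"')


def parse_messages(text):
    """Split blank-line-separated HTTP messages into dicts holding the start
    line, the message kind and a lower-cased header map."""
    messages = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        kind = "response" if lines[0].startswith("HTTP/") else "request"
        messages.append({"kind": kind, "start": lines[0], "headers": headers})
    return messages


def pair_exchanges(messages):
    """Pair each request with the response that directly follows it."""
    exchanges, pending = [], None
    for msg in messages:
        if msg["kind"] == "request":
            pending = msg
        elif pending is not None:
            exchanges.append((pending, msg))
            pending = None
    return exchanges


def request_url(req):
    """Rebuild the absolute URL; https is assumed (all flows in the report are to port 443)."""
    _, target, _ = req["start"].split(" ", 2)
    return "https://" + req["headers"].get("host", "") + target


def follow_chains(exchanges):
    """Group exchanges into redirect chains: a 3xx Location equal to the URL
    of the next request links the two exchanges into one chain."""
    chains, current, expected = [], [], None
    for req, resp in exchanges:
        if not (current and request_url(req) == expected):
            if current:
                chains.append(current)
            current = []
        current.append((req, resp))
        status = int(resp["start"].split(" ")[1])
        expected = resp["headers"].get("location") if 300 <= status < 400 else None
    if current:
        chains.append(current)
    return chains


def triage(text):
    """One finding per chain: entry URL parameters, User-Agent, delivered file and flags."""
    findings = []
    for chain in follow_chains(pair_exchanges(parse_messages(text))):
        first_req, _ = chain[0]
        last_req, last_resp = chain[-1]
        entry = urlsplit(request_url(first_req))
        query = {k: v[0] for k, v in parse_qs(entry.query).items()}
        ua = first_req["headers"].get("user-agent", "")
        match = FILENAME_RE.search(last_resp["headers"].get("content-disposition", ""))
        flags = []
        if not BROWSER_UA.match(ua):
            flags.append("non-browser user-agent")
        if (entry.hostname or "").endswith(("onedrive.live.com", "1drv.com")) and "authkey" in query:
            flags.append("anonymous OneDrive share download")
        if last_resp["headers"].get("content-type") == "application/octet-stream":
            flags.append("binary payload delivered")
        findings.append({
            "entry_url": entry.geturl(),
            "query": query,
            "user_agent": ua,
            "hops": len(chain),
            "final_host": last_req["headers"].get("host"),
            "filename": match.group(1) if match else None,
            "size": int(last_resp["headers"].get("content-length", 0)),
            "etag": last_resp["headers"].get("etag"),
            "flags": flags,
        })
    return findings
```

Fed the second pair of exchanges (User-Agent aswe), the helper reports the same resid, filename, size and ETag, which is what the report shows: the same OneDrive object fetched twice by two differently labelled clients. The cid/resid/authkey triple, the 1drv.com host and the filename are the durable indicators here; the signed y4m... path and the Set-Cookie values change per request and are not worth blocking on. Note also that the SSLBL JA3 alerts in the Suricata section fire on the sample's TLS ClientHello fingerprint, and the destinations 13.107.42.12 and 13.107.42.13 are the addresses the DNS table resolves for the OneDrive hosts, so those alerts characterise the client's TLS stack rather than the destination.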
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49200 -> 13.107.42.13:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49201 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49202 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49200 -> 13.107.42.13:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | CN=onedrive.com | 24:8a:fb:ed:16:0d:11:c8:2f:65:3a:66:ca:f1:6f:60:ad:4c:cc:de |
TLSv1 192.168.56.101:49201 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | 77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49 |
TLSv1 192.168.56.101:49202 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | 77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49 |
TLS 1.3 192.168.56.101:49204 -> 62.102.148.152:8618 | None | None | None |
Issuer, subject and fingerprint are None for the 62.102.148.152:8618 flow because TLS 1.3 encrypts the server certificate, so Suricata cannot log it from the handshake. That connection, to the address the DNS table resolves for twistednerd.dvrlists.com on a non-standard port, is the only flow in this capture that does not go to Microsoft infrastructure.
Snort Alerts
No Snort Alerts