Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
a2ooiw.sn.files.1drv.com | CNAME sn-files.fe.1drv.com; CNAME l-0003.l-msedge.net | 13.107.42.12 |
twistednerd.dvrlists.com | 62.102.148.152 | |
onedrive.live.com | CNAME l-0004.l-msedge.net | 13.107.42.13 |
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21128&authkey=AHwv5d2XqgZhJTg
Request and response headers:
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21128&authkey=AHwv5d2XqgZhJTg HTTP/1.1
User-Agent: zipo
Host: onedrive.live.com
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://a2ooiw.sn.files.1drv.com/y4m-DtusEGdlWhmlRB9W9DH3UrnVHV-LboxupN_yLq3KU4drRJETI9tgtkiUXtXaK5FqWdNquQhyxx9L_gwMLPJUY_k5XNap3ppghjTnPIUW47IPZ_7LmMTNgwxNhuipdELBpTC5ecx-Tgn_IjtpNErT657fkkX2jFJT_IDJQoqSSG2_v9bq7nuKh8C0RynsDJnNPeRRHVd2P8852lisgHDgg/Dhfjtcfiwqjptzsveipvvutmlisezrk?download&psid=1
Set-Cookie: E=P:O8hQbm9j2Yg=:El9GfPoD8Iayyr20tbdfug6MIIOIWQAhjXdjEkMiCVQ=:F; domain=.live.com; path=/
Set-Cookie: xid=8e77cb76-eeaf-4f36-8cc4-3b26e4ba66b0&&RD00155D74539C&276; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Thu, 19-Aug-2021 22:34:09 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Fri, 27-Aug-2021 00:14:09 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD00155D74539C
X-ODWebServer: northcentralus0-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: C540BF61F9CA4369BD73F38FD449F979 Ref B: SLAEDGE1116 Ref C: 2021-08-20T00:14:09Z
Date: Fri, 20 Aug 2021 00:14:09 GMT
Content-Length: 0
GET 200 https://a2ooiw.sn.files.1drv.com/y4m-DtusEGdlWhmlRB9W9DH3UrnVHV-LboxupN_yLq3KU4drRJETI9tgtkiUXtXaK5FqWdNquQhyxx9L_gwMLPJUY_k5XNap3ppghjTnPIUW47IPZ_7LmMTNgwxNhuipdELBpTC5ecx-Tgn_IjtpNErT657fkkX2jFJT_IDJQoqSSG2_v9bq7nuKh8C0RynsDJnNPeRRHVd2P8852lisgHDgg/Dhfjtcfiwqjptzsveipvvutmlisezrk?download&psid=1
Request and response headers:
GET /y4m-DtusEGdlWhmlRB9W9DH3UrnVHV-LboxupN_yLq3KU4drRJETI9tgtkiUXtXaK5FqWdNquQhyxx9L_gwMLPJUY_k5XNap3ppghjTnPIUW47IPZ_7LmMTNgwxNhuipdELBpTC5ecx-Tgn_IjtpNErT657fkkX2jFJT_IDJQoqSSG2_v9bq7nuKh8C0RynsDJnNPeRRHVd2P8852lisgHDgg/Dhfjtcfiwqjptzsveipvvutmlisezrk?download&psid=1 HTTP/1.1
User-Agent: zipo
Host: a2ooiw.sn.files.1drv.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 577024
Content-Type: application/octet-stream
Content-Location: https://a2ooiw.sn.files.1drv.com/y4m8B6W6vgbzjfHgoO776uc8yXVFoq6ljDzyV6NdmLtQI1PgEyJNc8Fl8MKPg2NKg6by7VX-ksrOzuHXOa7ak5KnVNV-ZXsslLRCmDSkkAsSJoaX6VDLix-XqPkKAOnUHfHa2bE2c4DiQ-dQaAF-3709nlsz9TMPJBghki6k87PjQUOUuGJxmf5QaSbfhEx7C2f
Expires: Thu, 18 Nov 2021 00:14:10 GMT
Last-Modified: Thu, 19 Aug 2021 15:35:03 GMT
Accept-Ranges: bytes
ETag: D6676A9A61E841F3!128.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: SN3PPF224687FC7
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: L9lqieM+0Eyvwuacx0RLeQ.0
X-SqlDataOrigin: S
CTag: aYzpENjY3NkE5QTYxRTg0MUYzITEyOC4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Dhfjtcfiwqjptzsveipvvutmlisezrk"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.734.803.2003
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 4FA4E0FD18484D5C89DB029F4CFC19B0 Ref B: SLAEDGE1120 Ref C: 2021-08-20T00:14:09Z
Date: Fri, 20 Aug 2021 00:14:10 GMT
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21128&authkey=AHwv5d2XqgZhJTg
Request and response headers:
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21128&authkey=AHwv5d2XqgZhJTg HTTP/1.1
User-Agent: aswe
Host: onedrive.live.com
Cache-Control: no-cache
Cookie: E=P:O8hQbm9j2Yg=:El9GfPoD8Iayyr20tbdfug6MIIOIWQAhjXdjEkMiCVQ=:F; xid=8e77cb76-eeaf-4f36-8cc4-3b26e4ba66b0&&RD00155D74539C&276; xidseq=1; wla42=
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://a2ooiw.sn.files.1drv.com/y4mE7XbSQXuZC9yYWp7AUZU0ZKgvmTacBuyD7WsIASM6IO9-p1TuQ8utdj6pKiooBRT7NSppFynY2HU1E7LUO7MTQprfN3i3jeghtE0I055rFBxTM0RGdo2IK0TDKRmgj68KbY9MMsf_ejwdv1lkwxXjAuH1OrWGGrYHCcD-ohf6XGb9Nv4UPD9_gKiMQXEj0jeN9Iazhno6ozmNeNyI-iWlg/Dhfjtcfiwqjptzsveipvvutmlisezrk?download&psid=1
Set-Cookie: E=P:53vubm9j2Yg=:PUWThISqopZKmK9TMqY8Ix8hovgCKOQrpfDdqlk0xO8=:F; domain=.live.com; path=/
Set-Cookie: xidseq=2; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Thu, 19-Aug-2021 22:34:10 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Fri, 27-Aug-2021 00:14:10 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD00155D744BD0
X-ODWebServer: northcentralus0-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 77FDE90975EB41E6917F6D9D67027AE3 Ref B: SLAEDGE1116 Ref C: 2021-08-20T00:14:10Z
Date: Fri, 20 Aug 2021 00:14:10 GMT
Content-Length: 0
GET 200 https://a2ooiw.sn.files.1drv.com/y4mE7XbSQXuZC9yYWp7AUZU0ZKgvmTacBuyD7WsIASM6IO9-p1TuQ8utdj6pKiooBRT7NSppFynY2HU1E7LUO7MTQprfN3i3jeghtE0I055rFBxTM0RGdo2IK0TDKRmgj68KbY9MMsf_ejwdv1lkwxXjAuH1OrWGGrYHCcD-ohf6XGb9Nv4UPD9_gKiMQXEj0jeN9Iazhno6ozmNeNyI-iWlg/Dhfjtcfiwqjptzsveipvvutmlisezrk?download&psid=1
Request and response headers:
GET /y4mE7XbSQXuZC9yYWp7AUZU0ZKgvmTacBuyD7WsIASM6IO9-p1TuQ8utdj6pKiooBRT7NSppFynY2HU1E7LUO7MTQprfN3i3jeghtE0I055rFBxTM0RGdo2IK0TDKRmgj68KbY9MMsf_ejwdv1lkwxXjAuH1OrWGGrYHCcD-ohf6XGb9Nv4UPD9_gKiMQXEj0jeN9Iazhno6ozmNeNyI-iWlg/Dhfjtcfiwqjptzsveipvvutmlisezrk?download&psid=1 HTTP/1.1
User-Agent: aswe
Host: a2ooiw.sn.files.1drv.com
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 577024
Content-Type: application/octet-stream
Content-Location: https://a2ooiw.sn.files.1drv.com/y4m8B6W6vgbzjfHgoO776uc8yXVFoq6ljDzyV6NdmLtQI1PgEyJNc8Fl8MKPg2NKg6by7VX-ksrOzuHXOa7ak5KnVNV-ZXsslLRCmDSkkAsSJoaX6VDLix-XqPkKAOnUHfHa2bE2c4DiQ-dQaAF-3709nlsz9TMPJBghki6k87PjQUOUuGJxmf5QaSbfhEx7C2f
Expires: Thu, 18 Nov 2021 00:14:10 GMT
Last-Modified: Thu, 19 Aug 2021 15:35:03 GMT
Accept-Ranges: bytes
ETag: D6676A9A61E841F3!128.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: SN4PPF19DBD533B
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: fb7okSyHoEWKrew9wn18eA.0
X-SqlDataOrigin: S
CTag: aYzpENjY3NkE5QTYxRTg0MUYzITEyOC4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Dhfjtcfiwqjptzsveipvvutmlisezrk"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.734.803.2003
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: C9EEC117F7C94B5D9FC9C52876EF468C Ref B: SLAEDGE1118 Ref C: 2021-08-20T00:14:10Z
Date: Fri, 20 Aug 2021 00:14:10 GMT
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49164 -> 13.107.42.13:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49165 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49166 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49164 -> 13.107.42.13:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | CN=onedrive.com | 24:8a:fb:ed:16:0d:11:c8:2f:65:3a:66:ca:f1:6f:60:ad:4c:cc:de |
TLSv1 192.168.56.102:49165 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | 77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49 |
TLSv1 192.168.56.102:49166 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | 77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49 |
Snort Alerts
No Snort Alerts