Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| builder.pp.ru | 185.244.41.39 | |
| cdn.discordapp.com | 162.159.129.233 |
- UDP Requests
-
-
192.168.56.101:59369 164.124.101.2:53
-
192.168.56.101:61479 164.124.101.2:53
-
192.168.56.101:62324 164.124.101.2:53
-
192.168.56.101:137 192.168.56.255:137
-
192.168.56.101:138 192.168.56.255:138
-
192.168.56.101:49152 239.255.255.250:3702
-
192.168.56.101:59370 239.255.255.250:3702
-
192.168.56.101:62327 239.255.255.250:1900
-
192.168.56.101:62329 239.255.255.250:3702
-
52.231.114.183:123 192.168.56.101:123
-
GET
200
https://builder.pp.ru/qvuivhquwhuizqw.dll
REQUEST
RESPONSE
BODY
GET /qvuivhquwhuizqw.dll HTTP/1.1
Host: builder.pp.ru
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 30 Aug 2021 10:04:36 GMT
Server: Apache/2.4.25 (Debian) mod_fcgid/2.3.9 OpenSSL/1.0.2u
Last-Modified: Sat, 28 Aug 2021 20:21:36 GMT
ETag: "30000-5caa458c586d3"
Accept-Ranges: bytes
Content-Length: 196608
Connection: close
Content-Type: application/x-msdos-program
GET
200
https://cdn.discordapp.com/attachments/710557342755848243/881598869778092032/afansdo.exe
REQUEST
RESPONSE
BODY
GET /attachments/710557342755848243/881598869778092032/afansdo.exe HTTP/1.1
Host: cdn.discordapp.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 30 Aug 2021 10:04:37 GMT
Content-Type: application/x-msdos-program
Content-Length: 119008
Connection: keep-alive
CF-Ray: 686d32300d6f12d6-ICN
Accept-Ranges: bytes
Age: 50882
Cache-Control: public, max-age=31536000
Content-Disposition: attachment;%20filename=afansdo.exe
ETag: "97b2c750a2a59cb189eef40930e7198b"
Expires: Tue, 30 Aug 2022 10:04:37 GMT
Last-Modified: Sun, 29 Aug 2021 17:59:09 GMT
Vary: Accept-Encoding
CF-Cache-Status: HIT
Alt-Svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-goog-generation: 1630259949899027
x-goog-hash: crc32c=YHXtug==
x-goog-hash: md5=l7LHUKKlnLGJ7vQJMOcZiw==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 119008
X-GUploader-UploadID: ADPycdsfU58dw9XOZH7xt4xAV26oAEkj9VukxPUuAR0iXFBN33_UXegqhP5LfIKv2_lCuMWjkVDbtD-fsmx6QH5CB3k
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dHIkD96cBIQe26aDdLBzxuVLGzwlH9zRqugKuf%2FBuphCK3aeZWWV%2BjgVGHStCG%2FZzWTuchSkpfvfnByiC3EMwnlO4MGxZnA8FfWlfNpm0BF1XeI2xFBcxkOoGxSCHc8Tiq8dgA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.101:49201 -> 162.159.129.233:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.101:49198 -> 185.244.41.39:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.101:49201 162.159.129.233:443 |
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da |
|
TLSv1 192.168.56.101:49198 185.244.41.39:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=builder.pp.ru | f5:a6:86:aa:ac:60:8d:af:fa:e4:83:56:09:f9:43:62:e0:34:80:e8 |
Snort Alerts
No Snort Alerts