Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
ya7p6a.sn.files.1drv.com | CNAME sn-files.fe.1drv.com, CNAME l-0003.l-msedge.net | 13.107.42.12 |
onedrive.live.com | CNAME l-0004.l-msedge.net | 13.107.42.13 |
UDP Requests
- 192.168.56.101:59369 164.124.101.2:53
- 192.168.56.101:61479 164.124.101.2:53
- 192.168.56.101:62324 164.124.101.2:53
- 192.168.56.101:137 192.168.56.255:137
- 192.168.56.101:138 192.168.56.255:138
- 192.168.56.101:49152 239.255.255.250:3702
- 192.168.56.101:62325 239.255.255.250:3702
- 192.168.56.101:62445 239.255.255.250:1900
- 192.168.56.101:62447 239.255.255.250:3702
- 192.168.56.101:62449 239.255.255.250:3702
- 52.231.114.183:123 192.168.56.101:123
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21144&authkey=ADKru-6Ld-lJ97I
Request
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21144&authkey=ADKru-6Ld-lJ97I HTTP/1.1
User-Agent: zipo
Host: onedrive.live.com
Response
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://ya7p6a.sn.files.1drv.com/y4mwfXOKjaW69wYFkI3SGx3XTuEnz3xPlm0bryjw2gLBg6o-LSPkzMUDb6s5J_u7Bs8WP2vq4AreLgWt8E5kWbcSNvbIxhLJGsTa7XUSyO2qSF9NtU9dLinxHeGEo3KfheOwsTJ84lSmZ-nlXoL5ltTl-00PpD3-J3OxW1Ab6Zi6u5vwzjA0oUiQdVA3769hxc9KhNbpGfeT0MzPyXyQOVyPg/Dbixhszrnpskrfhdmybztzypykrurds?download&psid=1
Set-Cookie: E=P:BCd2aLNu2Yg=:212iaWAXsmsezXzUWCZ1bCkU2/1gDiigsGe+ajKDGE0=:F; domain=.live.com; path=/
Set-Cookie: xid=9a88613a-5539-47a8-ba9d-d25bf0ac5208&&RD00155D6F9D7D&291; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Fri, 03-Sep-2021 06:38:28 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Fri, 10-Sep-2021 08:18:28 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD00155D6F9D7D
X-ODWebServer: northcentralus0-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 95815121D5B246F99B98401C4B70A78C Ref B: SLAEDGE1116 Ref C: 2021-09-03T08:18:27Z
Date: Fri, 03 Sep 2021 08:18:28 GMT
Content-Length: 0
GET 200 https://ya7p6a.sn.files.1drv.com/y4mwfXOKjaW69wYFkI3SGx3XTuEnz3xPlm0bryjw2gLBg6o-LSPkzMUDb6s5J_u7Bs8WP2vq4AreLgWt8E5kWbcSNvbIxhLJGsTa7XUSyO2qSF9NtU9dLinxHeGEo3KfheOwsTJ84lSmZ-nlXoL5ltTl-00PpD3-J3OxW1Ab6Zi6u5vwzjA0oUiQdVA3769hxc9KhNbpGfeT0MzPyXyQOVyPg/Dbixhszrnpskrfhdmybztzypykrurds?download&psid=1
Request
GET /y4mwfXOKjaW69wYFkI3SGx3XTuEnz3xPlm0bryjw2gLBg6o-LSPkzMUDb6s5J_u7Bs8WP2vq4AreLgWt8E5kWbcSNvbIxhLJGsTa7XUSyO2qSF9NtU9dLinxHeGEo3KfheOwsTJ84lSmZ-nlXoL5ltTl-00PpD3-J3OxW1Ab6Zi6u5vwzjA0oUiQdVA3769hxc9KhNbpGfeT0MzPyXyQOVyPg/Dbixhszrnpskrfhdmybztzypykrurds?download&psid=1 HTTP/1.1
User-Agent: zipo
Host: ya7p6a.sn.files.1drv.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 582656
Content-Type: application/octet-stream
Content-Location: https://ya7p6a.sn.files.1drv.com/y4mIG9Jxi_8qwq2kvXqvAKd25RG3DeXwARldEzb8Tf1M42pF72wusMtx9gVq_ZSoW2CqLl7KmcU349ahFn80sff_N-_Yk7etbhsXrKZ_MsIclZQE9RhT92otFkhh8yrirVU5uMvlb0QsdPaMh1a05mt3Ga7b7bFmXiz3P544yq62Vkj7V9YEDpBUDQeA0aKtE09
Expires: Thu, 02 Dec 2021 08:18:28 GMT
Last-Modified: Thu, 02 Sep 2021 14:43:55 GMT
Accept-Ranges: bytes
ETag: D6676A9A61E841F3!144.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: SN4PPF26EBAC6A9
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: vSOxw2QIgUCLQX61FHeDXA.0
X-SqlDataOrigin: S
CTag: aYzpENjY3NkE5QTYxRTg0MUYzITE0NC4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Dbixhszrnpskrfhdmybztzypykrurds"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.742.813.2004
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: AE9B61BA36BD444DA1FD4C81A9081BD5 Ref B: SLAEDGE1116 Ref C: 2021-09-03T08:18:28Z
Date: Fri, 03 Sep 2021 08:18:28 GMT
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21144&authkey=ADKru-6Ld-lJ97I
Request
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21144&authkey=ADKru-6Ld-lJ97I HTTP/1.1
User-Agent: aswe
Host: onedrive.live.com
Cache-Control: no-cache
Cookie: E=P:BCd2aLNu2Yg=:212iaWAXsmsezXzUWCZ1bCkU2/1gDiigsGe+ajKDGE0=:F; xid=9a88613a-5539-47a8-ba9d-d25bf0ac5208&&RD00155D6F9D7D&291; xidseq=1; wla42=
Response
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://ya7p6a.sn.files.1drv.com/y4md987bqpeXyH2yULsrm7vyAfWGLIv2wUJDK4ZcmIW_gedctayW5Tizvqt6qaXXNJCi0qgQVjqyPw6fyISiI2mCcGw1_2ug6rQFtxzfwu-KEuHO_Ym8-xZIhpf424sLtIZ6ywXv9lJ7JXVsQZB0q4xbTZYcCthKmj7ucINV_3gx9g_uBwYGTzab4Q0jSkxKc1_67ZLKtdM8MmXPgItTMFlog/Dbixhszrnpskrfhdmybztzypykrurds?download&psid=1
Set-Cookie: E=P:oYwZabNu2Yg=:TqtH/uhDTZm/AHejNMPF1AVdYN+1B+PsbptooSPE9dw=:F; domain=.live.com; path=/
Set-Cookie: xidseq=2; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Fri, 03-Sep-2021 06:38:29 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Fri, 10-Sep-2021 08:18:29 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD00155D6F6AF2
X-ODWebServer: northcentralus0-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: BE1D1401618B49FDB088FFE20E9B0B60 Ref B: SLAEDGE1116 Ref C: 2021-09-03T08:18:29Z
Date: Fri, 03 Sep 2021 08:18:29 GMT
Content-Length: 0
GET 200 https://ya7p6a.sn.files.1drv.com/y4md987bqpeXyH2yULsrm7vyAfWGLIv2wUJDK4ZcmIW_gedctayW5Tizvqt6qaXXNJCi0qgQVjqyPw6fyISiI2mCcGw1_2ug6rQFtxzfwu-KEuHO_Ym8-xZIhpf424sLtIZ6ywXv9lJ7JXVsQZB0q4xbTZYcCthKmj7ucINV_3gx9g_uBwYGTzab4Q0jSkxKc1_67ZLKtdM8MmXPgItTMFlog/Dbixhszrnpskrfhdmybztzypykrurds?download&psid=1
Request
GET /y4md987bqpeXyH2yULsrm7vyAfWGLIv2wUJDK4ZcmIW_gedctayW5Tizvqt6qaXXNJCi0qgQVjqyPw6fyISiI2mCcGw1_2ug6rQFtxzfwu-KEuHO_Ym8-xZIhpf424sLtIZ6ywXv9lJ7JXVsQZB0q4xbTZYcCthKmj7ucINV_3gx9g_uBwYGTzab4Q0jSkxKc1_67ZLKtdM8MmXPgItTMFlog/Dbixhszrnpskrfhdmybztzypykrurds?download&psid=1 HTTP/1.1
User-Agent: aswe
Host: ya7p6a.sn.files.1drv.com
Cache-Control: no-cache
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 582656
Content-Type: application/octet-stream
Content-Location: https://ya7p6a.sn.files.1drv.com/y4mIG9Jxi_8qwq2kvXqvAKd25RG3DeXwARldEzb8Tf1M42pF72wusMtx9gVq_ZSoW2CqLl7KmcU349ahFn80sff_N-_Yk7etbhsXrKZ_MsIclZQE9RhT92otFkhh8yrirVU5uMvlb0QsdPaMh1a05mt3Ga7b7bFmXiz3P544yq62Vkj7V9YEDpBUDQeA0aKtE09
Expires: Thu, 02 Dec 2021 08:18:29 GMT
Last-Modified: Thu, 02 Sep 2021 14:43:55 GMT
Accept-Ranges: bytes
ETag: D6676A9A61E841F3!144.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: SN3PPFCA8E1A9CB
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: 59x57hPb20eWudxeRM+gjQ.0
X-SqlDataOrigin: S
CTag: aYzpENjY3NkE5QTYxRTg0MUYzITE0NC4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Dbixhszrnpskrfhdmybztzypykrurds"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.749.824.2003
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: E2CF50861392416C961723AED5AA0F22 Ref B: SLAEDGE1013 Ref C: 2021-09-03T08:18:29Z
Date: Fri, 03 Sep 2021 08:18:28 GMT
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49202 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49201 -> 13.107.42.13:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49203 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49201 13.107.42.13:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | CN=onedrive.com | 50:2f:33:10:92:ac:27:7b:17:be:82:68:3b:e2:29:ad:97:41:b7:bb |
TLSv1 192.168.56.101:49203 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e |
TLSv1 192.168.56.101:49202 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e |
Snort Alerts
No Snort Alerts