Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
builder.pp.ru | 185.244.41.39 | |
GET 200 https://builder.pp.ru/testqcwqebqweqwe.dll
Request:
GET /testqcwqebqweqwe.dll HTTP/1.1
Host: builder.pp.ru
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Date: Wed, 08 Sep 2021 01:09:29 GMT
Server: Apache/2.4.25 (Debian) mod_fcgid/2.3.9 OpenSSL/1.0.2u
Last-Modified: Sat, 04 Sep 2021 19:00:41 GMT
ETag: "2ee00-5cb30084c0043"
Accept-Ranges: bytes
Content-Length: 192000
Connection: close
Content-Type: application/x-msdos-program
GET 404 http://95.215.205.85/638394261.exe
Request:
GET /638394261.exe HTTP/1.1
Host: 95.215.205.85
Connection: Keep-Alive
Response:
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/10.0
Date: Wed, 08 Sep 2021 01:09:31 GMT
Content-Length: 1245
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49165 -> 95.215.205.85:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | A Network Trojan was detected |
TCP 192.168.56.102:49164 -> 185.244.41.39:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.102:49164 -> 185.244.41.39:443 | C=US, O=Let's Encrypt, CN=R3 | CN=builder.pp.ru | f5:a6:86:aa:ac:60:8d:af:fa:e4:83:56:09:f9:43:62:e0:34:80:e8 |
Snort Alerts
No Snort Alerts