Network Analysis
- TCP Requests
-
-
192.168.56.102:49171 104.21.31.210:443a.upstloans.net
-
192.168.56.102:49174 104.21.31.210:443a.upstloans.net
-
192.168.56.102:49175 104.21.31.210:443a.upstloans.net
-
192.168.56.102:49176 104.21.31.210:443a.upstloans.net
-
192.168.56.102:49164 104.21.79.144:443a.goatgame.co
-
192.168.56.102:49173 104.74.211.103:80x1.c.lencr.org
-
192.168.56.102:49172 182.162.106.26:80crl.identrust.com
-
192.168.56.102:49170 208.95.112.1:80ip-api.com
-
- UDP Requests
-
-
192.168.56.102:52062 164.124.101.2:53
-
192.168.56.102:52336 164.124.101.2:53
-
192.168.56.102:54322 164.124.101.2:53
-
192.168.56.102:58838 164.124.101.2:53
-
192.168.56.102:61115 164.124.101.2:53
-
192.168.56.102:64034 164.124.101.2:53
-
192.168.56.102:64472 164.124.101.2:53
-
192.168.56.102:64995 164.124.101.2:53
-
192.168.56.102:137 192.168.56.255:137
-
192.168.56.102:138 192.168.56.255:138
-
192.168.56.102:49152 239.255.255.250:3702
-
192.168.56.102:49164 239.255.255.250:1900
-
192.168.56.102:52063 34.97.69.225:53google.vrthcobj.com
-
GET
200
https://a.goatgame.co/userf/dat/2201/sqlite.dat
REQUEST
RESPONSE
BODY
GET /userf/dat/2201/sqlite.dat HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: a.goatgame.co
HTTP/1.1 200 OK
Date: Thu, 09 Sep 2021 00:00:35 GMT
Content-Length: 578669
Connection: keep-alive
last-modified: Wed, 28 Jul 2021 11:35:54 GMT
etag: "8d46d-5c82d63a8d95c"
accept-ranges: bytes
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vwXivLvzEkj8NzuRhnJ%2FpZqNV2vbB3ypovBI7DA7nuT06mwkJwR1NW%2B%2FaFFYbAH18tVknCBAXMbgYY8JPoF28LPcl0tLj31VPgTOXmPIwWknAKRrcMGQWFGTyzf7uAQE"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bc231d4dbf0a8a-KIX
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET
200
https://a.goatgame.co/userf/dat/sqlite.dll
REQUEST
RESPONSE
BODY
GET /userf/dat/sqlite.dll HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: a.goatgame.co
HTTP/1.1 200 OK
Date: Thu, 09 Sep 2021 00:00:36 GMT
Content-Type: application/x-msdownload
Content-Length: 13312
Connection: keep-alive
last-modified: Fri, 27 Aug 2021 04:30:17 GMT
etag: "3400-5ca82f0bd6e46"
accept-ranges: bytes
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=TfYS1PH6xgWZKhbATJuFBQeFjUmUciQJSrEB6ccxBbo36ZsVCRRwHnOk1zawMtPvS3wGvy8fltpuvHPOGFSf5EBIN%2BeQckY2VDQ0pwjtINPMKiowSBlY9Vh%2FU65Y14av"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bc23211c670a8a-KIX
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
POST
200
https://a.upstloans.net/report7.4.php
REQUEST
RESPONSE
BODY
POST /report7.4.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Host: a.upstloans.net
Content-Length: 282
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 09 Sep 2021 00:00:50 GMT
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=gzbYk5ReBCT3l7mjPSI3rA2K9ezRjC4mj%2Bnram9bS923PYdbVLYLc61TDqofxDe%2B6qhRycIvalLuJ1J2Mjz3sQFzaZHOGh%2Blq5qwhN9jkTRpXqCNGihAoBVCnk%2FdLs9QSdA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bc237c2fa30a92-KIX
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
POST
200
https://b.upstloans.net/report7.4.php
REQUEST
RESPONSE
BODY
POST /report7.4.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Host: b.upstloans.net
Content-Length: 282
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 09 Sep 2021 00:00:51 GMT
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=f%2FRRNVZ2%2FG2OgKWRWSwzRMYSM5PXj2qdTuHLUjr8QojzW3Td2AQSpnDwevJnkjbZSBAY5VlEnfBg4e%2FeOznqZLzyw5mNtPaIzfU65TWJEEspzXgfVyhEgRnNuTbonHGni%2BQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bc237e6eb20a6e-KIX
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
POST
200
https://a.upstloans.net/report7.4.php
REQUEST
RESPONSE
BODY
POST /report7.4.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Host: a.upstloans.net
Content-Length: 282
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 09 Sep 2021 00:00:51 GMT
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=9BpCkxGnp3K1reg%2B0JD0CHeeBzBPX92qeKJ3KD1dPqmba5htZJs0AIGMrrwwIAgFJKf1nc8eoOVyk6yW%2BuLrzrsQx5kilV3Qd7hZpUDd7YdT%2FvSw9WPZ4NUAbvqiXuj9GCU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bc23806a4dfce9-KIX
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
POST
200
https://a.upstloans.net/report7.4.php
REQUEST
RESPONSE
BODY
POST /report7.4.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Host: a.upstloans.net
Content-Length: 254
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 09 Sep 2021 00:00:51 GMT
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yn1idQR9bh4ZA58wwOuM9gkU1G5AmsKvVvOdBBlq6WZSJGHIq973S0Ab2xjXAyvj4NIA00viuMjOU1nA30NDHbG3wtUzx%2Ff2%2FcYkL1vy3sANi0%2Be9mLyZ2gByGOc9j3j6Bw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bc23827905fbd0-KIX
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET
200
http://ip-api.com/json/?fields=8198
REQUEST
RESPONSE
BODY
GET /json/?fields=8198 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Host: ip-api.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 09 Sep 2021 00:00:40 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 60
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
GET
200
http://crl.identrust.com/DSTROOTCAX3CRL.crl
REQUEST
RESPONSE
BODY
GET /DSTROOTCAX3CRL.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.identrust.com
HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' *.identrust.com
Last-Modified: Wed, 18 Aug 2021 20:24:25 GMT
ETag: "4a6-5c9db386ca01d"
Accept-Ranges: bytes
Content-Length: 1190
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkix-crl
Cache-Control: max-age=3600
Expires: Thu, 09 Sep 2021 01:00:46 GMT
Date: Thu, 09 Sep 2021 00:00:46 GMT
Connection: keep-alive
GET
200
http://x1.c.lencr.org/
REQUEST
RESPONSE
BODY
GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: x1.c.lencr.org
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/pkix-crl
Last-Modified: Mon, 26 Jul 2021 16:20:55 GMT
ETag: "60fee0e7-2cd"
Cache-Control: max-age=3600
Expires: Thu, 09 Sep 2021 01:00:50 GMT
Date: Thu, 09 Sep 2021 00:00:50 GMT
Content-Length: 717
Connection: keep-alive
GET
200
http://ip-api.com/json/?fields=8198
REQUEST
RESPONSE
BODY
GET /json/?fields=8198 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Host: ip-api.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 09 Sep 2021 00:00:50 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 60
Access-Control-Allow-Origin: *
X-Ttl: 50
X-Rl: 43
GET
200
http://ip-api.com/json/?fields=8198
REQUEST
RESPONSE
BODY
GET /json/?fields=8198 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Host: ip-api.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 09 Sep 2021 00:00:50 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 60
Access-Control-Allow-Origin: *
X-Ttl: 50
X-Rl: 42
GET
200
http://ip-api.com/json/?fields=8198
REQUEST
RESPONSE
BODY
GET /json/?fields=8198 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Host: ip-api.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 09 Sep 2021 00:00:51 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 60
Access-Control-Allow-Origin: *
X-Ttl: 49
X-Rl: 41
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.102:49164 -> 104.21.79.144:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.102:49170 -> 208.95.112.1:80 | 2022082 | ET POLICY External IP Lookup ip-api.com | Device Retrieving External IP Address Detected |
| TCP 192.168.56.102:49170 -> 208.95.112.1:80 | 2022082 | ET POLICY External IP Lookup ip-api.com | Device Retrieving External IP Address Detected |
| TCP 192.168.56.102:49170 -> 208.95.112.1:80 | 2022082 | ET POLICY External IP Lookup ip-api.com | Device Retrieving External IP Address Detected |
| TCP 192.168.56.102:49170 -> 208.95.112.1:80 | 2022082 | ET POLICY External IP Lookup ip-api.com | Device Retrieving External IP Address Detected |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.102:49164 104.21.79.144:443 |
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 2f:1b:f4:da:ad:da:2a:22:ea:dc:26:f0:35:83:25:0d:5d:29:4d:fb |
|
TLSv1 192.168.56.102:49176 104.21.31.210:443 |
None | None | None |
|
TLSv1 192.168.56.102:49171 104.21.31.210:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=*.upstloans.net | 12:ed:3c:4a:ff:c2:a1:8d:83:7a:48:18:92:32:52:dc:a3:6f:83:f7 |
|
TLSv1 192.168.56.102:49174 104.21.31.210:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=*.upstloans.net | 12:ed:3c:4a:ff:c2:a1:8d:83:7a:48:18:92:32:52:dc:a3:6f:83:f7 |
|
TLSv1 192.168.56.102:49175 104.21.31.210:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=*.upstloans.net | 12:ed:3c:4a:ff:c2:a1:8d:83:7a:48:18:92:32:52:dc:a3:6f:83:f7 |
Snort Alerts
No Snort Alerts