Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
qcjbog.sn.files.1drv.com | CNAME sn-files.fe.1drv.com; CNAME l-0003.l-msedge.net | 13.107.42.12 |
saptransmissions.dvrlists.com | 185.140.53.32 | |
onedrive.live.com | CNAME l-0004.l-msedge.net | 13.107.42.13 |
TCP Requests
- 192.168.56.102:49165 -> 13.107.42.12:443 (qcjbog.sn.files.1drv.com)
- 192.168.56.102:49166 -> 13.107.42.12:443 (qcjbog.sn.files.1drv.com)
- 192.168.56.102:49164 -> 13.107.42.13:443 (onedrive.live.com)
- 192.168.56.102:49168 -> 185.140.53.32:6969 (saptransmissions.dvrlists.com)
- 192.168.56.102:49176 -> 185.140.53.32:6969 (saptransmissions.dvrlists.com)
- 192.168.56.102:49177 -> 185.140.53.32:6969 (saptransmissions.dvrlists.com)
UDP Requests
- 192.168.56.102:52062 -> 164.124.101.2:53
- 192.168.56.102:52336 -> 164.124.101.2:53
- 192.168.56.102:58838 -> 164.124.101.2:53
- 192.168.56.102:64034 -> 164.124.101.2:53
- 192.168.56.102:64995 -> 164.124.101.2:53
- 192.168.56.102:137 -> 192.168.56.255:137
- 192.168.56.102:138 -> 192.168.56.255:138
- 192.168.56.102:49152 -> 239.255.255.250:3702
- 192.168.56.102:49164 -> 239.255.255.250:1900
- 52.231.114.183:123 -> 192.168.56.102:123
HTTP Requests
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21156&authkey=ANROQ1PrS9e3Q48
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21156&authkey=ANROQ1PrS9e3Q48 HTTP/1.1
User-Agent: zipo
Host: onedrive.live.com
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://qcjbog.sn.files.1drv.com/y4mgO4fRklhtUF1Kf7SDAuSdekFB43L0BZG2UNSJJzh-_TpHGP6L2C6bE2XeW10uMQNRcY8oVM7xSbx2HEjYQneNDnVYoSeRsbSYjstbQwkWCvix9H4beDJsWaG7xC2_tIV_HFY0ac62q2WycHpONtiW6TQzJvUVQGbnG4J6Rbm6TwwKXpMBLQkVyTj1dZZEsvdFxZnBtQN1neiXukdj7r1Ag/Hjaysdpefymbyylradymneefuugtqzs?download&psid=1
Set-Cookie: E=P:DotZg1592Yg=:tTYYvaMV4bwkzY7Xwxc9nDqdqBl1awEmWrnNj/eCX0I=:F; domain=.live.com; path=/
Set-Cookie: xid=e35ae550-8123-4eee-bf4e-febf5a3d1e6e&&RD00155D99A498&310; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Tue, 21-Sep-2021 22:38:33 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Wed, 29-Sep-2021 00:18:33 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD00155D99A498
X-ODWebServer: eastus0-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: B06E56879A1D4B50B9DD83A2BC34E233 Ref B: SLAEDGE1116 Ref C: 2021-09-22T00:18:33Z
Date: Wed, 22 Sep 2021 00:18:33 GMT
Content-Length: 0
GET 200 https://qcjbog.sn.files.1drv.com/y4mgO4fRklhtUF1Kf7SDAuSdekFB43L0BZG2UNSJJzh-_TpHGP6L2C6bE2XeW10uMQNRcY8oVM7xSbx2HEjYQneNDnVYoSeRsbSYjstbQwkWCvix9H4beDJsWaG7xC2_tIV_HFY0ac62q2WycHpONtiW6TQzJvUVQGbnG4J6Rbm6TwwKXpMBLQkVyTj1dZZEsvdFxZnBtQN1neiXukdj7r1Ag/Hjaysdpefymbyylradymneefuugtqzs?download&psid=1
GET /y4mgO4fRklhtUF1Kf7SDAuSdekFB43L0BZG2UNSJJzh-_TpHGP6L2C6bE2XeW10uMQNRcY8oVM7xSbx2HEjYQneNDnVYoSeRsbSYjstbQwkWCvix9H4beDJsWaG7xC2_tIV_HFY0ac62q2WycHpONtiW6TQzJvUVQGbnG4J6Rbm6TwwKXpMBLQkVyTj1dZZEsvdFxZnBtQN1neiXukdj7r1Ag/Hjaysdpefymbyylradymneefuugtqzs?download&psid=1 HTTP/1.1
User-Agent: zipo
Host: qcjbog.sn.files.1drv.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 844288
Content-Type: application/octet-stream
Content-Location: https://qcjbog.sn.files.1drv.com/y4ma3J08Cdhhh1LMhPOfa26nPHL0iuUExGTNtS29IvRgLDK1UaLTPqYx4Fz6fPSD3MhXfucy3doG5T_MO-Q1ZhaFF0cgau80BMlgNj44m1VPk5u4iGdCPgLQeXY_n3F8TCkpohLHbB9mdgxhpE9dIG7uDzp_ORnGKAmx4pG8MhWd2w1vLn6X8PG_3KbUrkgvkH-
Expires: Tue, 21 Dec 2021 00:18:34 GMT
Last-Modified: Tue, 21 Sep 2021 16:50:59 GMT
Accept-Ranges: bytes
ETag: D6676A9A61E841F3!156.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: SN3PPF6252E65D5
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: SAg1ZuBQjUSjom5kZuf6vA.0
X-SqlDataOrigin: S
CTag: aYzpENjY3NkE5QTYxRTg0MUYzITE1Ni4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Hjaysdpefymbyylradymneefuugtqzs"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.758.906.2003
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: ACADBCDE53474B269D0259658B85C953 Ref B: SLAEDGE1120 Ref C: 2021-09-22T00:18:34Z
Date: Wed, 22 Sep 2021 00:18:34 GMT
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21156&authkey=ANROQ1PrS9e3Q48
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21156&authkey=ANROQ1PrS9e3Q48 HTTP/1.1
User-Agent: aswe
Host: onedrive.live.com
Cache-Control: no-cache
Cookie: E=P:DotZg1592Yg=:tTYYvaMV4bwkzY7Xwxc9nDqdqBl1awEmWrnNj/eCX0I=:F; xid=e35ae550-8123-4eee-bf4e-febf5a3d1e6e&&RD00155D99A498&310; xidseq=1; wla42=
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://qcjbog.sn.files.1drv.com/y4mwPvoB139FtnSuJDqawwFNrcMC4wICzbZ5StKfB9Jl3d1tkQ2nIuBercAh2QA07rsukuKVCT0UY-yfJP7VXdaTqc2zcbRyN_idSMKGz19IiTB5xRsHlrEFB_gGUbINfT7jH_zIDa613Uk5Vo5ud_8Pdvi8EsEmPHIeNkPZucU_ax5iWnlwcXrjm3MRNEVdP4qFf0wHiaX8G6R1EjzzPbmZg/Hjaysdpefymbyylradymneefuugtqzs?download&psid=1
Set-Cookie: E=P:a+Y+hF592Yg=:V3/+R8f5Q2XGRuXCwM5O0/MfktQEBvOx+4zOg7MwkAQ=:F; domain=.live.com; path=/
Set-Cookie: xidseq=2; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Tue, 21-Sep-2021 22:38:34 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Wed, 29-Sep-2021 00:18:35 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD00155D99A498
X-ODWebServer: eastus0-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: FB38FBAF05FD4DA2AF1B5D4435219828 Ref B: SLAEDGE1116 Ref C: 2021-09-22T00:18:34Z
Date: Wed, 22 Sep 2021 00:18:34 GMT
Content-Length: 0
GET 200 https://qcjbog.sn.files.1drv.com/y4mwPvoB139FtnSuJDqawwFNrcMC4wICzbZ5StKfB9Jl3d1tkQ2nIuBercAh2QA07rsukuKVCT0UY-yfJP7VXdaTqc2zcbRyN_idSMKGz19IiTB5xRsHlrEFB_gGUbINfT7jH_zIDa613Uk5Vo5ud_8Pdvi8EsEmPHIeNkPZucU_ax5iWnlwcXrjm3MRNEVdP4qFf0wHiaX8G6R1EjzzPbmZg/Hjaysdpefymbyylradymneefuugtqzs?download&psid=1
GET /y4mwPvoB139FtnSuJDqawwFNrcMC4wICzbZ5StKfB9Jl3d1tkQ2nIuBercAh2QA07rsukuKVCT0UY-yfJP7VXdaTqc2zcbRyN_idSMKGz19IiTB5xRsHlrEFB_gGUbINfT7jH_zIDa613Uk5Vo5ud_8Pdvi8EsEmPHIeNkPZucU_ax5iWnlwcXrjm3MRNEVdP4qFf0wHiaX8G6R1EjzzPbmZg/Hjaysdpefymbyylradymneefuugtqzs?download&psid=1 HTTP/1.1
User-Agent: aswe
Host: qcjbog.sn.files.1drv.com
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 844288
Content-Type: application/octet-stream
Content-Location: https://qcjbog.sn.files.1drv.com/y4ma3J08Cdhhh1LMhPOfa26nPHL0iuUExGTNtS29IvRgLDK1UaLTPqYx4Fz6fPSD3MhXfucy3doG5T_MO-Q1ZhaFF0cgau80BMlgNj44m1VPk5u4iGdCPgLQeXY_n3F8TCkpohLHbB9mdgxhpE9dIG7uDzp_ORnGKAmx4pG8MhWd2w1vLn6X8PG_3KbUrkgvkH-
Expires: Tue, 21 Dec 2021 00:18:35 GMT
Last-Modified: Tue, 21 Sep 2021 16:50:59 GMT
Accept-Ranges: bytes
ETag: D6676A9A61E841F3!156.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: SN3PPF7BC3A1214
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: 79AZ0GPDakGCBconFlXTAA.0
X-SqlDataOrigin: S
CTag: aYzpENjY3NkE5QTYxRTg0MUYzITE1Ni4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Hjaysdpefymbyylradymneefuugtqzs"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.758.906.2003
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 2CA44418A6354E2A9AD14AE6C6029881 Ref B: SLAEDGE1118 Ref C: 2021-09-22T00:18:35Z
Date: Wed, 22 Sep 2021 00:18:35 GMT
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49164 -> 13.107.42.13:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49166 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49165 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.3 192.168.56.102:49168 -> 185.140.53.32:6969 | None | None | None |
TLS 1.3 192.168.56.102:49177 -> 185.140.53.32:6969 | None | None | None |
TLSv1 192.168.56.102:49164 -> 13.107.42.13:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | CN=onedrive.com | 50:2f:33:10:92:ac:27:7b:17:be:82:68:3b:e2:29:ad:97:41:b7:bb |
TLSv1 192.168.56.102:49166 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e |
TLSv1 192.168.56.102:49165 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e |
TLS 1.3 192.168.56.102:49176 -> 185.140.53.32:6969 | None | None | None |
Snort Alerts
No Snort Alerts