Network Analysis
DNS Requests
Name | Response | Post-Analysis Lookup |
---|---|---|
www.facebook.com | 157.240.215.35 | |
store2.gofile.io | 31.14.69.10 | |
www.google.com | 172.217.25.228 | |
www.twitter.com | CNAME twitter.com; 104.244.42.193 | |
UDP Requests
- 192.168.56.101:54056 -> 164.124.101.2:53
- 192.168.56.101:55450 -> 164.124.101.2:53
- 192.168.56.101:59369 -> 164.124.101.2:53
- 192.168.56.101:61479 -> 164.124.101.2:53
- 192.168.56.101:62324 -> 164.124.101.2:53
- 192.168.56.101:65329 -> 164.124.101.2:53
- 192.168.56.101:137 -> 192.168.56.255:137
- 192.168.56.101:138 -> 192.168.56.255:138
- 192.168.56.101:49152 -> 239.255.255.250:3702
- 192.168.56.101:54057 -> 239.255.255.250:3702
- 192.168.56.101:62327 -> 239.255.255.250:1900
- 192.168.56.101:62329 -> 239.255.255.250:3702
- 192.168.56.101:62331 -> 239.255.255.250:3702
- 52.231.114.183:123 -> 192.168.56.101:123
HTTP Requests
Method | Status | URL |
---|---|---|
GET | 200 | https://store2.gofile.io/download/5c9d4064-4708-4f82-b830-1ebe74778b3b/Luwwfkikt.dll |

Request:

```http
GET /download/5c9d4064-4708-4f82-b830-1ebe74778b3b/Luwwfkikt.dll HTTP/1.1
Host: store2.gofile.io
Connection: Keep-Alive
```

Response (headers only; the body is not shown in the report):

```http
HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Content-Disposition: attachment; filename="Luwwfkikt.dll"
Content-Length: 907562
Content-Type: application/octet-stream
Date: Wed, 22 Sep 2021 00:20:42 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Powered-By: Express
X-Xss-Protection: 1; mode=block
```
ICMP traffic
Source | Destination | ICMP Type | Data |
---|---|---|---|
192.168.56.101 | 104.244.42.129 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
104.244.42.129 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 104.244.42.129 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
104.244.42.129 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 104.244.42.129 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
104.244.42.129 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 104.244.42.129 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
104.244.42.129 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 142.250.66.68 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
142.250.66.68 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 142.250.66.68 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
142.250.66.68 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 142.250.66.68 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
142.250.66.68 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 142.250.66.68 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
142.250.66.68 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 157.240.215.35 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
157.240.215.35 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 157.240.215.35 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
157.240.215.35 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 157.240.215.35 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
157.240.215.35 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 157.240.215.35 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
157.240.215.35 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 204.79.197.200 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
204.79.197.200 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 204.79.197.200 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
204.79.197.200 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 204.79.197.200 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
204.79.197.200 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 204.79.197.200 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
204.79.197.200 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49206 -> 31.14.69.10:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.101:49206 -> 31.14.69.10:443 | C=US, O=Let's Encrypt, CN=R3 | CN=*.gofile.io | 4c:cc:6b:32:8f:55:d8:cc:fa:f4:4d:ae:80:a1:dd:b7:e3:e2:84:ae |
Snort Alerts
No Snort Alerts