Network Analysis
DNS
Name | Response | Post-Analysis Lookup |
---|---|---|
www.twitter.com | CNAME twitter.com; 104.244.42.193 | |
store2.gofile.io | 31.14.69.10 | |
www.google.com | 172.217.31.132 | |
www.facebook.com | 157.240.215.35 | |
UDP Requests
- 192.168.56.101:54056 -> 164.124.101.2:53 (DNS)
- 192.168.56.101:55450 -> 164.124.101.2:53 (DNS)
- 192.168.56.101:59369 -> 164.124.101.2:53 (DNS)
- 192.168.56.101:61479 -> 164.124.101.2:53 (DNS)
- 192.168.56.101:62324 -> 164.124.101.2:53 (DNS)
- 192.168.56.101:65329 -> 164.124.101.2:53 (DNS)
- 192.168.56.101:137 -> 192.168.56.255:137 (NetBIOS name service, local broadcast)
- 192.168.56.101:138 -> 192.168.56.255:138 (NetBIOS datagram service, local broadcast)
- 192.168.56.101:49152 -> 239.255.255.250:3702 (WS-Discovery multicast)
- 192.168.56.101:54057 -> 239.255.255.250:3702 (WS-Discovery multicast)
- 192.168.56.101:62327 -> 239.255.255.250:1900 (SSDP multicast)
- 192.168.56.101:62329 -> 239.255.255.250:3702 (WS-Discovery multicast)
- 192.168.56.101:62331 -> 239.255.255.250:3702 (WS-Discovery multicast)
- 52.231.114.183:123 -> 192.168.56.101:123 (NTP reply)

Apart from the six DNS queries, this is the usual Windows guest background traffic (NetBIOS broadcasts, WS-Discovery and SSDP multicast, an NTP reply) and is not attributable to the sample on its own.
HTTP Requests
Method | Status | URL |
---|---|---|
GET | 200 | https://store2.gofile.io/download/af6f96d2-cbdd-494d-a0c4-3806faa01406/Entban.dll |

Request:
GET /download/af6f96d2-cbdd-494d-a0c4-3806faa01406/Entban.dll HTTP/1.1
Host: store2.gofile.io
Connection: Keep-Alive

Response:
HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Content-Disposition: attachment; filename="Entban.dll"
Content-Length: 556560
Content-Type: application/octet-stream
Date: Wed, 22 Sep 2021 00:22:55 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Powered-By: Express
X-Xss-Protection: 1; mode=block
ICMP traffic
Source | Destination | ICMP Type | Data |
---|---|---|---|
192.168.56.101 | 104.244.42.1 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
104.244.42.1 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 104.244.42.1 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
104.244.42.1 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 104.244.42.1 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
104.244.42.1 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 104.244.42.1 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
104.244.42.1 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 157.240.215.35 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
157.240.215.35 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 157.240.215.35 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
157.240.215.35 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 157.240.215.35 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
157.240.215.35 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 157.240.215.35 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
157.240.215.35 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 204.79.197.200 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
204.79.197.200 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 204.79.197.200 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
204.79.197.200 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 204.79.197.200 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
204.79.197.200 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 204.79.197.200 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
204.79.197.200 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 216.58.200.68 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
216.58.200.68 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 216.58.200.68 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
216.58.200.68 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 216.58.200.68 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
216.58.200.68 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 216.58.200.68 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
216.58.200.68 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
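The report prints the raw records but not the triage a responder does with them. Two things stand out: the HTTP record is a direct download of a DLL served as an attachment from a file-sharing host, and every ICMP row carries the 32-byte `abcdefghijklmnopqrstuvwabcdefghi` payload that Windows ping.exe sends by default, aimed at public addresses. Since the payload is the ping.exe default rather than anything sample-specific, the pings look like a connectivity check (does the guest have Internet access?) rather than ICMP tunnelling. The script below is an added example, not part of the sandbox report or its tooling: it parses a subset of the rows above (copied in as constructed sample input), rebuilds the download IOC from the request/response headers, and flags which public hosts were probed and which answered. The `https://` scheme is taken from the report's URL line, since the request line itself carries none, and the sandbox address `192.168.56.101` is the one shown in the tables.

```python
"""Triage helpers for the network section above: extract the download IOC from
the HTTP record and flag the ICMP connectivity probes. Added example; the
sample inputs are rows copied from the report tables, not a live capture."""
import ipaddress
import re

# Default 32-byte payload that Windows ping.exe places in ICMP echo requests.
WINDOWS_PING_PAYLOAD = "abcdefghijklmnopqrstuvwabcdefghi"

# Constructed sample: a subset of the ICMP rows from the report table above.
ICMP_ROWS = """\
192.168.56.101 | 104.244.42.1 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
104.244.42.1 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 157.240.215.35 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
157.240.215.35 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 204.79.197.200 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
192.168.56.101 | 216.58.200.68 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
216.58.200.68 | 192.168.56.101 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
"""

# Constructed sample: the request line and headers from the HTTP record above.
HTTP_RECORD = """\
GET /download/af6f96d2-cbdd-494d-a0c4-3806faa01406/Entban.dll HTTP/1.1
Host: store2.gofile.io
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Disposition: attachment; filename="Entban.dll"
Content-Length: 556560
Content-Type: application/octet-stream
"""


def parse_icmp_rows(text):
    """Parse 'src | dst | type | data |' rows into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[2].isdigit():
            continue
        src, dst, icmp_type, data = cells
        rows.append({"src": src, "dst": dst, "type": int(icmp_type), "data": data})
    return rows


def connectivity_probes(rows, sandbox_ip):
    """Echo requests (type 8) from the sandbox host to public addresses that carry
    the Windows default ping payload, keyed by destination, with the request
    count and whether an echo reply (type 0) came back from that host."""
    requests = {}
    replied = set()
    for r in rows:
        if (r["type"] == 8 and r["src"] == sandbox_ip
                and r["data"] == WINDOWS_PING_PAYLOAD
                and ipaddress.ip_address(r["dst"]).is_global):
            requests[r["dst"]] = requests.get(r["dst"], 0) + 1
        elif r["type"] == 0 and r["dst"] == sandbox_ip:
            replied.add(r["src"])
    return {dst: {"requests": n, "replied": dst in replied}
            for dst, n in requests.items()}


def parse_http_download(text):
    """Rebuild the download URL and file metadata from a request/response pair
    as printed in the report (request line, then headers of both messages)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    method, path, _version = lines[0].split()
    status = None
    headers = {}
    for line in lines[1:]:
        if line.startswith("HTTP/"):
            status = int(line.split()[1])
        elif ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    disposition = headers.get("content-disposition", "")
    match = re.search(r'filename="([^"]+)"', disposition)
    return {
        "method": method,
        # scheme assumed https, as shown in the report's URL line (the request line has none)
        "url": "https://" + headers["host"] + path,
        "status": status,
        "filename": match.group(1) if match else path.rsplit("/", 1)[-1],
        "size": int(headers.get("content-length", "0")),
        # octet-stream plus an attachment disposition is a file download, not a page
        "file_download": (headers.get("content-type") == "application/octet-stream"
                          and disposition.startswith("attachment")),
    }


def triage(sandbox_ip="192.168.56.101"):
    """Summary a responder would paste into a ticket: the dropped file and the
    public hosts pinged to confirm the guest has Internet access."""
    download = parse_http_download(HTTP_RECORD)
    probes = connectivity_probes(parse_icmp_rows(ICMP_ROWS), sandbox_ip)
    return {"download": download, "probes": probes,
            "probes_answered": sum(p["replied"] for p in probes.values())}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

Filtering on `is_global` drops pings to the local subnet (a gateway check would otherwise be counted as a probe), and comparing the payload against the ping.exe default is what separates an OS-level connectivity check from a sample that stuffs its own data into echo requests; an unanswered probe, such as the one to 204.79.197.200 in the sample rows, is worth noting because some samples stop executing when the check fails.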
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49207 -> 31.14.69.10:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.101:49207 -> 31.14.69.10:443 | C=US, O=Let's Encrypt, CN=R3 | CN=*.gofile.io | 4c:cc:6b:32:8f:55:d8:cc:fa:f4:4d:ae:80:a1:dd:b7:e3:e2:84:ae |

This is the same flow (client port 49207) that raised the SSLBL JA3 alert above, and 31.14.69.10 is the address store2.gofile.io resolved to, so the flagged handshake is the one that fetched Entban.dll. A JA3 match fingerprints the client's TLS handshake profile, not the binary itself, so the Tofsee label is a lead to confirm against the downloaded DLL rather than a conclusive attribution.
Snort Alerts
No Snort Alerts