Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
trapboijiggy.dvrlists.com | 31.3.152.100 | |
onedrive.live.com | CNAME l-0004.l-msedge.net | 13.107.42.13 |
l5celg.sn.files.1drv.com | CNAME sn-files.fe.1drv.com, CNAME l-0003.l-msedge.net | 13.107.42.12 |
TCP Requests
- 192.168.56.101:49201 -> 13.107.42.12:443 (l5celg.sn.files.1drv.com)
- 192.168.56.101:49202 -> 13.107.42.12:443 (l5celg.sn.files.1drv.com)
- 192.168.56.101:49200 -> 13.107.42.13:443 (onedrive.live.com)
- 192.168.56.101:49204 -> 31.3.152.100:54614 (trapboijiggy.dvrlists.com)
- 192.168.56.101:49212 -> 31.3.152.100:54614 (trapboijiggy.dvrlists.com)
- 192.168.56.101:49213 -> 31.3.152.100:54614 (trapboijiggy.dvrlists.com)
UDP Requests
- 192.168.56.101:54056 -> 164.124.101.2:53
- 192.168.56.101:59369 -> 164.124.101.2:53
- 192.168.56.101:61479 -> 164.124.101.2:53
- 192.168.56.101:62324 -> 164.124.101.2:53
- 192.168.56.101:137 -> 192.168.56.255:137
- 192.168.56.101:138 -> 192.168.56.255:138
- 192.168.56.101:49152 -> 239.255.255.250:3702
- 192.168.56.101:62327 -> 239.255.255.250:1900
- 192.168.56.101:62329 -> 239.255.255.250:3702
- 192.168.56.101:62331 -> 239.255.255.250:3702
- 52.231.114.183:123 -> 192.168.56.101:123
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21164&authkey=ANROjRWx1nqVZnY
REQUEST
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21164&authkey=ANROjRWx1nqVZnY HTTP/1.1
User-Agent: zipo
Host: onedrive.live.com
RESPONSE
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://l5celg.sn.files.1drv.com/y4mLv-GqBjhaOB-mLJQgnVgkJCnpmMVYtpQjObQnaZ2ICEvU_3slIlmM8hKoW6fzonHpOKQj9HLBz9pb93NCO-pwHLbMUwkj2_g8d-Aei7CkflN5HcEdHSyc0HTOihKZZ_mpA1Nxy9Rc64DBQqnSkxz0WCtr49llNeElSJ-6Gtwio1lzIg6B36LMbCy2OD_H-_Z-c6mpVGqdMQEpgm4NsDO7w/Ykpsyzzdkhppcdowwcfwlzpgevpatcf?download&psid=1
Set-Cookie: E=P:1ipQ8DF/2Yg=:17+Nl1/J+nP6cTXa+5WaEiHUs3qdertTqYnABg8PLUM=:F; domain=.live.com; path=/
Set-Cookie: xid=1e7b9b42-ac20-4a41-96c2-682841e194fb&&RD00155D999901&312; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Fri, 24-Sep-2021 06:24:31 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Fri, 01-Oct-2021 08:04:31 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD00155D999901
X-ODWebServer: eastus0-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 4410AFF3E38B482ABE37CD81C9C7F675 Ref B: SLAEDGE1112 Ref C: 2021-09-24T08:04:31Z
Date: Fri, 24 Sep 2021 08:04:31 GMT
Content-Length: 0
GET 200 https://l5celg.sn.files.1drv.com/y4mLv-GqBjhaOB-mLJQgnVgkJCnpmMVYtpQjObQnaZ2ICEvU_3slIlmM8hKoW6fzonHpOKQj9HLBz9pb93NCO-pwHLbMUwkj2_g8d-Aei7CkflN5HcEdHSyc0HTOihKZZ_mpA1Nxy9Rc64DBQqnSkxz0WCtr49llNeElSJ-6Gtwio1lzIg6B36LMbCy2OD_H-_Z-c6mpVGqdMQEpgm4NsDO7w/Ykpsyzzdkhppcdowwcfwlzpgevpatcf?download&psid=1
REQUEST
GET /y4mLv-GqBjhaOB-mLJQgnVgkJCnpmMVYtpQjObQnaZ2ICEvU_3slIlmM8hKoW6fzonHpOKQj9HLBz9pb93NCO-pwHLbMUwkj2_g8d-Aei7CkflN5HcEdHSyc0HTOihKZZ_mpA1Nxy9Rc64DBQqnSkxz0WCtr49llNeElSJ-6Gtwio1lzIg6B36LMbCy2OD_H-_Z-c6mpVGqdMQEpgm4NsDO7w/Ykpsyzzdkhppcdowwcfwlzpgevpatcf?download&psid=1 HTTP/1.1
User-Agent: zipo
Host: l5celg.sn.files.1drv.com
Connection: Keep-Alive
RESPONSE
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 868352
Content-Type: application/octet-stream
Content-Location: https://l5celg.sn.files.1drv.com/y4m86OePXFqiu4zTc91EZvknfnkU1TdARuTxMWW4wYEc8PtdI35fRa_E9ph9SuVunCjIoWeb4AV7H9q48J1eJ7KQ6XiZ_e-e0hZ7wZ3G5wABu2FfNIpHs2RWQq4ivSzWlcGDQrkrBFHK6QHKr3-oeMY4v4UOpmQm8-18RpX08aJAn4JQ6pxTeNJglfLPy6wX121
Expires: Thu, 23 Dec 2021 08:04:32 GMT
Last-Modified: Thu, 23 Sep 2021 14:05:40 GMT
Accept-Ranges: bytes
ETag: D6676A9A61E841F3!164.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: SN4PPF8B1BBE1A8
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: 2FuxP7bL+kK+pZXVtYf4mQ.0
X-SqlDataOrigin: S
CTag: aYzpENjY3NkE5QTYxRTg0MUYzITE2NC4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Ykpsyzzdkhppcdowwcfwlzpgevpatcf"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.758.906.2003
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 339F2C7021494646BBD0C4AC240EA24A Ref B: SLAEDGE1019 Ref C: 2021-09-24T08:04:31Z
Date: Fri, 24 Sep 2021 08:04:31 GMT
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21164&authkey=ANROjRWx1nqVZnY
REQUEST
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21164&authkey=ANROjRWx1nqVZnY HTTP/1.1
User-Agent: aswe
Host: onedrive.live.com
Cache-Control: no-cache
Cookie: E=P:1ipQ8DF/2Yg=:17+Nl1/J+nP6cTXa+5WaEiHUs3qdertTqYnABg8PLUM=:F; xid=1e7b9b42-ac20-4a41-96c2-682841e194fb&&RD00155D999901&312; xidseq=1; wla42=
RESPONSE
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://l5celg.sn.files.1drv.com/y4miF6XlED8SY5--LgS44ahEhDcYCFwMTUFKt2cmNHEgwJC3dqKFsQUhuZ46dpQaoIwHZ9KrpMep0rTZkQKeIKr3PZ5VY_INk0UmRCYL9Fuve_Yapbe60tK7jScYNy1Diy91sotH3hSU3uEuESB1dR0pXlM2-y46BCMiXPgUnjHMhiUL6snOzGjoSuvMFM7tYUHYBSIwPEsZwIMl7BeBoMmvw/Ykpsyzzdkhppcdowwcfwlzpgevpatcf?download&psid=1
Set-Cookie: E=P:GCIK8TF/2Yg=:M770spkUFn4OFtYZcM6PWeREuq1+200eeE7Mjfw5Yf8=:F; domain=.live.com; path=/
Set-Cookie: xidseq=2; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Fri, 24-Sep-2021 06:24:32 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Fri, 01-Oct-2021 08:04:32 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD00155D999901
X-ODWebServer: eastus0-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 3E4EF5D79B3249DFAFACE8AE877BAAB7 Ref B: SLAEDGE1112 Ref C: 2021-09-24T08:04:32Z
Date: Fri, 24 Sep 2021 08:04:32 GMT
Content-Length: 0
GET 200 https://l5celg.sn.files.1drv.com/y4miF6XlED8SY5--LgS44ahEhDcYCFwMTUFKt2cmNHEgwJC3dqKFsQUhuZ46dpQaoIwHZ9KrpMep0rTZkQKeIKr3PZ5VY_INk0UmRCYL9Fuve_Yapbe60tK7jScYNy1Diy91sotH3hSU3uEuESB1dR0pXlM2-y46BCMiXPgUnjHMhiUL6snOzGjoSuvMFM7tYUHYBSIwPEsZwIMl7BeBoMmvw/Ykpsyzzdkhppcdowwcfwlzpgevpatcf?download&psid=1
REQUEST
GET /y4miF6XlED8SY5--LgS44ahEhDcYCFwMTUFKt2cmNHEgwJC3dqKFsQUhuZ46dpQaoIwHZ9KrpMep0rTZkQKeIKr3PZ5VY_INk0UmRCYL9Fuve_Yapbe60tK7jScYNy1Diy91sotH3hSU3uEuESB1dR0pXlM2-y46BCMiXPgUnjHMhiUL6snOzGjoSuvMFM7tYUHYBSIwPEsZwIMl7BeBoMmvw/Ykpsyzzdkhppcdowwcfwlzpgevpatcf?download&psid=1 HTTP/1.1
User-Agent: aswe
Host: l5celg.sn.files.1drv.com
Cache-Control: no-cache
Connection: Keep-Alive
RESPONSE
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 868352
Content-Type: application/octet-stream
Content-Location: https://l5celg.sn.files.1drv.com/y4m86OePXFqiu4zTc91EZvknfnkU1TdARuTxMWW4wYEc8PtdI35fRa_E9ph9SuVunCjIoWeb4AV7H9q48J1eJ7KQ6XiZ_e-e0hZ7wZ3G5wABu2FfNIpHs2RWQq4ivSzWlcGDQrkrBFHK6QHKr3-oeMY4v4UOpmQm8-18RpX08aJAn4JQ6pxTeNJglfLPy6wX121
Expires: Thu, 23 Dec 2021 08:04:33 GMT
Last-Modified: Thu, 23 Sep 2021 14:05:40 GMT
Accept-Ranges: bytes
ETag: D6676A9A61E841F3!164.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: SN4PPF797B15F38
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: ruOWlerh9kmvpALwx6bE+g.0
X-SqlDataOrigin: S
CTag: aYzpENjY3NkE5QTYxRTg0MUYzITE2NC4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Ykpsyzzdkhppcdowwcfwlzpgevpatcf"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.758.906.2003
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: B5AEDF63C64444EAA49993398497F1BD Ref B: SLAEDGE1116 Ref C: 2021-09-24T08:04:32Z
Date: Fri, 24 Sep 2021 08:04:32 GMT
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49201 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49202 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49200 -> 13.107.42.13:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49201 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e |
TLSv1 192.168.56.101:49202 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e |
TLS 1.3 192.168.56.101:49213 -> 31.3.152.100:54614 | None | None | None |
TLS 1.3 192.168.56.101:49212 -> 31.3.152.100:54614 | None | None | None |
TLSv1 192.168.56.101:49200 -> 13.107.42.13:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | CN=onedrive.com | 50:2f:33:10:92:ac:27:7b:17:be:82:68:3b:e2:29:ad:97:41:b7:bb |
TLS 1.3 192.168.56.101:49204 -> 31.3.152.100:54614 | None | None | None |
Snort Alerts
No Snort Alerts