Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
20mqvq.am.files.1drv.com | CNAME am-files.fe.1drv.com; CNAME l-0003.l-msedge.net | 13.107.42.12 |
saptransmissions.dvrlists.com | 45.162.228.171 | |
onedrive.live.com | CNAME l-0004.l-msedge.net | 13.107.42.13 |
TCP Requests
- 192.168.56.102:49165 -> 13.107.42.12:443 (20mqvq.am.files.1drv.com)
- 192.168.56.102:49166 -> 13.107.42.12:443 (20mqvq.am.files.1drv.com)
- 192.168.56.102:49164 -> 13.107.42.13:443 (onedrive.live.com)
- 192.168.56.102:49170 -> 45.162.228.171:30445 (saptransmissions.dvrlists.com)
- 192.168.56.102:49176 -> 45.162.228.171:30445 (saptransmissions.dvrlists.com)
- 192.168.56.102:49177 -> 45.162.228.171:30445 (saptransmissions.dvrlists.com)
UDP Requests
- 192.168.56.102:52062 -> 164.124.101.2:53
- 192.168.56.102:52336 -> 164.124.101.2:53
- 192.168.56.102:58838 -> 164.124.101.2:53
- 192.168.56.102:64034 -> 164.124.101.2:53
- 192.168.56.102:64995 -> 164.124.101.2:53
- 192.168.56.102:137 -> 192.168.56.255:137
- 192.168.56.102:138 -> 192.168.56.255:138
- 192.168.56.102:49152 -> 239.255.255.250:3702
- 192.168.56.102:49164 -> 239.255.255.250:1900
- 52.231.114.183:123 -> 192.168.56.102:123
GET 302 https://onedrive.live.com/download?cid=D6CD7BA665204307&resid=D6CD7BA665204307%21109&authkey=AMdOM29o41CbOZ0
Request:
GET /download?cid=D6CD7BA665204307&resid=D6CD7BA665204307%21109&authkey=AMdOM29o41CbOZ0 HTTP/1.1
User-Agent: lVali
Host: onedrive.live.com
Response:
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://20mqvq.am.files.1drv.com/y4mIICgczn0jQ6zC8-aw8Xb86SRr2CmJy2ooH9966h6ZkT_AUu9dtWSt-mU9kkZ3qd5cYMw79sssxrVislI6ELzqwRjOrwQJHO8jnXz0I3kSCIVfFNj6gKFnW6vIjjDV9UQRTSdfp0NjNpEqxAnPmZIKXsSVZyMp_epb-KQRwil_gw_dAONVvND-k4n11x4W_NJ4wPdBbVgnJrgcy3vmBGBCQ/Csigvgmrhqyzxcdrdqesimyzfccnhhv?download&psid=1
Set-Cookie: E=P:mMG4XW2J2Yg=:bGC4DmyV6Bg7gBZCMGMdRfIgUrwm1jUvwd1AAcmFaX4=:F; domain=.live.com; path=/
Set-Cookie: xid=b1657970-2549-45a7-8e37-c11f4600dd01&&RD0003FF11B737&327; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Thu, 07-Oct-2021 06:55:06 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Thu, 14-Oct-2021 08:35:07 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD0003FF11B737
X-ODWebServer: centralus1-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 951200FD61D543A5B8D194B97A8A0BF0 Ref B: SLAEDGE1116 Ref C: 2021-10-07T08:35:06Z
Date: Thu, 07 Oct 2021 08:35:07 GMT
Content-Length: 0
GET 200 https://20mqvq.am.files.1drv.com/y4mIICgczn0jQ6zC8-aw8Xb86SRr2CmJy2ooH9966h6ZkT_AUu9dtWSt-mU9kkZ3qd5cYMw79sssxrVislI6ELzqwRjOrwQJHO8jnXz0I3kSCIVfFNj6gKFnW6vIjjDV9UQRTSdfp0NjNpEqxAnPmZIKXsSVZyMp_epb-KQRwil_gw_dAONVvND-k4n11x4W_NJ4wPdBbVgnJrgcy3vmBGBCQ/Csigvgmrhqyzxcdrdqesimyzfccnhhv?download&psid=1
Request:
GET /y4mIICgczn0jQ6zC8-aw8Xb86SRr2CmJy2ooH9966h6ZkT_AUu9dtWSt-mU9kkZ3qd5cYMw79sssxrVislI6ELzqwRjOrwQJHO8jnXz0I3kSCIVfFNj6gKFnW6vIjjDV9UQRTSdfp0NjNpEqxAnPmZIKXsSVZyMp_epb-KQRwil_gw_dAONVvND-k4n11x4W_NJ4wPdBbVgnJrgcy3vmBGBCQ/Csigvgmrhqyzxcdrdqesimyzfccnhhv?download&psid=1 HTTP/1.1
User-Agent: lVali
Host: 20mqvq.am.files.1drv.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 587264
Content-Type: application/octet-stream
Content-Location: https://20mqvq.am.files.1drv.com/y4mFXMxUgTRFKweKs3h6efhbKYt2mJJJpA__rOBJU2S59mFjiKJAr4NVHYB1E3jdjdc8HeHE2KAqVssURlw-nsI9bosaHccegFMEmt6KOZep--XpLvabL3OKpAFu1YpExrcowxqfJQP6f998oD9UEqyit6kMmUeQtFduYoJR-ROAe91ISMJjcWBWQ71Yq413oL6
Expires: Wed, 05 Jan 2022 08:35:11 GMT
Last-Modified: Wed, 06 Oct 2021 14:39:57 GMT
Accept-Ranges: bytes
ETag: D6CD7BA665204307!109.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: AM4PPF65F8C5889
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: c3CQhZ7O/EGQG02Ryd9S4A.0
X-SqlDataOrigin: S
CTag: aYzpENkNEN0JBNjY1MjA0MzA3ITEwOS4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Csigvgmrhqyzxcdrdqesimyzfccnhhv"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.773.927.2003
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 25AC06230EB1483FA5D875AC923EDACA Ref B: SLAEDGE1120 Ref C: 2021-10-07T08:35:07Z
Date: Thu, 07 Oct 2021 08:35:10 GMT
GET 302 https://onedrive.live.com/download?cid=D6CD7BA665204307&resid=D6CD7BA665204307%21109&authkey=AMdOM29o41CbOZ0
Request:
GET /download?cid=D6CD7BA665204307&resid=D6CD7BA665204307%21109&authkey=AMdOM29o41CbOZ0 HTTP/1.1
User-Agent: aswe
Host: onedrive.live.com
Cache-Control: no-cache
Cookie: E=P:mMG4XW2J2Yg=:bGC4DmyV6Bg7gBZCMGMdRfIgUrwm1jUvwd1AAcmFaX4=:F; xid=b1657970-2549-45a7-8e37-c11f4600dd01&&RD0003FF11B737&327; xidseq=1; wla42=
Response:
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://20mqvq.am.files.1drv.com/y4mUh_YT7N5cZ_VtYj7gY-pLi8ax9qzfrx2nbGHZ7G1U61GzcbwSU8iAsSYmf4Jyh-cQD8gC5IsZXT3NdfbXn-6ClX-Ym5zGliSPzVI32b3Ew1iMIKynGYhOz3ZkIz5WXAhE2_-np3wFxBXD4vDAkYtjLc1gALD8fzAvwxJlIBUecmXh0qVBxg4N_dmmNtN--5J5Wmq0pbRBxhqaOq9fB_0Jg/Csigvgmrhqyzxcdrdqesimyzfccnhhv?download&psid=1
Set-Cookie: E=P:knXhYG2J2Yg=:rC3h3PqldyFqNO9SFz40VYGIiqyZbIcUICtCt8rKRC0=:F; domain=.live.com; path=/
Set-Cookie: xidseq=2; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Thu, 07-Oct-2021 06:55:11 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Thu, 14-Oct-2021 08:35:12 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD0003FF1184AB
X-ODWebServer: centralus1-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: A96CC975256246CCA04E66AE83BBE43D Ref B: SLAEDGE1116 Ref C: 2021-10-07T08:35:11Z
Date: Thu, 07 Oct 2021 08:35:12 GMT
Content-Length: 0
GET 200 https://20mqvq.am.files.1drv.com/y4mUh_YT7N5cZ_VtYj7gY-pLi8ax9qzfrx2nbGHZ7G1U61GzcbwSU8iAsSYmf4Jyh-cQD8gC5IsZXT3NdfbXn-6ClX-Ym5zGliSPzVI32b3Ew1iMIKynGYhOz3ZkIz5WXAhE2_-np3wFxBXD4vDAkYtjLc1gALD8fzAvwxJlIBUecmXh0qVBxg4N_dmmNtN--5J5Wmq0pbRBxhqaOq9fB_0Jg/Csigvgmrhqyzxcdrdqesimyzfccnhhv?download&psid=1
Request:
GET /y4mUh_YT7N5cZ_VtYj7gY-pLi8ax9qzfrx2nbGHZ7G1U61GzcbwSU8iAsSYmf4Jyh-cQD8gC5IsZXT3NdfbXn-6ClX-Ym5zGliSPzVI32b3Ew1iMIKynGYhOz3ZkIz5WXAhE2_-np3wFxBXD4vDAkYtjLc1gALD8fzAvwxJlIBUecmXh0qVBxg4N_dmmNtN--5J5Wmq0pbRBxhqaOq9fB_0Jg/Csigvgmrhqyzxcdrdqesimyzfccnhhv?download&psid=1 HTTP/1.1
User-Agent: aswe
Host: 20mqvq.am.files.1drv.com
Cache-Control: no-cache
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 587264
Content-Type: application/octet-stream
Content-Location: https://20mqvq.am.files.1drv.com/y4mFXMxUgTRFKweKs3h6efhbKYt2mJJJpA__rOBJU2S59mFjiKJAr4NVHYB1E3jdjdc8HeHE2KAqVssURlw-nsI9bosaHccegFMEmt6KOZep--XpLvabL3OKpAFu1YpExrcowxqfJQP6f998oD9UEqyit6kMmUeQtFduYoJR-ROAe91ISMJjcWBWQ71Yq413oL6
Expires: Wed, 05 Jan 2022 08:35:14 GMT
Last-Modified: Wed, 06 Oct 2021 14:39:57 GMT
Accept-Ranges: bytes
ETag: D6CD7BA665204307!109.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: AM4SCH107021114
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: G9zrMpLtLE+h9btpy8eYSA.0
X-SqlDataOrigin: S
CTag: aYzpENkNEN0JBNjY1MjA0MzA3ITEwOS4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Csigvgmrhqyzxcdrdqesimyzfccnhhv"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.773.927.2003
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 5C438CEF5CEB4AECBBCB8BC266C02C5E Ref B: SLAEDGE1118 Ref C: 2021-10-07T08:35:12Z
Date: Thu, 07 Oct 2021 08:35:14 GMT
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49164 -> 13.107.42.13:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49166 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49165 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49164 -> 13.107.42.13:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | CN=onedrive.com | 50:2f:33:10:92:ac:27:7b:17:be:82:68:3b:e2:29:ad:97:41:b7:bb |
TLSv1 192.168.56.102:49166 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e |
TLSv1 192.168.56.102:49165 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e |
TLS 1.3 192.168.56.102:49176 -> 45.162.228.171:30445 | None | None | None |
TLS 1.3 192.168.56.102:49170 -> 45.162.228.171:30445 | None | None | None |
TLS 1.3 192.168.56.102:49177 -> 45.162.228.171:30445 | None | None | None |
Snort Alerts
No Snort Alerts