Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
boogieproductions.com.au | 101.0.113.93 | |
iu.ac.bd | 103.28.121.60 | |
recapitol.com | 108.179.232.85 | |
x1.i.lencr.org | 104.76.75.146 | |
TCP Requests
- 192.168.56.103:49168 -> 101.0.113.93:443 (boogieproductions.com.au)
- 192.168.56.103:49175 -> 103.28.121.60:443 (iu.ac.bd)
- 192.168.56.103:49176 -> 103.28.121.60:443 (iu.ac.bd)
- 192.168.56.103:49177 -> 103.28.121.60:443 (iu.ac.bd)
- 192.168.56.103:49169 -> 104.74.211.103:80 (x1.i.lencr.org)
- 192.168.56.103:49170 -> 108.179.232.85:443 (recapitol.com)
- 192.168.56.103:49171 -> 108.179.232.85:443 (recapitol.com)
- 192.168.56.103:49172 -> 108.179.232.85:443 (recapitol.com)
UDP Requests
- 192.168.56.103:50665 -> 164.124.101.2:53
- 192.168.56.103:53498 -> 164.124.101.2:53
- 192.168.56.103:53893 -> 164.124.101.2:53
- 192.168.56.103:56357 -> 164.124.101.2:53
- 192.168.56.103:58465 -> 164.124.101.2:53
- 192.168.56.103:63128 -> 164.124.101.2:53
- 192.168.56.103:137 -> 192.168.56.255:137
- 192.168.56.103:138 -> 192.168.56.255:138
- 192.168.56.103:49152 -> 239.255.255.250:3702
- 192.168.56.103:49168 -> 239.255.255.250:1900
- 192.168.56.103:49170 -> 239.255.255.250:3702
- 192.168.56.103:49172 -> 239.255.255.250:3702
- 192.168.56.103:53499 -> 239.255.255.250:3702
- 52.231.114.183:123 -> 192.168.56.103:123
HTTP Requests
GET 200 http://x1.i.lencr.org/
Request:
GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: x1.i.lencr.org
Response:
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/pkix-cert
Last-Modified: Fri, 19 Jan 2018 23:38:04 GMT
ETag: "5a62815c-56f"
Content-Disposition: attachment; filename="ISRG Root X1.der"
Cache-Control: max-age=81740
Expires: Wed, 13 Oct 2021 23:50:13 GMT
Date: Wed, 13 Oct 2021 01:07:53 GMT
Content-Length: 1391
Connection: keep-alive
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49171 -> 108.179.232.85:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49170 -> 108.179.232.85:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 103.28.121.60:443 -> 192.168.56.103:49177 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic |
TCP 108.179.232.85:443 -> 192.168.56.103:49172 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic |
TCP 192.168.56.103:49175 -> 103.28.121.60:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49176 -> 103.28.121.60:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49168 -> 101.0.113.93:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49168 -> 101.0.113.93:443 | C=US, O=Let's Encrypt, CN=R3 | CN=*.boogieproductions.com.au | b5:e4:87:70:98:86:d3:92:89:0d:4e:b3:21:76:f6:e2:16:65:7e:b6 |
Snort Alerts
No Snort Alerts