Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| www.fourwaira.com |
CNAME
fourwaira.com
|
192.185.35.70 |
| www.jamnvibez.com | 104.26.14.140 |
- UDP Requests
-
-
192.168.56.102:52062 164.124.101.2:53
-
192.168.56.102:52336 164.124.101.2:53
-
192.168.56.102:64034 164.124.101.2:53
-
192.168.56.102:64995 164.124.101.2:53
-
192.168.56.102:137 192.168.56.255:137
-
192.168.56.102:138 192.168.56.255:138
-
192.168.56.102:49152 239.255.255.250:3702
-
192.168.56.102:49164 239.255.255.250:1900
-
52.231.114.183:123 192.168.56.102:123
-
GET
403
http://www.jamnvibez.com/kzk9/?FrJd4VD=RD97+sYQI0XqiDdkgpzgSdWBYlciYaDFU1FGUcVBT4psxDAeA+lJB7BpU+r7Fjhs4LDiOT9/&Vnw0Z=-Z2h6rwPQ2dhNVd
REQUEST
RESPONSE
BODY
GET /kzk9/?FrJd4VD=RD97+sYQI0XqiDdkgpzgSdWBYlciYaDFU1FGUcVBT4psxDAeA+lJB7BpU+r7Fjhs4LDiOT9/&Vnw0Z=-Z2h6rwPQ2dhNVd HTTP/1.1
Host: www.jamnvibez.com
Connection: close
HTTP/1.1 403 Forbidden
Date: Tue, 19 Oct 2021 07:45:47 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=m3nmoCcF1lw4nHbUUG639ynCXtGs7OlWiNQT1JbHrYt23lF5TbshD4xQoH%2BekaTu3qjZUl%2BIHsmnHf0RA7lqEE1buozIZfS4%2BGFwq8DScSzFABn%2FpW6O889mrj5YI2COPEbm"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6a0863909f220a82-KIX
GET
301
http://www.fourwaira.com/kzk9/?FrJd4VD=jpbsMCdQcyIiRjwJxwpW4+ck0RmyGC3M4w6i6YV8jHR4vv9J5XguPad0A8kXdPUVZ76zsTs3&Vnw0Z=-Z2h6rwPQ2dhNVd
REQUEST
RESPONSE
BODY
GET /kzk9/?FrJd4VD=jpbsMCdQcyIiRjwJxwpW4+ck0RmyGC3M4w6i6YV8jHR4vv9J5XguPad0A8kXdPUVZ76zsTs3&Vnw0Z=-Z2h6rwPQ2dhNVd HTTP/1.1
Host: www.fourwaira.com
Connection: close
HTTP/1.1 301 Moved Permanently
Date: Tue, 19 Oct 2021 07:46:08 GMT
Server: Apache
Location: https://www.fourwaira.com/kzk9/?FrJd4VD=jpbsMCdQcyIiRjwJxwpW4+ck0RmyGC3M4w6i6YV8jHR4vv9J5XguPad0A8kXdPUVZ76zsTs3&Vnw0Z=-Z2h6rwPQ2dhNVd
Cache-Control: max-age=0
Expires: Tue, 19 Oct 2021 07:46:08 GMT
Content-Length: 346
Connection: close
Content-Type: text/html; charset=iso-8859-1
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.102:49166 -> 172.67.74.94:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.102:49166 -> 172.67.74.94:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.102:49166 -> 172.67.74.94:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.102:49167 -> 192.185.35.70:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.102:49167 -> 192.185.35.70:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.102:49167 -> 192.185.35.70:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts