Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
login.live.com | CNAME prda.aadg.msidentity.com; CNAME login.msa.msidentity.com | 20.190.141.38 |
onedrive.live.com | CNAME l-0004.l-msedge.net | 13.107.42.13 |
- UDP Requests
  - 192.168.56.102:52062 164.124.101.2:53
  - 192.168.56.102:52336 164.124.101.2:53
  - 192.168.56.102:64034 164.124.101.2:53
  - 192.168.56.102:64995 164.124.101.2:53
  - 192.168.56.102:137 192.168.56.255:137
  - 192.168.56.102:138 192.168.56.255:138
  - 192.168.56.102:49152 239.255.255.250:3702
  - 192.168.56.102:49164 239.255.255.250:1900
  - 52.231.114.183:123 192.168.56.102:123
-
GET 302 https://onedrive.live.com/download?cid=7B2ADE39B2F10F51&resid=7B2ADE39B2F10F51%21104&authkey=APQEHgzEMRRS19k

REQUEST

```http
GET /download?cid=7B2ADE39B2F10F51&resid=7B2ADE39B2F10F51%21104&authkey=APQEHgzEMRRS19k HTTP/1.1
User-Agent: lVali
Host: onedrive.live.com
```

RESPONSE

```http
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1634690254&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D7B2ADE39B2F10F51%26resid%3D7B2ADE39B2F10F51%2521104%26authkey%3DAPQEHgzEMRRS19k&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
Set-Cookie: E=P:lPHDzmGT2Yg=:uV1wHK55LhHq/IOa62VdT2TZWIEfQxQNFF3oVRG4ruE=:F; domain=.live.com; path=/
Set-Cookie: xid=ef129b0e-c0cd-4b5c-92bf-7a52320aba4b&&RDE42AAC9406A1&340; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Tue, 19-Oct-2021 22:57:33 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Wed, 27-Oct-2021 00:37:34 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RDE42AAC9406A1
X-ODWebServer: centralus0-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 714F9E39F1F840BA8DBC43411E42DC56 Ref B: SLAEDGE1116 Ref C: 2021-10-20T00:37:33Z
Date: Wed, 20 Oct 2021 00:37:33 GMT
Content-Length: 0
```
GET 200 https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1634690254&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D7B2ADE39B2F10F51%26resid%3D7B2ADE39B2F10F51%2521104%26authkey%3DAPQEHgzEMRRS19k&lc=1033&id=250206&cbcxt=sky&cbcxt=sky

REQUEST

```http
GET /login.srf?wa=wsignin1.0&rpsnv=13&ct=1634690254&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D7B2ADE39B2F10F51%26resid%3D7B2ADE39B2F10F51%2521104%26authkey%3DAPQEHgzEMRRS19k&lc=1033&id=250206&cbcxt=sky&cbcxt=sky HTTP/1.1
User-Agent: lVali
Host: login.live.com
Connection: Keep-Alive
Cookie: E=P:lPHDzmGT2Yg=:uV1wHK55LhHq/IOa62VdT2TZWIEfQxQNFF3oVRG4ruE=:F; xid=ef129b0e-c0cd-4b5c-92bf-7a52320aba4b&&RDE42AAC9406A1&340; xidseq=1; wla42=
```

RESPONSE

```http
HTTP/1.1 200 OK
Cache-Control: no-store, max-age=0
Content-Type: text/html; charset=utf-8
Expires: Wed, 20 Oct 2021 00:36:34 GMT
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
X-Frame-Options: DENY
X-DNS-Prefetch-Control: on
Link: <https://acctcdn.msauth.net>; rel=preconnect; crossorigin
Link: <https://logincdn.msauth.net>; rel=preconnect; crossorigin
Link: <https://acctcdn.msauth.net/>; rel=dns-prefetch
Link: <https://acctcdn.msftauth.net/>; rel=dns-prefetch
Link: <https://acctcdnmsftuswe2.azureedge.net/>; rel=dns-prefetch
Link: <https://acctcdnvzeuno.azureedge.net/>; rel=dns-prefetch
Link: <https://logincdn.msauth.net/>; rel=dns-prefetch
Link: <https://lgincdnvzeuno.azureedge.net/>; rel=dns-prefetch
Link: <https://lgincdnmsftuswe2.azureedge.net/>; rel=dns-prefetch
Referrer-Policy: strict-origin-when-cross-origin
x-ms-route-info: R3_BAY
x-ms-request-id: 571b821f-96e8-4828-94d2-1185ed44f18c
PPServer: PPV: 30 H: BY1PPF155530862 V: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
Set-Cookie: uaid=ccea8b4c225f4a92b3d87b164f1b0922; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: MSPRequ=id=250206&lt=1634690254&co=1; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: MSCC=175.208.134.150-KR; expires=Mon, 14-Nov-2022 00:37:34 GMT; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: OParams=11O.DavSNCaj9yL*DN4EeS3o9PX2WBgb4BZK69yYhemSadjHaxQNLkL!X1511Rpx5UnEzXeJ3tfFrnSqCWObv6wYHZ8VXQAlDznSJlcll1Njwplwn!MvwDIzOH3!2VOKjHxwSR7EQReOK!A3724J3!hu52Wzryz1pi9yXLnojuIak4e61yd5B8Z!tcXVzWgVN7RM1aOmmh3xma4WCLnaaaVHGg9YyBEirkAMvYI5S0O5nVZKpIQZucMx8Bvjq86n4FZNZR7T8har!EWdEGPN0zSlO*9qykrKj6mcO2jr9eulJ6DP5d2jjS4EaS0jC!lVBzjv55gevmsPCt32otGZGIHn8*Z9s!gu0CbmBnuJ9gJKHOhPWDHd*PU1IxhFJ!4akCx4XIDnMtYSUAPgzJM5v1jyVlG83d4ZqjwohmIAyQXXY2oFOHjtWfHHvYKXl2raYYVi3A$$; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: MSPOK=$uuid-78e25149-986c-4c2e-97ba-5e3288d73899; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Date: Wed, 20 Oct 2021 00:37:34 GMT
Content-Length: 27272
```
GET 302 https://onedrive.live.com/download?cid=7B2ADE39B2F10F51&resid=7B2ADE39B2F10F51%21104&authkey=APQEHgzEMRRS19k

REQUEST

```http
GET /download?cid=7B2ADE39B2F10F51&resid=7B2ADE39B2F10F51%21104&authkey=APQEHgzEMRRS19k HTTP/1.1
User-Agent: aswe
Host: onedrive.live.com
Cache-Control: no-cache
Cookie: E=P:lPHDzmGT2Yg=:uV1wHK55LhHq/IOa62VdT2TZWIEfQxQNFF3oVRG4ruE=:F; xid=ef129b0e-c0cd-4b5c-92bf-7a52320aba4b&&RDE42AAC9406A1&340; xidseq=1; wla42=
```

RESPONSE

```http
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1634690254&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D7B2ADE39B2F10F51%26resid%3D7B2ADE39B2F10F51%2521104%26authkey%3DAPQEHgzEMRRS19k&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
Set-Cookie: E=P:7HYLz2GT2Yg=:LCTZkeTql4NFzUQlhvt+YiDzIJOgdEx7yiIFW0ymY98=:F; domain=.live.com; path=/
Set-Cookie: xidseq=2; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Tue, 19-Oct-2021 22:57:34 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Wed, 27-Oct-2021 00:37:34 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RDE42AAC9406A1
X-ODWebServer: centralus0-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 8E5B7D0FFE17465BB74BE6D484A51883 Ref B: SLAEDGE1116 Ref C: 2021-10-20T00:37:34Z
Date: Wed, 20 Oct 2021 00:37:33 GMT
Content-Length: 0
```
GET 200 https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1634690254&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D7B2ADE39B2F10F51%26resid%3D7B2ADE39B2F10F51%2521104%26authkey%3DAPQEHgzEMRRS19k&lc=1033&id=250206&cbcxt=sky&cbcxt=sky

REQUEST

```http
GET /login.srf?wa=wsignin1.0&rpsnv=13&ct=1634690254&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D7B2ADE39B2F10F51%26resid%3D7B2ADE39B2F10F51%2521104%26authkey%3DAPQEHgzEMRRS19k&lc=1033&id=250206&cbcxt=sky&cbcxt=sky HTTP/1.1
User-Agent: aswe
Host: login.live.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: E=P:7HYLz2GT2Yg=:LCTZkeTql4NFzUQlhvt+YiDzIJOgdEx7yiIFW0ymY98=:F; xid=ef129b0e-c0cd-4b5c-92bf-7a52320aba4b&&RDE42AAC9406A1&340; xidseq=2; wla42=; uaid=ccea8b4c225f4a92b3d87b164f1b0922; MSPRequ=id=250206&lt=1634690254&co=1; MSCC=175.208.134.150-KR; OParams=11O.DavSNCaj9yL*DN4EeS3o9PX2WBgb4BZK69yYhemSadjHaxQNLkL!X1511Rpx5UnEzXeJ3tfFrnSqCWObv6wYHZ8VXQAlDznSJlcll1Njwplwn!MvwDIzOH3!2VOKjHxwSR7EQReOK!A3724J3!hu52Wzryz1pi9yXLnojuIak4e61yd5B8Z!tcXVzWgVN7RM1aOmmh3xma4WCLnaaaVHGg9YyBEirkAMvYI5S0O5nVZKpIQZucMx8Bvjq86n4FZNZR7T8har!EWdEGPN0zSlO*9qykrKj6mcO2jr9eulJ6DP5d2jjS4EaS0jC!lVBzjv55gevmsPCt32otGZGIHn8*Z9s!gu0CbmBnuJ9gJKHOhPWDHd*PU1IxhFJ!4akCx4XIDnMtYSUAPgzJM5v1jyVlG83d4ZqjwohmIAyQXXY2oFOHjtWfHHvYKXl2raYYVi3A$$; MSPOK=$uuid-78e25149-986c-4c2e-97ba-5e3288d73899
```

RESPONSE

```http
HTTP/1.1 200 OK
Cache-Control: no-store, max-age=0
Content-Type: text/html; charset=utf-8
Expires: Wed, 20 Oct 2021 00:36:34 GMT
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
x-ms-route-info: R3_BAY
x-ms-request-id: 5bfc3f13-2e24-4b2d-a993-cada832da7e5
PPServer: PPV: 30 H: BY1PEPF00001DFD V: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
Set-Cookie: uaid=6e1b6256309f4cb696482e9cf7fd52a3; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: MSPRequ=id=250206&lt=1634690254&co=2; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: OParams=11O.Da2SKpakY4yEntvnJ7!5fbbT94VIc7zpX1CPavqy!0Ti2iwuKcVMSY2Yeb8NjFyFjX8NGkHmkmT9BtYR3acABbQwcRavcLuIg3Z2MiwG43BE0lRBjUdJ6kMH26tBM57teaPCuurQkqIwJwfNtxH*EVC7sB6y80tQ2AIozCzF7sOj0BsGWrmBJDfviNwg5Mu*Y3fgfXOXr4nlqtgYGDDTQ4COe1JmXh63nTuRIZ5lcbny7Ys2eu!mcFXHFJt7HsC2Tnr2p989yFSM3mRFuR32cC02QZZdjAy4NAGPS8CwPM5pzVS06lYlSypH0c*o!p19MdYD6SnNvgl!BqHurNu27UZxSByLE5g0YHIfQStM9nAnFHdQfYuZeF2ME72Ci1Ta52b*GdL4kDrfyJdgDY846P7FKLeIrgch0wqham*B!ar*VcJLFYYqqi6XPREZt4p7JR86ONmtLvtsOmCPwpQ27XaDoyhK8O9DRMN!jSox0AYMjplapr5okneMf6TJSfzdNQ$$; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: MSPOK=$uuid-78e25149-986c-4c2e-97ba-5e3288d73899$uuid-7bf036ef-8839-4579-8f0e-4d44122668e6; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Date: Wed, 20 Oct 2021 00:37:34 GMT
Content-Length: 26600
```
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49164 -> 13.107.42.13:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49166 -> 20.190.144.166:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49165 -> 20.190.144.166:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49164 13.107.42.13:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | CN=onedrive.com | 50:2f:33:10:92:ac:27:7b:17:be:82:68:3b:e2:29:ad:97:41:b7:bb |
TLSv1 192.168.56.102:49165 20.190.144.166:443 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=graph.windows.net | 73:7d:2b:8b:14:fd:d9:03:14:62:2e:35:a7:c1:54:33:e0:8b:3b:71 |
TLSv1 192.168.56.102:49166 20.190.144.166:443 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=graph.windows.net | 73:7d:2b:8b:14:fd:d9:03:14:62:2e:35:a7:c1:54:33:e0:8b:3b:71 |
Snort Alerts
No Snort Alerts