Network Analysis
IP Address | Status | Action |
---|---|---|
104.21.33.188 | Active | Moloch |
111.90.146.149 | Active | Moloch |
164.124.101.2 | Active | Moloch |
172.67.130.202 | Active | Moloch |
23.206.175.43 | Active | Moloch |
3.17.66.208 | Active | Moloch |
67.198.134.186 | Active | Moloch |
98.126.176.51 | Active | Moloch |
98.126.176.53 | Active | Moloch |
99.86.144.74 | Active | Moloch |
TCP Requests
- 192.168.56.103:49177 104.21.33.188:443 source7.boys4dayz.com
- 192.168.56.103:49225 111.90.146.149:80 papwli.pw
- 192.168.56.103:49201 172.67.130.202:443 mybrowserinfo.com
- 192.168.56.103:49180 23.206.175.43:80 apps.identrust.com
- 192.168.56.103:49176 3.17.66.208:50383
- 192.168.56.103:49200 67.198.134.186:433
- 192.168.56.103:49202 98.126.176.51:443 user.maskvpn.org
- 192.168.56.103:49203 98.126.176.51:443 user.maskvpn.org
- 192.168.56.103:49199 98.126.176.53:443 vpn.maskvpn.org
- 192.168.56.103:49181 99.86.144.74:80 duzlwewk2uk96.cloudfront.net
UDP Requests
- 192.168.56.103:50665 164.124.101.2:53
- 192.168.56.103:53498 164.124.101.2:53
- 192.168.56.103:53893 164.124.101.2:53
- 192.168.56.103:56357 164.124.101.2:53
- 192.168.56.103:58465 164.124.101.2:53
- 192.168.56.103:63128 164.124.101.2:53
- 192.168.56.103:137 192.168.56.255:137
- 192.168.56.103:138 192.168.56.255:138
- 192.168.56.103:49152 239.255.255.250:3702
- 192.168.56.103:49168 239.255.255.250:1900
- 192.168.56.103:49170 239.255.255.250:3702
- 192.168.56.103:49172 239.255.255.250:3702
- 192.168.56.103:49174 239.255.255.250:3702
- 8.8.8.8:53 192.168.56.103:63129
- 8.8.8.8:53 192.168.56.103:63130
HTTP Requests
GET 200 http://apps.identrust.com/roots/dstrootcax3.p7c
Request:
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com
Response:
HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' *.identrust.com
Last-Modified: Fri, 22 Oct 2021 20:14:01 GMT
ETag: "37d-5cef6a6e73440"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Tue, 26 Oct 2021 01:32:30 GMT
Date: Tue, 26 Oct 2021 00:32:30 GMT
Connection: keep-alive
GET 200 http://duzlwewk2uk96.cloudfront.net/vpn.exe
Request:
GET /vpn.exe HTTP/1.1
Host: duzlwewk2uk96.cloudfront.net
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 15699256
Connection: keep-alive
Date: Tue, 26 Oct 2021 00:32:32 GMT
Last-Modified: Tue, 26 Oct 2021 00:17:58 GMT
ETag: "4dd57eb8ea614ca43e679abeaf5351bf"
Accept-Ranges: bytes
Server: AmazonS3
X-Cache: Miss from cloudfront
Via: 1.1 13748bbc0f98e51e751e7e4b1939b964.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: ICN51-C1
X-Amz-Cf-Id: xjozMfj1S9S0_NGWt3WCQVTR3Nagy0RgryEN669a5919de9AGjqoyQ==
GET 200 http://papwli.pw/adsli/note866.exe
Request:
GET /adsli/note866.exe HTTP/1.1
Host: papwli.pw
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Sun, 24 Oct 2021 16:02:25 GMT
Accept-Ranges: bytes
ETag: "d9107789f0c8d71:0"
Server: Microsoft-IIS/8.5
Date: Mon, 25 Oct 2021 16:33:56 GMT
Content-Length: 2145280
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49177 104.21.33.188:443 | C=US, O=Let's Encrypt, CN=R3 | CN=*.boys4dayz.com | 8d:a4:7e:14:c5:14:28:f1:07:04:40:07:c0:62:ff:97:67:34:d9:f0 |
TLS 1.2 192.168.56.103:49203 98.126.176.51:443 | C=US, O=Let's Encrypt, CN=R3 | CN=user.maskvpn.org | 8e:d3:47:28:4d:1d:b8:e5:89:2b:2a:10:7c:3c:02:02:bf:f7:c0:f2 |
TLS 1.2 192.168.56.103:49199 98.126.176.53:443 | C=US, O=Let's Encrypt, CN=R3 | CN=vpn.maskvpn.org | 8d:fc:00:5d:fb:42:74:9f:52:5d:29:51:ec:4c:6e:4d:c2:50:cc:f7 |
TLS 1.2 192.168.56.103:49202 98.126.176.51:443 | C=US, O=Let's Encrypt, CN=R3 | CN=user.maskvpn.org | 8e:d3:47:28:4d:1d:b8:e5:89:2b:2a:10:7c:3c:02:02:bf:f7:c0:f2 |
TLS 1.2 192.168.56.103:49201 172.67.130.202:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | b6:f1:e6:a1:ab:bd:40:68:6a:f9:61:ea:fe:4d:f7:47:b6:74:b9:9f |
Snort Alerts
No Snort Alerts