Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| apps.identrust.com |
CNAME
a1952.dscq.akamai.net
CNAME
identrust.edgesuite.net
|
23.216.159.81 |
| note.onedocshare.com | 149.28.162.113 |
- UDP Requests
-
-
192.168.56.103:53893 164.124.101.2:53
-
192.168.56.103:56357 164.124.101.2:53
-
192.168.56.103:58465 164.124.101.2:53
-
192.168.56.103:63128 164.124.101.2:53
-
192.168.56.103:137 192.168.56.255:137
-
192.168.56.103:138 192.168.56.255:138
-
192.168.56.103:49152 239.255.255.250:3702
-
192.168.56.103:49168 239.255.255.250:1900
-
192.168.56.103:49170 239.255.255.250:3702
-
192.168.56.103:49172 239.255.255.250:3702
-
192.168.56.103:56358 239.255.255.250:3702
-
52.231.114.183:123 192.168.56.103:123
-
GET
404
https://note.onedocshare.com/seZlG2VYJ6l05Yn4tvYj93t9eK3OX72pIMiW95JlhDY=
REQUEST
RESPONSE
BODY
GET /seZlG2VYJ6l05Yn4tvYj93t9eK3OX72pIMiW95JlhDY= HTTP/1.1
Accept: */*
Accept-Language: ko-KR
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Host: note.onedocshare.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Date: Fri, 29 Oct 2021 00:52:20 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2p PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET
200
http://apps.identrust.com/roots/dstrootcax3.p7c
REQUEST
RESPONSE
BODY
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com
HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' *.identrust.com
Last-Modified: Fri, 22 Oct 2021 20:14:01 GMT
ETag: "37d-5cef6a6e73440"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Fri, 29 Oct 2021 01:52:09 GMT
Date: Fri, 29 Oct 2021 00:52:09 GMT
Connection: keep-alive
GET
200
http://apps.identrust.com/roots/dstrootcax3.p7c
REQUEST
RESPONSE
BODY
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com
HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' *.identrust.com
Last-Modified: Fri, 22 Oct 2021 20:14:01 GMT
ETag: "37d-5cef6a6e73440"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Fri, 29 Oct 2021 01:52:09 GMT
Date: Fri, 29 Oct 2021 00:52:09 GMT
Connection: keep-alive
GET
200
http://apps.identrust.com/roots/dstrootcax3.p7c
REQUEST
RESPONSE
BODY
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com
HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' *.identrust.com
Last-Modified: Fri, 22 Oct 2021 20:14:01 GMT
ETag: "37d-5cef6a6e73440"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Fri, 29 Oct 2021 01:52:20 GMT
Date: Fri, 29 Oct 2021 00:52:20 GMT
Connection: keep-alive
GET
200
http://apps.identrust.com/roots/dstrootcax3.p7c
REQUEST
RESPONSE
BODY
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com
HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' *.identrust.com
Last-Modified: Fri, 22 Oct 2021 20:14:01 GMT
ETag: "37d-5cef6a6e73440"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Fri, 29 Oct 2021 01:52:20 GMT
Date: Fri, 29 Oct 2021 00:52:20 GMT
Connection: keep-alive
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.103:49176 -> 149.28.162.113:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.103:49171 -> 149.28.162.113:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.103:49176 149.28.162.113:443 |
None | None | None |
|
TLSv1 192.168.56.103:49171 149.28.162.113:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=onedocshare.com | 81:b5:79:98:5d:c2:83:1c:d0:dd:b4:eb:1e:1e:14:84:f5:bc:5f:43 |
Snort Alerts
No Snort Alerts