Network Analysis
DNS Requests
Name | Response | Post-Analysis Lookup |
---|---|---|
login.live.com | CNAME login.msa.msidentity.com -> CNAME prda.aadg.msidentity.com | 40.126.35.64 |
onedrive.live.com | CNAME l-0004.l-msedge.net | 13.107.42.13 |
UDP Requests
- 192.168.56.101:55871 -> 164.124.101.2:53 (DNS)
- 192.168.56.101:57609 -> 164.124.101.2:53 (DNS)
- 192.168.56.101:60131 -> 164.124.101.2:53 (DNS)
- 192.168.56.101:62062 -> 164.124.101.2:53 (DNS)
- 192.168.56.101:137 -> 192.168.56.255:137 (NetBIOS name service, subnet broadcast)
- 192.168.56.101:138 -> 192.168.56.255:138 (NetBIOS datagram service, subnet broadcast)
- 192.168.56.101:49152 -> 239.255.255.250:3702 (WS-Discovery, multicast)
- 192.168.56.101:57612 -> 239.255.255.250:1900 (SSDP, multicast)
- 52.231.114.183:123 -> 192.168.56.101:123 (NTP, inbound reply)
-
HTTP Requests
Both fetches of the OneDrive share (User-Agent lVali, then aswe) were answered with a 302 to the Microsoft account sign-in page, login.live.com/login.srf, whose wreply parameter points back at the download URL; the 200 responses that follow carry the HTML sign-in page, so no file body was returned in this run.

1. GET https://onedrive.live.com/download?cid=3AD292385C59C809&resid=3AD292385C59C809%21106&authkey=AHXb1biR0zpJmSw -> 302 Found

Request:
GET /download?cid=3AD292385C59C809&resid=3AD292385C59C809%21106&authkey=AHXb1biR0zpJmSw HTTP/1.1
User-Agent: lVali
Host: onedrive.live.com

Response:
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1636418955&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D3AD292385C59C809%26resid%3D3AD292385C59C809%2521106%26authkey%3DAHXb1biR0zpJmSw&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
Set-Cookie: E=P:mCyywBqj2Yg=:vYqvlyGp9+J6wV6tVZ44kxj2EfQRJmuUzXzrj4DRr+U=:F; domain=.live.com; path=/
Set-Cookie: xid=d4d4cbb0-a091-4ac2-ae17-882c3b7202b4&&RD00155D995E8A&361; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Mon, 08-Nov-2021 23:09:14 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Tue, 16-Nov-2021 00:49:15 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD00155D995E8A
X-ODWebServer: eastus0-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 9973282C5C674A1DA946E3C993EAE77B Ref B: SLAEDGE1006 Ref C: 2021-11-09T00:49:14Z
Date: Tue, 09 Nov 2021 00:49:14 GMT
Content-Length: 0
2. GET https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1636418955&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D3AD292385C59C809%26resid%3D3AD292385C59C809%2521106%26authkey%3DAHXb1biR0zpJmSw&lc=1033&id=250206&cbcxt=sky&cbcxt=sky -> 200 OK

Request:
GET /login.srf?wa=wsignin1.0&rpsnv=13&ct=1636418955&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D3AD292385C59C809%26resid%3D3AD292385C59C809%2521106%26authkey%3DAHXb1biR0zpJmSw&lc=1033&id=250206&cbcxt=sky&cbcxt=sky HTTP/1.1
User-Agent: lVali
Host: login.live.com
Connection: Keep-Alive
Cookie: E=P:mCyywBqj2Yg=:vYqvlyGp9+J6wV6tVZ44kxj2EfQRJmuUzXzrj4DRr+U=:F; xid=d4d4cbb0-a091-4ac2-ae17-882c3b7202b4&&RD00155D995E8A&361; xidseq=1; wla42=

Response:
HTTP/1.1 200 OK
Cache-Control: no-store, max-age=0
Content-Type: text/html; charset=utf-8
Expires: Tue, 09 Nov 2021 00:48:15 GMT
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
X-Frame-Options: DENY
X-DNS-Prefetch-Control: on
Link: <https://acctcdn.msauth.net>; rel=preconnect; crossorigin
Link: <https://logincdn.msauth.net>; rel=preconnect; crossorigin
Link: <https://acctcdn.msauth.net/>; rel=dns-prefetch
Link: <https://acctcdn.msftauth.net/>; rel=dns-prefetch
Link: <https://acctcdnmsftuswe2.azureedge.net/>; rel=dns-prefetch
Link: <https://acctcdnvzeuno.azureedge.net/>; rel=dns-prefetch
Link: <https://logincdn.msauth.net/>; rel=dns-prefetch
Link: <https://lgincdnvzeuno.azureedge.net/>; rel=dns-prefetch
Link: <https://lgincdnmsftuswe2.azureedge.net/>; rel=dns-prefetch
Referrer-Policy: strict-origin-when-cross-origin
x-ms-route-info: R3_BAY
x-ms-request-id: bc1be43f-5318-40e0-a09c-750c1adb6c52
PPServer: PPV: 30 H: BY1PPF155530862 V: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
Set-Cookie: uaid=e96c725e80704b289dc620ca9fbefad9; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: MSPRequ=id=250206&lt=1636418955&co=1; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: MSCC=175.208.134.150-KR; expires=Sun, 04-Dec-2022 00:49:15 GMT; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: OParams=11O.DS3mmj*0D3Ay7PtyjeCgioEczWqGc1OB7LB!ZXHQ9DgP08dayxquZGwPusXME6RZwrydnGVAPd!gkN3ZgKb8LNAZhcllEFt*K63hnDuQ431Syii2k49*npVcbTCeoHEt5smxIqrcpqPkYT6wnywHkXDVZG0QCry6HI5NC0ZFolNjaTNsFWUY8ONPdOucolGSCmmxsMUR2KQqZOGsrVVJB9fjwYkpaDjDt9tkjbOEU91Nw0fmlCxdLtWb*D4clJuQ5BiNJNi8WIbA2LU7BDtTnvQz9uXgZPXTogP4311q3DGFN7wC8MHgrRT0ObQpwXg!qE4a1m1rB45C4YXrc6VNC2XhD69zmQP26FK5IZzfp01RGmvK5bRxjTyp!4k1VZTxejWJC6EZy8JB*NX4Sxlv9vfIKYYdLtHq!5BcoHp0Jjg!uZOgmLfOqLVESJSnOn2RMg$$; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: MSPOK=$uuid-871b4364-442c-4a1c-af72-0ac065507603; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Date: Tue, 09 Nov 2021 00:49:15 GMT
Content-Length: 27273
3. GET https://onedrive.live.com/download?cid=3AD292385C59C809&resid=3AD292385C59C809%21106&authkey=AHXb1biR0zpJmSw -> 302 Found

Request:
GET /download?cid=3AD292385C59C809&resid=3AD292385C59C809%21106&authkey=AHXb1biR0zpJmSw HTTP/1.1
User-Agent: aswe
Host: onedrive.live.com
Cache-Control: no-cache
Cookie: E=P:mCyywBqj2Yg=:vYqvlyGp9+J6wV6tVZ44kxj2EfQRJmuUzXzrj4DRr+U=:F; xid=d4d4cbb0-a091-4ac2-ae17-882c3b7202b4&&RD00155D995E8A&361; xidseq=1; wla42=

Response:
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1636418955&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D3AD292385C59C809%26resid%3D3AD292385C59C809%2521106%26authkey%3DAHXb1biR0zpJmSw&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
Set-Cookie: E=P:umIpwRqj2Yg=:RANPxuW6hoGe7Ia6QnxE56MU45mCBWZusngKiJsTgfA=:F; domain=.live.com; path=/
Set-Cookie: xidseq=2; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Mon, 08-Nov-2021 23:09:15 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Tue, 16-Nov-2021 00:49:15 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD00155D995E8A
X-ODWebServer: eastus0-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 8E1A5738B6754AFA842631939B30C1E9 Ref B: SLAEDGE1006 Ref C: 2021-11-09T00:49:15Z
Date: Tue, 09 Nov 2021 00:49:14 GMT
Content-Length: 0
4. GET https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1636418955&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D3AD292385C59C809%26resid%3D3AD292385C59C809%2521106%26authkey%3DAHXb1biR0zpJmSw&lc=1033&id=250206&cbcxt=sky&cbcxt=sky -> 200 OK

Request:
GET /login.srf?wa=wsignin1.0&rpsnv=13&ct=1636418955&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D3AD292385C59C809%26resid%3D3AD292385C59C809%2521106%26authkey%3DAHXb1biR0zpJmSw&lc=1033&id=250206&cbcxt=sky&cbcxt=sky HTTP/1.1
User-Agent: aswe
Host: login.live.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: E=P:umIpwRqj2Yg=:RANPxuW6hoGe7Ia6QnxE56MU45mCBWZusngKiJsTgfA=:F; xid=d4d4cbb0-a091-4ac2-ae17-882c3b7202b4&&RD00155D995E8A&361; xidseq=2; wla42=; uaid=e96c725e80704b289dc620ca9fbefad9; MSPRequ=id=250206&lt=1636418955&co=1; MSCC=175.208.134.150-KR; OParams=11O.DS3mmj*0D3Ay7PtyjeCgioEczWqGc1OB7LB!ZXHQ9DgP08dayxquZGwPusXME6RZwrydnGVAPd!gkN3ZgKb8LNAZhcllEFt*K63hnDuQ431Syii2k49*npVcbTCeoHEt5smxIqrcpqPkYT6wnywHkXDVZG0QCry6HI5NC0ZFolNjaTNsFWUY8ONPdOucolGSCmmxsMUR2KQqZOGsrVVJB9fjwYkpaDjDt9tkjbOEU91Nw0fmlCxdLtWb*D4clJuQ5BiNJNi8WIbA2LU7BDtTnvQz9uXgZPXTogP4311q3DGFN7wC8MHgrRT0ObQpwXg!qE4a1m1rB45C4YXrc6VNC2XhD69zmQP26FK5IZzfp01RGmvK5bRxjTyp!4k1VZTxejWJC6EZy8JB*NX4Sxlv9vfIKYYdLtHq!5BcoHp0Jjg!uZOgmLfOqLVESJSnOn2RMg$$; MSPOK=$uuid-871b4364-442c-4a1c-af72-0ac065507603

Response:
HTTP/1.1 200 OK
Cache-Control: no-store, max-age=0
Content-Type: text/html; charset=utf-8
Expires: Tue, 09 Nov 2021 00:48:15 GMT
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
x-ms-route-info: R3_BAY
x-ms-request-id: b88a1a66-8b27-40d6-ace7-d75fcf2eeb54
PPServer: PPV: 30 H: SJ1PPF98A03F927 V: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
Set-Cookie: uaid=2be8c4f4395d4021be8c90068dc8cbf0; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: MSPRequ=id=250206&lt=1636418955&co=2; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: OParams=11O.DbeNCxfz8YUrx7Fpc7kUq8R5beTcrb3rRKhJ5wND6AAm0ffZ!*lTA9QcDgLxRa!5gMMX*69M3qlHtzZVp*dKN1X120WXavwqMJz*psfmx1zNYnK!L096AM8K1YBFFd0QUbJ9H8eRpFkh39S9PymVqIxNl6PhkmgT2EDBJXz1GLQWmNMrEmEx4529oDES6RPqxP1wT62wkitBynVtIcu6nCtjtGpCjnyhxnYQPpaNWBg3MlFPAOa6T4KXLfxea8z4igPBZDl8Rx9GFaBA5MuFc7!ORe3ZoUSgpoJ54KIg7kzG04DrlgxzIHPgS8Y5h92xvRnUbUZJpbm7QxULXVWD!KMNHtKG6GxqVEZqaqudztYDcN3UqKJ8Vg!QiYXlLwRZVJeBdYX2HZJMgbZMCEQQrHZS2CynQWnwI1r1k1tJKdG!wIGhvDPpfSqYR9QaT5dA7!kBymrkU0XT3WbhyGi6Kcf5COa3!80cbyY14zodAjmP; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: MSPOK=$uuid-871b4364-442c-4a1c-af72-0ac065507603$uuid-77f460b2-ff98-4b2a-93e2-61c4c00eb947; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Date: Tue, 09 Nov 2021 00:49:15 GMT
Content-Length: 26594
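The exchanges above answer one question an analyst needs from this capture: did the sample actually get a file from the OneDrive share, or only a sign-in wall? The script below is an added example written for this report, not sandbox tooling; it parses a trimmed copy of the four exchanges (request line, the headers the check needs, and each response's status and Location, with the long login.srf query reduced to its wreply parameter) and reports the User-Agents used, how many share fetches were bounced to login.live.com/login.srf with a wreply pointing back at the share, and whether any share response could have carried a body.

```python
"""Decide from captured HTTP exchanges whether a OneDrive share fetch
returned a payload.  Added example for this report (not sandbox code);
CAPTURE is a trimmed copy of the four exchanges recorded above."""
from urllib.parse import parse_qs, urlsplit

SHARE = "/download?cid=3AD292385C59C809&resid=3AD292385C59C809%21106&authkey=AHXb1biR0zpJmSw"
WREPLY = ("wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D3AD292385C59C809"
          "%26resid%3D3AD292385C59C809%2521106%26authkey%3DAHXb1biR0zpJmSw")
LOGIN = f"/login.srf?wa=wsignin1.0&{WREPLY}&lc=1033"   # other query params trimmed

# Trimmed capture: request line + Host/User-Agent, response status + the
# headers the check needs.  Values are those recorded in this report.
CAPTURE = f"""\
GET {SHARE} HTTP/1.1
User-Agent: lVali
Host: onedrive.live.com

HTTP/1.1 302 Found
Location: https://login.live.com{LOGIN}
Content-Length: 0

GET {LOGIN} HTTP/1.1
User-Agent: lVali
Host: login.live.com

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 27273

GET {SHARE} HTTP/1.1
User-Agent: aswe
Host: onedrive.live.com

HTTP/1.1 302 Found
Location: https://login.live.com{LOGIN}
Content-Length: 0

GET {LOGIN} HTTP/1.1
User-Agent: aswe
Host: login.live.com

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 26594
"""


def parse_messages(raw):
    """Split a blank-line separated dump into (start line, headers) pairs."""
    messages = []
    for chunk in raw.strip().split("\n\n"):
        lines = chunk.splitlines()
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        messages.append((lines[0], headers))
    return messages


def pair_exchanges(messages):
    """Requests and responses alternate in the dump; pair them up."""
    exchanges = []
    for i in range(0, len(messages) - 1, 2):
        (req_line, req_h), (resp_line, resp_h) = messages[i], messages[i + 1]
        method, path, _ = req_line.split(" ", 2)
        exchanges.append({
            "method": method,
            "host": req_h.get("host", ""),
            "path": path,
            "url": f"https://{req_h.get('host', '')}{path}",
            "user_agent": req_h.get("user-agent", ""),
            "status": int(resp_line.split(" ")[1]),
            "location": resp_h.get("location"),
            "length": int(resp_h.get("content-length", "0")),
        })
    return exchanges


def is_signin_wall(exchange):
    """True when a 302 sends the client to the Microsoft account sign-in
    page with wreply pointing back at the URL that was requested."""
    if exchange["status"] != 302 or not exchange["location"]:
        return False
    loc = urlsplit(exchange["location"])
    if loc.hostname != "login.live.com" or loc.path != "/login.srf":
        return False
    wreply = parse_qs(loc.query).get("wreply", [""])[0]   # percent-decoded once
    return wreply == exchange["url"]


def assess(exchanges):
    """Summarise who asked, how the share answered, and whether any share
    response could have carried a file body."""
    share_hits = [e for e in exchanges
                  if e["host"] == "onedrive.live.com" and e["path"].startswith("/download")]
    agents = {e["user_agent"] for e in exchanges}
    return {
        "user_agents": sorted(agents),
        "non_browser_agents": sorted(a for a in agents if not a.startswith("Mozilla/")),
        "signin_walls": sum(is_signin_wall(e) for e in share_hits),
        "payload_retrieved": any(e["status"] == 200 and e["length"] > 0 for e in share_hits),
    }


if __name__ == "__main__":
    for key, value in assess(pair_exchanges(parse_messages(CAPTURE))).items():
        print(f"{key}: {value}")
```

On this capture the result is two sign-in walls, no payload, and two short non-browser User-Agent strings (lVali, aswe), which means the second stage was not recovered in this run and the cid/resid/authkey triple in the share URL is the indicator to pivot on, not a dropped file.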
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49163 -> 13.107.42.13:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49165 -> 20.190.144.161:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49164 -> 20.190.144.161:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |

All three hits are the same SID on flows to 13.107.42.13 (onedrive.live.com, per the DNS table) and 20.190.144.161 (the address that served the two login.live.com requests above), not to a Tofsee command-and-control host. A JA3 hash identifies the ClientHello of whichever TLS stack opened the connection, so a match on traffic to legitimate Microsoft endpoints should be confirmed by comparing the sample's ClientHello fingerprint with that of a benign process on the same sandbox image before the alert is treated as a Tofsee indicator.
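The check that settles a JA3 alert is to compute the fingerprint yourself from the sample's first TLS record and from a benign process on the same image, then compare. The following is an added example for this report, not Suricata or SSLBL code: it builds a constructed TLS 1.0 ClientHello (chosen to resemble the TLSv1 flows logged above, but not the sample's actual bytes), parses it the way JA3 specifies (client version, cipher suites, extension types, supported groups, EC point formats, each joined with "-", the five fields joined with ",", GREASE values dropped) and returns the string and its MD5. Feeding it the real ClientHello bytes from the pcap is the intended use.

```python
"""JA3 fingerprint of a TLS ClientHello, for checking an SSLBL-style JA3
alert.  Added example for this report, not Suricata/SSLBL code; the
ClientHello below is constructed rather than taken from the pcap."""
import hashlib
import struct

# GREASE values (RFC 8701) vary per connection and are excluded from JA3.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}
SUPPORTED_GROUPS, EC_POINT_FORMATS = 0x000A, 0x000B


def build_client_hello(version, ciphers, extensions, curves, point_formats):
    """Serialise one TLS record holding a ClientHello (constructed input;
    a real check feeds the sample's first record from the capture)."""
    ext_bytes = b""
    for ext_type in extensions:
        if ext_type == SUPPORTED_GROUPS:
            body = struct.pack("!H", 2 * len(curves)) + b"".join(struct.pack("!H", c) for c in curves)
        elif ext_type == EC_POINT_FORMATS:
            body = bytes([len(point_formats)]) + bytes(point_formats)
        else:
            body = b""                    # contents irrelevant to JA3 (SNI, tickets, GREASE)
        ext_bytes += struct.pack("!HH", ext_type, len(body)) + body
    body = (struct.pack("!H", version)
            + b"\x00" * 32                # client_random
            + b"\x00"                     # empty session id
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                 # one compression method: null
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _u16_list(data):
    return [v for (v,) in struct.iter_unpack("!H", data)]


def _dash(values):
    return "-".join(str(v) for v in values)


def ja3_string(record):
    """Return 'version,ciphers,extensions,curves,point_formats' for a
    handshake record carrying a ClientHello, GREASE values removed."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs = record[5:]
    pos = 4                                                    # type + 24-bit length
    version = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    pos += 32                                                  # client_random
    pos += 1 + hs[pos]                                         # session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    ciphers = [c for c in _u16_list(hs[pos:pos + cs_len]) if c not in GREASE]; pos += cs_len
    pos += 1 + hs[pos]                                         # compression methods
    exts, curves, formats = [], [], []
    if pos < len(hs):                                          # extensions are optional
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            data = hs[pos:pos + elen]; pos += elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == SUPPORTED_GROUPS:
                n = struct.unpack("!H", data[:2])[0]
                curves = [c for c in _u16_list(data[2:2 + n]) if c not in GREASE]
            elif etype == EC_POINT_FORMATS:
                formats = list(data[1:1 + data[0]])
    return ",".join([str(version), _dash(ciphers), _dash(exts), _dash(curves), _dash(formats)])


def ja3_hash(record):
    """The value SSLBL lists: MD5 of the JA3 string."""
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


def sample_hello():
    """Constructed TLS 1.0 ClientHello; shape only, not the sample's bytes."""
    return build_client_hello(0x0301,
                              [0x002F, 0x0035, 0x0005, 0x000A, 0xC013, 0xC014, 0xC009, 0xC00A],
                              [0x0000, SUPPORTED_GROUPS, EC_POINT_FORMATS, 0x0023, 0xFF01],
                              [23, 24], [0])


def sample_hello_with_grease():
    """Same hello with GREASE values inserted; the JA3 must not change."""
    return build_client_hello(0x0301,
                              [0x0A0A, 0x002F, 0x0035, 0x0005, 0x000A, 0xC013, 0xC014, 0xC009, 0xC00A],
                              [0x1A1A, 0x0000, SUPPORTED_GROUPS, EC_POINT_FORMATS, 0x0023, 0xFF01],
                              [0x2A2A, 23, 24], [0])


if __name__ == "__main__":
    for hello in (sample_hello(), sample_hello_with_grease()):
        print(ja3_string(hello), ja3_hash(hello))
```

If the hash computed from the sample's ClientHello equals the one from, say, a clean Windows Update or browser connection on the same sandbox image, the alert is describing the operating system's TLS stack and carries no information about the sample; only a hash that differs from every benign process on the image is worth matching against a blocklist.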
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49163 -> 13.107.42.13:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | CN=onedrive.com | 50:2f:33:10:92:ac:27:7b:17:be:82:68:3b:e2:29:ad:97:41:b7:bb |
TLSv1 192.168.56.101:49165 -> 20.190.144.161:443 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=graph.windows.net | 73:7d:2b:8b:14:fd:d9:03:14:62:2e:35:a7:c1:54:33:e0:8b:3b:71 |
TLSv1 192.168.56.101:49164 -> 20.190.144.161:443 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=graph.windows.net | 73:7d:2b:8b:14:fd:d9:03:14:62:2e:35:a7:c1:54:33:e0:8b:3b:71 |
Snort Alerts
No Snort Alerts