Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
login.live.com | CNAME login.msa.msidentity.com, CNAME prda.aadg.msidentity.com | 20.190.166.5 |
onedrive.live.com | CNAME l-0004.l-msedge.net | 13.107.42.13 |
GET 302 https://onedrive.live.com/download?cid=12E1C0826CE1E631&resid=12E1C0826CE1E631%21111&authkey=ADdmmgbfTgMAmYM
Request:
GET /download?cid=12E1C0826CE1E631&resid=12E1C0826CE1E631%21111&authkey=ADdmmgbfTgMAmYM HTTP/1.1
User-Agent: lVali
Host: onedrive.live.com
Response:
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1637309693&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D12E1C0826CE1E631%26resid%3D12E1C0826CE1E631%2521111%26authkey%3DADdmmgbfTgMAmYM&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
Set-Cookie: E=P:zfLvqTSr2Yg=:49HmSvumfCdU3mjNScZ3Sct7KHiQqrOykv7M28nIIjU=:F; domain=.live.com; path=/
Set-Cookie: xid=12934a60-ccf0-4adf-b868-3a0b3b10ba3e&&RD00155D99701A&371; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Fri, 19-Nov-2021 06:34:52 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Fri, 26-Nov-2021 08:14:53 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD00155D99701A
X-ODWebServer: eastus0-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: D7F6BDAAF50949A3A4C9AB81B7784193 Ref B: SLAEDGE1006 Ref C: 2021-11-19T08:14:52Z
Date: Fri, 19 Nov 2021 08:14:52 GMT
Content-Length: 0
GET 200 https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1637309693&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D12E1C0826CE1E631%26resid%3D12E1C0826CE1E631%2521111%26authkey%3DADdmmgbfTgMAmYM&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
Request:
GET /login.srf?wa=wsignin1.0&rpsnv=13&ct=1637309693&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D12E1C0826CE1E631%26resid%3D12E1C0826CE1E631%2521111%26authkey%3DADdmmgbfTgMAmYM&lc=1033&id=250206&cbcxt=sky&cbcxt=sky HTTP/1.1
User-Agent: lVali
Host: login.live.com
Connection: Keep-Alive
Cookie: E=P:zfLvqTSr2Yg=:49HmSvumfCdU3mjNScZ3Sct7KHiQqrOykv7M28nIIjU=:F; xid=12934a60-ccf0-4adf-b868-3a0b3b10ba3e&&RD00155D99701A&371; xidseq=1; wla42=
Response:
HTTP/1.1 200 OK
Cache-Control: no-store, max-age=0
Content-Type: text/html; charset=utf-8
Expires: Fri, 19 Nov 2021 08:13:53 GMT
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
x-ms-route-info: R3_BAY
x-ms-request-id: bc6d978d-ba6a-4565-8d85-e07026a75476
PPServer: PPV: 30 H: BY1PPF6AD69A604 V: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
Set-Cookie: uaid=35ce82c71c9d4cc6986d55723936b712; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: MSPRequ=id=250206<=1637309693&co=1; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: MSCC=175.208.134.150-KR; expires=Wed, 14-Dec-2022 08:14:53 GMT; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: OParams=11O.DR5gjqYVxT4G7B8uzLn8fdAwarGns2YSwnV9ui8EAs3JNNfuqarJhugTvJHqL9StJFx9unHQ7Ox*36nVv7keyTpFpPXsrROdI7LW5a0xaqfX32MiwlxAEfw8AF3lfPQr2Jv0b4mIbZ8Y53DJhHVtBLWEjBlDpB8QkWh4!AXKkKCP1skJX2Aq*NuznN!oG8GzTHqb0ngd8EHac5Kv!v8*spG2CfOEZNdnNKwuaeJH*YbIjV9dMrjU7S9H9NDMHznQMCCWUnQLC6FXCEhRr!u1UO6aHoXXtw*e0V5MHn2iF1Q1XYCf3NbmdYAUMsy7qUfFdmyZV3QNj7LYpM43*yu1voNuyaiYfqRRy69NxZHp6vn46hwIFQ3gDgeYf84Uhr1ZVRBrZUSvuzJo5kBQiuOciYgBQJBSguAiN2yFfbC2VYBMdBwhNxIYplI1o6ez1E0GyA$$; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: MSPOK=$uuid-6a549b37-f360-4935-af35-a5d6f13d2579; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Date: Fri, 19 Nov 2021 08:14:53 GMT
Content-Length: 26605
GET 302 https://onedrive.live.com/download?cid=12E1C0826CE1E631&resid=12E1C0826CE1E631%21111&authkey=ADdmmgbfTgMAmYM
Request:
GET /download?cid=12E1C0826CE1E631&resid=12E1C0826CE1E631%21111&authkey=ADdmmgbfTgMAmYM HTTP/1.1
User-Agent: aswe
Host: onedrive.live.com
Cache-Control: no-cache
Cookie: E=P:zfLvqTSr2Yg=:49HmSvumfCdU3mjNScZ3Sct7KHiQqrOykv7M28nIIjU=:F; xid=12934a60-ccf0-4adf-b868-3a0b3b10ba3e&&RD00155D99701A&371; xidseq=1; wla42=
Response:
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1637309694&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D12E1C0826CE1E631%26resid%3D12E1C0826CE1E631%2521111%26authkey%3DADdmmgbfTgMAmYM&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
Set-Cookie: E=P:kraXqjSr2Yg=:VXVbCkFk5+gNZRZ0Vx7ZyefeolvWN4T1LCSy+XkCEmg=:F; domain=.live.com; path=/
Set-Cookie: xidseq=2; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Fri, 19-Nov-2021 06:34:53 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Fri, 26-Nov-2021 08:14:54 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD00155D996C36
X-ODWebServer: eastus0-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 5AE4C28CAB2A47ABAF24EE27140DFAAB Ref B: SLAEDGE1006 Ref C: 2021-11-19T08:14:53Z
Date: Fri, 19 Nov 2021 08:14:53 GMT
Content-Length: 0
GET 200 https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1637309694&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D12E1C0826CE1E631%26resid%3D12E1C0826CE1E631%2521111%26authkey%3DADdmmgbfTgMAmYM&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
Request:
GET /login.srf?wa=wsignin1.0&rpsnv=13&ct=1637309694&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D12E1C0826CE1E631%26resid%3D12E1C0826CE1E631%2521111%26authkey%3DADdmmgbfTgMAmYM&lc=1033&id=250206&cbcxt=sky&cbcxt=sky HTTP/1.1
User-Agent: aswe
Host: login.live.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: E=P:kraXqjSr2Yg=:VXVbCkFk5+gNZRZ0Vx7ZyefeolvWN4T1LCSy+XkCEmg=:F; xid=12934a60-ccf0-4adf-b868-3a0b3b10ba3e&&RD00155D99701A&371; xidseq=2; wla42=; uaid=35ce82c71c9d4cc6986d55723936b712; MSPRequ=id=250206<=1637309693&co=1; MSCC=175.208.134.150-KR; OParams=11O.DR5gjqYVxT4G7B8uzLn8fdAwarGns2YSwnV9ui8EAs3JNNfuqarJhugTvJHqL9StJFx9unHQ7Ox*36nVv7keyTpFpPXsrROdI7LW5a0xaqfX32MiwlxAEfw8AF3lfPQr2Jv0b4mIbZ8Y53DJhHVtBLWEjBlDpB8QkWh4!AXKkKCP1skJX2Aq*NuznN!oG8GzTHqb0ngd8EHac5Kv!v8*spG2CfOEZNdnNKwuaeJH*YbIjV9dMrjU7S9H9NDMHznQMCCWUnQLC6FXCEhRr!u1UO6aHoXXtw*e0V5MHn2iF1Q1XYCf3NbmdYAUMsy7qUfFdmyZV3QNj7LYpM43*yu1voNuyaiYfqRRy69NxZHp6vn46hwIFQ3gDgeYf84Uhr1ZVRBrZUSvuzJo5kBQiuOciYgBQJBSguAiN2yFfbC2VYBMdBwhNxIYplI1o6ez1E0GyA$$; MSPOK=$uuid-6a549b37-f360-4935-af35-a5d6f13d2579
Response:
HTTP/1.1 200 OK
Cache-Control: no-store, max-age=0
Content-Type: text/html; charset=utf-8
Expires: Fri, 19 Nov 2021 08:13:54 GMT
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
x-ms-route-info: R3_BAY
x-ms-request-id: abcde779-3b70-4625-869c-aadd55e7e5b6
PPServer: PPV: 30 H: BY1PPF1A2B36A4A V: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
Set-Cookie: uaid=be94a5bb87354e84be8d785825a4889c; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: MSPRequ=id=250206<=1637309694&co=2; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: OParams=11O.DeN1Xy1oPwf0jumyjF6AcjhnhR9fZ!YE!DcTKiFxutatdGYki1OQXNRtjDRIgOsi8xc7r2l!P*uIASTucU24tYUlunq!4eFeUruAd9uFF8QYvMjcgC9Uc!7owc4yBD4qw7BvTRbZeVOU7dIwsi*alN4tnE*BOXUe69BDjdQYljEHSuFEtZVpYx1BL22krjwDZwXs2vfq*VmMZziMX8pn502R*bdvfQgt87HuKhWtfS5hYmW4LaMZU3z7feM*yFaY2Y1Ezm4mgCp!pz7cZf!Y9ao51JX5MIlKZ!iwFS!fJcdT7AJWVIxlXxSk2Li9AokDSTOSNScRc90xKw0MVydXvADniiXg2*UEWKP5LcTuacbU2YusExkTksqKYK37ld89nx2zkezmkNFTmOGgYeZodZ1fsVvTZI98UiRLoeRBlybkdbF77nMUFRlP44Pz1UHi9VZfvhRRZh!jRxCG3QG00Gx4tygYvVY9HA44OB8JU!IBJ25IrAKqzAZ2mVr7HqtTdg$$; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Set-Cookie: MSPOK=$uuid-6a549b37-f360-4935-af35-a5d6f13d2579$uuid-bfbfda21-3bb4-4dbd-afcb-33e157cce338; domain=login.live.com; Secure; path=/; SameSite=None; HttpOnly
Date: Fri, 19 Nov 2021 08:14:53 GMT
Content-Length: 26596
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49164 -> 40.126.35.87:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49163 -> 13.107.42.13:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49165 -> 40.126.35.87:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49164 -> 40.126.35.87:443 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=graph.windows.net | b7:2c:02:a2:bb:df:8d:60:0d:c5:98:1a:c8:13:1f:31:26:4a:9d:83 |
TLSv1 192.168.56.101:49163 -> 13.107.42.13:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | CN=onedrive.com | 50:2f:33:10:92:ac:27:7b:17:be:82:68:3b:e2:29:ad:97:41:b7:bb |
TLSv1 192.168.56.101:49165 -> 40.126.35.87:443 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=graph.windows.net | b7:2c:02:a2:bb:df:8d:60:0d:c5:98:1a:c8:13:1f:31:26:4a:9d:83 |
Snort Alerts
No Snort Alerts