Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| phila.ac.ug | 45.143.201.4 |
GET
200
http://phila.ac.ug/azne_Rnnztqgs.bmp
REQUEST
RESPONSE
BODY
GET /azne_Rnnztqgs.bmp HTTP/1.1
Host: phila.ac.ug
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 20 Jun 2022 01:16:23 GMT
Content-Type: image/bmp
Content-Length: 786432
Connection: keep-alive
Last-Modified: Sun, 19 Jun 2022 09:56:00 GMT
ETag: "c0000-5e1c9fea5ab2e"
Accept-Ranges: bytes
POST
200
http://phila.ac.ug/index.php
REQUEST
RESPONSE
BODY
POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: phila.ac.ug
Content-Length: 91
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 20 Jun 2022 01:16:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
POST
200
http://phila.ac.ug/index.php
REQUEST
RESPONSE
BODY
POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: phila.ac.ug
Content-Length: 4450
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 20 Jun 2022 01:16:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.103:49162 -> 45.143.201.4:80 | 2030384 | ET HUNTING Suspicious Terse Request for .bmp | Potentially Bad Traffic |
| TCP 45.143.201.4:80 -> 192.168.56.103:49165 | 2029138 | ET MALWARE AZORult v3.3 Server Response M3 | Malware Command and Control Activity Detected |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts