Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
cdn.discordapp.com | 162.159.135.233 | |
www.google.com | 142.250.206.228 | |
GET 200 https://www.google.com/
Request:
GET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 08:28:22 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2022-08-18-08; expires=Sat, 17-Sep-2022 08:28:22 GMT; path=/; domain=.google.com; Secure
Set-Cookie: AEC=AakniGPlmYjVqhHwwVcotyb7IREvU8Wy4t3sHwkv7j2HrJVygW4obCriVA; expires=Tue, 14-Feb-2023 08:28:22 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=511=U2_OU-H0Vik5XJw5Rehn-GDWoJMzRert7zuBSj-ktBTQVYVkn_C7aXUlQil2W_JGyqthCHLVzG2SF2L3AkQnwwi8dD1iKGikQpjbGnKGRdC5YE-yZ5dLIU9vnCHjq6RMQZv_NR3Rn75oKJAqddciRlB7L7CKzM55AsMFaB7minY; expires=Fri, 17-Feb-2023 08:28:22 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET 200 https://cdn.discordapp.com/attachments/994323960667852841/994350957108412446/Windows_Defender_SmartScreen.exe
Request:
GET /attachments/994323960667852841/994350957108412446/Windows_Defender_SmartScreen.exe HTTP/1.1
Host: cdn.discordapp.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 08:29:20 GMT
Content-Type: application/x-msdos-program
Content-Length: 4156928
Connection: keep-alive
CF-Ray: 73c947fd9fab9329-ICN
Accept-Ranges: bytes
Age: 1523693
Cache-Control: public, max-age=31536000
Content-Disposition: attachment;%20filename=Windows_Defender_SmartScreen.exe, attachment
ETag: "8be2acb42cf8929bf0575df2654aafe4"
Expires: Fri, 18 Aug 2023 08:29:20 GMT
Last-Modified: Wed, 06 Jul 2022 21:15:42 GMT
Vary: Accept-Encoding
CF-Cache-Status: HIT
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-goog-generation: 1657142142426454
x-goog-hash: crc32c=JoiSEg==
x-goog-hash: md5=i+KstCz4kpvwV13yZUqv5A==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 4156928
X-GUploader-UploadID: ADPycdv6NJ-regRaVOCVwHvxZGboG6MQBLe957h1OEyM2fGFABUO1C0wQ1vDm_WLMuJmL-tpEFZVOTzcht0l4gQMn2x7
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0qwNDBzz1MTfFRlYgBGXl0qZ4JyHsi1NAfbYiiqaoctvjPM5CBYpolrDQbNFpvEtsY5%2BoUEuo1I3ndJefp0oUBZvfYCJzNnfuu98YWnxncU5QaxIjTVgTzw%2BQaPgmjPMZ2uXIQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
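The Discord CDN response above carries more than the payload: the backing object store (the `x-goog-*` headers) reports the object's MD5 and CRC32C in base64, the `ETag` repeats the MD5 in hex, and the two length fields state how many bytes were stored versus sent. Those values let an analyst pull the sample's hash straight out of the pcap for a threat-intel lookup, and verify a carved copy of the download against what the server said it served. The script below is an added example and is not part of the sandbox report or of any tool it was produced with; the header block is copied from the capture above, and `verify_sample` assumes a locally carved file path.

```python
import base64
import hashlib
import re

# Response headers for the Windows_Defender_SmartScreen.exe download, copied
# from the capture above (only the fields these checks need).
DISCORD_RESPONSE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: application/x-msdos-program
Content-Length: 4156928
ETag: "8be2acb42cf8929bf0575df2654aafe4"
Last-Modified: Wed, 06 Jul 2022 21:15:42 GMT
x-goog-hash: crc32c=JoiSEg==
x-goog-hash: md5=i+KstCz4kpvwV13yZUqv5A==
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 4156928
"""


def parse_headers(raw):
    """Return {lower-cased header name: [values]}.

    Repeated headers (x-goog-hash appears twice) are kept as separate values
    instead of the second one clobbering the first.
    """
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def expected_hashes(headers):
    """Decode the x-goog-hash values into comparable forms.

    md5    -> base64 of the 16 raw digest bytes, returned as a hex string
    crc32c -> base64 of the 4-byte big-endian checksum, returned as an int
    """
    out = {}
    for entry in headers.get("x-goog-hash", []):
        algo, _, b64 = entry.partition("=")
        raw = base64.b64decode(b64)
        if algo == "md5":
            out["md5"] = raw.hex()
        elif algo == "crc32c":
            out["crc32c"] = int.from_bytes(raw, "big")
    return out


def header_consistency(headers):
    """Cross-check what the server claims about the object.

    Each check is returned by name so a triage script can say which one
    failed. An ETag that is not the x-goog-hash MD5, or length fields that
    disagree, means the bytes on the wire are not the stored object
    (proxy rewrite, truncated transfer, or a swapped payload).
    """
    hashes = expected_hashes(headers)
    etag = headers.get("etag", [""])[0].strip('"').lower()
    return {
        "etag_is_md5": re.fullmatch(r"[0-9a-f]{32}", etag) is not None,
        "etag_matches_goog_md5": etag == hashes.get("md5"),
        "lengths_agree": headers.get("content-length")
        == headers.get("x-goog-stored-content-length"),
        "stored_as_identity": headers.get("x-goog-stored-content-encoding") == ["identity"],
    }


def verify_sample(path, headers):
    """Hash a locally carved copy of the download and compare it to the headers.

    Only MD5 is checked: the standard library has no CRC32C, and the MD5/ETag
    pair is what you pivot on in a threat-intel lookup anyway. `path` is an
    assumed location of the carved file.
    """
    expected = expected_hashes(headers)["md5"]
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected


if __name__ == "__main__":
    hdrs = parse_headers(DISCORD_RESPONSE_HEADERS)
    print(expected_hashes(hdrs))
    print(header_consistency(hdrs))
```

Decoding the base64 MD5 gives `8be2acb42cf8929bf0575df2654aafe4`, the same value as the quoted `ETag`, so the hash can be used for lookups even when the sandbox did not keep the dropped file.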
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49168 -> 142.251.42.164:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49161 -> 172.217.161.36:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49180 -> 162.159.135.233:443 | 2035464 | ET INFO Observed Discord Domain (discordapp .com in TLS SNI) | Misc activity |
TCP 192.168.56.103:49180 -> 162.159.135.233:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
UDP 192.168.56.103:60880 -> 164.124.101.2:53 | 2035466 | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) | Misc activity |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49168 -> 142.251.42.164:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=www.google.com | 27:2e:56:1b:56:00:b7:8d:84:07:c7:62:41:02:94:f3:9a:a0:c3:5e |
TLSv1 192.168.56.103:49161 -> 172.217.161.36:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=www.google.com | 27:2e:56:1b:56:00:b7:8d:84:07:c7:62:41:02:94:f3:9a:a0:c3:5e |
TLS 1.2 192.168.56.103:49180 -> 162.159.135.233:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 42:d5:a7:c0:c1:61:01:ee:fb:44:38:ab:54:aa:23:79:3b:75:08:a8 |
Snort Alerts
No Snort Alerts