Network Analysis
| IP Address | Status | Action |
|---|---|---|
| 103.237.169.99 | Active | Moloch |
| 149.28.143.92 | Active | Moloch |
| 164.124.101.2 | Active | Moloch |
| 169.60.181.70 | Active | Moloch |
| 182.162.143.56 | Active | Moloch |
| 185.15.196.157 | Active | Moloch |
| 187.63.160.88 | Active | Moloch |
| 208.87.225.118 | Active | Moloch |
| 23.43.165.105 | Active | Moloch |
| 51.68.231.20 | Active | Moloch |
| 91.187.140.35 | Active | Moloch |
| 94.23.45.86 | Active | Moloch |
| 95.217.221.146 | Active | Moloch |
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| apps.identrust.com |
CNAME
a1952.dscq.akamai.net
CNAME
identrust.edgesuite.net
|
23.53.228.10 |
| clanbaker.org | 208.87.225.118 | |
| cs.com.sg | 103.237.169.99 | |
| atici.net | 185.15.196.157 | |
| j2ccamionmagasin.fr | 51.68.231.20 |
- TCP Requests
-
-
192.168.56.103:49162 103.237.169.99:443cs.com.sg
-
192.168.56.103:49179 182.162.143.56:443
-
192.168.56.103:49180 182.162.143.56:443
-
192.168.56.103:49182 182.162.143.56:443
-
192.168.56.103:49183 182.162.143.56:443
-
192.168.56.103:49168 185.15.196.157:80atici.net
-
192.168.56.103:49191 187.63.160.88:80
-
192.168.56.103:49192 187.63.160.88:80
-
192.168.56.103:49193 187.63.160.88:80
-
192.168.56.103:49194 187.63.160.88:80
-
192.168.56.103:49173 208.87.225.118:80clanbaker.org
-
192.168.56.103:49164 23.43.165.105:80apps.identrust.com
-
192.168.56.103:49166 51.68.231.20:443j2ccamionmagasin.fr
-
192.168.56.103:49187 91.187.140.35:8080
-
192.168.56.103:49188 91.187.140.35:8080
-
192.168.56.103:49189 91.187.140.35:8080
-
192.168.56.103:49190 91.187.140.35:8080
-
- UDP Requests
-
-
192.168.56.102:137 192.168.56.103:137
-
192.168.56.103:50800 164.124.101.2:53
-
192.168.56.103:52760 164.124.101.2:53
-
192.168.56.103:53673 164.124.101.2:53
-
192.168.56.103:62576 164.124.101.2:53
-
192.168.56.103:64894 164.124.101.2:53
-
192.168.56.103:137 192.168.56.255:137
-
192.168.56.103:53676 239.255.255.250:1900
-
8.8.8.8:53 192.168.56.103:62576
-
GET
200
http://apps.identrust.com/roots/dstrootcax3.p7c
REQUEST
RESPONSE
BODY
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com
HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' *.identrust.com
Last-Modified: Mon, 20 Jun 2022 20:24:00 GMT
ETag: "37d-5e1e6e25c9800"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Mon, 07 Nov 2022 02:28:59 GMT
Date: Mon, 07 Nov 2022 01:28:59 GMT
Connection: keep-alive
GET
200
http://apps.identrust.com/roots/dstrootcax3.p7c
REQUEST
RESPONSE
BODY
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com
HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' *.identrust.com
Last-Modified: Mon, 20 Jun 2022 20:24:00 GMT
ETag: "37d-5e1e6e25c9800"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Mon, 07 Nov 2022 02:28:59 GMT
Date: Mon, 07 Nov 2022 01:28:59 GMT
Connection: keep-alive
GET
200
http://apps.identrust.com/roots/dstrootcax3.p7c
REQUEST
RESPONSE
BODY
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com
HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' *.identrust.com
Last-Modified: Mon, 20 Jun 2022 20:24:00 GMT
ETag: "37d-5e1e6e25c9800"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Mon, 07 Nov 2022 02:29:01 GMT
Date: Mon, 07 Nov 2022 01:29:01 GMT
Connection: keep-alive
GET
200
http://apps.identrust.com/roots/dstrootcax3.p7c
REQUEST
RESPONSE
BODY
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com
HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' *.identrust.com
Last-Modified: Mon, 20 Jun 2022 20:24:00 GMT
ETag: "37d-5e1e6e25c9800"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Mon, 07 Nov 2022 02:29:01 GMT
Date: Mon, 07 Nov 2022 01:29:01 GMT
Connection: keep-alive
GET
200
http://atici.net/old/PkZI74DD/
REQUEST
RESPONSE
BODY
GET /old/PkZI74DD/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Host: atici.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Nov 2022 01:28:50 GMT
Content-Type: application/x-msdownload
Content-Length: 625152
Connection: keep-alive
X-Powered-By: PHP/7.3.33
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Expires: Mon, 07 Nov 2022 01:28:50 GMT
Content-Disposition: attachment; filename="BwjenXgU7wAH2nBzg.dll"
Content-Transfer-Encoding: binary
Set-Cookie: 63685f5213b3e=1667784530; expires=Mon, 07-Nov-2022 01:29:50 GMT; Max-Age=60; path=/
Last-Modified: Mon, 07 Nov 2022 01:28:50 GMT
X-Powered-By: PleskLin
GET
200
http://clanbaker.org/css/khhl7kT2n69n/
REQUEST
RESPONSE
BODY
GET /css/khhl7kT2n69n/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Host: clanbaker.org
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 07 Nov 2022 01:29:12 GMT
Server: Apache/2.4.6
X-Powered-By: PHP/7.2.24
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Expires: Mon, 07 Nov 2022 01:29:12 GMT
Content-Disposition: attachment; filename="9ZVNWi0ud8Z8diZ1A7Ea2WV.dll"
Content-Transfer-Encoding: binary
Set-Cookie: 63685f686d0ad=1667784552; expires=Mon, 07-Nov-2022 01:30:12 GMT; Max-Age=60; path=/
Last-Modified: Mon, 07 Nov 2022 01:29:12 GMT
Content-Length: 625152
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
ICMP traffic
| Source | Destination | ICMP Type | Data |
|---|---|---|---|
| 192.168.56.103 | 164.124.101.2 | 3 |
IRC traffic
No IRC requests performed.
Suricata Alerts
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.103:49162 103.237.169.99:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=cs.com.sg | 2a:49:94:e3:bb:32:6d:7a:61:e1:f0:5a:f7:d5:84:d7:05:8d:32:97 |
|
TLSv1 192.168.56.103:49166 51.68.231.20:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=j2ccamionmagasin.fr | 6f:2f:b3:5c:68:ea:15:5f:43:8a:94:a0:6c:ca:f8:82:af:9f:07:79 |
Snort Alerts
No Snort Alerts