Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | Dec. 8, 2022, 9:45 a.m. | Dec. 8, 2022, 9:47 a.m. |
Process | Command line | PID |
---|---|---|
WINWORD.EXE | "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\snake.docx | 3028 |
Name | Response | Post-Analysis Lookup |
---|---|---|
apps.identrust.com | CNAME a1952.dscq.akamai.net, CNAME identrust.edgesuite.net | 23.43.165.105 |
paknavy-gov-pk.downld.net | 185.205.187.234 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49168 -> 185.205.187.234:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49162 -> 185.205.187.234:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49166 -> 185.205.187.234:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49168 185.205.187.234:443 | None | None | None |
TLSv1 192.168.56.102:49162 185.205.187.234:443 | C=US, O=Let's Encrypt, CN=R3 | CN=*.downld.net | 04:a5:76:5d:da:67:11:3c:f9:61:b0:5f:bb:45:55:38:d3:a7:2a:ee |
TLSv1 192.168.56.102:49166 185.205.187.234:443 | C=US, O=Let's Encrypt, CN=R3 | CN=*.downld.net | 04:a5:76:5d:da:67:11:3c:f9:61:b0:5f:bb:45:55:38:d3:a7:2a:ee |
Type | Value |
---|---|
request | GET http://apps.identrust.com/roots/dstrootcax3.p7c |
file | C:\Users\test22\AppData\Local\Temp\~$snake.docx |