Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
apps.identrust.com |
CNAME
a1952.dscq.akamai.net
CNAME
identrust.edgesuite.net
|
23.43.165.105 |
ipinfo.io | 34.117.59.81 | |
api.db-ip.com | 104.26.5.15 | |
www.maxmind.com | 104.17.214.67 | |
db-ip.com | 104.26.5.15 |
- TCP Requests
-
-
192.168.56.101:49167 104.17.214.67:80www.maxmind.com
-
192.168.56.101:49168 104.17.214.67:443www.maxmind.com
-
192.168.56.101:49169 104.17.214.67:443www.maxmind.com
-
192.168.56.101:49164 121.254.136.27:80apps.identrust.com
-
192.168.56.101:49165 172.67.75.166:443db-ip.com
-
192.168.56.101:49166 172.67.75.166:443db-ip.com
-
192.168.56.101:49161 23.254.227.214:80
-
192.168.56.101:49163 34.117.59.81:443ipinfo.io
-
- UDP Requests
-
-
192.168.56.101:53004 164.124.101.2:53
-
192.168.56.101:53850 164.124.101.2:53
-
192.168.56.101:54148 164.124.101.2:53
-
192.168.56.101:55146 164.124.101.2:53
-
192.168.56.101:59002 164.124.101.2:53
-
192.168.56.101:137 192.168.56.103:137
-
192.168.56.101:137 192.168.56.255:137
-
192.168.56.101:138 192.168.56.255:138
-
192.168.56.101:53853 239.255.255.250:1900
-
GET
200
https://db-ip.com/
REQUEST
RESPONSE
BODY
GET / HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: db-ip.com
HTTP/1.1 200 OK
Date: Sun, 12 Feb 2023 06:01:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-control: max-age=28800
X-IPLB-Request-ID: AC46E919:49EE_93878F2E:0050_63E87EBA_AE44CF5:2467C
X-IPLB-Instance: 30783
CF-Cache-Status: HIT
Age: 486
Last-Modified: Sun, 12 Feb 2023 05:52:59 GMT
Server-Timing: cf-q-config;dur=5.0000016926788e-06
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2Fd861SNIZKK%2BsHSNDil6y5cJTK0K3%2FNlNazARePYN%2BAVUktD1g8SDf7Zu%2F1xwY2zYNdx4dhH42EfOHkAtp7DOX4Obg%2BC0FOCIzRZ%2BjdJdNoj4PAynfWU9Mk8Ig%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 79831b930bf68335-KIX
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
POST
200
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
REQUEST
RESPONSE
BODY
POST /v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self HTTP/1.1
Connection: Keep-Alive
Referer: https://db-ip.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 0
Host: api.db-ip.com
HTTP/1.1 200 OK
Date: Sun, 12 Feb 2023 06:01:06 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: http*://*db-ip.com
Cache-control: max-age=180
X-IPLB-Request-ID: AC46E934:2E5E_93878F2E:0050_63E8809A_AE354BA:2467A
X-IPLB-Instance: 30783
CF-Cache-Status: DYNAMIC
Server-Timing: cf-q-config;dur=9.9999997473788e-06
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=tb%2B3AgHzjJyqYiyNNKB1k3QihMD39y2G71d4aW59dfW0TxQwE5UJTFDYBejk0IOhad6Yi5%2BQfdMac08%2Fl8atvhuXmYnyM4%2BScYP8YKDrpzPLInM9T1yrbdMyMuA3NtI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 79831b943f34836c-KIX
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
GET
200
http://23.254.227.214/api/tracemap.php
REQUEST
RESPONSE
BODY
GET /api/tracemap.php HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: 23.254.227.214
HTTP/1.1 200 OK
Date: Sun, 12 Feb 2023 06:01:05 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=10000
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
GET
200
http://apps.identrust.com/roots/dstrootcax3.p7c
REQUEST
RESPONSE
BODY
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com
HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' *.identrust.com
Last-Modified: Wed, 08 Feb 2023 16:52:56 GMT
ETag: "37d-5f433188daa00"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Sun, 12 Feb 2023 07:01:05 GMT
Date: Sun, 12 Feb 2023 06:01:05 GMT
Connection: keep-alive
GET
301
http://www.maxmind.com/geoip/v2.1/city/me
REQUEST
RESPONSE
BODY
GET /geoip/v2.1/city/me HTTP/1.1
Connection: Keep-Alive
Referer: https://www.maxmind.com/en/locate-my-ip-address
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: www.maxmind.com
HTTP/1.1 301 Moved Permanently
Date: Sun, 12 Feb 2023 06:01:06 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sun, 12 Feb 2023 07:01:06 GMT
Location: https://www.maxmind.com/geoip/v2.1/city/me
Server: cloudflare
CF-RAY: 79831b95c889a7db-ICN
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49168 -> 104.17.214.67:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49166 -> 172.67.75.166:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49163 -> 34.117.59.81:443 | 2025331 | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) | Device Retrieving External IP Address Detected |
TCP 192.168.56.101:49163 -> 34.117.59.81:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 34.117.59.81:443 -> 192.168.56.101:49163 | 2025330 | ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) | Device Retrieving External IP Address Detected |
TCP 192.168.56.101:49165 -> 172.67.75.166:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49166 172.67.75.166:443 |
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 8d:c8:6e:29:ea:e9:15:f8:85:80:ae:fd:51:f0:44:ca:8c:7d:0c:dc |
TLSv1 192.168.56.101:49163 34.117.59.81:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=ipinfo.io | 63:03:85:17:32:f2:5e:25:3f:4e:ca:14:a9:16:fe:4d:7c:c4:54:bf |
TLSv1 192.168.56.101:49165 172.67.75.166:443 |
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 8d:c8:6e:29:ea:e9:15:f8:85:80:ae:fd:51:f0:44:ca:8c:7d:0c:dc |
Snort Alerts
No Snort Alerts