Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| fonts.googleapis.com | 172.217.161.202 |
- TCP Requests
-
-
192.168.56.102:49176 117.18.232.200:80
-
192.168.56.102:49178 117.18.232.200:443
-
192.168.56.102:49179 117.18.232.200:443
-
192.168.56.102:49180 117.18.232.200:443
-
192.168.56.102:49172 142.250.207.74:443fonts.googleapis.com
-
192.168.56.102:49173 142.250.207.74:443fonts.googleapis.com
-
192.168.56.102:49167 94.142.138.88:80
-
192.168.56.102:49168 94.142.138.88:80
-
192.168.56.102:49170 94.142.138.88:80
-
192.168.56.102:49171 94.142.138.88:80
-
- UDP Requests
-
-
192.168.56.102:56630 164.124.101.2:53
-
192.168.56.102:62846 164.124.101.2:53
-
192.168.56.102:63709 164.124.101.2:53
-
192.168.56.102:64513 164.124.101.2:53
-
192.168.56.102:137 192.168.56.103:137
-
192.168.56.102:137 192.168.56.255:137
-
192.168.56.102:138 192.168.56.255:138
-
192.168.56.102:49152 239.255.255.250:3702
-
192.168.56.102:63712 239.255.255.250:1900
-
52.231.114.183:123 192.168.56.102:123
-
GET
200
https://fonts.googleapis.com/css?family=Roboto:100,100i,300,300i,400,400i,500,500i,700,700i,900,900i|Open+Sans:300,300i,400,400i,500,500i,600,600i,700,700i,800,800i
REQUEST
RESPONSE
BODY
GET /css?family=Roboto:100,100i,300,300i,400,400i,500,500i,700,700i,900,900i|Open+Sans:300,300i,400,400i,500,500i,600,600i,700,700i,800,800i HTTP/1.1
Accept: text/css
Referer: http://94.142.138.88/auth
Accept-Language: ko-KR
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: fonts.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/css; charset=utf-8
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
Expires: Sat, 04 Mar 2023 22:43:40 GMT
Date: Sat, 04 Mar 2023 22:43:40 GMT
Cache-Control: private, max-age=86400
Cross-Origin-Opener-Policy: same-origin-allow-popups
Cross-Origin-Resource-Policy: cross-origin
Content-Encoding: gzip
Server: ESF
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Transfer-Encoding: chunked
GET
200
http://94.142.138.88/auth
REQUEST
RESPONSE
BODY
GET /auth HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: ko-KR
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 94.142.138.88
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 04 Mar 2023 22:43:40 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
GET
200
http://94.142.138.88/gui/nicepage.css
REQUEST
RESPONSE
BODY
GET /gui/nicepage.css HTTP/1.1
Accept: text/css
Referer: http://94.142.138.88/auth
Accept-Language: ko-KR
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 94.142.138.88
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 1322536
Content-Type: text/css; charset=utf-8
Last-Modified: Tue, 29 Nov 2022 07:56:45 GMT
Date: Sat, 04 Mar 2023 22:43:40 GMT
GET
200
http://94.142.138.88/gui/Auth.css
REQUEST
RESPONSE
BODY
GET /gui/Auth.css HTTP/1.1
Accept: text/css
Referer: http://94.142.138.88/auth
Accept-Language: ko-KR
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 94.142.138.88
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 1107
Content-Type: text/css; charset=utf-8
Last-Modified: Tue, 29 Nov 2022 07:56:44 GMT
Date: Sat, 04 Mar 2023 22:43:40 GMT
GET
200
http://94.142.138.88/gui/nicepage.js
REQUEST
RESPONSE
BODY
GET /gui/nicepage.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://94.142.138.88/auth
Accept-Language: ko-KR
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 94.142.138.88
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 241964
Content-Type: text/javascript; charset=utf-8
Last-Modified: Tue, 29 Nov 2022 07:56:45 GMT
Date: Sat, 04 Mar 2023 22:43:40 GMT
GET
200
http://94.142.138.88/gui/jquery.js
REQUEST
RESPONSE
BODY
GET /gui/jquery.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://94.142.138.88/auth
Accept-Language: ko-KR
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 94.142.138.88
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 89476
Content-Type: text/javascript; charset=utf-8
Last-Modified: Tue, 29 Nov 2022 07:56:45 GMT
Date: Sat, 04 Mar 2023 22:43:40 GMT
GET
404
http://94.142.138.88/favicon.ico
REQUEST
RESPONSE
BODY
GET /favicon.ico HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Host: 94.142.138.88
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Sat, 04 Mar 2023 22:43:48 GMT
Content-Length: 19
GET
304
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
REQUEST
RESPONSE
BODY
GET /IE9CompatViewList.xml HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Host: ie9cvlist.ie.microsoft.com
If-Modified-Since: Wed, 28 Jul 2021 23:12:31 GMT
If-None-Match: 0x8D9521D2D2DF1EC
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Age: 3526
Cache-Control: max-age=21600
Date: Sat, 04 Mar 2023 22:44:39 GMT
Etag: 0x8D9521D2D2DF1EC
Last-Modified: Wed, 28 Jul 2021 23:12:31 GMT
Server: ECAcc (tka/897A)
Vary: Accept-Encoding
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 4b0b3443-901e-00ca-30e2-4e7ecf000000
x-ms-version: 2009-09-19
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.102:49173 -> 142.250.207.74:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.102:49172 -> 142.250.207.74:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 94.142.138.88:80 -> 192.168.56.102:49167 | 2043017 | ET MALWARE Aurora Stealer Admin Console In HTTP Response | A Network Trojan was detected |
| TCP 192.168.56.102:49178 -> 117.18.232.200:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 117.18.232.200:443 -> 192.168.56.102:49180 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic |
| TCP 192.168.56.102:49179 -> 117.18.232.200:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.102:49173 142.250.207.74:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=upload.video.google.com | 2e:01:79:0a:f4:af:b4:b2:18:5f:56:ea:ed:84:40:c2:63:9f:2c:90 |
|
TLSv1 192.168.56.102:49172 142.250.207.74:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=upload.video.google.com | 2e:01:79:0a:f4:af:b4:b2:18:5f:56:ea:ed:84:40:c2:63:9f:2c:90 |
Snort Alerts
No Snort Alerts