Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
bz.bbbeioaag.com | 45.136.113.107 | |
count.iiagjaggg.com | 45.66.159.179 | |
www.facebook.com | 157.240.31.35 | |
GET 302 https://www.facebook.com/ads/manager/account_settings/account_billing

Request:

```http
GET /ads/manager/account_settings/account_billing HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
Host: www.facebook.com
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-ch-prefers-color-scheme: light
Upgrade-Insecure-Requests: 1
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
```

Response:

```http
HTTP/1.1 302 Found
Set-Cookie: sb=6hwcZMoiKfHL4dyLXKJpWkQ6; expires=Sat, 22-Mar-2025 09:33:30 GMT; Max-Age=63072000; path=/; domain=.facebook.com; secure; httponly; SameSite=None
Location: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing
x-fb-rlafr: 0
document-policy: force-load-at-top
cross-origin-resource-policy: same-origin
cross-origin-opener-policy: same-origin-allow-popups
Pragma: no-cache
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
X-Frame-Options: DENY
origin-agent-cluster: ?0
Strict-Transport-Security: max-age=15552000; preload
Content-Type: text/html; charset="utf-8"
X-FB-Debug: EGFxsGtyADvVrz42wvkYJa2z1c+uf35nVfQhDREN1xcFqoPtHNRLgM2gnuWT4vLMSm9Dkv9W0ff9OU9p52dvlA==
Date: Thu, 23 Mar 2023 09:33:30 GMT
Alt-Svc: h3=":443"; ma=86400
Connection: keep-alive
Content-Length: 0
```
GET 200 https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing

Request:

```http
GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
Host: www.facebook.com
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-ch-prefers-color-scheme: light
Upgrade-Insecure-Requests: 1
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Cookie: sb=6hwcZMoiKfHL4dyLXKJpWkQ6
```

Response:

```http
HTTP/1.1 200 OK
Vary: Accept-Encoding
Set-Cookie: fr=0gwyvmxukjaJa3KsT..BkHBzr.Rc.AAA.0.0.BkHBzr.AWXszgZklvk; expires=Wed, 21-Jun-2023 09:33:30 GMT; Max-Age=7775999; path=/; domain=.facebook.com; secure; httponly; SameSite=None
report-to: {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]}
content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com *.fbcdn.net 'unsafe-eval';script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.google.com 127.0.0.1:* 'unsafe-inline' blob: data: 'self' connect.facebook.net 'unsafe-eval';style-src fonts.googleapis.com *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net wss://*.facebook.com:* wss://*.whatsapp.com:* wss://*.fbcdn.net attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ v.whatsapp.net *.fbsbx.com *.fb.com;font-src data: *.gstatic.com *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com *.tenor.co media.tenor.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net *.giphy.com connect.facebook.net *.carriersignal.info blob: android-webview-video-poster: googleads.g.doubleclick.net www.googleadservices.com *.whatsapp.net *.fb.com *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com https://*.giphy.com data:;frame-src *.doubleclick.net *.google.com *.facebook.com www.googleadservices.com *.fbsbx.com fbsbx.com data: www.instagram.com *.fbcdn.net https://paywithmybank.com https://sandbox.paywithmybank.com;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;
x-fb-rlafr: 0
document-policy: force-load-at-top
cross-origin-opener-policy: unsafe-none
Pragma: no-cache
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
X-Frame-Options: DENY
origin-agent-cluster: ?0
Strict-Transport-Security: max-age=15552000; preload
Content-Type: text/html; charset="utf-8"
X-FB-Debug: cgOJG5KaNcYbCh1tBaNq4UYBDctu7tBkT/rkGZDWvJ6mbuAIywhsjddVtvpFnsrLIhe2KKJJje9EIud6hs0m4g==
Date: Thu, 23 Mar 2023 09:33:31 GMT
Transfer-Encoding: chunked
Alt-Svc: h3=":443"; ma=86400
Connection: keep-alive
```
GET 200 http://bz.bbbeioaag.com/sts/bimage.jpg

Request:

```http
GET /sts/bimage.jpg HTTP/1.1
User-Agent: HTTPREAD
Host: bz.bbbeioaag.com
Cache-Control: no-cache
```

Response:

```http
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 23 Mar 2023 09:33:20 GMT
Content-Type: image/jpeg
Content-Length: 1516748
Last-Modified: Mon, 06 Mar 2023 16:48:18 GMT
Connection: keep-alive
ETag: "64061952-1724cc"
Accept-Ranges: bytes
```
GET 200 http://count.iiagjaggg.com/check/safe

Request:

```http
GET /check/safe HTTP/1.1
Connection: Keep-Alive
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
Host: count.iiagjaggg.com
```

Response:

```http
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 Mar 2023 09:33:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.30
```
POST 200 http://www.facebook.com/check/?sid=1251809&key=0dcaeaf81593814fe2ahttps://www.facebook.com/d06851037

Request:

```http
POST /check/?sid=1251809&key=0dcaeaf81593814fe2ahttps://www.facebook.com/d06851037 HTTP/1.1
Cache-Control: max-age=0
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
Host: www.facebook.com
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-ch-prefers-color-scheme: light
Upgrade-Insecure-Requests: 1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Content-Length: 256
```

Response:

```http
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 Mar 2023 09:33:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.30
```
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49163 -> 31.13.82.36:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49165 -> 45.66.159.179:80 | 2003626 | ET HUNTING Double User-Agent (User-Agent User-Agent) | Potentially Bad Traffic |
TCP 192.168.56.103:49165 -> 45.66.159.179:80 | 2003626 | ET HUNTING Double User-Agent (User-Agent User-Agent) | Potentially Bad Traffic |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49163 -> 31.13.82.36:443 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com | 18:07:a5:9b:4c:d8:00:d8:4f:84:a6:46:eb:79:ac:09:29:8e:ec:e1 |
Snort Alerts
No Snort Alerts