Network Analysis
TCP Requests
Source | Destination | Host |
---|---|---|
192.168.56.103:49168 | 130.117.252.29:443 | s3.eu-central-1.wasabisys.com |
192.168.56.103:49171 | 130.117.252.29:443 | s3.eu-central-1.wasabisys.com |
192.168.56.103:49163 | 130.117.252.31:80 | s3.eu-central-1.wasabisys.com |
192.168.56.103:49169 | 142.250.66.36:443 | www.google.com |
192.168.56.103:49166 | 37.230.138.123:443 | connectini.net |
192.168.56.103:49172 | 37.230.138.66:80 | 360devtracking.com |
192.168.56.103:49170 | 52.219.140.125:443 | wewewe.s3.eu-central-1.amazonaws.com |
UDP Requests
Source | Destination |
---|---|
192.168.56.101:137 | 192.168.56.103:137 |
192.168.56.103:50800 | 164.124.101.2:53 |
192.168.56.103:52760 | 164.124.101.2:53 |
192.168.56.103:53673 | 164.124.101.2:53 |
192.168.56.103:56613 | 164.124.101.2:53 |
192.168.56.103:62576 | 164.124.101.2:53 |
192.168.56.103:64178 | 164.124.101.2:53 |
192.168.56.103:64894 | 164.124.101.2:53 |
192.168.56.103:137 | 192.168.56.255:137 |
192.168.56.103:50803 | 239.255.255.250:1900 |
HTTP Requests
POST https://connectini.net/Series/SuperNitouDisc.php (status 100)
REQUEST
POST /Series/SuperNitouDisc.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: connectini.net
Content-Length: 51
Expect: 100-continue
Connection: Keep-Alive
RESPONSE
HTTP/1.1 100 Continue
GET https://s3.eu-central-1.wasabisys.com/delice/delice-purify/up-do-dat-emHqRHrKsna22Rea.exe (status 200)
REQUEST
GET /delice/delice-purify/up-do-dat-emHqRHrKsna22Rea.exe HTTP/1.1
Host: s3.eu-central-1.wasabisys.com
Connection: Keep-Alive
RESPONSE
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 410112
Content-Type: application/octet-stream
Date: Fri, 24 Mar 2023 00:39:39 GMT
ETag: "aba25c3c0dcd55cbf0a747a5830a9975"
Last-Modified: Wed, 08 Mar 2023 15:56:15 GMT
Server: WasabiS3/7.12.1004-2023-02-17-7ff2f5bdd9 (head18)
x-amz-id-2: uH6M0znaYrAJbKl7hYlgNQVeA7NcDzSy8h554N52KwdGRnnuL42TQpLoUYacMwVqrLbb8fc3qtvm
x-amz-request-id: 53535067D3629A87
GET https://connectini.net/S2S/Disc/Disc.php?ezok=flabs2&tesla=6 (status 200)
REQUEST
GET /S2S/Disc/Disc.php?ezok=flabs2&tesla=6 HTTP/1.1
Host: connectini.net
RESPONSE
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 24 Mar 2023 00:39:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.1.33
X-Powered-By: PleskLin
GET https://s3.eu-central-1.wasabisys.com/delice/delice-purify/hand-emHqRHrKsna22Rea.exe (status 200)
REQUEST
GET /delice/delice-purify/hand-emHqRHrKsna22Rea.exe HTTP/1.1
Host: s3.eu-central-1.wasabisys.com
Connection: Keep-Alive
RESPONSE
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 129024
Content-Type: application/octet-stream
Date: Fri, 24 Mar 2023 00:39:40 GMT
ETag: "70a9b681d28137cfb4f0b4ab59ef51c6"
Last-Modified: Wed, 08 Mar 2023 15:56:06 GMT
Server: WasabiS3/7.12.1004-2023-02-17-7ff2f5bdd9 (head18)
x-amz-id-2: dol8ijBt0DUL2VP1y384pCmGsl04/qbblrCWUp47V6G4u3923a3oDJKU9sruZS/MZdVnG5AUD1AQ
x-amz-request-id: D8B1483D9751EA23
GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe (status 0)
REQUEST
GET /WeUninstalled.exe HTTP/1.1
Host: wewewe.s3.eu-central-1.amazonaws.com
Connection: Keep-Alive
GET https://www.google.com/ (status 0)
REQUEST
GET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive
GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe (status 0)
REQUEST
GET /WeUninstalled.exe HTTP/1.1
Host: wewewe.s3.eu-central-1.amazonaws.com
GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe (status 0)
REQUEST
GET /WeUninstalled.exe HTTP/1.1
Host: wewewe.s3.eu-central-1.amazonaws.com
HEAD http://s3.eu-central-1.wasabisys.com/delice/delice-prov/poweroff.exe (status 200)
REQUEST
HEAD /delice/delice-prov/poweroff.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: s3.eu-central-1.wasabisys.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
RESPONSE
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 310784
Content-Type: application/octet-stream
Date: Fri, 24 Mar 2023 00:39:12 GMT
ETag: "ee726f15ff7c438fc1faf75032a81028"
Last-Modified: Wed, 08 Mar 2023 15:56:11 GMT
Server: WasabiS3/7.12.1004-2023-02-17-7ff2f5bdd9 (head20)
x-amz-id-2: 592S13Sdxw08UZc2R+lylpSCgvLmMNUlBm+0mlK50b8h8CkvRDG4uxk40RdcOwyIKau+esTMRldN
x-amz-request-id: 451DCDC91436F6E2
GET http://s3.eu-central-1.wasabisys.com/delice/delice-prov/poweroff.exe (status 200)
REQUEST
GET /delice/delice-prov/poweroff.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: s3.eu-central-1.wasabisys.com
Connection: Keep-Alive
Cache-Control: no-cache
RESPONSE
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 310784
Content-Type: application/octet-stream
Date: Fri, 24 Mar 2023 00:39:13 GMT
ETag: "ee726f15ff7c438fc1faf75032a81028"
Last-Modified: Wed, 08 Mar 2023 15:56:11 GMT
Server: WasabiS3/7.12.1004-2023-02-17-7ff2f5bdd9 (head20)
x-amz-id-2: roM2URQXkn9tn1xwWK7K76IKOfMsFJ9Inq3SdoInDdpCRQvTMzM4daBlYf3eb2nn40lzI3C8FVlJ
x-amz-request-id: 32E2C424DE6ACFCA
POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies (status 100)
REQUEST
POST /ezzcbmueaa4iwhvb/fmovies HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 360devtracking.com
Content-Length: 180
Expect: 100-continue
Accept-Encoding: gzip
Connection: Keep-Alive
RESPONSE
HTTP/1.1 100 Continue
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49169 -> 142.250.66.36:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49168 -> 130.117.252.29:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 130.117.252.31:80 -> 192.168.56.103:49163 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
TCP 192.168.56.103:49171 -> 130.117.252.29:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49166 -> 37.230.138.123:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49170 -> 52.219.140.125:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.103:49169 -> 142.250.66.36:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=www.google.com | 00:94:06:0f:b6:4d:e7:50:72:1e:56:17:9b:c5:85:cf:61:78:42:f1 |
TLS 1.2 192.168.56.103:49168 -> 130.117.252.29:443 | C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1 | C=US, ST=Massachusetts, L=Boston, O=Wasabi Technologies LLC, CN=*.s3.eu-central-1.wasabisys.com | 1c:c4:44:2b:7d:4e:fd:e6:d3:c5:df:5f:31:06:9d:1a:90:71:e7:bc |
TLS 1.2 192.168.56.103:49171 -> 130.117.252.29:443 | C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1 | C=US, ST=Massachusetts, L=Boston, O=Wasabi Technologies LLC, CN=*.s3.eu-central-1.wasabisys.com | 1c:c4:44:2b:7d:4e:fd:e6:d3:c5:df:5f:31:06:9d:1a:90:71:e7:bc |
TLSv1 192.168.56.103:49166 -> 37.230.138.123:443 | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49 |
TLS 1.2 192.168.56.103:49170 -> 52.219.140.125:443 | C=US, O=Amazon, OU=Server CA 1B, CN=Amazon | CN=*.s3.eu-central-1.amazonaws.com | bc:92:6b:62:48:5f:c5:08:60:03:a9:1e:bc:29:58:79:d7:4b:94:fb |
Snort Alerts
No Snort Alerts