Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| No hosts contacted. | ||
POST
200
http://193.201.9.43/plays/chapter/index.php
REQUEST
RESPONSE
BODY
POST /plays/chapter/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.201.9.43
Content-Length: 90
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 12 Apr 2023 00:17:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET
404
http://193.201.9.43/plays/chapter/Plugins/cred64.dll
REQUEST
RESPONSE
BODY
GET /plays/chapter/Plugins/cred64.dll HTTP/1.1
Host: 193.201.9.43
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 12 Apr 2023 00:17:52 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
GET
200
http://193.201.9.43/plays/chapter/Plugins/clip64.dll
REQUEST
RESPONSE
BODY
GET /plays/chapter/Plugins/clip64.dll HTTP/1.1
Host: 193.201.9.43
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 12 Apr 2023 00:17:53 GMT
Content-Type: application/octet-stream
Content-Length: 91136
Last-Modified: Tue, 11 Apr 2023 10:19:50 GMT
Connection: keep-alive
ETag: "64353446-16400"
Accept-Ranges: bytes
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.103:49172 -> 193.201.9.43:80 | 2027700 | ET MALWARE Amadey CnC Check-In | Malware Command and Control Activity Detected |
| TCP 192.168.56.103:49172 -> 193.201.9.43:80 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic |
| TCP 192.168.56.103:49172 -> 193.201.9.43:80 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic |
| TCP 193.201.9.43:80 -> 192.168.56.103:49172 | 2014819 | ET INFO Packed Executable Download | Misc activity |
| TCP 193.201.9.43:80 -> 192.168.56.103:49172 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
| TCP 193.201.9.43:80 -> 192.168.56.103:49172 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic |
| TCP 193.201.9.43:80 -> 192.168.56.103:49172 | 2015744 | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) | Misc activity |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts