Network Analysis
TCP Requests
Source | Destination | Host |
---|---|---|
192.168.56.103:49168 | 142.250.66.68:443 | www.google.com |
192.168.56.103:49164 | 154.49.215.100:80 | s3.eu-central-2.wasabisys.com |
192.168.56.103:49169 | 154.49.215.102:443 | s3.eu-central-2.wasabisys.com |
192.168.56.103:49170 | 154.49.215.102:443 | s3.eu-central-2.wasabisys.com |
192.168.56.103:49166 | 37.230.138.123:443 | connectini.net |
192.168.56.103:49179 | 37.230.138.123:443 | connectini.net |
192.168.56.103:49172 | 37.230.138.66:80 | 360devtracking.com |
192.168.56.103:49171 | 52.219.170.26:443 | wewewe.s3.eu-central-1.amazonaws.com |
UDP Requests
Source | Destination |
---|---|
192.168.56.103:50674 | 164.124.101.2:53 |
192.168.56.103:50800 | 164.124.101.2:53 |
192.168.56.103:52760 | 164.124.101.2:53 |
192.168.56.103:53658 | 164.124.101.2:53 |
192.168.56.103:53673 | 164.124.101.2:53 |
192.168.56.103:56613 | 164.124.101.2:53 |
192.168.56.103:57986 | 164.124.101.2:53 |
192.168.56.103:62576 | 164.124.101.2:53 |
192.168.56.103:64178 | 164.124.101.2:53 |
192.168.56.103:64530 | 164.124.101.2:53 |
192.168.56.103:64894 | 164.124.101.2:53 |
192.168.56.103:137 | 192.168.56.101:137 |
192.168.56.103:137 | 192.168.56.255:137 |
192.168.56.103:138 | 192.168.56.255:138 |
192.168.56.103:64897 | 239.255.255.250:1900 |
52.231.114.183:123 | 192.168.56.103:123 |

HTTP Requests
POST 100 https://connectini.net/Series/SuperNitouDisc.php
Request:
POST /Series/SuperNitouDisc.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: connectini.net
Content-Length: 51
Expect: 100-continue
Connection: Keep-Alive
Response:
HTTP/1.1 100 Continue

GET 200 https://connectini.net/S2S/Disc/Disc.php?ezok=flabs2&tesla=8
Request:
GET /S2S/Disc/Disc.php?ezok=flabs2&tesla=8 HTTP/1.1
Host: connectini.net
Response:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 Apr 2023 07:55:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.1.33
X-Powered-By: PleskLin

GET 200 https://s3.eu-central-2.wasabisys.com/melody-tata7ada-elmallal/shakira/up-do-dat-TRURNfy8CgzSgm9K.exe
Request:
GET /melody-tata7ada-elmallal/shakira/up-do-dat-TRURNfy8CgzSgm9K.exe HTTP/1.1
Host: s3.eu-central-2.wasabisys.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 510976
Content-Type: application/octet-stream
Date: Thu, 13 Apr 2023 07:55:07 GMT
ETag: "f32b8def722876287f9424f3f3c41d2e"
Last-Modified: Wed, 05 Apr 2023 13:53:37 GMT
Server: WasabiS3/7.12.1004-2023-02-17-7ff2f5bdd9 (R204-U11)
x-amz-id-2: LKgLCHBMCMkQPy01+Nz+AL0UJX7CijX6tjlK2SC8mljAlYez/XY9KKtswz8rhctNh12GhugebDGi
x-amz-request-id: 6D1B52F823836A4F:A

GET 0 https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
Request:
GET /WeUninstalled.exe HTTP/1.1
Host: wewewe.s3.eu-central-1.amazonaws.com
Connection: Keep-Alive
Response: none recorded (status 0)

GET 200 https://www.google.com/
Request:
GET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Date: Thu, 13 Apr 2023 07:55:08 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-SUKLdmukIcd-DcfqxPCaFw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2023-04-13-07; expires=Sat, 13-May-2023 07:55:08 GMT; path=/; domain=.google.com; Secure
Set-Cookie: AEC=AUEFqZd0N5ljxbogPzQVLmJ5eEVMaD9al3frd52pSjHrD-ZTO_rC1eCpYlA; expires=Tue, 10-Oct-2023 07:55:08 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=511=PXAMFrlRQ9RYCOalWLR5K0F6I_xDLwxLrnpnV7H_jPAxsQ1hjwG0Nu8dpZzcMsiLX1JhxwcxDh3CSDqq13x9oj6C5Kvaup9zhdEuuqGKsbWbpWnsRXZufroRVx5aNWDlSYxPFxGdsDKoeKulvOp8lmdRkn3Ic-GAYIOnKKBTCKY; expires=Fri, 13-Oct-2023 07:55:08 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked

GET 200 https://s3.eu-central-2.wasabisys.com/melody-tata7ada-elmallal/shakira/hand-TRURNfy8CgzSgm9K.exe
Request:
GET /melody-tata7ada-elmallal/shakira/hand-TRURNfy8CgzSgm9K.exe HTTP/1.1
Host: s3.eu-central-2.wasabisys.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 129024
Content-Type: application/octet-stream
Date: Thu, 13 Apr 2023 07:55:08 GMT
ETag: "70a9b681d28137cfb4f0b4ab59ef51c6"
Last-Modified: Wed, 05 Apr 2023 13:53:32 GMT
Server: WasabiS3/7.12.1004-2023-02-17-7ff2f5bdd9 (R104-U11)
x-amz-id-2: XQ9ZBmc+VIVf8rwR3PvZefmaiS9EXYDGcQPFjwEnqWqJS3v4hj3lDwQoS1Fw9qQU62q08I2zMueW
x-amz-request-id: 5298CC140EBEA733:A

GET 0 https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
Request:
GET /WeUninstalled.exe HTTP/1.1
Host: wewewe.s3.eu-central-1.amazonaws.com
Response: none recorded (status 0)

GET 0 https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
Request:
GET /WeUninstalled.exe HTTP/1.1
Host: wewewe.s3.eu-central-1.amazonaws.com
Response: none recorded (status 0)

HEAD 200 http://s3.eu-central-2.wasabisys.com/melody-tata7ada-elmallal/50cent/poweroff.exe
Request:
HEAD /melody-tata7ada-elmallal/50cent/poweroff.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: s3.eu-central-2.wasabisys.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 587264
Content-Type: application/octet-stream
Date: Thu, 13 Apr 2023 07:54:39 GMT
ETag: "4de7538747bf36f826099aceed872175"
Last-Modified: Wed, 05 Apr 2023 13:53:38 GMT
Server: WasabiS3/7.12.1004-2023-02-17-7ff2f5bdd9 (R204-U11)
x-amz-id-2: yDVqh0FMocAQsLOdKuV3SfiWlhmToBOKOHfWgiXvgpwzoQNNkaEer4b2dhgcWn+kXxm1lmfquqQZ
x-amz-request-id: 8F954BE282D23927:A

GET 200 http://s3.eu-central-2.wasabisys.com/melody-tata7ada-elmallal/50cent/poweroff.exe
Request:
GET /melody-tata7ada-elmallal/50cent/poweroff.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: s3.eu-central-2.wasabisys.com
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 587264
Content-Type: application/octet-stream
Date: Thu, 13 Apr 2023 07:54:39 GMT
ETag: "4de7538747bf36f826099aceed872175"
Last-Modified: Wed, 05 Apr 2023 13:53:38 GMT
Server: WasabiS3/7.12.1004-2023-02-17-7ff2f5bdd9 (R204-U11)
x-amz-id-2: kVd5HeNCB7j9Idv7J+QwIiDl9ryo57CrLQ/vWJobXzEuUG4hpp1eEKRo/OrwNnpYrNG2oPjcpZy0
x-amz-request-id: CDA41D6699B0EFB7:A

POST 100 http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
Request:
POST /ezzcbmueaa4iwhvb/fmovies HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 360devtracking.com
Content-Length: 180
Expect: 100-continue
Accept-Encoding: gzip
Connection: Keep-Alive
Response:
HTTP/1.1 100 Continue

ICMP traffic
Source | Destination | ICMP Type | Data |
---|---|---|---|
192.168.56.103 | 172.217.25.14 | 8 | \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 |
172.217.25.14 | 192.168.56.103 | 0 | \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 |
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49166 -> 37.230.138.123:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49169 -> 154.49.215.102:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49168 -> 142.250.66.68:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49170 -> 154.49.215.102:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49179 -> 37.230.138.123:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49171 -> 52.219.170.26:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 154.49.215.100:80 -> 192.168.56.103:49164 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49166 -> 37.230.138.123:443 | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49 |
TLS 1.2 192.168.56.103:49169 -> 154.49.215.102:443 | C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1 | C=US, ST=Massachusetts, L=Boston, O=Wasabi Technologies LLC, CN=*.s3.eu-central-2.wasabisys.com | ba:39:86:54:fe:51:d0:8a:00:57:c5:dc:dd:11:62:4e:6e:dd:28:84 |
TLS 1.2 192.168.56.103:49168 -> 142.250.66.68:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=www.google.com | 3e:43:00:13:2a:5d:12:97:9e:3a:1c:62:f3:7e:d1:c4:fb:db:b7:73 |
TLS 1.2 192.168.56.103:49170 -> 154.49.215.102:443 | C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1 | C=US, ST=Massachusetts, L=Boston, O=Wasabi Technologies LLC, CN=*.s3.eu-central-2.wasabisys.com | ba:39:86:54:fe:51:d0:8a:00:57:c5:dc:dd:11:62:4e:6e:dd:28:84 |
TLSv1 192.168.56.103:49179 -> 37.230.138.123:443 | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com | a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49 |
TLS 1.2 192.168.56.103:49171 -> 52.219.170.26:443 | C=US, O=Amazon, OU=Server CA 1B, CN=Amazon | CN=*.s3.eu-central-1.amazonaws.com | bc:92:6b:62:48:5f:c5:08:60:03:a9:1e:bc:29:58:79:d7:4b:94:fb |
Snort Alerts
No Snort Alerts