Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
apis.mail.yahoo.com | 119.161.5.247 | |
dl-mail.ymail.com | 119.161.5.247 | |
GET 307 https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjN-JPTkH0IKMOeQ4l_fsOCI0QATxLNRGTv3aIkYarV_TKFLYcXIdqvvnC4LaQc8ks-_jONYRiG2iGqGRvuP2lTXQg/messages/@.id==ANk1W0gqsg07ZElmNwBCaGHMBoo/content/parts/@.id==1/raw?appid=YMailNorrin&ymreqid=6053e7f5-407c-91aa-1ce7-e4002b013800&token=uDdRaaIpkxJyV0akyTfVtC7n1FhmsdJB7bDv_XH6K6bCQOXFxgkBkwEAZNsu-_QFvV_5i5_L4E4NWtq013TBfcZCGX32myhohFrRcQRPMX0YejtWOpAjLBddP6PWGYs9&error=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fiframemsg%3Fid%3Ddownload-3341020975
Request:
GET /ws/download/mailboxes/@.id==VjN-JPTkH0IKMOeQ4l_fsOCI0QATxLNRGTv3aIkYarV_TKFLYcXIdqvvnC4LaQc8ks-_jONYRiG2iGqGRvuP2lTXQg/messages/@.id==ANk1W0gqsg07ZElmNwBCaGHMBoo/content/parts/@.id==1/raw?appid=YMailNorrin&ymreqid=6053e7f5-407c-91aa-1ce7-e4002b013800&token=uDdRaaIpkxJyV0akyTfVtC7n1FhmsdJB7bDv_XH6K6bCQOXFxgkBkwEAZNsu-_QFvV_5i5_L4E4NWtq013TBfcZCGX32myhohFrRcQRPMX0YejtWOpAjLBddP6PWGYs9&error=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fiframemsg%3Fid%3Ddownload-3341020975 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: ko-KR
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: dl-mail.ymail.com
Connection: Keep-Alive
Response:
HTTP/1.1 307 Temporary Redirect
Location: https://apis.mail.yahoo.com/ws/v3/mailboxes/@.id==VjN-JPTkH0IKMOeQ4l_fsOCI0QATxLNRGTv3aIkYarV_TKFLYcXIdqvvnC4LaQc8ks-_jONYRiG2iGqGRvuP2lTXQg/messages/@.id==ANk1W0gqsg07ZElmNwBCaGHMBoo/content/parts/@.id==1/refresh?appid=YMailNorrin&ymreqid=6053e7f5-407c-91aa-1ce7-e4002b013800&error=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fiframemsg%3Fid%3Ddownload-3341020975
X-Server-Response-Time: 1001ms
X-Server-Chain: jws600021.mail.sg3.yahoo.com
X-Server-Timestamp: Thu, 27 Apr 2023 05:59:45 GMT
Content-Length: 0
Referrer-Policy: no-referrer-when-downgrade
Date: Thu, 27 Apr 2023 05:59:57 GMT
Age: 1
Connection: keep-alive
Strict-Transport-Security: max-age=31536000
Server: ATS
Expect-CT: max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only"
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
GET 401 https://apis.mail.yahoo.com/ws/v3/mailboxes/@.id==VjN-JPTkH0IKMOeQ4l_fsOCI0QATxLNRGTv3aIkYarV_TKFLYcXIdqvvnC4LaQc8ks-_jONYRiG2iGqGRvuP2lTXQg/messages/@.id==ANk1W0gqsg07ZElmNwBCaGHMBoo/content/parts/@.id==1/refresh?appid=YMailNorrin&ymreqid=6053e7f5-407c-91aa-1ce7-e4002b013800&error=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fiframemsg%3Fid%3Ddownload-3341020975
Request:
GET /ws/v3/mailboxes/@.id==VjN-JPTkH0IKMOeQ4l_fsOCI0QATxLNRGTv3aIkYarV_TKFLYcXIdqvvnC4LaQc8ks-_jONYRiG2iGqGRvuP2lTXQg/messages/@.id==ANk1W0gqsg07ZElmNwBCaGHMBoo/content/parts/@.id==1/refresh?appid=YMailNorrin&ymreqid=6053e7f5-407c-91aa-1ce7-e4002b013800&error=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fiframemsg%3Fid%3Ddownload-3341020975 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: ko-KR
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: apis.mail.yahoo.com
Response:
HTTP/1.1 401 Unauthorized
X-Server-Response-Time: 1ms
X-Server-Chain: jws600067.mail.sg3.yahoo.com
X-Server-Timestamp: Thu, 27 Apr 2023 05:59:45 GMT
Content-Type: application/json
Content-Length: 79
Referrer-Policy: no-referrer-when-downgrade
Date: Thu, 27 Apr 2023 05:59:45 GMT
Age: 0
Connection: keep-alive
Strict-Transport-Security: max-age=31536000
Server: ATS
Expect-CT: max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only"
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49165 -> 119.161.15.251:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49167 -> 119.161.16.11:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49164 -> 119.161.15.251:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49166 -> 119.161.16.11:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49166 -> 119.161.16.11:443 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Sunnyvale, O=Oath Holdings Inc., CN=*.api.fantasysports.yahoo.com | 6e:2f:30:b9:a3:fc:58:90:e8:a6:e6:0f:b5:08:0e:63:1d:59:94:f0 |
TLSv1 192.168.56.101:49167 -> 119.161.16.11:443 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Sunnyvale, O=Oath Holdings Inc., CN=*.api.fantasysports.yahoo.com | 6e:2f:30:b9:a3:fc:58:90:e8:a6:e6:0f:b5:08:0e:63:1d:59:94:f0 |
TLSv1 192.168.56.101:49165 -> 119.161.15.251:443 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Sunnyvale, O=Oath Holdings Inc., CN=*.api.fantasysports.yahoo.com | 6e:2f:30:b9:a3:fc:58:90:e8:a6:e6:0f:b5:08:0e:63:1d:59:94:f0 |
TLSv1 192.168.56.101:49164 -> 119.161.15.251:443 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Sunnyvale, O=Oath Holdings Inc., CN=*.api.fantasysports.yahoo.com | 6e:2f:30:b9:a3:fc:58:90:e8:a6:e6:0f:b5:08:0e:63:1d:59:94:f0 |
Snort Alerts
No Snort Alerts