Network Analysis
DNS Requests

Name | Response | Post-Analysis Lookup |
---|---|---|
users.qzone.qq.com | 58.250.136.113 | |
TCP Requests (source -> destination, with the DNS name the sample resolved for the destination where one exists)

- 103.97.178.89:2016 -> 192.168.56.101:49165
- 192.168.56.101:49162 -> 107.151.204.57:9985
- 192.168.56.101:49167 -> 58.250.136.113:80 (users.qzone.qq.com)
- 192.168.56.101:49168 -> 58.250.136.113:443 (users.qzone.qq.com)
- 192.168.56.101:49171 -> 58.250.136.113:80 (users.qzone.qq.com)
- 192.168.56.101:49172 -> 58.250.136.113:443 (users.qzone.qq.com)
HTTP Requests

GET 200 https://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678

Request:

    GET /fcg-bin/cgi_get_portrait.fcg?uins=12345678 HTTP/1.1
    Connection: Keep-Alive
    Host: users.qzone.qq.com

Response:

    HTTP/1.1 200 OK
    Date: Tue, 06 Jun 2023 22:40:47 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 109
    Connection: keep-alive
    Server: openresty/1.16.1.1
    X-Powered-By: TSW/Node.js
    Cache-Control: no-cache
    Vary: Origin, Accept
    Mod-Map: nodeproxy_index:photo.v7/nodejs/module/nodeproxy/index.js
    x-request-time: 0.136
    x-whistle-client-id: -,
    Strict-Transport-Security: max-age=3600

GET 200 https://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678

Request:

    GET /fcg-bin/cgi_get_portrait.fcg?uins=12345678 HTTP/1.1
    Connection: Keep-Alive
    Host: users.qzone.qq.com

Response:

    HTTP/1.1 200 OK
    Date: Tue, 06 Jun 2023 22:42:10 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 109
    Connection: keep-alive
    Server: openresty/1.16.1.1
    X-Powered-By: TSW/Node.js
    Cache-Control: no-cache
    Vary: Origin, Accept
    Mod-Map: nodeproxy_index:photo.v7/nodejs/module/nodeproxy/index.js
    x-request-time: 0.100
    x-whistle-client-id: -,
    Strict-Transport-Security: max-age=3600

GET 302 http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678

Request:

    GET /fcg-bin/cgi_get_portrait.fcg?uins=12345678 HTTP/1.1
    Host: users.qzone.qq.com

Response:

    HTTP/1.1 302 Moved Temporarily
    Server: stgw
    Date: Tue, 06 Jun 2023 22:40:47 GMT
    Content-Type: text/html
    Content-Length: 137
    Connection: keep-alive
    Location: https://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678

GET 302 http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678

Request:

    GET /fcg-bin/cgi_get_portrait.fcg?uins=12345678 HTTP/1.1
    Host: users.qzone.qq.com

Response:

    HTTP/1.1 302 Moved Temporarily
    Server: stgw
    Date: Tue, 06 Jun 2023 22:42:10 GMT
    Content-Type: text/html
    Content-Length: 137
    Connection: keep-alive
    Location: https://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678

Each plaintext request on port 80 is answered with a 302 to the same URL over HTTPS, and the HTTPS response carries Strict-Transport-Security (max-age=3600), which is why every port-80 connection in the TCP list is immediately followed by a port-443 connection to the same address.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49168 -> 58.250.136.113:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49162 -> 107.151.204.57:9985 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic |
TCP 107.151.204.57:9985 -> 192.168.56.101:49162 | 2045860 | ET HUNTING Rejetto HTTP File Sever Response | A Network Trojan was detected |
TCP 192.168.56.101:49172 -> 58.250.136.113:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
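The alert table needs reading together with the TCP and DNS tables before any indicator is extracted from it. The Python below is an added worked example, not part of the original report or of any sandbox product; it embeds the TCP connection list, the DNS answer and the four Suricata rows from this page as constructed strings, assumes 192.168.56.101 is the sandbox guest (a VirtualBox host-only address), and groups alerts by the remote endpoint regardless of which direction Suricata logged the flow in, since the Rejetto HFS response alert fires on the server-to-guest direction of the same connection as the DLL request. It then separates endpoints the sample reached by DNS name from endpoints reached by bare IP. The point: the two SSLBL rows describe the JA3 fingerprint of the sample's own ClientHello (one shared with Tofsee), not the server, and they fire on a connection to a resolved Tencent host with a DigiCert-issued certificate, so the actionable network IOCs from this run are the two IP-only endpoints, the port 9985 HTTP File Server that served a DLL to a dotted-quad request and the 103.97.178.89:2016 connection that triggered no rule at all.

```python
import re
from collections import defaultdict

# Sandbox guest address; assumed to be the analysis VM (VirtualBox host-only range).
GUEST = "192.168.56.101"

# The three data sets below are transcribed from the report tables on this page.
TCP_CONNECTIONS = """\
103.97.178.89:2016 192.168.56.101:49165
192.168.56.101:49162 107.151.204.57:9985
192.168.56.101:49167 58.250.136.113:80 users.qzone.qq.com
192.168.56.101:49168 58.250.136.113:443 users.qzone.qq.com
192.168.56.101:49171 58.250.136.113:80 users.qzone.qq.com
192.168.56.101:49172 58.250.136.113:443 users.qzone.qq.com
"""

SURICATA_ALERTS = """\
TCP 192.168.56.101:49168 -> 58.250.136.113:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49162 -> 107.151.204.57:9985 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic |
TCP 107.151.204.57:9985 -> 192.168.56.101:49162 | 2045860 | ET HUNTING Rejetto HTTP File Sever Response | A Network Trojan was detected |
TCP 192.168.56.101:49172 -> 58.250.136.113:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
"""

# DNS answers observed during the run (Response column of the DNS table).
DNS_RESPONSES = {"58.250.136.113": "users.qzone.qq.com"}

# One Suricata table row: "TCP src -> dst | sid | signature | category |"
ALERT_ROW = re.compile(r"^TCP (\S+) -> (\S+) \| (\d+) \| (.*?) \| (.*?) \|$")


def remote_endpoint(src, dst):
    """Return the non-guest side of a flow as 'ip:port', whichever direction was logged."""
    return dst if src.startswith(GUEST + ":") else src


def parse_connections(text):
    """Return (remote 'ip:port', hostname or None) for each TCP connection line."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        out.append((remote_endpoint(parts[0], parts[1]), parts[2] if len(parts) > 2 else None))
    return out


def parse_alerts(text):
    """Map each remote endpoint to {sid: signature} for every alert touching that endpoint."""
    hits = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_ROW.match(line)
        if not m:
            raise ValueError(f"unparsed alert row: {line!r}")
        src, dst, sid, signature = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        hits[remote_endpoint(src, dst)][sid] = signature
    return hits


def triage():
    """Join connections, DNS answers and alerts into one record per remote endpoint."""
    alerts = parse_alerts(SURICATA_ALERTS)
    report = {}
    for endpoint, host in parse_connections(TCP_CONNECTIONS):
        ip = endpoint.rsplit(":", 1)[0]
        report[endpoint] = {
            "hostname": host or DNS_RESPONSES.get(ip),
            "alerts": alerts.get(endpoint, {}),
        }
    return report


def bare_ip_endpoints(report=None):
    """Endpoints contacted without any DNS name: the actionable network IOCs from this run."""
    report = report if report is not None else triage()
    return sorted(e for e, rec in report.items() if rec["hostname"] is None)


def client_fingerprint_endpoints(report=None):
    """Endpoints where only JA3 (client-side TLS fingerprint) rules fired. A JA3 hit describes
    the sample's own TLS stack, so on a DNS-resolved, certificate-bearing host it is not by
    itself evidence that the server is hostile."""
    report = report if report is not None else triage()
    out = []
    for endpoint, rec in report.items():
        sigs = rec["alerts"].values()
        if sigs and all("JA3" in s for s in sigs):
            out.append(endpoint)
    return sorted(out)


if __name__ == "__main__":
    for endpoint, rec in triage().items():
        print(endpoint, rec["hostname"], sorted(rec["alerts"]))
    print("IOC endpoints:", bare_ip_endpoints())
    print("JA3-only endpoints:", client_fingerprint_endpoints())
```

Keying on the remote endpoint rather than on the raw flow tuple is what makes the two port-9985 rows collapse into one record with both SIDs; keying on the flow as Suricata prints it would split the request and the HFS response into two unrelated findings. The JA3 fingerprint itself is still worth recording as a host-side indicator of the sample's TLS library, just not as a server IOC.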
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49168 -> 58.250.136.113:443 | C=US, O=DigiCert Inc, CN=DigiCert Secure Site CN CA G3 | C=CN, ST=Guangdong Province, L=Shenzhen, O=Shenzhen Tencent Computer Systems Company Limited, CN=*.qzone.qq.com | 95:32:d9:7d:91:4a:63:96:66:10:b3:ab:36:27:f3:23:ab:62:48:32 |
TLSv1 192.168.56.101:49172 -> 58.250.136.113:443 | None | None | None |
Snort Alerts
No Snort Alerts