Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
cdn.wmpvp.com | CNAME cdn.wmpvp.com.wsglb0.com | 14.0.113.205 |
new-service.biliapi.net | 122.189.171.106 | |
GET 200 https://new-service.biliapi.net/picture/chatres/update/version.txt

Request:
GET /picture/chatres/update/version.txt HTTP/1.1
Host: new-service.biliapi.net
Accept: */*
Accept-Encoding: deflate, gzip

Response:
HTTP/1.1 200 OK
Server: Tengine
Date: Sat, 17 Jun 2023 09:10:54 GMT
Content-Type: text/plain; charset=utf-8
ETag: "648b0acf-158"
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
X-Cache-Lookup: Cache Miss
X-Cache-Lookup: Hit From Upstream Cluster
Last-Modified: Thu, 15 Jun 2023 12:57:51 GMT
Content-Length: 344
X-NWS-LOG-UUID: 13259598874040505533
Connection: keep-alive
X-Cache-Lookup: Cache Miss
GET 200 https://cdn.wmpvp.com/steamWeb/F24DCA1346594DF3B954684015A7C50F-1686833838173.pdf

Request:
GET /steamWeb/F24DCA1346594DF3B954684015A7C50F-1686833838173.pdf HTTP/1.1
Host: cdn.wmpvp.com
Accept: */*
Accept-Encoding: deflate, gzip

Response:
HTTP/1.1 200 OK
Date: Sat, 17 Jun 2023 09:10:54 GMT
Content-Type: application/pdf
Content-Length: 1239853
Connection: keep-alive
Server: AliyunOSS
x-oss-request-id: 648B0AE676A41035314494D7
Accept-Ranges: bytes
ETag: "BDF38048E9B28A41CF634337C2D6D8AC"
Last-Modified: Thu, 15 Jun 2023 12:57:18 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 7229888014651117014
x-oss-storage-class: Standard
Content-MD5: vfOASOmyikHPY0M3wtbYrA==
x-oss-server-time: 10
Age: 1
X-Via: 1.1 zhsx21:8 (Cdn Cache Server V2.0), 1.1 CS-000-01L6Z170:12 (Cdn Cache Server V2.0), 1.1 PShgseSEL4fr138:6 (Cdn Cache Server V2.0)
X-Ws-Request-Id: 648d789e_PShgseSEL4fr138_13367-10009
Access-Control-Allow-Origin: *
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49165 -> 113.207.69.188:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49169 -> 14.0.113.205:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.103:49165 -> 113.207.69.188:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign GCC R3 DV TLS CA 2020 | CN=*.biliapi.net | ce:3f:f7:0a:8d:37:1c:cb:b4:10:53:29:c8:51:cd:3b:7e:4e:5a:ed |
TLS 1.2 192.168.56.103:49169 -> 14.0.113.205:443 | C=US, O=DigiCert, Inc., CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1 | CN=*.wmpvp.com | 7a:33:5f:6b:95:b3:9f:fa:cc:e0:8f:ee:6e:f9:c8:b9:1a:7e:1b:ac |
Snort Alerts
No Snort Alerts