Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| pool.supportxmr.com |
CNAME
pool-fr.supportxmr.com
|
141.94.96.71 |
POST
200
http://51.77.140.74/api/endpoint.php
REQUEST
RESPONSE
BODY
POST /api/endpoint.php HTTP/1.1
Accept: */*
Connection: close
Content-Length: 268
Content-Type: application/json
Host: 51.77.140.74
User-Agent: cpp-httplib/0.9
HTTP/1.1 200 OK
Date: Tue, 08 Aug 2023 00:28:28 GMT
Server: Apache/2.4.56 (Debian)
Vary: Accept-Encoding
Content-Length: 480
Connection: close
Content-Type: text/html; charset=UTF-8
POST
200
http://51.77.140.74/api/endpoint.php
REQUEST
RESPONSE
BODY
POST /api/endpoint.php HTTP/1.1
Accept: */*
Connection: close
Content-Length: 489
Content-Type: application/json
Host: 51.77.140.74
User-Agent: cpp-httplib/0.9
HTTP/1.1 200 OK
Date: Tue, 08 Aug 2023 00:29:27 GMT
Server: Apache/2.4.56 (Debian)
Vary: Accept-Encoding
Content-Length: 480
Connection: close
Content-Type: text/html; charset=UTF-8
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.103:49164 -> 51.77.140.74:80 | 2044697 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3 | A Network Trojan was detected |
| TCP 192.168.56.103:49166 -> 51.77.140.74:80 | 2035420 | ET MALWARE Win32/Pripyat Activity (POST) | A Network Trojan was detected |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLS 1.2 192.168.56.103:49163 141.94.96.195:9000 |
C=IT, ST=Pool, L=Daemon, O=Mining Pool, CN=mining.pool | C=IT, ST=Pool, L=Daemon, O=Mining Pool, CN=mining.pool | 53:ae:f7:96:12:17:eb:ad:26:1e:d7:46:d6:47:0b:e6:80:80:7b:02 |
|
TLS 1.2 192.168.56.103:49165 141.94.96.144:9000 |
C=IT, ST=Pool, L=Daemon, O=Mining Pool, CN=mining.pool | C=IT, ST=Pool, L=Daemon, O=Mining Pool, CN=mining.pool | d4:50:34:fd:7a:42:9b:53:4c:cb:38:ba:60:08:f3:a1:e1:df:f0:10 |
Snort Alerts
No Snort Alerts