Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| www.vaskaworldairways.com |
CNAME
fletchto99.com
|
71.33.149.60 |
| www.docomo-mobileconsulting.com | 91.195.240.109 | |
| www.uadmxqby.click | ||
| www.zhperviepixie.com |
CNAME
zhperviepixie.com
|
167.172.228.26 |
| www.sarthaksrishticreation.com | 119.18.49.69 |
- UDP Requests
-
-
192.168.56.101:53004 164.124.101.2:53
-
192.168.56.101:53850 164.124.101.2:53
-
192.168.56.101:54148 164.124.101.2:53
-
192.168.56.101:55146 164.124.101.2:53
-
192.168.56.101:59002 164.124.101.2:53
-
192.168.56.101:137 192.168.56.255:137
-
192.168.56.101:138 192.168.56.255:138
-
192.168.56.101:54151 239.255.255.250:1900
-
GET
404
http://www.zhperviepixie.com/sy22/?8pM0A2PH=hdFL0kwy0tP2Sq5zkMkXOvLbydzGG5NDjXbLdYDkA/+zwUFtuqh4YP0DuyJcd4UMQHwk1geg&Cda4=inCHhv7P
REQUEST
RESPONSE
BODY
GET /sy22/?8pM0A2PH=hdFL0kwy0tP2Sq5zkMkXOvLbydzGG5NDjXbLdYDkA/+zwUFtuqh4YP0DuyJcd4UMQHwk1geg&Cda4=inCHhv7P HTTP/1.1
Host: www.zhperviepixie.com
Connection: close
HTTP/1.1 404
Server: nginx/1.20.1
Date: Fri, 15 Sep 2023 08:35:16 GMT
Content-Length: 0
Connection: close
GET
301
http://www.sarthaksrishticreation.com/sy22/?8pM0A2PH=++s7hqRnDFs/g5YbNhmDQGydnZIcmR65wuKS6+wpOQxc/+r74UhYv08VjUB0PTEo7NuOximl&Cda4=inCHhv7P
REQUEST
RESPONSE
BODY
GET /sy22/?8pM0A2PH=++s7hqRnDFs/g5YbNhmDQGydnZIcmR65wuKS6+wpOQxc/+r74UhYv08VjUB0PTEo7NuOximl&Cda4=inCHhv7P HTTP/1.1
Host: www.sarthaksrishticreation.com
Connection: close
HTTP/1.1 301 Moved Permanently
Date: Fri, 15 Sep 2023 08:35:37 GMT
Server: Apache
Location: https://www.sarthaksrishticreation.com/sy22/?8pM0A2PH=++s7hqRnDFs/g5YbNhmDQGydnZIcmR65wuKS6+wpOQxc/+r74UhYv08VjUB0PTEo7NuOximl&Cda4=inCHhv7P
Content-Length: 352
Connection: close
Content-Type: text/html; charset=iso-8859-1
GET
200
http://www.docomo-mobileconsulting.com/sy22/?8pM0A2PH=lVM1xi/uUQcXVrGb3v1MnIj4JTU8QNZxAwtnBLuxN6GTboe8PABHdOr2nABXcw5/boXeCr4R&Cda4=inCHhv7P
REQUEST
RESPONSE
BODY
GET /sy22/?8pM0A2PH=lVM1xi/uUQcXVrGb3v1MnIj4JTU8QNZxAwtnBLuxN6GTboe8PABHdOr2nABXcw5/boXeCr4R&Cda4=inCHhv7P HTTP/1.1
Host: www.docomo-mobileconsulting.com
Connection: close
HTTP/1.1 200 OK
date: Fri, 15 Sep 2023 08:35:58 GMT
content-type: text/html; charset=UTF-8
transfer-encoding: chunked
vary: Accept-Encoding
x-powered-by: PHP/8.1.17
expires: Mon, 26 Jul 1997 05:00:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_H09F8ul3FM4+lCkinZVRoEDLW9PFKsRJOc+pPAXvMPvmsJna7rYdyN/jX18aO8YPOoK+J5FR8VvBqugzLaYxOg==
last-modified: Fri, 15 Sep 2023 08:35:58 GMT
x-cache-miss-from: parking-6f7d579cd8-772zr
server: NginX
connection: close
GET
301
http://www.vaskaworldairways.com/sy22/?8pM0A2PH=0xwPlKA6nfVb2/YVENf+IWv5xvicy/R8paHQQCrWR7ymRnci8vQj1/jQPH6Z9LiVJHGqShyE&Cda4=inCHhv7P
REQUEST
RESPONSE
BODY
GET /sy22/?8pM0A2PH=0xwPlKA6nfVb2/YVENf+IWv5xvicy/R8paHQQCrWR7ymRnci8vQj1/jQPH6Z9LiVJHGqShyE&Cda4=inCHhv7P HTTP/1.1
Host: www.vaskaworldairways.com
Connection: close
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 15 Sep 2023 08:36:16 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.vaskaworldairways.com/sy22/?8pM0A2PH=0xwPlKA6nfVb2/YVENf+IWv5xvicy/R8paHQQCrWR7ymRnci8vQj1/jQPH6Z9LiVJHGqShyE&Cda4=inCHhv7P
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Cache-Control: no-transform
Referrer-Policy: same-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-UA-Compatible: IE=Edge
X-XSS-Protection: 1; mode=block
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.101:49167 -> 119.18.49.69:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.101:49169 -> 71.33.149.60:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.101:49168 -> 91.195.240.109:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.101:49166 -> 167.172.228.26:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts