Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| apps.identrust.com |
CNAME
a1952.dscq.akamai.net
CNAME
identrust.edgesuite.net
|
23.67.53.17 |
| www.google-analytics.com | 216.239.38.178 | |
| www.highmotionsoftware.com |
CNAME
highmotionsoftware.com
|
104.193.111.101 |
| www.bolidesoft.com |
CNAME
bolidesoft.com
|
104.193.111.117 |
- UDP Requests
-
-
192.168.56.101:137 192.168.56.103:137
-
192.168.56.103:50800 164.124.101.2:53
-
192.168.56.103:52760 164.124.101.2:53
-
192.168.56.103:53673 164.124.101.2:53
-
192.168.56.103:62576 164.124.101.2:53
-
192.168.56.103:64894 164.124.101.2:53
-
192.168.56.103:137 192.168.56.255:137
-
192.168.56.103:52763 239.255.255.250:1900
-
52.231.114.183:123 192.168.56.103:123
-
GET
200
https://www.google-analytics.com/collect?v=1&tid=UA-380480-23&cid=%7B8088027B-4BB6-456E-A8C8-37F4AC853C35%7D&t=event&ec=Session&ea=Start&an=ImBatch&av=7.6.0&ul=en-GB&sr=1024x768&sc=start&z=42773
REQUEST
RESPONSE
BODY
GET /collect?v=1&tid=UA-380480-23&cid=%7B8088027B-4BB6-456E-A8C8-37F4AC853C35%7D&t=event&ec=Session&ea=Start&an=ImBatch&av=7.6.0&ul=en-GB&sr=1024x768&sc=start&z=42773 HTTP/1.1
User-Agent: GAnalytics/1.0 (Windows 7 Service Pack 1 (Version 6.1, Build 7601, 64-bit Edition))
Host: www.google-analytics.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Pragma: no-cache
X-Content-Type-Options: nosniff
Cross-Origin-Resource-Policy: cross-origin
Server: Golfe2
Content-Length: 35
Date: Fri, 15 Sep 2023 23:02:21 GMT
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Age: 21617
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
Content-Type: image/gif
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET
200
http://apps.identrust.com/roots/dstrootcax3.p7c
REQUEST
RESPONSE
BODY
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com
HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Robots-Tag: noindex
Referrer-Policy: same-origin
Last-Modified: Mon, 21 Aug 2023 22:08:28 GMT
ETag: "37d-603761e33cf00"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Sat, 16 Sep 2023 06:02:39 GMT
Date: Sat, 16 Sep 2023 05:02:39 GMT
Connection: keep-alive
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.103:49168 -> 172.217.24.238:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.103:49169 -> 104.193.111.101:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.103:49168 172.217.24.238:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=*.google-analytics.com | e6:f7:82:c1:10:ac:08:76:a1:97:70:b7:56:b7:ef:92:30:ba:1e:12 |
|
TLSv1 192.168.56.103:49169 104.193.111.101:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=highmotionsoftware.com | 6f:a9:b3:c7:07:47:2c:5d:29:21:bd:d5:d6:29:38:66:0c:08:a5:43 |
Snort Alerts
No Snort Alerts