Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
www.kimgj.com |
CNAME
kimgj.com
|
99.83.196.71 |
www.kwamitikki.com | 195.216.243.33 | |
www.podplugca.com |
CNAME
ext-sq.squarespace.com
|
198.49.23.144 |
www.displayfridges.fun | 64.225.91.73 | |
www.qixservice.online |
CNAME
onstatic-pt.setupdns.net
|
81.88.57.70 |
- UDP Requests
-
-
192.168.56.101:53004 164.124.101.2:53
-
192.168.56.101:53850 164.124.101.2:53
-
192.168.56.101:54148 164.124.101.2:53
-
192.168.56.101:55146 164.124.101.2:53
-
192.168.56.101:59002 164.124.101.2:53
-
192.168.56.101:137 192.168.56.103:137
-
192.168.56.101:137 192.168.56.255:137
-
192.168.56.101:138 192.168.56.255:138
-
192.168.56.101:54151 239.255.255.250:1900
-
GET
404
http://www.kwamitikki.com/sy22/?GFNl=ayc0h3zWsM+s/UZ3LUjJJuwK+un3y5jAnwaTGnQTjoBH3sQruTiuCMTcn690zSCGQsaDZ/V1&Rlj=YVFTx4dp
REQUEST
RESPONSE
BODY
GET /sy22/?GFNl=ayc0h3zWsM+s/UZ3LUjJJuwK+un3y5jAnwaTGnQTjoBH3sQruTiuCMTcn690zSCGQsaDZ/V1&Rlj=YVFTx4dp HTTP/1.1
Host: www.kwamitikki.com
Connection: close
HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 08 Oct 2023 01:41:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
GET
200
http://www.displayfridges.fun/sy22/?GFNl=aXg/rmbVwlFwwtnhCbViqZ1yX+MILNYt2xJKgyzLKbDp+5cOMXOnKyz8SWn7ESolc4/lQPeb&Rlj=YVFTx4dp
REQUEST
RESPONSE
BODY
GET /sy22/?GFNl=aXg/rmbVwlFwwtnhCbViqZ1yX+MILNYt2xJKgyzLKbDp+5cOMXOnKyz8SWn7ESolc4/lQPeb&Rlj=YVFTx4dp HTTP/1.1
Host: www.displayfridges.fun
Connection: close
HTTP/1.1 200 OK
server: nginx/1.18.0 (Ubuntu)
date: Sun, 08 Oct 2023 01:41:51 GMT
content-type: text/html
content-length: 593
last-modified: Wed, 22 Feb 2023 21:25:52 GMT
etag: "63f68860-251"
accept-ranges: bytes
connection: close
GET
403
http://www.kimgj.com/sy22/?GFNl=3SPsA2Ss8I6lJqBAUfWjnvopZUchcaiATf/poqfUwjZ4JN2yY1pEd2m56Et1bCNhcUG3dZ4S&Rlj=YVFTx4dp
REQUEST
RESPONSE
BODY
GET /sy22/?GFNl=3SPsA2Ss8I6lJqBAUfWjnvopZUchcaiATf/poqfUwjZ4JN2yY1pEd2m56Et1bCNhcUG3dZ4S&Rlj=YVFTx4dp HTTP/1.1
Host: www.kimgj.com
Connection: close
HTTP/1.1 403
Date: Sun, 08 Oct 2023 01:42:11 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: JSESSIONID=FCD685C6A1BC48CDBBF5E82386504638; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
GET
400
http://www.podplugca.com/sy22/?GFNl=1SbEEVOB0X5p51zw8Y9tIyj0s4wRGWDD/YTF5BQf3aGuyUlv8rzVEk4tRHrNdM/Dikld30uR&Rlj=YVFTx4dp
REQUEST
RESPONSE
BODY
GET /sy22/?GFNl=1SbEEVOB0X5p51zw8Y9tIyj0s4wRGWDD/YTF5BQf3aGuyUlv8rzVEk4tRHrNdM/Dikld30uR&Rlj=YVFTx4dp HTTP/1.1
Host: www.podplugca.com
Connection: close
HTTP/1.1 400 Bad Request
Cache-Control: no-cache, must-revalidate
Content-Length: 77564
Content-Type: text/html; charset=UTF-8
Date: Sun, 08 Oct 2023 01:42:32 UTC
Expires: Thu, 01 Jan 1970 00:00:00 UTC
Pragma: no-cache
Server: Squarespace
X-Contextid: 8vrY2rzy/ElhTa2uJ
Connection: close
GET
404
http://www.qixservice.online/sy22/?GFNl=VBKd4i1TBAeTlYBnm9tWLCP4ww2vn+XVFOQPMnsW4AFxqlBX+KApyR5y0aXQ0sSyxSIvT0ne&Rlj=YVFTx4dp
REQUEST
RESPONSE
BODY
GET /sy22/?GFNl=VBKd4i1TBAeTlYBnm9tWLCP4ww2vn+XVFOQPMnsW4AFxqlBX+KApyR5y0aXQ0sSyxSIvT0ne&Rlj=YVFTx4dp HTTP/1.1
Host: www.qixservice.online
Connection: close
HTTP/1.1 404 Not Found
Date: Sun, 08 Oct 2023 01:42:52 GMT
Server: Apache
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49166 -> 195.216.243.33:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
TCP 192.168.56.101:49169 -> 198.185.159.145:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
TCP 192.168.56.101:49170 -> 81.88.57.70:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
TCP 192.168.56.101:49168 -> 75.2.85.42:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
TCP 192.168.56.101:49167 -> 64.225.91.73:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts