Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| www.oneresi.com |
CNAME
oneresi.com
|
15.197.148.33 |
| www.bowllywood.com | 156.241.138.74 | |
| www.qianxz109.xyz | ||
| www.trailblazerbaby.com |
CNAME
ext-sq.squarespace.com
|
198.49.23.144 |
| www.seoulbeautytw.com |
CNAME
easystore.map.fastly.net
|
151.101.194.236 |
- UDP Requests
-
-
192.168.56.103:50800 164.124.101.2:53
-
192.168.56.103:52760 164.124.101.2:53
-
192.168.56.103:53673 164.124.101.2:53
-
192.168.56.103:62576 164.124.101.2:53
-
192.168.56.103:64894 164.124.101.2:53
-
192.168.56.103:137 192.168.56.255:137
-
192.168.56.103:138 192.168.56.255:138
-
192.168.56.103:49154 239.255.255.250:1900
-
GET
400
http://www.trailblazerbaby.com/ge06/?cxlL6=Vn36JpzNTKaSb0MTbSztLcrwH0nGOIWlPxp5C0tdRb7z35/kOAEpp28Rs4alwfkjtZwLX/a3&Tj=YBZ0
REQUEST
RESPONSE
BODY
GET /ge06/?cxlL6=Vn36JpzNTKaSb0MTbSztLcrwH0nGOIWlPxp5C0tdRb7z35/kOAEpp28Rs4alwfkjtZwLX/a3&Tj=YBZ0 HTTP/1.1
Host: www.trailblazerbaby.com
Connection: close
HTTP/1.1 400 Bad Request
Cache-Control: no-cache, must-revalidate
Content-Length: 77564
Content-Type: text/html; charset=UTF-8
Date: Tue, 10 Oct 2023 22:48:41 UTC
Expires: Thu, 01 Jan 1970 00:00:00 UTC
Pragma: no-cache
Server: Squarespace
X-Contextid: ofI1eOxu/pD8mYgTH
Connection: close
GET
301
http://www.seoulbeautytw.com/ge06/?cxlL6=Qc2b7R052BxaaIixZxZchyIrCtI6dOvdNg5lwCRd5bjXdsmVEtEF/rdDBYlFLrvTnx09Yrft&Tj=YBZ0
REQUEST
RESPONSE
BODY
GET /ge06/?cxlL6=Qc2b7R052BxaaIixZxZchyIrCtI6dOvdNg5lwCRd5bjXdsmVEtEF/rdDBYlFLrvTnx09Yrft&Tj=YBZ0 HTTP/1.1
Host: www.seoulbeautytw.com
Connection: close
HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://www.seoulbeautytw.com/ge06/?cxlL6=Qc2b7R052BxaaIixZxZchyIrCtI6dOvdNg5lwCRd5bjXdsmVEtEF/rdDBYlFLrvTnx09Yrft&Tj=YBZ0
Accept-Ranges: bytes
Date: Tue, 10 Oct 2023 22:49:21 GMT
Via: 1.1 varnish
X-Served-By: cache-icn1450083-ICN
X-Cache: HIT
X-Cache-Hits: 0
Strict-Transport-Security: max-age=31557600
GET
200
http://www.bowllywood.com/ge06/?cxlL6=uEJyp/LCRcqeyVkDqWXotAOO7ojlhdOeJwNXEXO62CdMmnp4nkE9E2jcl8Y9Q/hLDx6OjvQc&Tj=YBZ0
REQUEST
RESPONSE
BODY
GET /ge06/?cxlL6=uEJyp/LCRcqeyVkDqWXotAOO7ojlhdOeJwNXEXO62CdMmnp4nkE9E2jcl8Y9Q/hLDx6OjvQc&Tj=YBZ0 HTTP/1.1
Host: www.bowllywood.com
Connection: close
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 10 Oct 2023 22:49:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
GET
403
http://www.oneresi.com/ge06/?cxlL6=TxZz26qHBFBWLipdaFP8DXj847gFVWoG3E2dnld5pyULLNin+5TsGSuzug1CwjEl4T2LS/ZH&Tj=YBZ0
REQUEST
RESPONSE
BODY
GET /ge06/?cxlL6=TxZz26qHBFBWLipdaFP8DXj847gFVWoG3E2dnld5pyULLNin+5TsGSuzug1CwjEl4T2LS/ZH&Tj=YBZ0 HTTP/1.1
Host: www.oneresi.com
Connection: close
HTTP/1.1 403 Forbidden
Server: openresty
Date: Tue, 10 Oct 2023 22:50:02 GMT
Content-Type: text/html
Content-Length: 150
Connection: close
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.103:49168 -> 156.241.138.74:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.103:49166 -> 198.49.23.145:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.103:49169 -> 15.197.148.33:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.103:49167 -> 146.75.50.236:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts