Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
www.vaskaworldairways.com | CNAME fletchto99.com | 97.118.134.29 |
www.docomo-mobileconsulting.com | 185.53.177.52 | |
www.zhperviepixie.com | CNAME zhperviepixie.com | 167.172.228.26 |
www.vinteligencia.com | 172.67.198.50 | |
www.gracefullytouchedartistry.com | CNAME cdn1.wixdns.net | 34.149.87.45 |
TCP Requests
- 131.153.76.130:80 192.168.56.103:49232
- 192.168.56.103:49167 167.172.228.26:80 www.zhperviepixie.com
- 192.168.56.103:49168 172.67.198.50:80 www.vinteligencia.com
- 192.168.56.103:49170 185.53.177.52:80 www.docomo-mobileconsulting.com
- 192.168.56.103:49169 34.149.87.45:80 www.gracefullytouchedartistry.com
- 192.168.56.103:49166 97.118.134.29:80 www.vaskaworldairways.com
UDP Requests
- 192.168.56.103:50800 164.124.101.2:53
- 192.168.56.103:52760 164.124.101.2:53
- 192.168.56.103:53673 164.124.101.2:53
- 192.168.56.103:62576 164.124.101.2:53
- 192.168.56.103:64894 164.124.101.2:53
- 192.168.56.103:137 192.168.56.101:137
- 192.168.56.103:137 192.168.56.255:137
- 192.168.56.103:138 192.168.56.255:138
- 192.168.56.103:49154 239.255.255.250:1900
HTTP Requests
GET 301 http://www.vaskaworldairways.com/sy22/?Dxlpd=0xwPlKA6nfVb2/YVENf+IWv5xvicy/R8paHQQCrWR7ymRnci8vQj1/jQPH6Z9LiVJHGqShyE&mnSh=Txlhkdx
Request:
GET /sy22/?Dxlpd=0xwPlKA6nfVb2/YVENf+IWv5xvicy/R8paHQQCrWR7ymRnci8vQj1/jQPH6Z9LiVJHGqShyE&mnSh=Txlhkdx HTTP/1.1
Host: www.vaskaworldairways.com
Connection: close
Response:
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 18 Oct 2023 22:56:38 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.vaskaworldairways.com/sy22/?Dxlpd=0xwPlKA6nfVb2/YVENf+IWv5xvicy/R8paHQQCrWR7ymRnci8vQj1/jQPH6Z9LiVJHGqShyE&mnSh=Txlhkdx
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Cache-Control: no-transform
Referrer-Policy: same-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-UA-Compatible: IE=Edge
X-XSS-Protection: 1; mode=block
GET 404 http://www.zhperviepixie.com/sy22/?Dxlpd=hdFL0kwy0tP2Sq5zkMkXOvLbydzGG5NDjXbLdYDkA/+zwUFtuqh4YP0DuyJcd4UMQHwk1geg&mnSh=Txlhkdx
Request:
GET /sy22/?Dxlpd=hdFL0kwy0tP2Sq5zkMkXOvLbydzGG5NDjXbLdYDkA/+zwUFtuqh4YP0DuyJcd4UMQHwk1geg&mnSh=Txlhkdx HTTP/1.1
Host: www.zhperviepixie.com
Connection: close
Response:
HTTP/1.1 404
Server: nginx/1.20.1
Date: Wed, 18 Oct 2023 22:56:59 GMT
Content-Length: 0
Connection: close
GET 301 http://www.vinteligencia.com/sy22/?Dxlpd=bFBzPUMpurqsSaAEhywdCFYwBQqPS0zKvFatuRp4xXu+SuvLn4C9Xg+acXGhzE1ceHoH+Iro&mnSh=Txlhkdx
Request:
GET /sy22/?Dxlpd=bFBzPUMpurqsSaAEhywdCFYwBQqPS0zKvFatuRp4xXu+SuvLn4C9Xg+acXGhzE1ceHoH+Iro&mnSh=Txlhkdx HTTP/1.1
Host: www.vinteligencia.com
Connection: close
Response:
HTTP/1.1 301 Moved Permanently
Date: Wed, 18 Oct 2023 22:57:19 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Wed, 18 Oct 2023 23:57:19 GMT
Location: https://www.vinteligencia.com/sy22/?Dxlpd=bFBzPUMpurqsSaAEhywdCFYwBQqPS0zKvFatuRp4xXu+SuvLn4C9Xg+acXGhzE1ceHoH+Iro&mnSh=Txlhkdx
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=WfH5yG%2B0IKIZxDLnebv2rpUFbFNA%2F0fta3pG6YTiJXlCCn%2BAF623a77zuQNVQQFStoT0qXkZVpomYsVrLfXq68OLXVHHnJoWkD0pjVhh7LWJhbO6MJt15%2FWJPbWLPh0xMSV%2FrilTxpw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 818461311ec48d18-KIX
alt-svc: h3=":443"; ma=86400
GET 301 http://www.gracefullytouchedartistry.com/sy22/?Dxlpd=32OyyUZHwqvJixPuiOQtM5MnMYIWhWk0yyAoMHrFdBB4wJvVGBkivZFh4+NGsLP7HahAbSBt&mnSh=Txlhkdx
Request:
GET /sy22/?Dxlpd=32OyyUZHwqvJixPuiOQtM5MnMYIWhWk0yyAoMHrFdBB4wJvVGBkivZFh4+NGsLP7HahAbSBt&mnSh=Txlhkdx HTTP/1.1
Host: www.gracefullytouchedartistry.com
Connection: close
Response:
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Location: https://www.gracefullytouchedartistry.com/sy22?Dxlpd=32OyyUZHwqvJixPuiOQtM5MnMYIWhWk0yyAoMHrFdBB4wJvVGBkivZFh4+NGsLP7HahAbSBt&mnSh=Txlhkdx
Strict-Transport-Security: max-age=3600
X-Wix-Request-Id: 1697669859.704626791525318
Age: 0
Cache-Control: no-cache
X-Content-Type-Options: nosniff
Server: Pepyaka/1.19.10
Accept-Ranges: bytes
Date: Wed, 18 Oct 2023 22:57:39 GMT
X-Served-By: cache-tyo11932-TYO
X-Cache: MISS
Server-Timing: cache;desc=miss, varnish;desc=miss_miss, dc;desc=fastly_g
X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,GXNXSWFXisshliUcwO20NYMupe6WQf6MVMrzEUOojIKvdC6f7jQjbBWPl6S3s2X1,qquldgcFrj2n046g4RNSVOA8rqzJ1wZ8KdbYeYoU/wo=,2d58ifebGbosy5xc+FRalmTXUK43bAzXXxFMspZCoKkLglUF0lTxR+V8X0EISehBTaOzad26luC4Q5hIhRb9v4/xYpPUQSbYgpRzYcAMqd4=,2UNV7KOq4oGjA5+PKsX47CwY6WAbdpZAX0WENTwFUsxYgeUJqUXtid+86vZww+nL,R8nVwPJv9QJL1m78OROO+HwhU5AT40dXTsocyGZZuds=,j1W3GTXLqH1rFP/nP6vn5udtUVfkxj/eSYAEp3D6B3D4D2PFRhC5HA4zrltzn4LTjD4aNF2Ay2Wc5w0fmuOdcQ==
Via: 1.1 google
Connection: close
GET 403 http://www.docomo-mobileconsulting.com/sy22/?Dxlpd=lVM1xi/uUQcXVrGb3v1MnIj4JTU8QNZxAwtnBLuxN6GTboe8PABHdOr2nABXcw5/boXeCr4R&mnSh=Txlhkdx
Request:
GET /sy22/?Dxlpd=lVM1xi/uUQcXVrGb3v1MnIj4JTU8QNZxAwtnBLuxN6GTboe8PABHdOr2nABXcw5/boXeCr4R&mnSh=Txlhkdx HTTP/1.1
Host: www.docomo-mobileconsulting.com
Connection: close
Response:
HTTP/1.1 403 Forbidden
Server: nginx
Date: Wed, 18 Oct 2023 22:58:00 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49168 -> 172.67.198.50:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
TCP 192.168.56.103:49166 -> 97.118.134.29:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
TCP 192.168.56.103:49167 -> 167.172.228.26:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
TCP 192.168.56.103:49169 -> 34.149.87.45:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
TCP 192.168.56.103:49170 -> 185.53.177.52:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
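Added triage helper (example code written for this page, not part of the sandbox report or of any detection ruleset): the five HTTP exchanges above share one URI shape, a short directory, one long base64-like parameter and a second short parameter whose value (`mnSh=Txlhkdx`) is identical on every host, which is the pattern the Suricata alerts fire on. The script below takes a constructed list of those five exchanges (host, request line, status, Location origin, Content-Length), clusters the hosts by that shared shape so the path and trailing parameter can be used as pivots, and labels each response: a 301 to the same path over HTTPS means a plain web server answered and nothing ever parsed the query string, while the body-less 404 and the 403 are the ones worth a second look. The regular expression is an analyst heuristic for this example; it is an assumption, not the content of ET SID 2031412.

```python
import re
from collections import defaultdict

# Constructed sample: the five check-ins captured above, reduced to the fields needed here.
# "location" keeps only the origin of the Location header; the path and query were identical.
SAMPLE_EXCHANGES = [
    {"host": "www.vaskaworldairways.com",
     "request": "GET /sy22/?Dxlpd=0xwPlKA6nfVb2/YVENf+IWv5xvicy/R8paHQQCrWR7ymRnci8vQj1/jQPH6Z9LiVJHGqShyE&mnSh=Txlhkdx HTTP/1.1",
     "status": 301, "location": "https://www.vaskaworldairways.com", "content_length": 162},
    {"host": "www.zhperviepixie.com",
     "request": "GET /sy22/?Dxlpd=hdFL0kwy0tP2Sq5zkMkXOvLbydzGG5NDjXbLdYDkA/+zwUFtuqh4YP0DuyJcd4UMQHwk1geg&mnSh=Txlhkdx HTTP/1.1",
     "status": 404, "location": None, "content_length": 0},
    {"host": "www.vinteligencia.com",
     "request": "GET /sy22/?Dxlpd=bFBzPUMpurqsSaAEhywdCFYwBQqPS0zKvFatuRp4xXu+SuvLn4C9Xg+acXGhzE1ceHoH+Iro&mnSh=Txlhkdx HTTP/1.1",
     "status": 301, "location": "https://www.vinteligencia.com", "content_length": None},  # chunked
    {"host": "www.gracefullytouchedartistry.com",
     "request": "GET /sy22/?Dxlpd=32OyyUZHwqvJixPuiOQtM5MnMYIWhWk0yyAoMHrFdBB4wJvVGBkivZFh4+NGsLP7HahAbSBt&mnSh=Txlhkdx HTTP/1.1",
     "status": 301, "location": "https://www.gracefullytouchedartistry.com", "content_length": 0},
    {"host": "www.docomo-mobileconsulting.com",
     "request": "GET /sy22/?Dxlpd=lVM1xi/uUQcXVrGb3v1MnIj4JTU8QNZxAwtnBLuxN6GTboe8PABHdOr2nABXcw5/boXeCr4R&mnSh=Txlhkdx HTTP/1.1",
     "status": 403, "location": None, "content_length": 146},
]

# Heuristic (assumption for this example): /<short dir>/?<short name>=<long base64-ish blob>&<short name>=<short tag>
CHECKIN_RE = re.compile(
    r"^/(?P<path>[A-Za-z0-9]{2,8})/\?"
    r"(?P<p1>[A-Za-z0-9]{2,8})=(?P<blob>[A-Za-z0-9+/=]{16,})"
    r"&(?P<p2>[A-Za-z0-9]{2,8})=(?P<tag>[A-Za-z0-9]{2,16})$"
)
REDIRECT_CODES = {301, 302, 307, 308}


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into its three parts."""
    method, target, version = line.split(" ", 2)
    return method, target, version


def checkin_fields(target):
    """Return the named URI parts if the request target matches the check-in shape, else None."""
    m = CHECKIN_RE.match(target)
    return m.groupdict() if m else None


def cluster_checkins(exchanges):
    """Group hosts by (directory, second parameter name, its value): one key per campaign config."""
    clusters = defaultdict(list)
    for ex in exchanges:
        method, target, _ = parse_request_line(ex["request"])
        fields = checkin_fields(target) if method == "GET" else None
        if fields:
            clusters[(fields["path"], fields["p2"], fields["tag"])].append(ex["host"])
    return dict(clusters)


def classify_response(ex):
    """Label a response the way an analyst sorts decoys from hosts that actually handled the request."""
    status, location = ex["status"], ex.get("location") or ""
    if status in REDIRECT_CODES and location.startswith("https://"):
        return "https-redirect"   # ordinary web host upgrading to TLS; the query string was never parsed
    if status == 404 and ex.get("content_length") == 0:
        return "empty-404"        # no error page at all, unusual for a public site
    if status == 403:
        return "forbidden"
    return f"other-{status}"


def triage(exchanges):
    """Map each host to its response label."""
    return {ex["host"]: classify_response(ex) for ex in exchanges}


if __name__ == "__main__":
    for key, hosts in cluster_checkins(SAMPLE_EXCHANGES).items():
        print("pivot path=/%s/ param=%s=%s hosts=%s" % (key[0], key[1], key[2], hosts))
    for host, label in triage(SAMPLE_EXCHANGES).items():
        print("%-36s %s" % (host, label))
```

The cluster key is what you would pivot on across other captures: the directory (`sy22`) and the fixed trailing parameter are reused across a sample's whole decoy list, while the first parameter's blob differs per host. The labels only order the follow-up; a redirect-to-HTTPS host is almost certainly a bystander, but an empty 404 or a 403 is not proof of a live panel and still needs the decrypted configuration or a second capture to confirm.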
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts