Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| www.tron-pk.xyz | 172.67.152.75 | |
| www.salvanandcie.com |
CNAME
cdn1.wixdns.net
|
34.149.87.45 |
| www.rykuruh.cfd | ||
| www.texwwfrx.com | 104.21.88.236 | |
| www.free-indeed.faith | 91.195.240.19 |
- UDP Requests
-
-
192.168.56.101:137 192.168.56.103:137
-
192.168.56.103:50800 164.124.101.2:53
-
192.168.56.103:52760 164.124.101.2:53
-
192.168.56.103:53673 164.124.101.2:53
-
192.168.56.103:62576 164.124.101.2:53
-
192.168.56.103:64894 164.124.101.2:53
-
192.168.56.103:137 192.168.56.255:137
-
192.168.56.103:49154 239.255.255.250:1900
-
GET
429
http://www.salvanandcie.com/tb8i/?-ZeTi6B=UMOMUPRltOuIOavlOV9TAbzOI3NyPSxU0IiF98vYZIoJYysmNQovnALCNihIDsZ76SkBnDz1&2d=lnxh
REQUEST
RESPONSE
BODY
GET /tb8i/?-ZeTi6B=UMOMUPRltOuIOavlOV9TAbzOI3NyPSxU0IiF98vYZIoJYysmNQovnALCNihIDsZ76SkBnDz1&2d=lnxh HTTP/1.1
Host: www.salvanandcie.com
Connection: close
HTTP/1.1 429 Too Many Requests
Content-Length: 0
Accept-Ranges: bytes
Date: Sun, 26 Nov 2023 04:38:53 GMT
X-Served-By: cache-hnd18738-HND
X-Cache: MISS
X-Seen-By: yvSunuo/8ld62ehjr5B7kA==
Via: 1.1 google
Connection: close
GET
200
http://www.free-indeed.faith/tb8i/?-ZeTi6B=mjsfGumS0MCj+go/ckdO0h+daXKQjTCMjol4fCy+GQ9z9EIRohWOFaX9TAL/50qANRa4gnnD&2d=lnxh
REQUEST
RESPONSE
BODY
GET /tb8i/?-ZeTi6B=mjsfGumS0MCj+go/ckdO0h+daXKQjTCMjol4fCy+GQ9z9EIRohWOFaX9TAL/50qANRa4gnnD&2d=lnxh HTTP/1.1
Host: www.free-indeed.faith
Connection: close
HTTP/1.1 200 OK
date: Sun, 26 Nov 2023 04:39:14 GMT
content-type: text/html; charset=UTF-8
transfer-encoding: chunked
vary: Accept-Encoding
x-powered-by: PHP/8.1.17
expires: Mon, 26 Jul 1997 05:00:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_FeIIVsKk3zRoijBkhcRijuag7OxDq7OGYQHNMHUjukTO+AUbTo7mIulaQ1sMswIuAqs5niGQu9PNcmcZG0zzoA==
last-modified: Sun, 26 Nov 2023 04:39:14 GMT
x-cache-miss-from: parking-698fb476bf-g877q
server: NginX
connection: close
GET
301
http://www.texwwfrx.com/tb8i/?-ZeTi6B=zluqp2Qif7Juk0jSJTDTdhTVgLgB+eVfrKJdSE4Bz8PdBwx7LJWv3E/FDzXvfZ8eIpu6oPdn&2d=lnxh
REQUEST
RESPONSE
BODY
GET /tb8i/?-ZeTi6B=zluqp2Qif7Juk0jSJTDTdhTVgLgB+eVfrKJdSE4Bz8PdBwx7LJWv3E/FDzXvfZ8eIpu6oPdn&2d=lnxh HTTP/1.1
Host: www.texwwfrx.com
Connection: close
HTTP/1.1 301 Moved Permanently
Date: Sun, 26 Nov 2023 04:39:33 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Sun, 26 Nov 2023 05:39:33 GMT
Location: https://www.texwwfrx.com/tb8i/?-ZeTi6B=zluqp2Qif7Juk0jSJTDTdhTVgLgB+eVfrKJdSE4Bz8PdBwx7LJWv3E/FDzXvfZ8eIpu6oPdn&2d=lnxh
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Ae%2FUE6HbmSlo2mlUDDgl6Ru49aGEQwP3s8Imbx5WqG9ZbEYnplNk75GXThxbIyHW5QqImMUKORmKaX50x0vByPlvqyJzA%2F%2BoolaBzm7BEa8w0Bh4ObQE%2BZv0wV%2BOKtxNYCcj"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82bf72c21fbc7c2f-LAX
alt-svc: h3=":443"; ma=86400
GET
301
http://www.tron-pk.xyz/tb8i/?-ZeTi6B=5rJxyOnP1GB0ESD4ttWy9/4jFy42toRxagw3E+bnB/pmFdmTHJRzMwLMKKbb+ploXs+4W+sP&2d=lnxh
REQUEST
RESPONSE
BODY
GET /tb8i/?-ZeTi6B=5rJxyOnP1GB0ESD4ttWy9/4jFy42toRxagw3E+bnB/pmFdmTHJRzMwLMKKbb+ploXs+4W+sP&2d=lnxh HTTP/1.1
Host: www.tron-pk.xyz
Connection: close
HTTP/1.1 301 Moved Permanently
Date: Sun, 26 Nov 2023 04:39:53 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: https://www.tron-pk.xyz/tb8i/?-ZeTi6B=5rJxyOnP1GB0ESD4ttWy9/4jFy42toRxagw3E+bnB/pmFdmTHJRzMwLMKKbb+ploXs+4W+sP&2d=lnxh
Strict-Transport-Security: max-age=31536000
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=oABOBUx66os5T5XTVKKf57bKJhAfE60G5%2BC532XldXozhg77jFOV6n6rncBKCvXVGjlVvG8YSSbaooX0jTbBWzze1S9M%2FxAOVm%2F6VHF9kXtcRz6zBDfUNJEnA%2B6LFMJICuw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82bf73410cf35220-LAX
alt-svc: h3=":443"; ma=86400
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.103:49171 -> 104.21.32.135:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.103:49171 -> 104.21.32.135:80 | 2031088 | ET HUNTING Request to .XYZ Domain with Minimal Headers | Potentially Bad Traffic |
| TCP 192.168.56.103:49166 -> 34.149.87.45:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.103:49169 -> 172.67.154.55:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.103:49167 -> 91.195.240.19:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts