Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
s4.gtsystems.hu | CNAME shadowman.dnse.hu | |
- TCP Requests
- UDP Requests
- 192.168.56.103:50800 164.124.101.2:53
- 192.168.56.103:52760 164.124.101.2:53
- 192.168.56.103:64894 164.124.101.2:53
- 192.168.56.103:137 192.168.56.101:137
- 192.168.56.103:137 192.168.56.255:137
- 192.168.56.103:138 192.168.56.255:138
- 192.168.56.103:64897 239.255.255.250:1900
- 52.231.114.183:123 192.168.56.103:123
- 8.8.8.8:53 192.168.56.103:50800
HTTP traffic
Method | Status | URL |
---|---|---|
GET | 200 | http://168.138.162.78/output0//resources0.xml |
GET | 200 | http://168.138.162.78/output0/client/cabal.exe |
GET | 200 | http://168.138.162.78/output0/updates/update_1.7z |

GET http://168.138.162.78/output0//resources0.xml
REQUEST
GET /output0//resources0.xml HTTP/1.1
Host: 168.138.162.78
Connection: Keep-Alive
RESPONSE
HTTP/1.1 200 OK
Date: Wed, 19 Feb 2025 02:00:08 GMT
Server: Apache/2.4.62 (Debian)
Last-Modified: Sat, 15 Feb 2025 03:05:09 GMT
ETag: "24a9-62e258f0e2340"
Accept-Ranges: bytes
Content-Length: 9385
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/xml

GET http://168.138.162.78/output0/client/cabal.exe
REQUEST
GET /output0/client/cabal.exe HTTP/1.1
Host: 168.138.162.78
RESPONSE
HTTP/1.1 200 OK
Date: Wed, 19 Feb 2025 02:00:08 GMT
Server: Apache/2.4.62 (Debian)
Last-Modified: Thu, 28 Nov 2024 08:57:39 GMT
ETag: "19a00-627f5463ae6c0"
Accept-Ranges: bytes
Content-Length: 104960
Content-Type: application/x-msdos-program

GET http://168.138.162.78/output0/updates/update_1.7z
REQUEST
GET /output0/updates/update_1.7z HTTP/1.1
Host: 168.138.162.78
RESPONSE
HTTP/1.1 200 OK
Date: Wed, 19 Feb 2025 02:00:09 GMT
Server: Apache/2.4.62 (Debian)
Last-Modified: Thu, 28 Nov 2024 12:47:14 GMT
ETag: "2cfe6-627f87b48b880"
Accept-Ranges: bytes
Content-Length: 184294
Content-Type: application/x-7z-compressed
ICMP traffic
Source | Destination | ICMP Type | Data |
---|---|---|---|
192.168.56.103 | 164.124.101.2 | 3 | |
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49162 -> 168.138.162.78:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic |
TCP 168.138.162.78:80 -> 192.168.56.103:49162 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
TCP 168.138.162.78:80 -> 192.168.56.103:49162 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic |
TCP 168.138.162.78:80 -> 192.168.56.103:49162 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts