Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dat-voip-sit-cio.trycloudflare.com | 104.16.231.132 |
GET
404
https://dat-voip-sit-cio.trycloudflare.com/shell.ps1
REQUEST
RESPONSE
BODY
GET /shell.ps1 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E)
Host: dat-voip-sit-cio.trycloudflare.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Date: Thu, 03 Apr 2025 00:57:21 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 92a49c78f949aa72-ICN
CF-Cache-Status: DYNAMIC
Vary: Accept-Encoding
Server: cloudflare
Content-Encoding: gzip
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| UDP 192.168.56.101:59002 -> 164.124.101.2:53 | 2034552 | ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com) | Potentially Bad Traffic |
| TCP 192.168.56.101:49161 -> 104.16.230.132:443 | 2058175 | ET HUNTING TryCloudFlare Domain in TLS SNI | Misc activity |
| TCP 192.168.56.101:49161 -> 104.16.230.132:443 | 2060250 | ET INFO Observed trycloudflare .com Domain in TLS SNI | Misc activity |
| TCP 192.168.56.101:49161 -> 104.16.230.132:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.101:49161 104.16.230.132:443 |
C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94 |
Snort Alerts
No Snort Alerts