Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dat-voip-sit-cio.trycloudflare.com | 104.16.230.132 |
GET
403
https://dat-voip-sit-cio.trycloudflare.com/V8.ps1
REQUEST
RESPONSE
BODY
| : | GET /V8.ps1 HTTP/1.1 |
| Accept: | */* |
| Accept-Encoding: | gzip, deflate |
| User-Agent: | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E) |
| Host: | dat-voip-sit-cio.trycloudflare.com |
| Connection: | Keep-Alive |
| : | HTTP/1.1 403 Forbidden |
| Date: | Tue, 08 Apr 2025 00 |
| Content-Type: | text/html; charset=UTF-8 |
| Transfer-Encoding: | chunked |
| Connection: | keep-alive |
| X-Frame-Options: | SAMEORIGIN |
| Vary: | Accept-Encoding |
| Server: | cloudflare |
| CF-RAY: | 92cda609098aa7cc-ICN |
| Content-Encoding: | gzip |
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.101:49162 -> 104.16.230.132:443 | 2058175 | ET HUNTING TryCloudFlare Domain in TLS SNI | Misc activity |
| TCP 192.168.56.101:49162 -> 104.16.230.132:443 | 2060250 | ET INFO Observed trycloudflare .com Domain in TLS SNI | Misc activity |
| TCP 192.168.56.101:49162 -> 104.16.230.132:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| UDP 192.168.56.101:59002 -> 164.124.101.2:53 | 2034552 | ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com) | Potentially Bad Traffic |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.101:49162 104.16.230.132:443 |
C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94 |
Snort Alerts
No Snort Alerts
