Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
minutes-amazing-curriculum-maui.trycloudflare.com | 104.16.230.132 | |
Method | Status | URL |
---|---|---|
GET | 200 | https://minutes-amazing-curriculum-maui.trycloudflare.com/update.bat |

REQUEST

```http
GET /update.bat HTTP/1.1
Host: minutes-amazing-curriculum-maui.trycloudflare.com
Connection: Keep-Alive
```

RESPONSE

```http
HTTP/1.1 200 OK
Date: Sun, 04 May 2025 04:06:55 GMT
Content-Type: text/plain
Content-Length: 4237
Connection: keep-alive
CF-Ray: 93a520ca0902d1d1-ICN
CF-Cache-Status: DYNAMIC
Accept-Ranges: bytes
ETag: "bb9d6d0934426d7a0ff6ff628c9233b8-1746277860-4237"
Last-Modified: Sat, 03 May 2025 13:11:00 GMT
Server: cloudflare
```

BODY
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
UDP 192.168.56.101:59002 -> 164.124.101.2:53 | 2034552 | ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com) | Potentially Bad Traffic |
TCP 192.168.56.101:49167 -> 104.16.230.132:443 | 2058175 | ET HUNTING TryCloudFlare Domain in TLS SNI | Misc activity |
TCP 192.168.56.101:49167 -> 104.16.230.132:443 | 2060250 | ET INFO Observed trycloudflare .com Domain in TLS SNI | Misc activity |
TCP 192.168.56.101:49167 -> 104.16.230.132:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49167 -> 104.16.230.132:443 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | 37:c4:c9:15:20:43:92:11:a9:ae:35:6c:c0:03:cb:d8:e0:9c:37:6b |
Snort Alerts
No Snort Alerts