Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| www.google.com | 216.58.197.132 |
- UDP Requests
-
-
192.168.56.101:59369 164.124.101.2:53
-
192.168.56.101:61479 164.124.101.2:53
-
192.168.56.101:62324 164.124.101.2:53
-
192.168.56.101:137 192.168.56.255:137
-
192.168.56.101:138 192.168.56.255:138
-
192.168.56.101:49152 239.255.255.250:3702
-
192.168.56.101:59370 239.255.255.250:3702
-
192.168.56.101:62445 239.255.255.250:1900
-
192.168.56.101:62447 239.255.255.250:3702
-
192.168.56.101:62449 239.255.255.250:3702
-
52.231.114.183:123 192.168.56.101:123
-
GET
200
https://www.google.com/
REQUEST
RESPONSE
BODY
GET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 09 Mar 2021 01:56:37 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2021-03-09-01; expires=Thu, 08-Apr-2021 01:56:37 GMT; path=/; domain=.google.com; Secure
Set-Cookie: NID=210=CMENCw3fA6ccae36yFANlC9pwCK0qnizd8RUz_PaCE1MwnTNuStNKEPbWHOmEmdOV3J5lBnoVAvX8NAiz6F1yZFMToK24xUzODJBD3udMzhm83OlmZcpV5tdwrlOgM_c2P0jevqPmKE-Y2BJ_WhjbbiCleXv1Qcy6saQMcQM7H4; expires=Wed, 08-Sep-2021 01:56:37 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET
200
https://www.bing.com/
REQUEST
RESPONSE
BODY
GET / HTTP/1.1
Host: www.bing.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND"
Set-Cookie: MUID=21D4E65059D7614A0441E9A558446013; domain=.bing.com; expires=Sun, 03-Apr-2022 01:56:37 GMT; path=/; secure; SameSite=None
Set-Cookie: MUIDB=21D4E65059D7614A0441E9A558446013; expires=Sun, 03-Apr-2022 01:56:37 GMT; path=/
Set-Cookie: _EDGE_S=F=1&SID=1451BF447B17684F0155B0B17A84692C; domain=.bing.com; path=/
Set-Cookie: _EDGE_V=1; domain=.bing.com; expires=Sun, 03-Apr-2022 01:56:37 GMT; path=/
Set-Cookie: SRCHD=AF=NOFORM; domain=.bing.com; expires=Thu, 09-Mar-2023 01:56:37 GMT; path=/
Set-Cookie: SRCHUID=V=2&GUID=0232C33742154C638FCC445DAE2F5820&dmnchg=1; domain=.bing.com; expires=Thu, 09-Mar-2023 01:56:37 GMT; path=/
Set-Cookie: SRCHUSR=DOB=20210309; domain=.bing.com; expires=Thu, 09-Mar-2023 01:56:37 GMT; path=/
Set-Cookie: SRCHHPGUSR=SRCHLANGV2=ko; domain=.bing.com; expires=Thu, 09-Mar-2023 01:56:37 GMT; path=/
Set-Cookie: _SS=SID=1451BF447B17684F0155B0B17A84692C; domain=.bing.com; path=/
Set-Cookie: ULC=; domain=.bing.com; expires=Mon, 08-Mar-2021 01:56:37 GMT; path=/
Set-Cookie: _HPVN=CS=eyJQbiI6eyJDbiI6MSwiU3QiOjAsIlFzIjowLCJQcm9kIjoiUCJ9LCJTYyI6eyJDbiI6MSwiU3QiOjAsIlFzIjowLCJQcm9kIjoiSCJ9LCJReiI6eyJDbiI6MSwiU3QiOjAsIlFzIjowLCJQcm9kIjoiVCJ9LCJBcCI6dHJ1ZSwiTXV0ZSI6dHJ1ZSwiTGFkIjoiMjAyMS0wMy0wOVQwMDowMDowMFoiLCJJb3RkIjowLCJEZnQiOm51bGwsIk12cyI6MCwiRmx0IjowLCJJbXAiOjF9; domain=.bing.com; expires=Thu, 09-Mar-2023 01:56:37 GMT; path=/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-MSEdge-Ref: Ref A: E5CD5A0229BC4D9C981B0FC5C4B2A2AD Ref B: SLAEDGE1014 Ref C: 2021-03-09T01:56:37Z
Date: Tue, 09 Mar 2021 01:56:36 GMT
POST
200
http://18.157.168.193/index.php
REQUEST
RESPONSE
BODY
POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 18.157.168.193
Content-Length: 89
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Tue, 09 Mar 2021 01:56:46 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1c PHP/7.3.7
X-Powered-By: PHP/7.3.7
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
POST
200
http://18.157.168.193/index.php
REQUEST
RESPONSE
BODY
POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 18.157.168.193
Content-Length: 3070
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Tue, 09 Mar 2021 01:56:54 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1c PHP/7.3.7
X-Powered-By: PHP/7.3.7
Content-Length: 5
Content-Type: text/html; charset=UTF-8
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.101:49205 -> 18.157.168.193:80 | 2025885 | ET MALWARE AZORult Variant.4 Checkin M2 | Malware Command and Control Activity Detected |
| TCP 192.168.56.101:49205 -> 18.157.168.193:80 | 2018358 | ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 | Potentially Bad Traffic |
| TCP 192.168.56.101:49198 -> 142.250.199.68:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.101:49201 -> 204.79.197.200:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 18.157.168.193:80 -> 192.168.56.101:49205 | 2029139 | ET MALWARE AZORult v3.2 Server Response M1 | Malware Command and Control Activity Detected |
| TCP 192.168.56.101:49208 -> 18.157.168.193:80 | 2018358 | ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 | Potentially Bad Traffic |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.101:49198 142.250.199.68:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=www.google.com | f9:97:99:ce:ba:c4:fa:12:4e:9f:5d:44:b2:0b:89:44:57:9f:dd:55 |
|
TLSv1 192.168.56.101:49201 204.79.197.200:443 |
C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | CN=www.bing.com | dc:c1:ac:40:22:1b:57:e3:9b:c9:2e:d2:eb:9b:a4:53:07:7f:62:f4 |
Snort Alerts
No Snort Alerts