Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| No hosts contacted. | ||
- TCP Requests
- UDP Requests
-
-
192.168.56.101:62324 164.124.101.2:53
-
192.168.56.101:137 192.168.56.255:137
-
192.168.56.101:138 192.168.56.255:138
-
192.168.56.101:49152 239.255.255.250:3702
-
192.168.56.101:62325 239.255.255.250:3702
-
192.168.56.101:62445 239.255.255.250:1900
-
192.168.56.101:62447 239.255.255.250:3702
-
192.168.56.101:62449 239.255.255.250:3702
-
52.231.114.183:123 192.168.56.101:123
-
GET
200
https://35.166.81.240/waters/travel/new21
REQUEST
RESPONSE
BODY
GET /waters/travel/new21 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0
update: /waters/travel/new21
Host: 35.166.81.240
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Content-Type: application/octet-stream
Content-Length: 123392
Connection: keep-alive
Date: 2021-03-23 01:49:55
X-Tag: 2
Set-Cookie: pulled=8lQm3P5yWg7DU78W1C4D1X_wFbDbNk-DDYOh-yd-U-e75Drr-R3I3SRDkJxZONuKeStN6Ie55PLmzXHTKAVVd5yztx6lyt86DD_s5TphgwseclFjRSIMvv4ZvB0LghgIAHf4g59oRxijaAgmLuzorxfIDvfzcUCLQhEezcdl_ZCNVnuFboHYDAaPlctI9_RWiuuX02b29CdPHrjZbKobUyTQ_7j7a_KAVHJ79Mio2ZW4Uyug2xNDjujVlMW96TuA
Set-Cookie: allocated=qaQUtT2TVca5rp0jccur%2Fzbguwz%2F%2BaWz%2FJt2OqPUT9X3eyB1FutryBSxCiyECX85sX16SwK%2FaKqVKdlARbtwHDQmt2lCej%2BM3nerN%2Bj%2F8nXHH89bXYTvTZh0US6GPnn0
Set-Cookie: dSID=616926
Set-Cookie: xPid=tlapHz21u6CMzpn3QaK3aHoN0dHwlArwr4adKy3F-24gg4MrhEoJudJhHpWdNkNNkHQM2hcZOvqmYVq2tlHCCltaR-biEiQA7zzH1IZ6aWzn36zYyyVfwB91WJ25CSe5QlN13ecS3rQhVIUGfScnty2RRtHjFWtYeLSEVe5AFHFFGOTTLIN7WubbafVluM5J_M6g5veLtn_NZW-0pX-L1PUfOIFMLaMEtHkXvIdQzWvB1fNjw4e60S7un56uXDQM
Set-Cookie: blocked=false
Set-Cookie: sharp04=829462
Vary: Accept
Pragma: public
Accept-Ranges: bytes
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Content-Disposition: attachment; filename="inLT53ZYyQv8HRqqpERb"
ICMP traffic
| Source | Destination | ICMP Type | Data |
|---|---|---|---|
| 192.168.56.101 | 8.8.7.7 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
| 192.168.56.101 | 8.8.7.7 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
| 192.168.56.101 | 8.8.7.7 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
| 192.168.56.101 | 8.8.7.7 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
| 192.168.56.101 | 8.8.7.7 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
| 192.168.56.101 | 8.8.7.7 | 8 | abcdefghijklmnopqrstuvwabcdefghi |
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.101:49213 -> 35.166.81.240:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic |
| TCP 35.166.81.240:443 -> 192.168.56.101:49213 | 2023476 | ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | A Network Trojan was detected |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.101:49213 35.166.81.240:443 |
C=AT, ST=Bohn, L=Bohn, O=Amadey TM, OU=Amadey Org, CN=amadeamadey.at | C=AT, ST=Bohn, L=Bohn, O=Amadey TM, OU=Amadey Org, CN=amadeamadey.at | db:43:d0:55:5c:42:2f:4a:67:c8:eb:0d:da:a9:e7:13:22:8f:d9:28 |
Snort Alerts
No Snort Alerts