Analysis

Category Package Started Completed Duration
PCAP 2020-04-21 15:30:14 2020-04-21 15:30:14 0 seconds

Signatures

Created network traffic indicative of malicious activity
signature: ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection

Hosts

No hosts contacted.

DNS

No domains contacted.


Sorry! No behavior.

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-04-09 16:31:15.997 192.168.241.247 57003 207.154.225.43 1433 TCP 1 2001583 16 ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection Misc activity 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-04-09 16:29:13.171 192.168.241.247 49339 50.16.245.226 443 OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.ipify.org a8:ec:3c:8e:03:51:58:e5:a9:c0:b5:fe:8c:d1:b4:ec:ed:4c:09:a9 TLSv1

Suricata HTTP

Timestamp Source IP Source Port Destination IP Destination Port Method Status Hostname URI Content Type User Agent Referrer Length
2020-04-09 16:28:10.953 192.168.241.247 49325 66.42.43.37 80 200 t.awcna.com /mail.jsp?1*u0x1cc2*u0x1cc2-PC application/octet-stream None None 3178
2020-04-09 16:28:19.114 192.168.241.247 49328 66.42.43.37 80 200 t.awcna.com /x.js application/javascript None None 2732
2020-04-09 16:28:19.602 192.168.241.247 49328 66.42.43.37 80 200 t.awcna.com /x.jsp?mail_20200409?HAPUBWS-PC&424615AC-906A-8A4B-9F9B-ACD0FD5406A6&6A:1E:01:EB:17:D3&6.1.7601&32&1586456984.68138 application/octet-stream Lemon-Duck-JKjmItL8ZN-kgsHTI0Gp None 7765
2020-04-09 16:28:22.444 192.168.241.247 49328 66.42.43.37 80 None t.awcna.com /report.jsp?HAPUBWS-PC&424615AC-906A-8A4B-9F9B-ACD0FD5406A6&6A:1E:01:EB:17:D3&7%20Professional%20_6.1.7601&0&HAPUBWS-PC$&WORKGROUP&&VirtualBox%20Graphics%20Adapter&0&1&&&&&&4374.296&158645698&0.1 None Lemon-Duck-JKjmItL8ZN-kgsHTI0Gp None 0
2020-04-09 16:28:23.036 192.168.241.247 49330 207.154.225.82 80 200 207.154.225.82 /if.bin?HAPUBWS-PC&424615AC-906A-8A4B-9F9B-ACD0FD5406A6&6A:1E:01:EB:17:D3 application/octet-stream None None 49373
2020-04-09 16:28:23.036 192.168.241.247 49330 207.154.225.82 80 None None /libhtp::request_uri_not_seen None None None 0
2020-04-09 16:28:23.176 192.168.241.247 49331 207.154.225.82 80 200 207.154.225.82 /if_mail.bin?HAPUBWS-PC&424615AC-906A-8A4B-9F9B-ACD0FD5406A6&6A:1E:01:EB:17:D3&7%20Professional%20_6.1.7601&0&HAPUBWS-PC$&WORKGROUP&&VirtualBox%20Graphics%20Adapter&0&1&&&&&&4374.296&158645698&0.1 application/octet-stream Lemon-Duck-JKjmItL8ZN-kgsHTI0Gp None 34001
2020-04-09 16:28:26.677 192.168.241.247 49332 23.211.108.26 80 200 ctldl.windowsupdate.com /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d048f45186e299e0 application/vnd.ms-cab-compressed Microsoft-CryptoAPI/6.1 None 6894
2020-04-09 16:28:29.415 192.168.241.145 49477 192.168.241.247 5357 200 192.168.241.247 /733c94c5-cebb-4f98-a75f-22a797d1d50b/ application/soap+xml WSDAPI None 3999
2020-04-09 16:28:29.841 192.168.241.227 49234 192.168.241.247 5357 None None /libhtp::request_uri_not_seen None None None 0
2020-04-09 16:28:30.008 192.168.241.143 49317 192.168.241.247 5357 None None /libhtp::request_uri_not_seen None None None 0
2020-04-09 16:28:30.434 192.168.241.247 49333 192.168.241.145 5357 200 192.168.241.145 /733c94c5-cebb-4f98-a75f-22a797d1d50b/ application/soap+xml WSDAPI None 3999
2020-04-09 16:28:31.026 192.168.241.230 49392 192.168.241.247 5357 200 192.168.241.247 /733c94c5-cebb-4f98-a75f-22a797d1d50b/ application/soap+xml WSDAPI None 3999
2020-04-09 16:28:32.654 192.168.241.227 49234 192.168.241.247 5357 None 192.168.241.247 /733c94c5-cebb-4f98-a75f-22a797d1d50b/ None WSDAPI None 0
2020-04-09 16:28:32.764 192.168.241.143 49317 192.168.241.247 5357 None 192.168.241.247 /733c94c5-cebb-4f98-a75f-22a797d1d50b/ None WSDAPI None 0
2020-04-09 16:28:35.569 192.168.241.247 49334 192.168.241.140 5357 200 192.168.241.140 /733c94c5-cebb-4f98-a75f-22a797d1d50b/ application/soap+xml WSDAPI None 3999
2020-04-09 16:28:41.492 192.168.241.247 49335 66.42.43.37 80 200 gcjzlxih.jp /w.js application/javascript None None 2732
2020-04-09 16:28:43.661 192.168.241.247 49335 66.42.43.37 80 200 gcjzlxih.jp /w.jsp?mail_20200409?HAPUBWS-PC&424615AC-906A-8A4B-9F9B-ACD0FD5406A6&6A:1E:01:EB:17:D3&6.1.7601&32&1586457051.29075 application/octet-stream Lemon-Duck-IrvOXkLld9f-GmyCXBw None 7765
2020-04-09 16:28:49.115 192.168.241.247 49335 66.42.43.37 80 200 gcjzlxih.jp /report.jsp?HAPUBWS-PC&424615AC-906A-8A4B-9F9B-ACD0FD5406A6&6A:1E:01:EB:17:D3&7%20Professional%20_6.1.7601&0&HAPUBWS-PC$&WORKGROUP&&VirtualBox%20Graphics%20Adapter&0&1&df5c8f&&&&&4401.203&158645705&0.1 application/octet-stream Lemon-Duck-IrvOXkLld9f-GmyCXBw None 2517
2020-04-09 16:29:14.357 192.168.241.83 49385 192.168.241.247 5357 200 192.168.241.247 /733c94c5-cebb-4f98-a75f-22a797d1d50b/ application/soap+xml WSDAPI None 3999
2020-04-09 16:29:43.259 192.168.241.247 49340 192.168.241.83 5357 200 192.168.241.83 /733c94c5-cebb-4f98-a75f-22a797d1d50b/ application/soap+xml WSDAPI None 3999
2020-04-09 16:29:47.391 192.168.241.230 49404 192.168.241.247 5357 200 192.168.241.247 /733c94c5-cebb-4f98-a75f-22a797d1d50b/ application/soap+xml WSDAPI None 3999
2020-04-09 16:29:47.402 192.168.240.53 49312 192.168.241.247 5357 200 192.168.241.247 /733c94c5-cebb-4f98-a75f-22a797d1d50b/ application/soap+xml WSDAPI None 3999
2020-04-09 16:29:47.411 192.168.241.247 49341 192.168.241.74 5357 200 192.168.241.74 /733c94c5-cebb-4f98-a75f-22a797d1d50b/ application/soap+xml WSDAPI None 3999
2020-04-09 16:29:48.654 192.168.241.74 49239 192.168.241.247 5357 200 192.168.241.247 /733c94c5-cebb-4f98-a75f-22a797d1d50b/ application/soap+xml WSDAPI None 3999
2020-04-09 16:29:49.200 192.168.241.190 52340 192.168.241.247 5357 200 192.168.241.247 /733c94c5-cebb-4f98-a75f-22a797d1d50b/ application/soap+xml WSDAPI None 3999
2020-04-09 16:29:49.256 192.168.241.232 49296 192.168.241.247 5357 200 192.168.241.247 /733c94c5-cebb-4f98-a75f-22a797d1d50b/ application/soap+xml WSDAPI None 3999
2020-04-09 16:30:36.493 192.168.241.148 49291 192.168.241.247 5357 200 192.168.241.247 /733c94c5-cebb-4f98-a75f-22a797d1d50b/ application/soap+xml WSDAPI None 3999
2020-04-09 16:31:22.211 192.168.241.189 49411 192.168.241.247 5357 200 192.168.241.247 /733c94c5-cebb-4f98-a75f-22a797d1d50b/ application/soap+xml WSDAPI None 3999
2020-04-09 16:31:22.541 192.168.241.247 49338 207.154.225.82 80 None 207.154.225.82 /report.json?type=mail&u=&c1=0&c2=0&c3=0 None None None 0
2020-04-09 16:31:25.194 192.168.241.189 49414 192.168.241.247 5357 200 192.168.241.247 /733c94c5-cebb-4f98-a75f-22a797d1d50b/ application/soap+xml WSDAPI None 3999

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 5.825 seconds )

  • 5.322 Suricata
  • 0.478 CAPE
  • 0.015 AnalysisInfo
  • 0.005 BehaviorAnalysis
  • 0.005 Debug

Signatures ( 0.053 seconds )

  • 0.011 ransomware_files
  • 0.007 antiav_detectreg
  • 0.006 ransomware_extensions
  • 0.004 antiav_detectfile
  • 0.003 persistence_autorun
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_ftp
  • 0.002 antianalysis_detectfile
  • 0.002 antivm_vbox_files
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.001 kibex_behavior
  • 0.001 tinba_behavior
  • 0.001 antianalysis_detectreg
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_browser_warn
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes

Reporting ( 1.788 seconds )

  • 1.788 PCAP2CERT