Analysis

Category:   PCAP
Started:    2019-11-04 09:29:39
Completed:  2019-11-04 09:29:39
Duration:   0 seconds

MalScore

1.0

Benign


Signatures

Looks up the external IP address
domain: ipv4bot.whatismyipaddress.com

Hosts

Direct  IP               Country Name
Y       95.211.136.23    Netherlands
N       88.198.32.168    Germany
N       66.171.248.178   United States
Y       51.15.113.84     France
Y       194.109.206.212  Netherlands
Y       193.23.244.244   Germany
Y       154.35.32.5      United States
Y       137.74.19.202    France
N       103.129.222.66   unknown

DNS

Name                           Response           Post-Analysis Lookup
atmacareklame.ch               A 88.198.32.168
kelurahanmojosurakarta.com     A 103.129.222.66
ipv4bot.whatismyipaddress.com  A 66.171.248.178

TCP

Source        Source Port  Destination                                   Destination Port
10.10.15.101  49167        103.129.222.66 (kelurahanmojosurakarta.com)   443
10.10.15.101  49173        137.74.19.202                                 80
10.10.15.101  49170        154.35.32.5                                   443
10.10.15.101  49172        193.23.244.244                                443
10.10.15.101  49171        194.109.206.212                               443
10.10.15.101  49175        51.15.113.84                                  9001
10.10.15.101  49177        66.171.248.178 (ipv4bot.whatismyipaddress.com) 80
10.10.15.101  49159        88.198.32.168 (atmacareklame.ch)              80
10.10.15.101  49174        95.211.136.23                                 443

UDP

Source        Source Port  Destination  Destination Port
10.10.15.101  49800        10.10.15.1   53
10.10.15.101  54918        10.10.15.1   53
10.10.15.101  63653        10.10.15.1   53

HTTP Requests

URI Data
http://atmacareklame.ch/templates/protostar/html/xl/
GET /templates/protostar/html/xl/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: atmacareklame.ch
DNT: 1
Connection: Keep-Alive

http://ipv4bot.whatismyipaddress.com/
GET / HTTP/1.1
Host: ipv4bot.whatismyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Suricata Extracted Files

No dropped Suricata extracted files.

JA3

Source        Source Port  Destination                                   Destination Port  JA3 Hash                          JA3 Description
10.10.15.101  49167        103.129.222.66 (kelurahanmojosurakarta.com)   443               4d7a28d6f2263ed61de88ca66eb011e3  Test FP: Nuclear Exploit Kit, Malware Test FP: brazil-malspam-pushes-banload, eitest-campaign-hoeflertext-popup-traffic, parking-service-malspam-traffic-2nd-run, globeimposter-malspam-traffic, fake-font-update-for-chrome, eitest-tech-support-scam-after-canadoodles.com, rig-ek-sends-qbot-traffic, neutrino-ek-traffic, upatre-dyre-malspam-traffic, cerber-kovter-malspam-traffic, pseudodarkleech-rig-ek-sends-cerber-ransomware, necurs-botnet-malspam-pushes-globeimposter, income-report-malspam-traffic, angler-ek-sends-cryptowall-3.0-traffic, dridex-confirmation-letter-dridex-traffic, contract-malspam-traffic, angler-ek-traffic, malspam-pushing-formbook-info-stealer, kovter-locky-malspam-traffic, portuguese-malspam-traffic, fake-av-page-after-viewing-mitchandgina.com, zeuspandabanker-malspam-traffic, magnitude-ek-traffic, necurs-botnet-malspam-traffic, eitest-campaign-fake-av-page-traffic, java-update-traffic-edited, necurs-botnet-malspam-pushes-globeimposter-traffic, necurs-botnet-malspam-traffic-2nd-run, mole-ransomware-malspam-2nd-attempt-on-a-physical-host, usps-malspam-traffic-2-of-2-panda-banker-only, loki-bot-malspam-traffic, boleto-malspam-infection-from-pdf-attachment, nuclear-ek-from-windigo-group-traffic, brazil-boleto-malspam-traffic, pseudo-darkleech-angler-ek-traffic, neutrino-ek-sends-teslacrypt-2.0-traffic, japanese-malspam-traffic, malspam-email-infected-vm-traffic, portuguese-invoice-malspam-traffic, brazil-malspam-traffic, compromised-site-generates-angler-and-rig-ek-traffic, flashpack-ek-traffic, chanitor-vawtrak-traffic, whatsapp-malspam-traffic, necurs-botnet-malspam-traffic-1st-run, necurs-botnet-malspam-pushes-globeimposter-ransomware, angler-ek-and-ransomware-traffic, eitest-hoeflertext-popup-sends-netsupport-manager-rat, fake-hoeflertext-font-pushes-netsupport-manager-rat, ups-themed-kovter-malspam-traffic, chanitor-vawtrak-malspam-traffic, nuclear-ek-from-my-infected-vm, fake-flash-player-installs-coinminer-malware, malspam-pushing-smoke-loader, brazil-detran-malspam-traffic, brazil-malspam-traffic-example, eitest-campaign-hoeflertext-popup-sends-netsupport-manager-rat, rig-ek-sends-zbot, tt-copy-malspam-traffic, operation-windigo-nuclear-ek-traffic, fiesta-ek-infection-traffic, eitest-angler-ek-sends-panda-banker, emotet-malspam-traffic, nuclear-ek-traffic, eitest-angler-ek-traffic, usps-malspam-sends-exe-file-with-post-infection-traffic, fedex-malspam-traffic, malspam-traffic, boleto-malspam-link-from-email-full-infection, angler-ek-delivers-ransomware, emotet-and-zeus-panda-banker-traffic, hancitor-malspam-traffic, boleto-malspam-traffic, angler-and-magnitude-ek-traffic, brazilian-malspam-traffic
10.10.15.101  49173        137.74.19.202                                 80                1be3ecebe5aa9d3654e6e703d81f6928  Malware Test FP: nuclear-ek-traffic, malspam-traffic
10.10.15.101  49172        193.23.244.244                                443               1be3ecebe5aa9d3654e6e703d81f6928  Malware Test FP: nuclear-ek-traffic, malspam-traffic
10.10.15.101  49171        194.109.206.212                               443               1be3ecebe5aa9d3654e6e703d81f6928  Malware Test FP: nuclear-ek-traffic, malspam-traffic
10.10.15.101  49175        51.15.113.84                                  9001              1be3ecebe5aa9d3654e6e703d81f6928  Malware Test FP: nuclear-ek-traffic, malspam-traffic
10.10.15.101  49174        95.211.136.23                                 443               1be3ecebe5aa9d3654e6e703d81f6928  Malware Test FP: nuclear-ek-traffic, malspam-traffic

Dropped Files

No dropped files.

CAPE Files

No CAPE files.

Process Dumps

No process dumps.

Processing ( 6.261 seconds )

  • 3.82 CAPE
  • 2.432 NetworkAnalysis
  • 0.007 AnalysisInfo
  • 0.002 Debug

Signatures ( 0.097 seconds )

  • 0.016 ransomware_files
  • 0.012 antiav_detectreg
  • 0.006 infostealer_ftp
  • 0.005 antiav_detectfile
  • 0.005 ransomware_extensions
  • 0.004 persistence_autorun
  • 0.004 infostealer_bitcoin
  • 0.004 infostealer_im
  • 0.003 browser_security
  • 0.003 infostealer_mail
  • 0.003 masquerade_process_name
  • 0.003 network_torgateway
  • 0.002 tinba_behavior
  • 0.002 rat_nanocore
  • 0.002 antianalysis_detectfile
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 geodo_banking_trojan
  • 0.002 disables_browser_warn
  • 0.002 ie_martian_children
  • 0.001 betabot_behavior
  • 0.001 cerber_behavior
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 modify_security_center_warnings
  • 0.001 modify_uac_prompt
  • 0.001 persistence_shim_database
  • 0.001 recon_checkip
  • 0.001 recon_fingerprint
  • 0.001 stealth_hiddenreg

Reporting ( 0.0 seconds )

Task ID 104872
Mongo ID 5dbfef8d59d72c39e0d12ef6
Cuckoo release 1.3-CAPE