Analysis

Category Package Started Completed Duration
PCAP 2019-12-02 00:09:16 2019-12-02 00:09:16 0 seconds

MalScore

0.0

Benign


Signatures

No signatures

Hosts

Direct IP Country Name
N 212.103.175.10 Egypt
N 185.199.109.154 Netherlands
N 151.101.240.133 United States
Y 148.72.150.250 United States
N 140.82.118.3 United States
Y ff02::1:ff89:3db unknown
Y ff02::16 unknown
Y ff02::2 unknown

DNS

Name Response Post-Analysis Lookup
github.com A 140.82.118.3
github.com
github.githubassets.com A 185.199.108.154
A 185.199.111.154
A 185.199.109.154
A 185.199.110.154
github.githubassets.com
avatars1.githubusercontent.com CNAME github.map.fastly.net
A 151.101.240.133
avatars1.githubusercontent.com
camo.githubusercontent.com
camo.githubusercontent.com
raw.githubusercontent.com
raw.githubusercontent.com
holmes.PassSafe.com
holmes.PassSafe.com
local NXDOMAIN
detectportal.firefox.com A 212.103.175.24
A 212.103.175.10
detectportal.firefox.com AAAA 2001:41a8:44:3::4f8c:501b
CNAME detectportal.firefox.com-v2.edgesuite.net
CNAME detectportal.prod.mozaws.net
CNAME a1089.dscd.akamai.net
AAAA 2001:41a8:44:3::4f8c:5010

TCP

Source Source Port Destination Destination Port
10.0.2.15 60640 140.82.118.3 github.com 443
10.0.2.15 60654 140.82.118.3 github.com 443
10.0.2.15 60656 140.82.118.3 github.com 443
10.0.2.15 60658 140.82.118.3 github.com 443
10.0.2.15 51454 148.72.150.250 443
10.0.2.15 59478 151.101.240.133 avatars1.githubusercontent.com 443
10.0.2.15 59480 151.101.240.133 avatars1.githubusercontent.com 443
10.0.2.15 59482 151.101.240.133 avatars1.githubusercontent.com 443
10.0.2.15 59484 151.101.240.133 avatars1.githubusercontent.com 443
10.0.2.15 59492 151.101.240.133 avatars1.githubusercontent.com 443
10.0.2.15 59494 151.101.240.133 avatars1.githubusercontent.com 443
10.0.2.15 54400 185.199.109.154 github.githubassets.com 443
10.0.2.15 54402 185.199.109.154 github.githubassets.com 443
10.0.2.15 38064 212.103.175.10 detectportal.firefox.com 80
10.0.2.15 38090 212.103.175.10 detectportal.firefox.com 80
192.168.56.1 60270 192.168.56.101 80
192.168.56.1 60271 192.168.56.101 80
192.168.56.1 60273 192.168.56.101 80
192.168.56.1 60274 192.168.56.101 80
192.168.56.1 60275 192.168.56.101 80
192.168.56.1 60276 192.168.56.101 80
192.168.56.1 60277 192.168.56.101 80
192.168.56.1 60278 192.168.56.101 80
192.168.56.1 60279 192.168.56.101 80
192.168.56.1 60280 192.168.56.101 80
192.168.56.1 60281 192.168.56.101 80
192.168.56.1 60282 192.168.56.101 80
192.168.56.1 60283 192.168.56.101 80
192.168.56.1 60284 192.168.56.101 80
192.168.56.1 60285 192.168.56.101 80
192.168.56.1 60286 192.168.56.101 80
192.168.56.1 60287 192.168.56.101 80
192.168.56.1 60289 192.168.56.101 80
192.168.56.1 60290 192.168.56.101 80
192.168.56.1 60291 192.168.56.101 80
192.168.56.1 60298 192.168.56.101 21
192.168.56.1 60299 192.168.56.101 17071
192.168.56.1 60300 192.168.56.101 39718
192.168.56.1 60301 192.168.56.101 11961

UDP

Source Source Port Destination Destination Port
0.0.0.0 68 255.255.255.255 67
10.0.2.15 33834 192.168.1.1 53
10.0.2.15 34557 192.168.1.1 53
10.0.2.15 36593 192.168.1.1 53
10.0.2.15 39982 192.168.1.1 53
10.0.2.15 40475 192.168.1.1 53
10.0.2.15 42863 192.168.1.1 53
10.0.2.15 44282 192.168.1.1 53
10.0.2.15 46587 192.168.1.1 53
10.0.2.15 52057 192.168.1.1 53
10.0.2.15 54367 192.168.1.1 53
10.0.2.15 54383 192.168.1.1 53
10.0.2.15 55191 192.168.1.1 53
10.0.2.15 59108 192.168.1.1 53
10.0.2.2 67 10.0.2.15 68
10.0.2.2 67 255.255.255.255 68
192.168.56.1 50959 192.168.56.101 53
192.168.56.1 50960 192.168.56.101 53
192.168.56.100 67 255.255.255.255 68

HTTP Requests

URI Data
http://holmes.safepass.com/QWxtb3N0VGhlcmVKdXN0cGFzcw==
GET /QWxtb3N0VGhlcmVKdXN0cGFzcw== HTTP/1.1
Host: holmes.safepass.com
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

http://holmes.safepass.com/cVNGVXFaV3pNWG5CckJTY3E=
GET /cVNGVXFaV3pNWG5CckJTY3E= HTTP/1.1
Host: holmes.safepass.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

http://holmes.safepass.com/MjAwQ29kZW1lYW5zPw==
GET /MjAwQ29kZW1lYW5zPw== HTTP/1.1
Host: holmes.safepass.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

http://holmes.safepass.com/QXV0b3NweVdhdHNvbg==
GET /QXV0b3NweVdhdHNvbg== HTTP/1.1
Host: holmes.safepass.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

http://holmes.safepass.com/QXV0b3NweUhvbG1lcw==
GET /QXV0b3NweUhvbG1lcw== HTTP/1.1
Host: holmes.safepass.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

http://holmes.safepass.com/QyJdXyt1ajxfLmZLUWs9U1k=
GET /QyJdXyt1ajxfLmZLUWs9U1k= HTTP/1.1
Host: holmes.safepass.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

http://holmes.safepass.com/aFNZdldEc0NrVWVySFlOdXE=
GET /aFNZdldEc0NrVWVySFlOdXE= HTTP/1.1
Host: holmes.safepass.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

http://holmes.safepass.com/SEZzTU13Q1BZTkhSU3BEcGo=
GET /SEZzTU13Q1BZTkhSU3BEcGo= HTTP/1.1
Host: holmes.safepass.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

http://holmes.safepass.com/NWJIV3B6MmFmN3RUUHpWNVI=
GET /NWJIV3B6MmFmN3RUUHpWNVI= HTTP/1.1
Host: holmes.safepass.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
If-None-Match: "5-592dadf4793dc"
If-Modified-Since: Wed, 18 Sep 2019 21:53:50 GMT

http://holmes.safepass.com/SG9sbWVzJldhdHNvblBhc3M=
GET /SG9sbWVzJldhdHNvblBhc3M= HTTP/1.1
Host: holmes.safepass.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

http://holmes.safepass.com/Q2Fpcm9TZWN1cml0eUNhbXA=
GET /Q2Fpcm9TZWN1cml0eUNhbXA= HTTP/1.1
Host: holmes.safepass.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

http://holmes.safepass.com/U2hlcmxva0hvbG1lczI=
GET /U2hlcmxva0hvbG1lczI= HTTP/1.1
Host: holmes.safepass.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

http://holmes.safepass.com/UGFzczJyZFNvbHZlMjI=
GET /UGFzczJyZFNvbHZlMjI= HTTP/1.1
Host: holmes.safepass.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

http://holmes.safepass.com/Qy8tdHQ6KytIa2tCVWhkZyQ=
GET /Qy8tdHQ6KytIa2tCVWhkZyQ= HTTP/1.1
Host: holmes.safepass.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

http://holmes.safepass.com/Yzs3WnFqTkBSbi1bZiRZJA==
GET /Yzs3WnFqTkBSbi1bZiRZJA== HTTP/1.1
Host: holmes.safepass.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

http://holmes.safepass.com/JiFzbndCQEdtWVR+a1Y5XTYl
GET /JiFzbndCQEdtWVR+a1Y5XTYl HTTP/1.1
Host: holmes.safepass.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

http://detectportal.firefox.com/success.txt
GET /success.txt HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data
192.168.56.101 192.168.56.1 3
192.168.56.101 192.168.56.1 3

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
10.0.2.15 60640 140.82.118.3 github.com 443 2699b84e0d3de6dfa570e9b160d02409 unknown
10.0.2.15 60654 140.82.118.3 github.com 443 2699b84e0d3de6dfa570e9b160d02409 unknown
10.0.2.15 60656 140.82.118.3 github.com 443 2699b84e0d3de6dfa570e9b160d02409 unknown
10.0.2.15 60658 140.82.118.3 github.com 443 2699b84e0d3de6dfa570e9b160d02409 unknown
10.0.2.15 59478 151.101.240.133 avatars1.githubusercontent.com 443 10ed84409cde78ad0c8e2dc45e455405 unknown
10.0.2.15 59480 151.101.240.133 avatars1.githubusercontent.com 443 10ed84409cde78ad0c8e2dc45e455405 unknown
10.0.2.15 59482 151.101.240.133 avatars1.githubusercontent.com 443 10ed84409cde78ad0c8e2dc45e455405 unknown
10.0.2.15 59484 151.101.240.133 avatars1.githubusercontent.com 443 10ed84409cde78ad0c8e2dc45e455405 unknown
10.0.2.15 59492 151.101.240.133 avatars1.githubusercontent.com 443 55e67872cb9fde018f845d0006ddd2ab unknown
10.0.2.15 54400 185.199.109.154 github.githubassets.com 443 10ed84409cde78ad0c8e2dc45e455405 unknown
10.0.2.15 54402 185.199.109.154 github.githubassets.com 443 10ed84409cde78ad0c8e2dc45e455405 unknown

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 0.406 seconds )

  • 0.224 CAPE
  • 0.176 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.047 seconds )

  • 0.008 ransomware_files
  • 0.007 antiav_detectreg
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 ransomware_extensions
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail
  • 0.001 ie_martian_children
  • 0.001 masquerade_process_name
  • 0.001 network_torgateway
  • 0.001 recon_checkip

Reporting ( 0.0 seconds )

Task ID 115098
Mongo ID 5de4562ecc55ef79ed47193f
Cuckoo release 1.3-CAPE