Analysis

Category Package Started Completed Duration
PCAP 2018-12-20 12:02:54 2018-12-20 12:02:54 0 seconds

MalScore

0.0

Benign


Signatures

No signatures

Hosts

Direct IP Country Name
N 80.209.225.162 Lithuania
Y 8.8.8.8 United States
Y 74.125.160.39 United States
Y 216.58.208.238 United States
N 104.86.111.161 Netherlands
N 104.86.111.136 Netherlands
N 104.86.110.88 Netherlands
Y ff02::1:3 unknown
Y ff02::1:2 unknown

DNS

Name Response Post-Analysis Lookup
my1xbet.top A 80.209.225.162
isrg.trustid.ocsp.identrust.com CNAME isrg.trustid.ocsp.identrust.com.edgesuite.net
  A 104.86.110.240
  CNAME a279.dscq.akamai.net
  A 104.86.111.161
ocsp.int-x3.letsencrypt.org CNAME a771.dscq.akamai.net
  A 104.86.111.136
  CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net
  A 104.86.111.176
crl.microsoft.com A 104.86.110.73
  A 104.86.110.88
  CNAME crl.www.ms.akadns.net
  CNAME a1363.dscg.akamai.net

TCP

Source Source Port Destination Destination Port
192.168.56.25 56531 104.86.110.88 crl.microsoft.com 80
192.168.56.25 56517 104.86.111.136 ocsp.int-x3.letsencrypt.org 80
192.168.56.25 56516 104.86.111.161 isrg.trustid.ocsp.identrust.com 80
192.168.56.25 56508 216.58.208.238 80
192.168.56.25 56510 74.125.160.39 80
192.168.56.25 56515 80.209.225.162 my1xbet.top 443
192.168.56.25 56518 80.209.225.162 my1xbet.top 443
192.168.56.25 56519 80.209.225.162 my1xbet.top 443
192.168.56.25 56520 80.209.225.162 my1xbet.top 443
192.168.56.25 56521 80.209.225.162 my1xbet.top 443
192.168.56.25 56522 80.209.225.162 my1xbet.top 443
192.168.56.25 56523 80.209.225.162 my1xbet.top 443
192.168.56.25 56524 80.209.225.162 my1xbet.top 443
192.168.56.25 56525 80.209.225.162 my1xbet.top 443
192.168.56.25 56526 80.209.225.162 my1xbet.top 443
192.168.56.25 56527 80.209.225.162 my1xbet.top 443
192.168.56.25 56528 80.209.225.162 my1xbet.top 443
192.168.56.25 56529 80.209.225.162 my1xbet.top 443

UDP

Source Source Port Destination Destination Port
fe80::4018:743c:e40c:5248 546 ff02::1:2 547
fe80::4018:743c:e40c:5248 63523 ff02::1:3 5355
fe80::4018:743c:e40c:5248 60394 ff02::1:3 5355
fe80::4018:743c:e40c:5248 54597 ff02::1:3 5355
fe80::4018:743c:e40c:5248 55917 ff02::1:3 5355
fe80::4018:743c:e40c:5248 55679 ff02::1:3 5355
192.168.56.25 57099 224.0.0.252 5355
192.168.56.25 58455 224.0.0.252 5355
192.168.56.25 60123 224.0.0.252 5355
192.168.56.25 62147 224.0.0.252 5355
192.168.56.25 65211 224.0.0.252 5355
192.168.56.25 49938 8.8.8.8 53
192.168.56.25 62599 8.8.8.8 53
192.168.56.25 63195 8.8.8.8 53
192.168.56.25 64907 8.8.8.8 53

HTTP Requests

URI Data
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: isrg.trustid.ocsp.identrust.com

http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgQT9cPV5YjtEiY3GmA1dSsBxw%3D%3D
GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgQT9cPV5YjtEiY3GmA1dSsBxw%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.int-x3.letsencrypt.org

http://crl.microsoft.com/pki/crl/products/tspca.crl
GET /pki/crl/products/tspca.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 24 May 2014 05:04:54 GMT
If-None-Match: "8ab194b3d77cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Suricata Extracted Files

No dropped Suricata extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.56.25 56515 80.209.225.162 my1xbet.top 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.56.25 56518 80.209.225.162 my1xbet.top 443 1d095e68489d3c535297cd8dffb06cb9 Non-Specific Microsoft Socket, Malware Test FP: brazil-malspam-pushes-banload, dhl-malspam-traffic, post-infection-traffic-from-terror-ek-payload, contract-malspam-traffic, cryptowall-traffic, fake-font-update-for-chrome, phishing-malware-run-on-vm, fiesta-ek-post-infection-and-click-fraud-traffic, phishing-malware-sandbox-analysis, angler-ek-traffic, goon-ek-traffic, magnitude-ek-traffic, brazil-malspam-solicitacao-de-orcamento-traffic-example, cryptowall-infection-on-vm, nuclear-ek-traffic, zeus-panda-banker-malspam-traffic, traffic-analysis-pop-quiz, netflix-phishing-traffic, malspam-pushing-remcosrat, sweet-orange-ek-traffic, brazil-malspam-traffic, eitest-hoelflertext-popup-sends-netsupport-manager-rat, eitest-hoeflertext-popup-sends-netsupport-rat, th-run-seamless-rig-ek-sends-ramnit-with-post-infection-traffic, nuclear-ek-from-my-infected-vm, fake-nf-e-malspam-traffic, fake-netflix-login-page-traffic-1st-run, payment-slip-malspam-traffic, rig-ek-traffic, malspam-pushing-smoke-loader, brazil-malspam-traffic-example, smoke-loader-traffic, phishing-malware-run-in-a-vm, boleto-malspam-traffic, infinity-ek-traffic
192.168.56.25 56524 80.209.225.162 my1xbet.top 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic

Dropped Files

No dropped files.

CAPE Files

No CAPE files.

Process Dumps

No process dumps.

Processing ( 0.058 seconds )

  • 0.052 NetworkAnalysis
  • 0.004 AnalysisInfo
  • 0.001 BehaviorAnalysis
  • 0.001 Debug

Signatures ( 0.041 seconds )

  • 0.007 antiav_detectreg
  • 0.004 ransomware_files
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 ransomware_extensions
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail
  • 0.001 ie_martian_children
  • 0.001 network_torgateway

Reporting ( 0.0 seconds )

Task ID 27820
Mongo ID 5c1b8894f28488050bd94320
Cuckoo release 1.3-CAPE