{ "sig": { "source": "STI-PreProd", "sid": 1003120103, "updated": "2024-09-13", "version": 0, "created": "2024-07-20" }, "@version": "1", "@timestamp": "2025-07-19T07:53:35.630Z", "in_iface": "tppdummy0", "dest_port": 443, "net_info": { "src_agg": "private-class-a.internet", "dest": [ "Internet" ], "dest_agg": "internet", "src": [ "Internet", "Private class A" ] }, "timestamp": "2025-07-19T09:53:35.630517+0200", "alert": { "signature": "SN DGA SNI high random .org", "lateral": "internet", "category": "Potential Corporate Privacy Violation", "gid": 2, "action": "allowed", "rev": 4, "metadata": { "created_at": [ "2024_07_20" ], "dga_asset": [ "src_ip" ], "provider": [ "Stamus" ], "dga_key": [ "tls.sni" ], "signature_severity": [ "Critical" ], "stamus_type": [ "doc" ], "updated_at": [ "2024_09_13" ], "stamus_classification": [ "dga_high_random" ] }, "source": { "net_info_agg": "internet", "net_info": [ "Internet" ], "port": 443, "ip": "95.211.174.92" }, "signature_id": 1003120103, "severity": 1, "target": { "net_info_agg": "private-class-a.internet", "net_info": [ "Private class A", "Internet" ], "port": 49446, "ip": "10.10.31.102" } }, "log": { "file": { "path": "/var/log/suricata/eve-nsm-1.json" }, "offset": 694194074 }, "dest_ip": "95.211.174.92", "capture_file": "/var/log/suricata/pcaps//log-1752898828-3.pcap", "logger": "logstash-manager", "host": "discord-probe", "tls": { "sni": "3ch2jctqf4pa.org", "notbefore": "2016-05-23T00:12:05", "subject": "C=US, ST=Ayy Lmao, O=Sinkhole Party, CN=sinkhole", "serial": "00:B8:07:7A:24:81:26:8A:CE", "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "ja3": { "agent": [ "Malware Test FP: eitest-rig-ek-3rd-run, rig-ek-sends-cerber-ransomware-after-southcoastdrones.com.au, boleto-malspam-infection-traffic, eitest-rig-ek-sends-vawtrak, eitest-rig-ek-5th-run, malspam-traffic", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2306.97 Safari/537.36", "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" ], "string": "771,49192-49191-49172-49171-159-158-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-10-11-13-23-65281,23-24-25,0", "hash": "3b483d0b34894548b602e8d18cdc24c5", "agent_count": 3 }, "notafter": "2017-05-23T00:12:05", "cipher_security": "degraded", "ja3s": { "hash": "9099266b09da09a1d9e1839ae9ad5682", "string": "771,49192,65281-11" }, "issuerdn": "C=US, ST=Ayy Lmao, O=Sinkhole Party, CN=sinkhole", "ja4": "t12d260600_e99a3d2b2b8b_e92d56a09595", "version": "TLS 1.2", "fingerprint": "dd:d5:a8:92:7e:3a:74:79:2b:c7:06:d4:aa:97:99:c9:ac:d8:d4:e0" }, "type": "json-log", "hostname_info": { "host": "3ch2jctqf4pa.org", "tld": "org", "domain_without_tld": "3ch2jctqf4pa", "subdomain": "", "url": "3ch2jctqf4pa.org", "domain": "3ch2jctqf4pa.org" }, "src_ip": "10.10.31.102", "event_type": "stamus", "metadata": { "flowbits": [ "stamus.dga" ] }, "community_id": "1:eD4tlD0kUYeBQflEQwf0pT6F9Ic=", "packet_info": { "linktype": 1 }, "tx_id": 0, "ether": { "src_mac": "00:08:02:1c:47:ae", "dest_mac": "20:e5:2a:b6:93:f1" }, "agent": { "name": "discord-probe", "ephemeral_id": "a5d86292-1abc-4554-8bec-2fa5ef87ca3a", "type": "filebeat", "hostname": "discord-probe", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "version": "7.17.29" }, "pkt_src": "wire/pcap", "proto": "TCP", "input": { "type": "log" }, "flow_id": 2082868959557456, "stamus": { "asset_info": { "event_id": 298304, "incident_id": 113960, "first_seen": "2025-01-28T20:40:07.045733Z", "last_seen": "2025-07-19T07:53:35.990509Z", "kill_chain": "command_and_control", "state": "ongoing" }, "family_id": 3, "pk": 53667, "asset": "10.10.31.102", "family_type": "generic", "threat_name": "Malicious DGA Domain", "offender_type": "ip", "method_id": 1003120103, "family_name": "Generic CnC", "asset_net_info": "private-class-a.internet", "event_id": 298304, "extra_info": null, "asset_type": "ip", "source": "95.211.174.92", "kill_chain": "command_and_control", "threat_id": 1095, "incidents_id": [ 113960 ] }, "stream": 1, "src_port": 49446, "packet": "IOUqtpPxAAgCHEeuCABFAAAoE79AAIAGr3EKCh9mX9OuXMEmAbvJWb4hNvBccFAQ9bmkvQAAAAAAAAAA", "see_id": "6c2b59a0d0f2", "payload_printable": "...........X....`.t...q:.../....2.....@.J.. .{p\r8j..{.@.....'=..'.....|H.....4.(.'.............=.<.5./.,.+.$.#.\n...j.@.8.2.\n.........L.........3ch2jctqf4pa.org.\n.................\r...............................", "see_name": "STS-500-QALAB-SSP", "flow": { "src_port": 49446, "bytes_toclient": 1509, "bytes_toserver": 450, "pkts_toclient": 3, "dest_port": 443, "pkts_toserver": 4, "start": "2025-07-19T09:53:35.550491+0200", "dest_ip": "95.211.174.92", "src_ip": "10.10.31.102" }, "app_proto": "tls", "direction": "to_server", "tags": [ "beats_input_codec_json_applied" ], "uuid": "0b9c49c3-9bc1-4f7e-a43c-49e628091858", "alerted": true, "tenant": 9, "geoip": { "timezone": "Europe/Amsterdam", "coordinate": [ 4.8995, 52.3824 ], "continent_code": "EU", "country_code2": "NL", "country_name": "Netherlands", "latitude": 52.3824, "ip": "95.211.174.92", "country_code3": "NL", "registered_country": { "geoname_id": 2750405, "iso_code": "NL", "name": "Netherlands", "is_in_european_union": true }, "longitude": 4.8995, "continent": { "geoname_id": 6255148, "name": "Europe", "code": "EU" }, "provider": { "autonomous_system_number": 60781, "autonomous_system_organization": "LeaseWeb Netherlands B.V." }, "country": { "geoname_id": 2750405, "iso_code": "NL", "name": "Netherlands", "is_in_european_union": true }, "location": { "lat": 52.3824, "lon": 4.8995 } }, "_id": "bWZRNpgBY5wsHhhkmy53" }