Thread: Question

#1

    Hi, sorry to be paranoid, but could you please explain why sandbox report shows IP traffic to 4 IPs that are connected to ransomware:

    20.99.132.105:443 (TCP)
    20.99.133.109:443 (TCP)
    20.99.184.37:443 (TCP)
    23.216.147.64:443 (TCP)

Behavior sandbox (link omitted)
4 Ransomware IPs (link omitted)
    Last edited by Tiger; 27-03-2023 at 09:47 PM. Reason: tag

#2
Administrator Tiger

Hello. Those IP addresses aren't malicious. They belong to Akamai and are used by Microsoft to manage traffic to their servers.

Sources: (links omitted)


Most of the time sandboxes collect information per machine and not per application (or process). For example, if another application, which isn't related to the scanned one, creates a network connection to a server, then the DNS name/IP of the server will appear in the report too. They monitor at machine level to avoid missing information, and they have a good reason to do that. To give you a simple example, at process level they would miss some information if a scanned application decided to inject all its malicious code into another application, as they monitor only the scanned application.


Look at this (link omitted); you can find 20.99.132.105, 20.99.184.37 and 23.216.147.64 there. Does it mean that this executable is malicious? Answer: No.

    PS: Socradar.io should validate their IOCs before posting them... all of them, except for that URL, couldn't be considered malicious or IOCs...
    ====== MY RULES =====
    • Do not bother me with private messages (including Steam or Facebook) related to WarGods Cheat Defender unless I have specifically asked you to do so. If you have an issue or question, please use the search function first. Only post on the forum if you cannot find anything useful.
    • Always provide the necessary information. Read the request model carefully before posting. Do not write lengthy stories in your post as I don't have time to read them. Just include the required information.
    • Keep in mind this is a free service. I have limited free time and other important priorities. Do not bother me if I haven't replied to your topic within an hour. Only remind me about your topic/PM if I haven't responded within a week. I try to resolve all issues once or twice a week or whenever I am free.
    *************************
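The two points in the answer above (a machine-level sandbox records traffic from every process, and an IOC list must be validated against known-benign infrastructure before it means anything) can be turned into a small triage step. The script below is an added example and is not code from the forum post or from any sandbox vendor: it parses a constructed machine-level network log, attributes each connection to the process that made it, matches destinations against the four addresses quoted in the thread, and downgrades hits that fall inside prefixes assumed here to belong to Microsoft and Akamai. The log lines, process names and the prefix allowlist are constructed for illustration; prefix ownership must be confirmed against current WHOIS/ASN data before it is relied on.

```python
"""
Triage of sandbox network connections: attribute each connection to the
process that made it, check destinations against an IOC list, and flag
IOC hits that sit inside well-known CDN/cloud ranges for validation.

Added example, not code from the forum thread. Log lines, process names
and the prefix allowlist are constructed; the IOC list is the four
addresses quoted in the thread.
"""
import ipaddress
from collections import defaultdict

# The four addresses the questioner's sandbox report showed (from the thread).
IOC_LIST = {
    "20.99.132.105",
    "20.99.133.109",
    "20.99.184.37",
    "23.216.147.64",
}

# Assumed-benign infrastructure prefixes (constructed for this example).
# The thread attributes this traffic to Akamai/Microsoft traffic management;
# verify each prefix with WHOIS/ASN data before treating it as benign.
KNOWN_CDN_PREFIXES = {
    "20.99.0.0/16": "Microsoft",
    "23.216.0.0/16": "Akamai",
}
_NETS = [(ipaddress.ip_network(p), who) for p, who in KNOWN_CDN_PREFIXES.items()]

# Constructed sample of a machine-level sandbox network log:
# pid, process image, destination, port, protocol
SAMPLE_LOG = """\
1234 sample.exe 93.184.216.34 80 TCP
2210 svchost.exe 20.99.132.105 443 TCP
2210 svchost.exe 20.99.133.109 443 TCP
3011 OneDrive.exe 20.99.184.37 443 TCP
3011 OneDrive.exe 23.216.147.64 443 TCP
1234 sample.exe 10.0.0.53 53 UDP
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, dst, port, proto = line.split()
        rows.append({"pid": int(pid), "image": image, "dst": dst,
                     "port": int(port), "proto": proto})
    return rows


def cdn_owner(ip):
    """Return the assumed owner name if ip falls in a known prefix, else None."""
    addr = ipaddress.ip_address(ip)
    for net, who in _NETS:
        if addr in net:
            return who
    return None


def triage(rows, analysed_image):
    """
    Produce one verdict per connection. A connection is attributed to the
    submitted sample only if its process image matches; IOC hits made by
    other processes are reported as 'unrelated process'. IOC hits inside a
    known CDN prefix are downgraded to 'ioc needs validation'.
    """
    verdicts = []
    for r in rows:
        from_sample = r["image"].lower() == analysed_image.lower()
        in_ioc = r["dst"] in IOC_LIST
        owner = cdn_owner(r["dst"])
        if in_ioc and owner:
            status = "ioc needs validation (known CDN: %s)" % owner
        elif in_ioc:
            status = "ioc match"
        else:
            status = "no ioc match"
        verdicts.append({
            "dst": r["dst"], "image": r["image"],
            "attribution": "sample" if from_sample else "unrelated process",
            "status": status,
        })
    return verdicts


def summarize(verdicts):
    """Count connections per (attribution, status) pair."""
    counts = defaultdict(int)
    for v in verdicts:
        counts[(v["attribution"], v["status"])] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    verdicts = triage(rows, "sample.exe")
    for v in verdicts:
        print("%-15s %-13s %-18s %s" % (v["dst"], v["image"], v["attribution"], v["status"]))
    print(summarize(verdicts))
```

Run against the constructed log, every IOC hit comes from svchost.exe or OneDrive.exe rather than from sample.exe, and every one of them lands in an assumed CDN prefix, which is exactly the situation the answer describes: the report is true at machine level, but it says nothing about the scanned executable until the connections are attributed per process and the IOCs are validated.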
