| | IP Address | Port | Hostname |
|---|---|---|---|
| Source | 157.55.130.164 (United States) | 40028 | |
| Destination | (local) | 41041 | |
Description:
- Turkojan is a RAT, details here:
  - http://turkojan.blogspot.com/
  - http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/turkojan
- It is generally associated with malicious actors.
False Positive:
- PROBABLY
- Possible code reuse, or someone picked up old malware.
- Suspicious:
  - The endpoint belongs to Microsoft. It is not in the published Azure address space, but it is adjacent to that space.
  - No PTR record; reverse DNS services and ThreatCrowd turn up nothing for it.
  - Both ports are above 40000.
  - The traffic is entirely encrypted, or appears to be.
- Not suspicious:
  - The matched signature content is short.
  - Turkojan is very old malware; the probability of new infections occurring is low.
  - No other events on this system.
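The "not in published Azure space, but adjacent to it" distinction above is worth making mechanically during triage. The following is an added example, not part of the original note: it loads a document in the shape of Microsoft's Service Tags JSON (the prefixes here are constructed sample values, not the real published ranges) and classifies a source address as inside a published prefix, adjacent to one (sharing the same /16 allocation block), or unrelated.

```python
import ipaddress
import json

# Constructed sample in the shape of the Azure Service Tags JSON; the prefixes
# are made up for this example and are NOT Microsoft's real published ranges.
SAMPLE_SERVICE_TAGS = json.dumps({
    "values": [
        {"name": "AzureCloud.sample",
         "properties": {"addressPrefixes": ["157.55.0.0/17", "13.64.0.0/16"]}}
    ]
})


def load_prefixes(service_tags_json):
    """Flatten a Service-Tags-style document into ip_network objects."""
    doc = json.loads(service_tags_json)
    return [ipaddress.ip_network(p, strict=False)
            for entry in doc["values"]
            for p in entry["properties"]["addressPrefixes"]]


def classify_ip(ip, prefixes, adjacency_prefixlen=16):
    """Return 'published', 'adjacent' or 'unrelated'.

    'adjacent' means the address is outside every published prefix but its
    /adjacency_prefixlen block overlaps one, i.e. it sits in the same
    allocation the provider publishes from, as the triage note describes.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in prefixes):
        return "published"
    block = ipaddress.ip_network(f"{addr}/{adjacency_prefixlen}", strict=False)
    # Version check first: IPv4 and IPv6 networks never overlap each other.
    if any(net.version == block.version and net.overlaps(block)
           for net in prefixes):
        return "adjacent"
    return "unrelated"


if __name__ == "__main__":
    nets = load_prefixes(SAMPLE_SERVICE_TAGS)
    for candidate in ("157.55.130.164", "157.55.1.1", "8.8.8.8"):
        print(candidate, classify_ip(candidate, nets))
```

For real triage, feed `load_prefixes` the current "Azure IP Ranges and Service Tags" JSON published by Microsoft instead of the constructed sample.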
Action:
- Enough indicators here to scan the host if possible.
- This is an Android phone on the Wi-Fi.
- False positive, since Turkojan is a Windows RAT.
- No further action.