NetWork | ZeroBOX

Network Analysis

Name Response Post-Analysis Lookup
api.wipmania.com 212.83.168.196

HTTP Requests

GET 200 http://api.wipmania.com/
GET 200 http://api.wipmania.com/
GET 200 http://95.143.193.125/tor/status-vote/current/consensus.z
GET 200 http://185.215.113.93/cc11
GET 200 http://23.129.64.201/tor/server/fp/0011bd2485ad45d984ec4159c88fc066e5e3300e+005079a42356183cea5a3add239303f44f12e7ea+00cc4ac22501360c541185ee7e4466efb7032cae+00cce6a84e6d63a1a42e105839bc8ed5d4b16669+00e1649e69ff91d7f01e74a5e62ef14f7d9915e4+019feb22ce04cbd0489b7f24be038518b64fa223+034168fa4180b8662439fc714e4bdd7c6b39f5df+041646640ab306ea74b001966e86169b04cc88d2+05051aa95fb65c64e6a99fc0963cedeb211c88ba+05499507da8b381370e0858a784c3afe13dc927f+0a3c9ebb64ee062aa170bb9bf2b84ffb02da88c9+0a4ed4c74020740a904f3a9936030b7a4c6170bb+0b19bbfdc498ccea23027b1d7bd8e20121b95e60+0b37ec8be844f5c20e5b84a885608de0c7dbea47+0c93559d6d7e95b41561424345b0b176fbe66f00+0d2d4b1d27468806bb1edfb02715eee91e1ab94e.z
GET 200 http://86.59.21.38/tor/server/fp/d5f09497548a39071d14ac9e9aa926a0f8a748f2+d5f5502c1762a0b737a81a6bdb78ddbf7efc7725+d60c2d85ead93d23f1c00874d334bbf8a96cd529.z
GET 200 http://185.215.113.93/cc11
GET 200 http://185.215.113.93/cc22
GET 200 http://api.wipmania.com/

ICMP traffic

Source Destination ICMP Type Data
95.217.42.50 192.168.56.101 3
95.217.42.50 192.168.56.101 3
95.217.42.50 192.168.56.101 3

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 185.215.113.93:80 -> 192.168.56.101:49208 2400023 ET DROP Spamhaus DROP Listed Traffic Inbound group 24 Misc Attack
TCP 45.66.156.176:8443 -> 192.168.56.101:49206 2522577 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 578 Misc Attack
TCP 23.129.64.201:80 -> 192.168.56.101:49209 2520073 ET TOR Known Tor Exit Node Traffic group 74 Misc Attack
TCP 23.129.64.201:80 -> 192.168.56.101:49209 2522074 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75 Misc Attack
TCP 23.129.64.201:80 -> 192.168.56.101:49209 2500216 ET COMPROMISED Known Compromised or Hostile Host Traffic group 109 Misc Attack
TCP 192.168.56.101:49200 -> 212.83.168.196:80 2014304 ET POLICY External IP Lookup Attempt To Wipmania Device Retrieving External IP Address Detected
TCP 192.168.56.101:49203 -> 212.83.168.196:80 2014304 ET POLICY External IP Lookup Attempt To Wipmania Device Retrieving External IP Address Detected
TCP 95.143.193.125:80 -> 192.168.56.101:49207 2520104 ET TOR Known Tor Exit Node Traffic group 105 Misc Attack
TCP 95.143.193.125:80 -> 192.168.56.101:49207 2522105 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 106 Misc Attack
TCP 195.201.103.59:3333 -> 192.168.56.101:49212 2522318 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 319 Misc Attack
TCP 86.59.21.38:80 -> 192.168.56.101:49214 2522742 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 743 Misc Attack
TCP 192.168.56.101:49212 -> 195.201.103.59:3333 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 195.201.103.59:3333 -> 192.168.56.101:49212 2018789 ET POLICY TLS possible TOR SSL traffic Misc activity
TCP 192.168.56.101:49214 -> 86.59.21.38:80 2221001 SURICATA HTTP gzip decompression failed Generic Protocol Command Decode
TCP 192.168.56.101:49209 -> 23.129.64.201:80 2221001 SURICATA HTTP gzip decompression failed Generic Protocol Command Decode
TCP 192.168.56.101:49214 -> 86.59.21.38:80 2008113 ET P2P Tor Get Server Request Potential Corporate Privacy Violation
TCP 192.168.56.101:49209 -> 23.129.64.201:80 2008113 ET P2P Tor Get Server Request Potential Corporate Privacy Violation
TCP 86.59.21.38:80 -> 192.168.56.101:49214 2221001 SURICATA HTTP gzip decompression failed Generic Protocol Command Decode
TCP 23.129.64.201:80 -> 192.168.56.101:49209 2221001 SURICATA HTTP gzip decompression failed Generic Protocol Command Decode
TCP 192.168.56.101:49218 -> 212.83.168.196:80 2014304 ET POLICY External IP Lookup Attempt To Wipmania Device Retrieving External IP Address Detected
TCP 192.168.56.101:49207 -> 95.143.193.125:80 2221001 SURICATA HTTP gzip decompression failed Generic Protocol Command Decode
TCP 192.168.56.101:49207 -> 95.143.193.125:80 2028914 ET POLICY TOR Consensus Data Requested Potential Corporate Privacy Violation
TCP 95.143.193.125:80 -> 192.168.56.101:49207 2221001 SURICATA HTTP gzip decompression failed Generic Protocol Command Decode
TCP 162.247.74.201:443 -> 192.168.56.101:49211 2520015 ET TOR Known Tor Exit Node Traffic group 16 Misc Attack
TCP 162.247.74.201:443 -> 192.168.56.101:49211 2522015 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 16 Misc Attack
TCP 162.247.74.201:443 -> 192.168.56.101:49211 2500120 ET COMPROMISED Known Compromised or Hostile Host Traffic group 61 Misc Attack
TCP 95.217.229.211:9001 -> 192.168.56.101:49210 2522809 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 810 Misc Attack
TCP 192.168.56.101:49211 -> 162.247.74.201:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49210 -> 95.217.229.211:9001 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 193.11.164.243:9030 -> 192.168.56.101:49213 2522302 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 303 Misc Attack
TCP 192.168.56.101:49213 -> 193.11.164.243:9030 2221001 SURICATA HTTP gzip decompression failed Generic Protocol Command Decode
TCP 192.168.56.101:49213 -> 193.11.164.243:9030 2028914 ET POLICY TOR Consensus Data Requested Potential Corporate Privacy Violation
TCP 193.11.164.243:9030 -> 192.168.56.101:49213 2221001 SURICATA HTTP gzip decompression failed Generic Protocol Command Decode

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49212 -> 195.201.103.59:3333 CN=www.3gg2v7jrf2gop4.com CN=www.gzazujcdd6f7t.net 35:7f:f1:a8:7a:9a:d2:0a:54:ec:b7:21:3e:eb:ba:d6:9d:08:cd:7a
TLSv1 192.168.56.101:49211 -> 162.247.74.201:443 CN=www.adxrs6re5yxnwldtusi.com CN=www.j4utjsuqj6osi2monp.net bc:69:b9:d5:4d:1c:ca:2e:9d:67:fc:2e:21:c5:68:92:dc:10:0e:6f

Snort Alerts

No Snort Alerts