NetWork | ZeroBOX

Network Analysis

IP Address Status Action
131.188.40.189 Active Moloch
141.255.162.34 Active Moloch
149.56.45.200 Active Moloch
164.124.101.2 Active Moloch
185.215.113.93 Active Moloch
212.83.168.196 Active Moloch
45.66.156.176 Active Moloch
5.196.71.24 Active Moloch
51.195.253.209 Active Moloch
83.212.103.129 Active Moloch
86.59.21.38 Active Moloch
95.217.42.50 Active Moloch
Name Response Post-Analysis Lookup
api.wipmania.com 212.83.168.196

HTTP traffic

Method Status URL
GET 200 http://185.215.113.93/pepwn.exe
GET 200 http://api.wipmania.com/
GET 200 http://api.wipmania.com/
GET 200 http://185.215.113.93/cc11
GET 200 http://86.59.21.38/tor/status-vote/current/consensus.z

ICMP traffic

Source Destination ICMP Type Data
95.217.42.50 192.168.56.101 3
95.217.42.50 192.168.56.101 3
95.217.42.50 192.168.56.101 3

ICMP type 3 is Destination Unreachable, sent in reply to a datagram that could not be delivered, so the VM tried to reach 95.217.42.50 three times and each attempt failed. The report shows no code field, so host unreachable cannot be told apart from port unreachable, and 95.217.42.50 appears in the IP table but in no HTTP row or Suricata alert, so the connection attempts that provoked these replies are not otherwise visible here.

IRC traffic

Command Params Type
CONNECT %s:%s HTTP/1.0 client
CONNECT %s:%s HTTP/1.1 client

Despite the section label these are not IRC commands: both strings are printf-style templates (%s placeholders) for an HTTP CONNECT request to a proxy, matched by the IRC parser only because CONNECT is also an IRC command verb. No IRC session is present in the capture.

Suricata Alerts

Flow | SID | Signature | Category
TCP 185.215.113.93:80 -> 192.168.56.101:49200 | 2400023 | ET DROP Spamhaus DROP Listed Traffic Inbound group 24 | Misc Attack
TCP 192.168.56.101:49207 -> 212.83.168.196:80 | 2014304 | ET POLICY External IP Lookup Attempt To Wipmania | Device Retrieving External IP Address Detected
TCP 192.168.56.101:49200 -> 185.215.113.93:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | A Network Trojan was detected
TCP 149.56.45.200:9030 -> 192.168.56.101:49216 | 2522180 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181 | Misc Attack
TCP 192.168.56.101:49216 -> 149.56.45.200:9030 | 2002950 | ET P2P TOR 1.0 Server Key Retrieval | Potential Corporate Privacy Violation
TCP 86.59.21.38:80 -> 192.168.56.101:49212 | 2522742 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 743 | Misc Attack
TCP 45.66.156.176:8443 -> 192.168.56.101:49213 | 2522577 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 578 | Misc Attack
TCP 185.215.113.93:80 -> 192.168.56.101:49200 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 192.168.56.101:49216 -> 149.56.45.200:9030 | 2221001 | SURICATA HTTP gzip decompression failed | Generic Protocol Command Decode
TCP 185.215.113.93:80 -> 192.168.56.101:49200 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 192.168.56.101:49212 -> 86.59.21.38:80 | 2221001 | SURICATA HTTP gzip decompression failed | Generic Protocol Command Decode
TCP 192.168.56.101:49216 -> 149.56.45.200:9030 | 2008113 | ET P2P Tor Get Server Request | Potential Corporate Privacy Violation
TCP 192.168.56.101:49212 -> 86.59.21.38:80 | 2028914 | ET POLICY TOR Consensus Data Requested | Potential Corporate Privacy Violation
TCP 149.56.45.200:9030 -> 192.168.56.101:49216 | 2221001 | SURICATA HTTP gzip decompression failed | Generic Protocol Command Decode
TCP 86.59.21.38:80 -> 192.168.56.101:49212 | 2221001 | SURICATA HTTP gzip decompression failed | Generic Protocol Command Decode
TCP 192.168.56.101:49204 -> 212.83.168.196:80 | 2014304 | ET POLICY External IP Lookup Attempt To Wipmania | Device Retrieving External IP Address Detected
TCP 51.195.253.209:9001 -> 192.168.56.101:49218 | 2522623 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 624 | Misc Attack
TCP 192.168.56.101:49218 -> 51.195.253.209:9001 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 5.196.71.24:9001 -> 192.168.56.101:49217 | 2522640 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 641 | Misc Attack
TCP 192.168.56.101:49217 -> 5.196.71.24:9001 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 83.212.103.129:44933 -> 192.168.56.101:49219 | 2522722 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 723 | Misc Attack
TCP 192.168.56.101:49219 -> 83.212.103.129:44933 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 83.212.103.129:44933 -> 192.168.56.101:49219 | 2018789 | ET POLICY TLS possible TOR SSL traffic | Misc activity
TCP 131.188.40.189:443 -> 192.168.56.101:49215 | 2522139 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 140 | Misc Attack
TCP 192.168.56.101:49215 -> 131.188.40.189:443 | 2008113 | ET P2P Tor Get Server Request | Potential Corporate Privacy Violation

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.101:49219 -> 83.212.103.129:44933 | CN=www.ftov32jlnn.com | CN=www.4yohmszal2vz7bh.net | 49:b6:3f:00:11:f7:04:03:0c:a2:73:1e:c6:30:cd:24:66:bc:62:8e

Issuer and subject are both random labels under www.*.com / www.*.net with the issuer differing from the subject, which is the shape of the self-generated certificates Tor relays present during the link handshake; signature 2018789 (ET POLICY TLS possible TOR SSL traffic) fired on this same flow for that naming pattern, and 83.212.103.129 is also listed as a known Tor relay in the alerts above.
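As an added example that is not part of the ZeroBOX report, the Python script below parses the Suricata alert rows above, groups them by the sandbox-side ephemeral port to reconstruct the order of connections (payload download, external IP lookup, Tor directory fetch, relay contacts), and applies a random-CN heuristic to the TLS row. The alert text is copied from the report; the stage labels, the assumption that ascending ephemeral ports approximate connection order, and the certificate-name heuristic are this example's own, not Suricata's or ZeroBOX's.

```python
import re
from collections import defaultdict

SANDBOX_HOST = "192.168.56.101"  # the analysis VM in the report

# Suricata alert rows copied from the report (Flow SID Signature Category).
ALERT_ROWS = """\
TCP 185.215.113.93:80 -> 192.168.56.101:49200 2400023 ET DROP Spamhaus DROP Listed Traffic Inbound group 24 Misc Attack
TCP 192.168.56.101:49207 -> 212.83.168.196:80 2014304 ET POLICY External IP Lookup Attempt To Wipmania Device Retrieving External IP Address Detected
TCP 192.168.56.101:49200 -> 185.215.113.93:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 149.56.45.200:9030 -> 192.168.56.101:49216 2522180 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181 Misc Attack
TCP 192.168.56.101:49216 -> 149.56.45.200:9030 2002950 ET P2P TOR 1.0 Server Key Retrieval Potential Corporate Privacy Violation
TCP 86.59.21.38:80 -> 192.168.56.101:49212 2522742 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 743 Misc Attack
TCP 45.66.156.176:8443 -> 192.168.56.101:49213 2522577 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 578 Misc Attack
TCP 185.215.113.93:80 -> 192.168.56.101:49200 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.101:49216 -> 149.56.45.200:9030 2221001 SURICATA HTTP gzip decompression failed Generic Protocol Command Decode
TCP 185.215.113.93:80 -> 192.168.56.101:49200 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49212 -> 86.59.21.38:80 2221001 SURICATA HTTP gzip decompression failed Generic Protocol Command Decode
TCP 192.168.56.101:49216 -> 149.56.45.200:9030 2008113 ET P2P Tor Get Server Request Potential Corporate Privacy Violation
TCP 192.168.56.101:49212 -> 86.59.21.38:80 2028914 ET POLICY TOR Consensus Data Requested Potential Corporate Privacy Violation
TCP 149.56.45.200:9030 -> 192.168.56.101:49216 2221001 SURICATA HTTP gzip decompression failed Generic Protocol Command Decode
TCP 86.59.21.38:80 -> 192.168.56.101:49212 2221001 SURICATA HTTP gzip decompression failed Generic Protocol Command Decode
TCP 192.168.56.101:49204 -> 212.83.168.196:80 2014304 ET POLICY External IP Lookup Attempt To Wipmania Device Retrieving External IP Address Detected
TCP 51.195.253.209:9001 -> 192.168.56.101:49218 2522623 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 624 Misc Attack
TCP 192.168.56.101:49218 -> 51.195.253.209:9001 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 5.196.71.24:9001 -> 192.168.56.101:49217 2522640 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 641 Misc Attack
TCP 192.168.56.101:49217 -> 5.196.71.24:9001 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 83.212.103.129:44933 -> 192.168.56.101:49219 2522722 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 723 Misc Attack
TCP 192.168.56.101:49219 -> 83.212.103.129:44933 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 83.212.103.129:44933 -> 192.168.56.101:49219 2018789 ET POLICY TLS possible TOR SSL traffic Misc activity
TCP 131.188.40.189:443 -> 192.168.56.101:49215 2522139 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 140 Misc Attack
TCP 192.168.56.101:49215 -> 131.188.40.189:443 2008113 ET P2P Tor Get Server Request Potential Corporate Privacy Violation
""".splitlines()

ROW_RE = re.compile(r"^TCP (\S+):(\d+) -> (\S+):(\d+) (\d+) (.+)$")

# Stage labels keyed on signature text. This mapping is the example's own
# assumption, not an ET or Suricata classification; 2221001 maps to nothing.
STAGE_PATTERNS = [
    ("payload download",    r"Executable Download|PE EXE or DLL|Dotted Quad Host MZ"),
    ("blocklisted host",    r"Spamhaus DROP"),
    ("external IP lookup",  r"External IP Lookup"),
    ("tor directory fetch", r"TOR Consensus Data|Tor Get Server|TOR 1\.0 Server Key"),
    ("tor relay contact",   r"Known Tor Relay"),
    ("suspicious TLS",      r"JA3 Hash|possible TOR SSL"),
]

def parse_alert(line):
    """One report row -> sandbox-side port, remote endpoint, SID and stage set."""
    m = ROW_RE.match(line)
    if not m:
        raise ValueError(f"unparsed row: {line!r}")
    src, sport, dst, dport, sid, text = m.groups()
    if src == SANDBOX_HOST:
        local_port, remote = int(sport), f"{dst}:{dport}"
    elif dst == SANDBOX_HOST:
        local_port, remote = int(dport), f"{src}:{sport}"
    else:
        raise ValueError(f"sandbox host not in flow: {line!r}")
    stages = {name for name, pat in STAGE_PATTERNS if re.search(pat, text)}
    return {"local_port": local_port, "remote": remote, "sid": int(sid), "stages": stages}

def timeline(rows):
    """Group alerts by sandbox-side ephemeral port, ascending. Assumption: the VM
    hands these ports out in increasing order, so this approximates connection order."""
    by_port = defaultdict(lambda: {"remote": None, "stages": set(), "sids": []})
    for line in rows:
        a = parse_alert(line)
        entry = by_port[a["local_port"]]
        entry["remote"] = a["remote"]
        entry["stages"] |= a["stages"]
        entry["sids"].append(a["sid"])
    return [(p, e["remote"], sorted(e["stages"]), e["sids"]) for p, e in sorted(by_port.items())]

def stage_sequence(rows):
    """Stages in order of first appearance along the timeline."""
    seen = []
    for _, _, stages, _ in timeline(rows):
        seen += [s for s in stages if s not in seen]
    return seen

def remotes_for(rows, stage):
    """Distinct remote endpoints whose flows carry the given stage."""
    return sorted({r for _, r, stages, _ in timeline(rows) if stage in stages})

# Heuristic (assumption): Tor link certificates carry random www.<label>.com /
# www.<label>.net names with issuer != subject. Real domains can look similar.
TOR_LINK_CN_RE = re.compile(r"^www\.[a-z0-9]{8,20}\.(com|net)$")

def looks_like_tor_link_cert(issuer_cn, subject_cn):
    return (issuer_cn != subject_cn
            and TOR_LINK_CN_RE.match(issuer_cn) is not None
            and TOR_LINK_CN_RE.match(subject_cn) is not None)

if __name__ == "__main__":
    for port, remote, stages, sids in timeline(ALERT_ROWS):
        print(f"{port} -> {remote:22} {', '.join(stages) or '(decoder noise only)'}  sids={sids}")
    print("sequence:", " -> ".join(stage_sequence(ALERT_ROWS)))
    print("tor-like link cert:", looks_like_tor_link_cert("www.ftov32jlnn.com", "www.4yohmszal2vz7bh.net"))
```

Run stand-alone it prints ten connections in port order: 49200 to 185.215.113.93:80 carries both the Spamhaus DROP hit and the three PE-download signatures, 49204 and 49207 are the two wipmania lookups, and every port from 49212 upward is a known Tor relay, with the consensus and server-descriptor fetches on the plaintext directory ports and the JA3/TOR-SSL hits on the TLS ones. The four 2221001 rows map to no stage and are reported as decoder noise, which is the right way to treat a gzip-decode failure on a consensus.z download.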

Snort Alerts

No Snort Alerts