NetWork | ZeroBOX

Network Analysis

IP Address Status Action
107.180.58.44 Active Moloch
108.167.181.248 Active Moloch
148.66.138.194 Active Moloch
164.124.101.2 Active Moloch
173.230.252.50 Active Moloch
192.185.16.122 Active Moloch
192.185.32.234 Active Moloch
192.185.79.55 Active Moloch
208.91.198.106 Active Moloch
209.188.15.214 Active Moloch
23.212.13.232 Active Moloch
23.40.44.112 Active Moloch
35.155.6.125 Active Moloch
83.150.213.154 Active Moloch

GET 302 http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49593 -> 23.212.13.232:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49591 -> 35.155.6.125:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49594 -> 23.40.44.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.185.16.122:443 -> 192.168.56.103:49603 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49601 -> 192.185.16.122:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49605 -> 107.180.58.44:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49610 -> 209.188.15.214:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49602 -> 192.185.16.122:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 209.188.15.214:443 -> 192.168.56.103:49611 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49613 -> 192.185.79.55:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 107.180.58.44:443 -> 192.168.56.103:49607 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.185.79.55:443 -> 192.168.56.103:49615 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49617 -> 192.185.32.234:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49618 -> 192.185.32.234:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49623 -> 208.91.198.106:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49609 -> 209.188.15.214:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 208.91.198.106:443 -> 192.168.56.103:49624 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49621 -> 208.91.198.106:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49626 -> 148.66.138.194:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49631 -> 173.230.252.50:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49627 -> 148.66.138.194:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 148.66.138.194:443 -> 192.168.56.103:49628 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49636 -> 83.150.213.154:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.103:49636 -> 83.150.213.154:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 83.150.213.154:443 -> 192.168.56.103:49636 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.103:49638 -> 108.167.181.248:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 83.150.213.154:443 -> 192.168.56.103:49636 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.103:49639 -> 108.167.181.248:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 108.167.181.248:443 -> 192.168.56.103:49640 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49606 -> 107.180.58.44:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 173.230.252.50:443 -> 192.168.56.103:49632 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49635 -> 83.150.213.154:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.103:49635 -> 83.150.213.154:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.103:49635 -> 83.150.213.154:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49614 -> 192.185.79.55:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.185.32.234:443 -> 192.168.56.103:49619 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49630 -> 173.230.252.50:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49634 -> 83.150.213.154:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.103:49634 -> 83.150.213.154:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.103:49634 -> 83.150.213.154:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 83.150.213.154:443 -> 192.168.56.103:49634 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 83.150.213.154:443 -> 192.168.56.103:49634 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 83.150.213.154:443 -> 192.168.56.103:49635 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 83.150.213.154:443 -> 192.168.56.103:49635 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode

Suricata TLS

Flow Version Issuer Subject Fingerprint
192.168.56.103:49591 -> 35.155.6.125:443 TLSv1 Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA Subject: C=US, ST=California, L=Mountain View, O=Mozilla Corporation, OU=Cloud Services, CN=*.telemetry.mozilla.org Fingerprint: 6d:3c:6a:a4:5f:46:eb:8b:b6:fb:8f:08:44:02:01:61:a0:25:c3:c8
192.168.56.103:49594 -> 23.40.44.112:443 TLSv1 Issuer: C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 Subject: C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=download.microsoft.com Fingerprint: e7:01:d1:e2:a1:0e:a1:84:0b:d0:c6:2e:a2:42:7a:f4:7b:40:91:c5
192.168.56.103:49593 -> 23.212.13.232:443 TLSv1 Issuer: C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 Subject: C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=www.microsoft.com Fingerprint: 9b:2b:8a:e6:51:69:aa:47:7c:57:83:d6:48:0f:29:6e:f4:8c:f1:4d

Snort Alerts

No Snort Alerts