NetWork | ZeroBOX

Network Analysis

IP Address Status
157.240.215.35 Active
164.124.101.2 Active
172.217.161.142 Active
172.217.25.14 Active
175.208.134.150 Active
18.200.206.178 Active
34.250.171.60 Active
34.255.131.204 Active
52.218.52.233 Active
54.171.169.161 Active
62.113.216.169 Active
74.6.231.21 Active

HTTP traffic

Method Status URL
GET 200 http://chromodoris.s3.amazonaws.com/GirafficInstall1.0.0.25.exe
GET 200 http://mlb.giraffic.com/inst_report.php?op=15549906_1.0.0.25_Watchdog_Silent_Install&msg=Init
GET 200 http://mlb.giraffic.com/inst_report.php?op=15569187_1.0.0.25_Agent_Silent_Install&msg=Init
GET 200 http://mlb.giraffic.com/inst_report.php?op=15569187_1.0.0.25_Agent_Silent_Install&msg=Installation_Complete
GET 200 http://mlb.giraffic.com/inst_report.php?op=15549906_1.0.0.25_Watchdog_Silent_Install&msg=Installation_Complete

ICMP traffic

Source Destination ICMP Type Data Count
192.168.56.102 34.255.131.204 3 (none) 15
192.168.56.102 62.113.216.169 3 (none) 14

All 29 ICMP packets were type 3 (Destination Unreachable) sent by the sandbox host, with no payload recorded in the Data column.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow | SID | Signature | Category
UDP 192.168.56.102:52053 -> 175.208.134.150:52053 | 2018904 | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false) | Generic Protocol Command Decode
UDP 192.168.56.102:52053 -> 18.200.206.178:3478 | 2018904 | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false) | Generic Protocol Command Decode
UDP 192.168.56.102:52053 -> 18.200.206.178:3478 | 2018907 | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true) | Generic Protocol Command Decode
UDP 192.168.56.102:52053 -> 18.200.206.178:3478 | 2018905 | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true) | Generic Protocol Command Decode
UDP 18.200.206.178:3478 -> 192.168.56.102:52053 | 2018908 | ET INFO Session Traversal Utilities for NAT (STUN Binding Response) | Generic Protocol Command Decode
TCP 52.218.52.233:80 -> 192.168.56.102:49859 | 2013414 | ET POLICY Executable served from Amazon S3 | Potentially Bad Traffic
TCP 52.218.52.233:80 -> 192.168.56.102:49859 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation

Suricata TLS

Flow Issuer Subject Fingerprint

All 38 TLS 1.2 sessions originated from 192.168.56.102 and presented one of two server certificates:

Certificate 1 (issuer equals subject)
Issuer: CN=ip-10-226-5-106.eu-west-1.compute.internal
Subject: CN=ip-10-226-5-106.eu-west-1.compute.internal
Fingerprint: c4:ac:9f:36:1f:de:3c:54:da:16:e7:91:eb:d3:f8:b1:d8:87:3f:0d
Flows (5): 49820 -> 34.250.171.60:443, 49825 -> 34.250.171.60:443, 49855 -> 34.250.171.60:443, 49857 -> 34.250.171.60:8443, 49858 -> 34.250.171.60:8443

Certificate 2
Issuer: C=US, O=Let's Encrypt, CN=R3
Subject: CN=mseed.giraffic.com
Fingerprint: a5:8f:e5:6a:2f:0c:78:88:a6:7a:12:ec:be:59:27:bc:ec:3f:7b:c8
Flows (33, all to 54.171.169.161:443, listed by source port): 49827, 49832, 49833, 49834, 49835, 49836, 49837, 49838, 49839, 49840, 49841, 49842, 49843, 49844, 49845, 49846, 49847, 49848, 49849, 49850, 49851, 49852, 49853, 49854, 49856, 49860, 49866, 49867, 49868, 49869, 49870, 49871, 49874

Snort Alerts

No Snort Alerts