NetWork | ZeroBOX

Network Analysis

IP Address       Status
151.101.40.209   Active
164.124.101.2    Active
185.199.111.154  Active
208.95.112.1     Active
34.104.35.123    Active
46.183.221.118   Active
52.78.231.108    Active

Method  Status  URL
POST    200     https://update.googleapis.com/service/update2?cup2key=10:1185578559&cup2hreq=210abae0c0bf4c085ef3a032bf41ca5b683c508249b56d231bc6b32b3afcc509
GET     200     http://ip-api.com/json/
HEAD    200     http://edgedl.me.gvt1.com/edgedl/release2/chrome/ANHii5UY3d-4EiotgE5WL8M_91.0.4472.124/91.0.4472.124_chrome_installer.exe
GET     206     http://edgedl.me.gvt1.com/edgedl/release2/chrome/ANHii5UY3d-4EiotgE5WL8M_91.0.4472.124/91.0.4472.124_chrome_installer.exe  (18 partial-content requests for the same URL)

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.102:49166 -> 151.101.40.209:443 | 2028375 | ET JA3 Hash - Possible Malware - Java Based RAT | Unknown Traffic
TCP 192.168.56.102:49165 -> 52.78.231.108:443 | 2028375 | ET JA3 Hash - Possible Malware - Java Based RAT | Unknown Traffic
TCP 192.168.56.102:49167 -> 151.101.40.209:443 | 2028375 | ET JA3 Hash - Possible Malware - Java Based RAT | Unknown Traffic
TCP 192.168.56.102:49168 -> 151.101.40.209:443 | 2028375 | ET JA3 Hash - Possible Malware - Java Based RAT | Unknown Traffic
TCP 192.168.56.102:49169 -> 185.199.111.154:443 | 2028375 | ET JA3 Hash - Possible Malware - Java Based RAT | Unknown Traffic
UDP 192.168.56.102:49669 -> 164.124.101.2:53 | 2016778 | ET DNS Query to a *.pw domain - Likely Hostile | Potentially Bad Traffic
TCP 192.168.56.102:49186 -> 172.217.161.131:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 34.104.35.123:80 -> 192.168.56.102:49187 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 34.104.35.123:80 -> 192.168.56.102:49187 | 2014520 | ET INFO EXE - Served Attached HTTP | Misc activity
TCP 192.168.56.102:49176 -> 46.183.221.118:3232 | 2030358 | ET MALWARE STRRAT CnC Checkin | Malware Command and Control Activity Detected  (21 identical alerts on this flow)
TCP 192.168.56.102:49185 -> 208.95.112.1:80 | 2022082 | ET POLICY External IP Lookup ip-api.com | Device Retrieving External IP Address Detected

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLS 1.2 192.168.56.102:49166 -> 151.101.40.209:443 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=Maryland, L=Fulton, O=Sonatype, Inc, CN=repo1.maven.org | 74:54:1d:15:cf:77:9e:e8:00:c2:ea:0d:77:6e:d3:02:51:0f:15:dd
TLS 1.2 192.168.56.102:49165 -> 52.78.231.108:443 | C=US, O=DigiCert, Inc., CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1 | C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com | 84:63:b3:a9:29:12:cc:fd:1d:31:47:05:98:9b:ec:13:99:37:d0:d7
TLS 1.2 192.168.56.102:49167 -> 151.101.40.209:443 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=Maryland, L=Fulton, O=Sonatype, Inc, CN=repo1.maven.org | 74:54:1d:15:cf:77:9e:e8:00:c2:ea:0d:77:6e:d3:02:51:0f:15:dd
TLS 1.2 192.168.56.102:49168 -> 151.101.40.209:443 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=Maryland, L=Fulton, O=Sonatype, Inc, CN=repo1.maven.org | 74:54:1d:15:cf:77:9e:e8:00:c2:ea:0d:77:6e:d3:02:51:0f:15:dd
TLS 1.2 192.168.56.102:49169 -> 185.199.111.154:443 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=www.github.com | 70:94:de:dd:e6:c4:69:48:3a:92:70:a1:48:56:78:2d:18:64:e0:b7
TLS 1.2 192.168.56.102:49186 -> 172.217.161.131:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com | f6:fd:3d:f7:f5:a4:58:28:2f:0c:7e:7d:9d:80:25:2b:b6:a2:84:72

Snort Alerts

No Snort Alerts