NetWork | ZeroBOX

Network Analysis

IP Address      Status  Action
123.206.44.194  Active  Moloch
164.124.101.2   Active  Moloch
182.50.132.242  Active  Moloch
198.54.117.210  Active  Moloch
34.102.136.180  Active  Moloch
45.39.199.67    Active  Moloch
Method  Status  URL
GET     403     http://www.xn--dlicatbikini-beb.com/p1nr/?sBvD8D=+vXCLrdUYWGMLSeAc6EIZLxRod90t7CXA7cMjBJFBKwrYW2mpEPoYe/XiCHVxQKQoYcICdck&APcT7P=djFDfJXHkHmL
GET     400     http://www.stgilespantry.com/p1nr/?sBvD8D=ro1pg1ieSPLRQQJXGE2GvVgViR5v9blhYSuVVUpFJTfP14kyUBrbAPUBeXdLFqhiFoAhPEFb&APcT7P=djFDfJXHkHmL
GET     404     http://www.cydip.com/p1nr/?sBvD8D=ZGaWET/m5aRCM9pakCj6ctG5V4spLUeE07bass/N5tQ/1dOLPCE7TRyiJFuh9iNzw4wcgE0D&APcT7P=djFDfJXHkHmL
GET     404     http://www.caodongmei.com/p1nr/?sBvD8D=R1Tu5om0bIatwqHgCXtKllC2e9hqKP6J2OwsqOpsoo9g0cnj7hFHf9ulgsmwuY+fwUnD3npC&APcT7P=djFDfJXHkHmL
GET     403     http://www.mpoweru.life/p1nr/?sBvD8D=ZjHCDoNujluw6lRi64KwBSxMvDNX6e2GPzmHgKq0UAaVqhNvy38CjBjjIT6ZBEO9afFQxO8l&APcT7P=djFDfJXHkHmL
GET     0       http://www.norarahimian.net/p1nr/?sBvD8D=7d35Bw0Mn1rBnRMaVERGURzt1iGn4oZRCs4xgIP3mxtfyv7AvC3Y7Vv/TSFiGrtXZAEdE9D3&APcT7P=djFDfJXHkHmL
GET     403     http://www.thaenablers.com/p1nr/?sBvD8D=cAX9NHYQnbzybTmuNWVJ06luNzB8snIgXRxRycWBtqyFmm0R3R5hddFvCi3C+yaHA9cLu6dY&APcT7P=djFDfJXHkHmL

ICMP traffic

Source          Destination    ICMP Type  Data
192.168.56.102  164.124.101.2  3
192.168.56.102  164.124.101.2  3
192.168.56.102  164.124.101.2  3
192.168.56.102  164.124.101.2  3

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow                                           SID      Signature                                         Category
UDP 192.168.56.102:62770 -> 164.124.101.2:53   2027867  ET INFO Observed DNS Query to .life TLD           Potentially Bad Traffic
TCP 192.168.56.102:49167 -> 182.50.132.242:80  2031412  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 182.50.132.242:80  2031449  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 182.50.132.242:80  2031453  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 34.102.136.180:80  2027876  ET INFO HTTP Request to Suspicious *.life Domain  Potentially Bad Traffic
TCP 192.168.56.102:49170 -> 34.102.136.180:80  2027876  ET INFO HTTP Request to Suspicious *.life Domain  Potentially Bad Traffic
TCP 192.168.56.102:49170 -> 34.102.136.180:80  2027876  ET INFO HTTP Request to Suspicious *.life Domain  Potentially Bad Traffic
TCP 192.168.56.102:49169 -> 45.39.199.67:80    2031412  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 45.39.199.67:80    2031449  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 34.102.136.180:80  2031412  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 45.39.199.67:80    2031453  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 34.102.136.180:80  2031449  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 34.102.136.180:80  2031453  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 123.206.44.194:80  2031412  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 123.206.44.194:80  2031449  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 123.206.44.194:80  2031453  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 34.102.136.180:80  2031412  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 34.102.136.180:80  2031449  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 34.102.136.180:80  2031453  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 34.102.136.180:80  2031412  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 34.102.136.180:80  2031449  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 198.54.117.210:80  2031412  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 34.102.136.180:80  2031453  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 198.54.117.210:80  2031449  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 34.102.136.180:80  2027876  ET INFO HTTP Request to Suspicious *.life Domain  Potentially Bad Traffic
TCP 192.168.56.102:49171 -> 198.54.117.210:80  2031453  ET MALWARE FormBook CnC Checkin (GET)             Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts