NetWork | ZeroBOX

IP Address	Status	Action
108.62.76.146	Active	Moloch
13.107.42.12	Active	Moloch
13.107.42.13	Active	Moloch
159.203.181.190	Active	Moloch
164.124.101.2	Active	Moloch
192.185.236.169	Active	Moloch
194.58.112.174	Active	Moloch
34.102.136.180	Active	Moloch
52.58.78.16	Active	Moloch
66.45.250.213	Active	Moloch
75.2.115.196	Active	Moloch
91.195.240.94	Active	Moloch

Name	Response	Post-Analysis Lookup
www.bransolute.com	CNAME bransolute.com A 192.185.236.169	192.185.236.169
www.titanusedcarsworth.com
www.fuzhourexian.com	A 108.62.76.146	108.62.76.146
www.miamiqueensdress.com	A 75.2.115.196	75.2.115.196
pxqrda.sn.files.1drv.com	CNAME odc-sn-files-geo.onedrive.akadns.net CNAME sn-files.fe.1drv.com CNAME sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net A 13.107.42.12 CNAME odc-sn-files-brs.onedrive.akadns.net CNAME l-0003.l-msedge.net	13.107.42.12
www.mobiessence.com	A 52.58.78.16	52.58.78.16
www.beastninjas.com	CNAME beastninjas.com A 34.102.136.180	34.102.136.180
www.kykyryky.art	A 194.58.112.174	194.58.112.174
onedrive.live.com	CNAME odc-web-geo.onedrive.akadns.net CNAME l-0004.l-msedge.net A 13.107.42.13 CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net CNAME odc-web-brs.onedrive.akadns.net	13.107.42.13
www.lawmetricssolicitors.com	CNAME lawmetricssolicitors.com A 66.45.250.213	66.45.250.213
www.cannamalism.com	CNAME cannamalism.com A 34.102.136.180	34.102.136.180
www.annettebrownlee.com	CNAME annettebrownlee.com A 159.203.181.190	159.203.181.190
www.hanasugisaki.com	A 91.195.240.94	91.195.240.94

TCP Requests

UDP Requests

GET 302 https://onedrive.live.com/download?cid=7AD84143EE0A85E3&resid=7AD84143EE0A85E3%21111&authkey=AJ7X28D7DpibhQI

GET 200 https://pxqrda.sn.files.1drv.com/y4mVUIaLYjXuhlSuH8C1Poa6N3fD118-kF46y9jgrvjs4vHSLl_xoQY8wtd55BrthF7v-t2d5iFTz3s04C-BMPlOqQiz_sp9Nq8AydX_6J43UIPYHQYcKPvL0MSauM_3AiyMxp9MgKXUTADQfTWxkAFhyB6W1aY9eGKGxPp7V9S8EPug4FwOk9pew7dmpHlBWZpLVhDGiWIkVKnKs_kwtfIdA/Vmxgjqhexkgjojgjzjujxckxtulzbsg?download&psid=1

GET 302 https://onedrive.live.com/download?cid=7AD84143EE0A85E3&resid=7AD84143EE0A85E3%21111&authkey=AJ7X28D7DpibhQI

GET 200 https://pxqrda.sn.files.1drv.com/y4m__S5cMVGcFy7pOBpoFvjnko8AL4p5khOaFXAKHOBONod9wuptZWr2NXTzHqD7-lpVg0Z4e_BbFaeA2ebB7pnq1ItYlfdo7T9V2lPne4uS7rnHRVQMTtbazlN6QF3Xvr5ttEMxOdNqoE0LgqtrG6gcR5LA7BtUZnWvmd77YgDv9vnlh7Jo_tCsgbTdO9ifvgRNPf5-a2WZhEpH7Ud0Xg7oA/Vmxgjqhexkgjojgjzjujxckxtulzbsg?download&psid=1

POST 404 http://www.lawmetricssolicitors.com/6mam/

GET 404 http://www.lawmetricssolicitors.com/6mam/?t6Alv2A=4Gj0yn3nr4YWFpZH4qn2bQ/Mf+Y/K54EnXCw/FRHgkyWUNrW3vdYTE+qdBaiGkNQ4kKGGQ8H&PV=FjVH4F7XA4IHzH0p

POST 405 http://www.cannamalism.com/6mam/

GET 403 http://www.cannamalism.com/6mam/?t6Alv2A=kn71xoO9iU2mX4j71h7bz8HHhkUEjJyTF2/azklG2erytyCHrh0zJMDeYoghQinFk6RtaMTe&PV=FjVH4F7XA4IHzH0p

POST 0 http://www.kykyryky.art/6mam/

GET 404 http://www.kykyryky.art/6mam/?t6Alv2A=YhmCqIEbUGfuw5buP1ux4NwPyUbKdSmuBWvVd54Q/24mN/u1gMwH9i6nnbSMiSrA5lPx01TB&PV=FjVH4F7XA4IHzH0p

POST 410 http://www.mobiessence.com/6mam/

GET 410 http://www.mobiessence.com/6mam/?t6Alv2A=KE8gpfUGztMVNWKMFV5goIwNmc44LE6Oi+XDAS05rkp2RTHle1NPjBrPfhHuDJ31Wqk/Ne1S&PV=FjVH4F7XA4IHzH0p

POST 301 http://www.annettebrownlee.com/6mam/

GET 301 http://www.annettebrownlee.com/6mam/?t6Alv2A=Ha/mqQzo1OymR3PjStfn+lIoGvmqdNIZRSzA7EGDhkCDDPdeV8pHgJAz15x41PetfVMQIZVa&PV=FjVH4F7XA4IHzH0p

POST 404 http://www.fuzhourexian.com/6mam/

GET 500 http://www.fuzhourexian.com/6mam/?t6Alv2A=qbpZFH7voKbXHHWLfMfEAiwyGaz4A1Dlq6aJ6MnbqPgDgfYDR2UnLoNROh/k48NFxcmn1xi3&PV=FjVH4F7XA4IHzH0p

POST 301 http://www.bransolute.com/6mam/

GET 301 http://www.bransolute.com/6mam/?t6Alv2A=3lOIhqUq6P+U3Pv+KiDZArCwgFDmfekdTy2Nm2rSf3PvYUYfwCDamY7ww9DFIoj1y02HC7Ks&PV=FjVH4F7XA4IHzH0p

POST 0 http://www.miamiqueensdress.com/6mam/

GET 403 http://www.miamiqueensdress.com/6mam/?t6Alv2A=EBok50QODh/qmCP7J2xI5qJEvLCVP7z6QxySw5ZUrU5I7S6miF2cwhtfnH/LuNQ5P6YcYCdk&PV=FjVH4F7XA4IHzH0p

POST 405 http://www.beastninjas.com/6mam/

GET 403 http://www.beastninjas.com/6mam/?t6Alv2A=oQhTdcG35KVC+c6Wc2Ae/5c2EVHHJUmgpuEXLTkVZHJt0CPiQFk8QVOcUVYqLYUeTWjjNSS/&PV=FjVH4F7XA4IHzH0p

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49229 -> 192.185.236.169:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49229 -> 192.185.236.169:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49229 -> 192.185.236.169:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49201 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49202 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49200 -> 13.107.42.13:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49233 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49233 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49233 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 66.45.250.213:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 66.45.250.213:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 66.45.250.213:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49221 -> 194.58.112.174:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49221 -> 194.58.112.174:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49221 -> 194.58.112.174:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49223 -> 52.58.78.16:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49223 -> 52.58.78.16:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49223 -> 52.58.78.16:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49231 -> 75.2.115.196:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49231 -> 75.2.115.196:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49231 -> 75.2.115.196:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 159.203.181.190:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 159.203.181.190:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 159.203.181.190:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 108.62.76.146:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 108.62.76.146:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 108.62.76.146:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49201 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49
TLSv1 192.168.56.101:49202 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49
TLSv1 192.168.56.101:49200 13.107.42.13:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=onedrive.com	24:8a:fb:ed:16:0d:11:c8:2f:65:3a:66:ca:f1:6f:60:ad:4c:cc:de

Snort Alerts

No Snort Alerts