popup
NetWork | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Network Analysis

Download pcap
Hosts 5 DNS 3 TCP 4 UDP 9 HTTP(S) 5 ICMP 0 IRC 0 Suricata Snort
IP Address Status Action
13.107.42.12 Active Moloch
13.107.42.13 Active Moloch
164.124.101.2 Active Moloch
185.189.112.27 Active Moloch
192.227.158.111 Active Moloch
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21106&authkey=ABWUN04e3lg3neg
REQUEST
RESPONSE
BODY 

            

        


    



        
            

    
        GET
        
        200
        https://zya3ig.sn.files.1drv.com/y4mhGDkKmL3VDLSUrEWHAJjnel-AVhbdeVNYyQnBqeWWrlxrQZ9NszEAsvT8XGLPe7mkz9QTC2UI2gLMghScHsnFP_Z6_KMpHHOIsKBYLdy8Z_oB67tIlMC6eqSbrKMSaRvkdLdJNSecdujzF4iBhESi-AinVSWep0qzarT4IY-QFmPWqsXK9v3smoVL9-Ky_SUCQSiGojuKkheE7LkfMcRgw/Boplulwvphysvkdwcittsyporhfrcui?download&psid=1
        
    
    


        

            

                
 REQUEST

                

                    
                    
                

            

            

                
 RESPONSE

                

                    
                    
                

            

        


        

            

                 BODY
                
            

            

                

            

        


    



        
            

    
        GET
        
        302
        https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21106&authkey=ABWUN04e3lg3neg
        
    
    


        

            

                
 REQUEST

                

                    
                    
                

            

            

                
 RESPONSE

                

                    
                    
                

            

        


        

            

                 BODY
                
            

            

                

            

        


    



        
            

    
        GET
        
        200
        https://zya3ig.sn.files.1drv.com/y4mOTz_QAR6NiYt2v34fuSPi5mluFwXvFkGg8tgtdufNHC3Zp9FIYVKG-COsmBXTAwBxjc8xosZ0KnX7YbZwmx2gL8VpE8j5-03OKW0BG2tczyDzTjZtpuri4UXT7gVUL5_4LtiWlB8bzeQv8EGyVBirb0QKQzgVoopEqx_2Y5-ilTcGCMR2XMNsrjj0y-XdrvdZ12IIfBEs2MBrH5lxUUseg/Boplulwvphysvkdwcittsyporhfrcui?download&psid=1
        
    
    


        

            

                
 REQUEST

                

                    
                    
                

            

            

                
 RESPONSE

                

                    
                    
                

            

        


        

            

                 BODY
                
            

            

                

            

        


    



        
        
            

    
        GET
        
        200
        http://192.227.158.111/credit.exe
        
    
    


        

            

                
 REQUEST

                

                    
                    
                

            

            

                
 RESPONSE

                

                    
                    
                

            

        


        

            

                 BODY
                
            

            

                

            

        


    



        
	




                            
ICMP traffic



No ICMP traffic performed.



                            
IRC traffic



No IRC requests performed.



                            
Suricata Alerts


    

        

            Flow
            SID
            Signature
            Category
        

        
        

            
                TCP
                192.168.56.102:49166 ->
                192.227.158.111:80
            
            2016141
            ET INFO Executable Download from dotted-quad Host
            A Network Trojan was detected
        

        
        

            
                TCP
                192.168.56.102:49169 ->
                13.107.42.13:443
            
            906200056
            SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
            undefined
        

        
        

            
                TCP
                192.168.56.102:49171 ->
                13.107.42.12:443
            
            906200056
            SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
            undefined
        

        
        

            
                TCP
                192.168.56.102:49170 ->
                13.107.42.12:443
            
            906200056
            SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
            undefined
        

        
        

            
                TCP
                192.227.158.111:80 ->
                192.168.56.102:49166
            
            2018959
            ET POLICY PE EXE or DLL Windows file download HTTP
            Potential Corporate Privacy Violation
        

        
        

            
                TCP
                192.227.158.111:80 ->
                192.168.56.102:49166
            
            2016538
            ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
            Potentially Bad Traffic
        

        
        

            
                TCP
                192.227.158.111:80 ->
                192.168.56.102:49166
            
            2021076
            ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
            Potentially Bad Traffic
        

        
    




Suricata TLS


    

        

            Flow
            Issuer
            Subject
            Fingerprint
        

        
        

            
                TLSv1 

                192.168.56.102:49169 

                13.107.42.13:443
            		
            C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02
            CN=onedrive.com
            24:8a:fb:ed:16:0d:11:c8:2f:65:3a:66:ca:f1:6f:60:ad:4c:cc:de
        

        
        

            
                TLSv1 

                192.168.56.102:49171 

                13.107.42.12:443
            		
            C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02
            C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com
            77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49
        

        
        

            
                TLSv1 

                192.168.56.102:49170 

                13.107.42.12:443
            		
            C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02
            C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com
            77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49
        

        
    





                            
Snort Alerts


    
No Snort Alerts