NetWork | ZeroBOX

IP Address	Status	Action
104.21.84.71	Active	Moloch
156.231.25.88	Active	Moloch
164.124.101.2	Active	Moloch
198.54.117.216	Active	Moloch
199.59.242.153	Active	Moloch
23.82.12.30	Active	Moloch
31.13.83.16	Active	Moloch
34.102.136.180	Active	Moloch

Name	Response	Post-Analysis Lookup
www.gaigoilaocai.com	A 104.21.84.71 A 172.67.187.204	172.67.187.204
www.333s998.com	A 31.13.83.16	108.160.169.175
www.thetravellingwitch.com	A 23.82.12.30	23.82.12.30
www.peak-valleyadvertising.com	CNAME peak-valleyadvertising.com A 34.102.136.180	34.102.136.180
www.pon.xyz	CNAME 71822.bodis.com A 199.59.242.153	199.59.242.153
www.hk6628.com	A 34.102.136.180 CNAME hk6628.com	34.102.136.180
www.frystmor.city	A 198.54.117.218 A 198.54.117.216 A 198.54.117.217 CNAME parkingpage.namecheap.com A 198.54.117.215 A 198.54.117.212 A 198.54.117.210 A 198.54.117.211	198.54.117.211
www.cuadorcoast.com	A 156.231.25.88	156.231.25.88

TCP Requests

UDP Requests

POST 0 http://www.thetravellingwitch.com/wufn/

GET 302 http://www.thetravellingwitch.com/wufn/?uZhPcRQ=SkZZDimVFNr5ByBNwXdupEC24fazy/RNnO17U5xCKPPDvCtbTF67loPH83UjHGCD+yr52EUp&U4kp=Ntx4ZRIXOr7dPRJ

POST 405 http://www.frystmor.city/wufn/

GET 0 http://www.frystmor.city/wufn/?uZhPcRQ=eWg3OYora75B6Z+tLCzm5f6Ri2Qy6T4wPAbOFkNyDPrqSJvJlKf467sJrNVRbgaUTepkudSS&U4kp=Ntx4ZRIXOr7dPRJ

POST 405 http://www.hk6628.com/wufn/

GET 403 http://www.hk6628.com/wufn/?uZhPcRQ=Mbz3eb2htBuwJm9my9qYpH4UWvi7L1jn54VVewVZerqVccc7GhECZ0+c8NYoPjvN/okzts0t&U4kp=Ntx4ZRIXOr7dPRJ

POST 400 http://www.333s998.com/wufn/

GET 400 http://www.333s998.com/wufn/?uZhPcRQ=VTesff5V8BaVQfct7ufB+ZGDNoZjfYL94mUu5cNf67hmTMf3dCw98cZx4Ykp6QvQWnzQdmMu&U4kp=Ntx4ZRIXOr7dPRJ

POST 405 http://www.peak-valleyadvertising.com/wufn/

GET 403 http://www.peak-valleyadvertising.com/wufn/?uZhPcRQ=FgzG7Qx2bDHQRqzBshosqp2KyuZ4BKgjCPQpIPsUZT2saqt6xf80CxpLR0Dj1LrdceOnKHHp&U4kp=Ntx4ZRIXOr7dPRJ

POST 0 http://www.gaigoilaocai.com/wufn/

GET 301 http://www.gaigoilaocai.com/wufn/?uZhPcRQ=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&U4kp=Ntx4ZRIXOr7dPRJ

POST 0 http://www.pon.xyz/wufn/

GET 200 http://www.pon.xyz/wufn/?uZhPcRQ=TjHmMFEWoC7f3AvZD4fy73K0u4EyZw5fKqkeqDjs9aj0G9oQA4BDCe56sbMIcecYmi82gg8d&U4kp=Ntx4ZRIXOr7dPRJ

POST 0 http://www.cuadorcoast.com/wufn/

GET 0 http://www.cuadorcoast.com/wufn/?uZhPcRQ=kYzY+WOATOJvl0LGKoTI9L4ky9M8/RXPaPgWsg9EorAZ9N2DAW9xe5TyjlQCxAJLBvRqjfNR&U4kp=Ntx4ZRIXOr7dPRJ

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49217 -> 156.231.25.88:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 156.231.25.88:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 156.231.25.88:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 31.13.83.16:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 31.13.83.16:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 31.13.83.16:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 199.59.242.153:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 199.59.242.153:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 199.59.242.153:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 199.59.242.153:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49203 -> 23.82.12.30:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 23.82.12.30:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 23.82.12.30:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 198.54.117.216:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 198.54.117.216:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 198.54.117.216:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 104.21.84.71:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 104.21.84.71:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 104.21.84.71:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts