NetWork | ZeroBOX

IP Address	Status	Action
142.111.47.2	Active	Moloch
147.255.162.204	Active	Moloch
160.124.11.194	Active	Moloch
163.44.239.73	Active	Moloch
164.124.101.2	Active	Moloch
23.227.38.74	Active	Moloch
23.82.57.32	Active	Moloch
34.102.136.180	Active	Moloch
52.20.84.62	Active	Moloch

Name	Response	Post-Analysis Lookup
www.3cheer.com	CNAME 3cheer.com A 34.102.136.180	34.102.136.180
www.lucytime.com	A 160.124.11.194	160.124.11.194
www.ruhexuangou.com	A 23.82.57.32	23.82.57.32
www.essentiallyourscandles.com	CNAME shops.myshopify.com CNAME essentially-yours-candles-by-taylor.myshopify.com A 23.227.38.74	23.227.38.74
www.balloon-artists.com	A 147.255.162.204	147.255.162.204
www.adultpeace.com	CNAME adultpeace.com A 163.44.239.73	163.44.239.73
www.aideliveryrobot.com	A 52.20.84.62	52.20.84.62
www.iotcloud.technology	A 34.102.136.180 CNAME iotcloud.technology	34.102.136.180
www.yunlimall.com	A 142.111.47.2	142.111.47.2

TCP Requests

UDP Requests

POST 0 http://www.yunlimall.com/p2io/

GET 200 http://www.yunlimall.com/p2io/?vh=FG8u3oFYMEksByvCNClu9ACxgqrSnZ6gPOMyaYsdv+YEYVVrg2Qkx51ZmTmiwfcSVwhsWZbW&Sj=CpCLU6p

POST 0 http://www.lucytime.com/p2io/

GET 0 http://www.lucytime.com/p2io/?vh=Ymn5WmwLC00z4pVZK6ihuPaaOKCT+v+tuyygdx+oVo/PHq8Kcnnt5pAnbMy7+QY4AB/111t7&Sj=CpCLU6p

POST 405 http://www.iotcloud.technology/p2io/

GET 403 http://www.iotcloud.technology/p2io/?vh=L/l9chWQ9dl2ZFWb8vVro19pFM6JqqsPd4ppl3EKhtG9qh305X+eskSv5sG7vGkNeAZDxwTr&Sj=CpCLU6p

POST 0 http://www.essentiallyourscandles.com/p2io/

GET 403 http://www.essentiallyourscandles.com/p2io/?vh=tOwaJov3Qh/So8Abi3+vLu8KpTdHs2Vuljr6rtQHuYg94Ec45hj5yXZ1J0+xHcOVWF/IMli4&Sj=CpCLU6p

POST 405 http://www.3cheer.com/p2io/

GET 403 http://www.3cheer.com/p2io/?vh=hDwxgnCzatE5+wdV9NFToL98ekU0apx9FaU6+ccHPOP6vOP89MFb32Jn1B2/14jOCK3bXPvO&Sj=CpCLU6p

POST 0 http://www.ruhexuangou.com/p2io/

GET 200 http://www.ruhexuangou.com/p2io/?vh=WkKybY+GL5E6d0NB6hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFcselLWyxf3h/8OpmW/H&Sj=CpCLU6p

POST 0 http://www.balloon-artists.com/p2io/

GET 0 http://www.balloon-artists.com/p2io/?vh=/DMwn9vRv8pPZran9syYwdBt6sFcRXVvVa9RfefW4qtbzd0YMa9UIXTiu4mlEuUVWx6wVl8M&Sj=CpCLU6p

POST 301 http://www.adultpeace.com/p2io/

GET 301 http://www.adultpeace.com/p2io/?vh=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&Sj=CpCLU6p

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49211 -> 23.227.38.74:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 23.227.38.74:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 23.227.38.74:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 147.255.162.204:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 147.255.162.204:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 147.255.162.204:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 160.124.11.194:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 160.124.11.194:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 160.124.11.194:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 142.111.47.2:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 142.111.47.2:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 142.111.47.2:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 23.82.57.32:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 23.82.57.32:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 23.82.57.32:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 163.44.239.73:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 163.44.239.73:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 163.44.239.73:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts