NetWork | ZeroBOX

IP Address	Status	Action
104.16.13.194	Active	Moloch
156.237.130.173	Active	Moloch
163.44.239.73	Active	Moloch
164.124.101.2	Active	Moloch
172.67.138.177	Active	Moloch
198.54.117.215	Active	Moloch
74.220.199.8	Active	Moloch
99.83.154.118	Active	Moloch

Name	Response	Post-Analysis Lookup
www.fuhaitongxin.com	A 156.237.130.173	156.237.130.173
www.cyrilgraze.com	A 172.67.138.177 A 104.21.65.7	172.67.138.177
www.defenestration.world	A 99.83.154.118	99.83.154.118
www.cmannouncements.com	A 74.220.199.8	74.220.199.8
www.procircleacademy.com	CNAME target.clickfunnels.com A 104.16.13.194 A 104.16.14.194 A 104.16.15.194 A 104.16.16.194 A 104.16.12.194	104.16.12.194
www.adultpeace.com	CNAME adultpeace.com A 163.44.239.73	163.44.239.73
www.m678.xyz
www.boogerstv.com	CNAME parkingpage.namecheap.com A 198.54.117.215 A 198.54.117.212 A 198.54.117.216 A 198.54.117.210 A 198.54.117.218 A 198.54.117.217 A 198.54.117.211	198.54.117.210

TCP Requests

UDP Requests

POST 0 http://www.defenestration.world/p2io/

GET 403 http://www.defenestration.world/p2io/?ETYPCTH=lrOqxb+TUC8Po5HmYZ1tkMjkgx31NOkXgmck/5zOeb61pSaxp+mpU5HJ8/bv+r3dcUpLXcCA&VRfXx=00GP1JE0pz-tHNA0

POST 0 http://www.fuhaitongxin.com/p2io/

GET 404 http://www.fuhaitongxin.com/p2io/?ETYPCTH=CqJktM7UGR26O9R1i2rMnV6ue2YAEq5Rd3PPV6e4Hl6CDdUsDohA0iBr0JiOXGWnot9DaOMs&VRfXx=00GP1JE0pz-tHNA0

POST 0 http://www.cyrilgraze.com/p2io/

GET 301 http://www.cyrilgraze.com/p2io/?ETYPCTH=PONkgH6OT+IdHpvpbj4YyU3gBn/U0y1OFS1Y8BXnr3YdY2x3tUozsMLieTk0sG+frQWfUBsy&VRfXx=00GP1JE0pz-tHNA0

POST 301 http://www.adultpeace.com/p2io/

GET 301 http://www.adultpeace.com/p2io/?ETYPCTH=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&VRfXx=00GP1JE0pz-tHNA0

POST 405 http://www.boogerstv.com/p2io/

GET 0 http://www.boogerstv.com/p2io/?ETYPCTH=fW2NkW2hr8hPz8wwd/m+egXTc5dWq8qtohIQX9xRv3Snfsyr1ZmLXS10rFsoitOMGqtVMq3V&VRfXx=00GP1JE0pz-tHNA0

POST 0 http://www.cmannouncements.com/p2io/

GET 200 http://www.cmannouncements.com/p2io/?ETYPCTH=wzEdtbrAF/I1cRkF/h093gtD2EzP1yO8zPBZTUdll922Z1OUYyEpwi72EGdxEgGIGaDMgw4G&VRfXx=00GP1JE0pz-tHNA0

POST 0 http://www.procircleacademy.com/p2io/

GET 302 http://www.procircleacademy.com/p2io/?ETYPCTH=tgVoMP8jv8oJh0LH0MPWwDnGYGbnfEGTJ+yRL/Ijcc1+MHyU0MyQxKIFLUwq3WzUPcz2/uvN&VRfXx=00GP1JE0pz-tHNA0

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:62324 -> 164.124.101.2:53	2027870	ET INFO Observed DNS Query to .world TLD	Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 172.67.138.177:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 172.67.138.177:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 172.67.138.177:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 99.83.154.118:80	2027879	ET INFO HTTP Request to Suspicious *.world Domain	Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 99.83.154.118:80	2027879	ET INFO HTTP Request to Suspicious *.world Domain	Potentially Bad Traffic
TCP 192.168.56.101:49203 -> 99.83.154.118:80	2027879	ET INFO HTTP Request to Suspicious *.world Domain	Potentially Bad Traffic
TCP 192.168.56.101:49216 -> 104.16.13.194:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 104.16.13.194:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 104.16.13.194:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 99.83.154.118:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 99.83.154.118:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 99.83.154.118:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 99.83.154.118:80	2027879	ET INFO HTTP Request to Suspicious *.world Domain	Potentially Bad Traffic
TCP 192.168.56.101:49214 -> 74.220.199.8:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 74.220.199.8:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 74.220.199.8:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 156.237.130.173:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 156.237.130.173:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 156.237.130.173:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 198.54.117.215:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 198.54.117.215:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 198.54.117.215:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 163.44.239.73:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 163.44.239.73:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 163.44.239.73:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts