NetWork | ZeroBOX

Network Analysis

IP Address Status Action
13.107.42.12 Active Moloch
13.107.42.13 Active Moloch
164.124.101.2 Active Moloch
62.102.148.152 Active Moloch
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21128&authkey=AHwv5d2XqgZhJTg
REQUEST
RESPONSE
GET 200 https://a2ooiw.sn.files.1drv.com/y4m-DtusEGdlWhmlRB9W9DH3UrnVHV-LboxupN_yLq3KU4drRJETI9tgtkiUXtXaK5FqWdNquQhyxx9L_gwMLPJUY_k5XNap3ppghjTnPIUW47IPZ_7LmMTNgwxNhuipdELBpTC5ecx-Tgn_IjtpNErT657fkkX2jFJT_IDJQoqSSG2_v9bq7nuKh8C0RynsDJnNPeRRHVd2P8852lisgHDgg/Dhfjtcfiwqjptzsveipvvutmlisezrk?download&psid=1
REQUEST
RESPONSE
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21128&authkey=AHwv5d2XqgZhJTg
REQUEST
RESPONSE
GET 200 https://a2ooiw.sn.files.1drv.com/y4mE7XbSQXuZC9yYWp7AUZU0ZKgvmTacBuyD7WsIASM6IO9-p1TuQ8utdj6pKiooBRT7NSppFynY2HU1E7LUO7MTQprfN3i3jeghtE0I055rFBxTM0RGdo2IK0TDKRmgj68KbY9MMsf_ejwdv1lkwxXjAuH1OrWGGrYHCcD-ohf6XGb9Nv4UPD9_gKiMQXEj0jeN9Iazhno6ozmNeNyI-iWlg/Dhfjtcfiwqjptzsveipvvutmlisezrk?download&psid=1
REQUEST
RESPONSE

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49164 -> 13.107.42.13:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49165 -> 13.107.42.12:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49166 -> 13.107.42.12:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49164
13.107.42.13:443
C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 CN=onedrive.com 24:8a:fb:ed:16:0d:11:c8:2f:65:3a:66:ca:f1:6f:60:ad:4c:cc:de
TLSv1
192.168.56.102:49165
13.107.42.12:443
C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com 77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49
TLSv1
192.168.56.102:49166
13.107.42.12:443
C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com 77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49

Snort Alerts

No Snort Alerts