NetWork | ZeroBOX

IP Address	Status	Action
164.124.101.2	Active	Moloch
18.215.128.143	Active	Moloch
198.54.117.211	Active	Moloch
209.99.40.222	Active	Moloch
34.102.136.180	Active	Moloch
34.98.99.30	Active	Moloch
58.64.137.69	Active	Moloch

Name	Response	Post-Analysis Lookup
www.thechikspot.com	A 209.99.40.222	209.99.40.222
www.centerforcommonground.com	CNAME centerforcommonground.com A 34.102.136.180	34.102.136.180
www.snowbirdsrus.com	CNAME snowbirdsrus.com A 34.102.136.180	34.102.136.180
www.michaelhavemeyer.com	CNAME michaelhavemeyer.com A 34.98.99.30	34.98.99.30
www.dogloveya.com	A 198.54.117.218 A 198.54.117.216 A 198.54.117.217 CNAME parkingpage.namecheap.com A 198.54.117.215 A 198.54.117.212 A 198.54.117.210 A 198.54.117.211	198.54.117.218
www.carlsbadbeachwear.com
www.hasanmedicalservice.com	A 209.99.40.222	209.99.40.222
www.plucknplace.com	A 18.215.128.143 A 52.4.209.250 A 18.213.250.117	18.213.250.117
www.card05pay.site	A 58.64.137.69	58.64.137.69

TCP Requests

UDP Requests

GET 200 http://www.thechikspot.com/imi7/?yh3pw8MP=jfKrbmqtKIROC3jopnAexMxZvl6PPYgwjS2bdZjPmKFEaqZDOvTGYe16sPKJ4BMCd6t9dzlO&Tj=CpCL

GET 0 http://www.dogloveya.com/imi7/?yh3pw8MP=T9Hn1ejqmupgNID7LSmEzzyeQuqG+1BC5C+znv1UgT+8/r2oBOZwduZwY3jpIqhQKVmA5iEm&Tj=CpCL

GET 404 http://www.card05pay.site/imi7/?yh3pw8MP=nSaRJKeZecJidfWP+63vuBEL2RmhvFlJwjcN95OObN9p2Rvebmagz5JzwepqmCP3yFpdjwAH&Tj=CpCL

GET 403 http://www.michaelhavemeyer.com/imi7/?yh3pw8MP=dGxYOlUZEb8CdsQ8nc6zI4yoFv4614+15rcfthsf6tIOfVvWhpCfc0EcQqsOm3j1ib7D3Pg9&Tj=CpCL

GET 200 http://www.plucknplace.com/imi7/?yh3pw8MP=gZAQBlns3fHfYlT2vm4W/qy6vp010Mj1FdyDzNui+FDZWIHfJokhWsVo88cHConYgvYgNcLO&Tj=CpCL

GET 403 http://www.snowbirdsrus.com/imi7/?yh3pw8MP=iRpoU8uFUSqXL+AxSdTxwNNnuXFsoIJYx/BxEip71OfgOL+fpxLcDN9rZqDy4xW1QCzoPaNO&Tj=CpCL

GET 200 http://www.hasanmedicalservice.com/imi7/?yh3pw8MP=36a/pWAUo31W6XoGvo/EFTJaRW8hdP7wY8dwAf89+AmPJeYNnKnA1bZm+urrEDalaZ6CShBz&Tj=CpCL

GET 403 http://www.centerforcommonground.com/imi7/?yh3pw8MP=YIJxH2qMsszJDWRat1FWAyyBgkCetiUnfSIgxqU4fMzgZJb49d9IfvA+Tkx18KDkxz1oCxjg&Tj=CpCL

ICMP traffic

Source	Destination	ICMP Type	Data
192.168.56.102	164.124.101.2	3

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49170 -> 34.98.99.30:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 34.98.99.30:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 34.98.99.30:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 58.64.137.69:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 58.64.137.69:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 58.64.137.69:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 209.99.40.222:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 209.99.40.222:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 209.99.40.222:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 198.54.117.211:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 198.54.117.211:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 198.54.117.211:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 18.215.128.143:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 18.215.128.143:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 18.215.128.143:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 209.99.40.222:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 209.99.40.222:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 209.99.40.222:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts