NetWork | ZeroBOX

Network Analysis

HTTP traffic

Method Status URL
GET 200 https://iplis.ru/1S2Qs7
GET 200 https://iplis.ru/favicon.ico
GET 200 https://ipinfo.io/country
GET 403 https://ipqualityscore.com/api/json/ip/gp65l99h87k3l1g0owh8fr8v99dme/175.208.134.150
GET 200 https://iplogger.com/1ESxy7
GET 302 https://jom.diregame.live/userf/2203/gdgame.exe
GET 200 https://d.dirdgame.live/userf/2203/3cc0e0be954dc849581f9ff1817647de.exe
POST 200 https://a.upstloans.net/report7.4.php
POST 200 https://b.upstloans.net/report7.4.php
POST 200 https://a.upstloans.net/report7.4.php
POST 200 https://a.upstloans.net/report7.4.php
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
GET 200 https://bitbucket.org/Sanctam/sanctam/raw/6886fdce0f0a2bb81eece107d8acbd20b349ca2f/includes/ethminer
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
POST 200 https://collect.installeranalytics.com/
GET 302 http://ipinfo.io/country
GET 200 http://ipinfo.io/ip
HEAD 200 http://2551889d-a2db-4908-a9a2-6b0fab0a7a78.s3.eu-west-2.amazonaws.com/SmartPDF/SmartPDF.exe
GET 200 http://2551889d-a2db-4908-a9a2-6b0fab0a7a78.s3.eu-west-2.amazonaws.com/SmartPDF/SmartPDF.exe
GET 200 http://ipinfo.io/ip
GET 200 http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
GET 200 http://ip-api.com/json/?fields=8198
GET 200 http://crl.identrust.com/DSTROOTCAX3CRL.crl
GET 200 http://ip-api.com/json/?fields=8198
GET 200 http://ip-api.com/json/?fields=8198
GET 200 http://ip-api.com/json/?fields=8198

ICMP traffic

Source Destination ICMP Type Data
192.168.56.102 164.124.101.2 3
192.168.56.102 34.97.69.225 3
192.168.56.102 34.97.69.225 3
192.168.56.102 34.97.69.225 3
192.168.56.102 34.97.69.225 3
192.168.56.102 34.97.69.225 3
192.168.56.102 34.97.69.225 3
192.168.56.102 34.97.69.225 3

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49171 -> 88.99.66.31:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49180 -> 88.99.66.31:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49174 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49174 -> 34.117.59.81:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 34.117.59.81:443 -> 192.168.56.102:49174 2025330 ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49192 -> 172.67.148.61:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49176 -> 104.26.3.60:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49184 -> 104.21.65.45:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 52.95.148.158:80 -> 192.168.56.102:49178 2013414 ET POLICY Executable served from Amazon S3 Potentially Bad Traffic
TCP 52.95.148.158:80 -> 192.168.56.102:49178 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49173 -> 34.117.59.81:80 2020716 ET POLICY Possible External IP Lookup ipinfo.io Device Retrieving External IP Address Detected
TCP 192.168.56.102:49170 -> 88.99.66.31:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49173 -> 34.117.59.81:80 2020716 ET POLICY Possible External IP Lookup ipinfo.io Device Retrieving External IP Address Detected
TCP 192.168.56.102:49173 -> 34.117.59.81:80 2020716 ET POLICY Possible External IP Lookup ipinfo.io Device Retrieving External IP Address Detected
TCP 192.168.56.102:49187 -> 172.67.186.79:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49182 -> 72.167.225.156:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 117.18.232.200:443 -> 192.168.56.102:49205 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49206 -> 117.18.232.200:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49204 -> 117.18.232.200:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49203 -> 117.18.232.200:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 117.18.232.200:443 -> 192.168.56.102:49208 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49226 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49232 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49210 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.102:49248 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49202 -> 117.18.232.200:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49210 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.102:49210 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.102:49222 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49221 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49224 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49210 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.102:49228 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49223 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49238 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49225 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49239 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49233 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49242 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49234 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49237 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49245 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49227 -> 185.65.135.234:58899 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49229 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49230 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49231 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49235 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49236 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49219 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49244 -> 104.192.141.1:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49240 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49241 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49243 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49247 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49246 -> 3.232.36.43:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.102:49171 -> 88.99.66.31:443 C=US, O=Let's Encrypt, CN=R3 CN=iplogger.com 01:03:e9:82:3a:f4:6d:5a:7f:e9:29:26:08:3c:f4:61:a7:b2:88:bb
TLSv1 192.168.56.102:49180 -> 88.99.66.31:443 C=US, O=Let's Encrypt, CN=R3 CN=iplogger.com 01:03:e9:82:3a:f4:6d:5a:7f:e9:29:26:08:3c:f4:61:a7:b2:88:bb
TLSv1 192.168.56.102:49174 -> 34.117.59.81:443 C=US, O=Google Trust Services LLC, CN=GTS CA 1D4 CN=ipinfo.io 9b:8a:7e:73:93:70:47:e8:1f:ef:b1:b9:f4:52:8b:2f:90:2c:85:2e
TLSv1 192.168.56.102:49192 -> 172.67.148.61:443 C=US, O=Let's Encrypt, CN=R3 CN=*.boys4dayz.com 63:06:25:8c:e0:e5:22:17:08:5c:57:74:d1:bf:13:5d:b5:e9:a1:fb
TLSv1 192.168.56.102:49176 -> 104.26.3.60:443 C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com f5:72:da:40:bf:be:27:7c:72:0c:5c:e2:dd:f4:22:7a:4d:b1:41:14
TLSv1 192.168.56.102:49184 -> 104.21.65.45:443 C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 4d:09:7a:e7:f4:eb:aa:0d:0f:42:0e:b4:5e:97:1b:e4:c3:c3:87:e8
TLSv1 192.168.56.102:49170 -> 88.99.66.31:443 C=US, O=Let's Encrypt, CN=R3 CN=iplogger.com 01:03:e9:82:3a:f4:6d:5a:7f:e9:29:26:08:3c:f4:61:a7:b2:88:bb
TLSv1 192.168.56.102:49187 -> 172.67.186.79:443 C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 03:d2:a2:92:7c:46:a9:cd:c3:c5:28:a5:f9:58:f1:b1:21:82:30:fa
TLSv1 192.168.56.102:49211 -> 172.67.179.248:443 C=US, O=Let's Encrypt, CN=R3 CN=*.upstloans.net 12:ed:3c:4a:ff:c2:a1:8d:83:7a:48:18:92:32:52:dc:a3:6f:83:f7
TLSv1 192.168.56.102:49226 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49232 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49248 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49221 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49222 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49216 -> 104.21.31.210:443 C=US, O=Let's Encrypt, CN=R3 CN=*.upstloans.net 12:ed:3c:4a:ff:c2:a1:8d:83:7a:48:18:92:32:52:dc:a3:6f:83:f7
TLSv1 192.168.56.102:49224 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49218 -> 172.67.179.248:443 None None None
TLSv1 192.168.56.102:49228 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49223 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49238 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49225 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49239 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49233 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49242 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49234 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49237 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49245 -> 3.232.36.43:443 None None None
TLS 1.2 192.168.56.102:49227 -> 185.65.135.234:58899 C=US, O=Let's Encrypt, CN=R3 CN=sanctam.net 38:bc:f2:94:62:8a:02:9e:90:64:d5:0f:bc:00:83:12:36:86:2c:2a
TLSv1 192.168.56.102:49229 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49230 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49231 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49235 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49236 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49220 -> 172.67.179.248:443 None None None
TLS 1.2 192.168.56.102:49244 -> 104.192.141.1:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA unknown=Private Organization, unknown=US, unknown=Delaware, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., OU=Bitbucket, CN=bitbucket.org 4e:6a:4c:3b:82:15:ef:df:97:38:5e:50:ef:b9:86:42:84:3b:89:f0
TLSv1 192.168.56.102:49219 -> 3.232.36.43:443 C=US, O=Amazon, OU=Server CA 1B, CN=Amazon CN=installeranalytics.com 46:bc:d9:e4:bb:04:00:59:99:29:4c:3b:84:9e:82:d6:3c:62:8d:2b
TLSv1 192.168.56.102:49240 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49241 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49243 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49247 -> 3.232.36.43:443 None None None
TLSv1 192.168.56.102:49246 -> 3.232.36.43:443 None None None

Snort Alerts

No Snort Alerts