NetWork | ZeroBOX

Network Analysis

| IP Address | Status | Action |
|---|---|---|
| 142.250.204.83 | Active | Moloch |
| 163.44.239.72 | Active | Moloch |
| 164.124.101.2 | Active | Moloch |
| 34.102.136.180 | Active | Moloch |
| 34.98.99.30 | Active | Moloch |
| 54.36.145.173 | Active | Moloch |
HTTP requests

| Method | Status | URL |
|---|---|---|
| GET | 301 | http://www.yamano-ue.com/nthe/?Bb=OPSTabmmEXV1zVa1ryRuQq6A4ABGL5nerV70FY85LrvGP9kj1LcjL/YglTrk5au/rYBhTrYm&uTg4S=yVCTVb0X |
| GET | 403 | http://www.kankanlol.com/nthe/?Bb=cvH84XOE1Mc69dma6+LElktmjB8SWHOwfxyzVXpixFUMpSEf83XEW4B9ZBGynhTDB4YXkroJ&uTg4S=yVCTVb0X |
| GET | 301 | http://www.angelsmoonsexshop.com/nthe/?Bb=T5s/0fbgdl+MaeIuYdVOHRh9jCSGWhC3hP7gi/tBX2fjRLX1bb3e6M4tG92ag7ym3EbeFXtg&uTg4S=yVCTVb0X |
| GET | 403 | http://www.onpar-golf.com/nthe/?Bb=B6rYep0S73RNFmWsau/feA67U2SQJtGoCN7KN6fFlDVSMwI26b57ybOi0sWW5tf90o6VPCZy&uTg4S=yVCTVb0X |
| GET | 301 | http://www.menucoders.com/nthe/?Bb=2/6tfhI6PmzLXkibMbYMuhqxPUXSwPisEi/Yg6xjUm32Bq9HT7zDahDLd/hxqMxFYlEHT94T&uTg4S=yVCTVb0X |
| GET | 403 | http://www.hanlansmojitovillage.net/nthe/?Bb=54OfAHeNbwRIeCfiK96ZbDhctG36f6+/FiUzkHshmPfrtcl9VWH+3r9WBXmbjhC4FqUNXJfm&uTg4S=yVCTVb0X |
| GET | 403 | http://www.sprtnet.com/nthe/?Bb=iuhjL64HlYD5oaL8MtJSfYbzkjMORTvI821/9thXQYEXQWvmyYKnNoBIBvBP+GMkqvupGokD&uTg4S=yVCTVb0X |
| GET | 403 | http://www.thehendrixcollection.com/nthe/?Bb=qp5tTycjraYi6SJsXJzwoJew8M45iHa3mcoNtA6+f44Y1u07iGIt/R0L13x3Q7wmKkJP7e6a&uTg4S=yVCTVb0X |

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

| Protocol | Flow | SID | Signature | Category |
|---|---|---|---|---|
| TCP | 192.168.56.102:49171 -> 34.102.136.180:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49171 -> 34.102.136.180:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49171 -> 34.102.136.180:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49169 -> 34.102.136.180:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49169 -> 34.102.136.180:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49169 -> 34.102.136.180:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49173 -> 34.102.136.180:80 | 2221045 | SURICATA HTTP Unexpected Request body | Generic Protocol Command Decode |
| TCP | 192.168.56.102:49170 -> 142.250.204.83:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49170 -> 142.250.204.83:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49170 -> 142.250.204.83:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49168 -> 54.36.145.173:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49168 -> 54.36.145.173:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49168 -> 54.36.145.173:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 34.102.136.180:80 -> 192.168.56.102:49173 | 2221010 | SURICATA HTTP unable to match response to request | Generic Protocol Command Decode |
| TCP | 192.168.56.102:49172 -> 34.98.99.30:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49172 -> 34.98.99.30:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49172 -> 34.98.99.30:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49167 -> 34.98.99.30:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49167 -> 34.98.99.30:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49167 -> 34.98.99.30:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49166 -> 163.44.239.72:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49166 -> 163.44.239.72:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP | 192.168.56.102:49166 -> 163.44.239.72:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts