NetWork | ZeroBOX

IP Address	Status	Action
142.250.204.83	Active	Moloch
164.124.101.2	Active	Moloch
192.0.78.24	Active	Moloch
194.9.94.85	Active	Moloch
198.54.117.211	Active	Moloch
198.54.117.244	Active	Moloch
35.186.238.101	Active	Moloch
45.39.212.162	Active	Moloch
91.136.8.131	Active	Moloch

Name	Response	Post-Analysis Lookup
www.discovercotswoldcottages.com	A 91.136.8.131	91.136.8.131
www.brondairy.com
www.fis.photos	A 192.0.78.25 A 192.0.78.24 CNAME fis.photos	192.0.78.25
www.narbaal.com	A 198.54.117.218 A 198.54.117.216 A 198.54.117.217 CNAME parkingpage.namecheap.com A 198.54.117.215 A 198.54.117.212 A 198.54.117.210 A 198.54.117.211	198.54.117.218
www.ahljsm.com	A 45.39.212.162	45.39.212.162
www.csspadding.com
www.gaminghallarna.net	A 194.9.94.86 A 194.9.94.85	194.9.94.85
www.softandcute.store
www.satellitphonestore.com	A 35.186.238.101	35.186.238.101
www.redelirevearyseuiop.xyz	A 198.54.117.244	198.54.117.244
www.vngc.xyz	CNAME ghs.google.com A 142.250.204.83	216.58.220.115

TCP Requests

UDP Requests

POST 0 http://www.ahljsm.com/ef6c/

GET 200 http://www.ahljsm.com/ef6c/?Jdvd=IVc4rtgM9gra+fG0jQBU9em9uNea1MXNkTy/UnYOuL+WBS8ayE+K1GAK8aa2SvCjoWspa1ZS&nbiHFd=R2Mxt

POST 0 http://www.discovercotswoldcottages.com/ef6c/

GET 403 http://www.discovercotswoldcottages.com/ef6c/?Jdvd=BIDo9GBbq26+tRTULeHAa20kRn4DZ7/ZgIW2IC+7vRIIeELykZIx4inPOl/SIZLSvHjtcUe3&nbiHFd=R2Mxt

POST 405 http://www.vngc.xyz/ef6c/

GET 301 http://www.vngc.xyz/ef6c/?Jdvd=wSkjLUNz9KMnKLEpTJsPicKZ1kuS/lhbyPtlijpm6RS6Gnr6JEITfVGplX7ZAvxV+33Wr+ZN&nbiHFd=R2Mxt

POST 301 http://www.fis.photos/ef6c/

GET 301 http://www.fis.photos/ef6c/?Jdvd=iVGcxgJZg7dDdqnpGvHyDNlE3XmNDIFvU6VDaZ8nDL6WJmv+1asF/xEbeuA1UUYS6lydoag+&nbiHFd=R2Mxt

POST 0 http://www.redelirevearyseuiop.xyz/ef6c/

GET 0 http://www.redelirevearyseuiop.xyz/ef6c/?Jdvd=+zggs108Zt88mF3I15I6Vl7MIKEVgTDkllssvVc7oGo+vC3UJFm7tcArJeeO3BpO4YdkYwbo&nbiHFd=R2Mxt

POST 405 http://www.narbaal.com/ef6c/

GET 0 http://www.narbaal.com/ef6c/?Jdvd=Qfq1eVj1tbY6wk2fC6TNcABTYUkfKUx3lN3xLkopolv8k3yEzrfjTRmV/Ar6z0XOJR0dF2R8&nbiHFd=R2Mxt

POST 0 http://www.gaminghallarna.net/ef6c/

GET 200 http://www.gaminghallarna.net/ef6c/?Jdvd=klh7vGPfywtzHDqBe0mXtw9R4RUvLJCc3Nh/2lv7lW0muO/R44RuNcsYgcRk+/HbCIQeLGan&nbiHFd=R2Mxt

POST 405 http://www.satellitphonestore.com/ef6c/

GET 403 http://www.satellitphonestore.com/ef6c/?Jdvd=2HQYiK3SqCAOAD8t1I4UDgwc9i5WnuBSVk/U/jy+BINbcOU7l/xUqscit0kTEHSPOQww5Ion&nbiHFd=R2Mxt

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49206 -> 91.136.8.131:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 91.136.8.131:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 91.136.8.131:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 194.9.94.85:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 194.9.94.85:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 194.9.94.85:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 142.250.204.83:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 142.250.204.83:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 142.250.204.83:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 142.250.204.83:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49218 -> 35.186.238.101:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 35.186.238.101:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 35.186.238.101:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 198.54.117.244:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 198.54.117.244:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 198.54.117.244:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 198.54.117.244:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 45.39.212.162:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 45.39.212.162:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 45.39.212.162:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 192.0.78.24:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 192.0.78.24:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 192.0.78.24:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 198.54.117.211:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 198.54.117.211:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 198.54.117.211:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts