NetWork | ZeroBOX

IP Address	Status	Action
108.170.14.102	Active	Moloch
164.124.101.2	Active	Moloch
170.130.13.86	Active	Moloch
172.120.106.61	Active	Moloch
192.0.78.25	Active	Moloch
195.110.124.133	Active	Moloch
45.39.212.162	Active	Moloch
63.250.43.7	Active	Moloch
91.136.8.131	Active	Moloch

Name	Response	Post-Analysis Lookup
www.discovercotswoldcottages.com	A 91.136.8.131	91.136.8.131
www.szyyglass.com	A 172.120.106.61	172.120.106.61
www.fis.photos	A 192.0.78.25 A 192.0.78.24 CNAME fis.photos	192.0.78.25
www.publicationsplace.com	A 108.170.14.102 CNAME emailforts.com	108.170.14.102
www.ahljsm.com	A 45.39.212.162	45.39.212.162
www.szesdkj.com	A 170.130.13.86	170.130.13.86
www.conquershirts.store	CNAME conquershirts.store A 195.110.124.133	195.110.124.133
www.goldsteelconstruction.com	A 63.250.43.7 A 63.250.43.8 CNAME goldsteelconstruction.com	63.250.43.7
www.geniuseven.net

TCP Requests

UDP Requests

GET 200 http://www.szesdkj.com/ef6c/?EZA4Dv=fLa1O6LgDU4JmATAWF+Un0DhSyi8xEXua0Xgw1gdYMhmHbBdgR9nT+JgCDSJbt7Dlll1cLDk&DzrLH=VBZHTpkXnn1TKz

GET 404 http://www.conquershirts.store/ef6c/?EZA4Dv=95iB74+m3m1QSa2Yie21q98JT48wC3F76MvrX9tv4DSLixTQWiFMLp60PgPoHI6cr/owSd7w&DzrLH=VBZHTpkXnn1TKz

GET 404 http://www.publicationsplace.com/ef6c/?EZA4Dv=69obzrOqqjyeWfIWJOBGpgM4gb/C38tuSyxXcmdwhPVCiSErrrcVtImRdCopiSdNHcaNy3Iv&DzrLH=VBZHTpkXnn1TKz

GET 301 http://www.goldsteelconstruction.com/ef6c/?EZA4Dv=+ynMDYrLpnTu4DfE9YT4eJW6S19U/jXmPWBe5dZQ+v1t/rZPvFp+0gZRwCHmFKY3Fyif9Dcg&DzrLH=VBZHTpkXnn1TKz

GET 200 http://www.ahljsm.com/ef6c/?EZA4Dv=IVc4rtgM9gra+fG0jQBU9em9uNea1MXNkTy/UnYOuL+WBS8ayE+K1GAK8aa2SvCjoWspa1ZS&DzrLH=VBZHTpkXnn1TKz

GET 200 http://www.szyyglass.com/ef6c/?EZA4Dv=WJZ/PBlgU2sqxbhuKWSW0gAF450CRpcifwWN2Hn02+HJZd2OB2qk7jd6844pcDa/ZUIS0tAu&DzrLH=VBZHTpkXnn1TKz

GET 301 http://www.fis.photos/ef6c/?EZA4Dv=iVGcxgJZg7dDdqnpGvHyDNlE3XmNDIFvU6VDaZ8nDL6WJmv+1asF/xEbeuA1UUYS6lydoag+&DzrLH=VBZHTpkXnn1TKz

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49167 -> 195.110.124.133:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 170.130.13.86:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 195.110.124.133:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 170.130.13.86:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 195.110.124.133:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 170.130.13.86:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 45.39.212.162:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 45.39.212.162:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 45.39.212.162:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 172.120.106.61:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 172.120.106.61:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 172.120.106.61:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 108.170.14.102:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 108.170.14.102:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 108.170.14.102:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 192.0.78.25:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 192.0.78.25:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 192.0.78.25:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 63.250.43.7:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 63.250.43.7:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 63.250.43.7:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts