NetWork | ZeroBOX

IP Address	Status	Action
103.101.161.13	Active	Moloch
15.197.142.173	Active	Moloch
154.95.193.109	Active	Moloch
164.124.101.2	Active	Moloch
34.102.136.180	Active	Moloch
34.80.190.141	Active	Moloch
37.123.118.150	Active	Moloch
75.2.85.42	Active	Moloch
92.223.73.24	Active	Moloch

Name	Response	Post-Analysis Lookup
www.boraeresici.com	A 92.223.73.24 CNAME boraeresicicom.b-cdn.net	92.223.73.24
www.pinupcams.info
www.dwticket.com	A 154.95.193.109	154.95.193.109
www.big-food.biz	A 34.80.190.141 CNAME td-balancer-ae1-190-141.wixdns.net CNAME 47363d5c-balancer.wixdns.net CNAME www13.wixdns.net CNAME balancer.wixdns.net	34.80.190.141
www.babyfloki.tech
www.purodetalle.com
www.duocvietpharmacy.com	A 103.101.161.13 CNAME duocvietpharmacy.com	103.101.161.13
www.donerightcleaningnation.info	CNAME donerightcleaningnation.info A 34.102.136.180	34.102.136.180
www.royzoom.com	A 15.197.142.173 A 3.33.152.147 CNAME royzoom.com	3.33.152.147
www.hoedetamni.quest	A 37.123.118.150	37.123.118.150
www.hokozaki.com	A 75.2.85.42 A 99.83.196.71 CNAME hokozaki.com	75.2.85.42

TCP Requests

UDP Requests

GET 403 http://www.donerightcleaningnation.info/gab8/?RR=nJF/EarIVI5Qk4/nkKqB5E8nYaEjku2rKmG4yev569YVDjTCBnN42BpL3GUrnktlAcqJ5MJn&rP0xPb=8pMPQv

GET 0 http://www.boraeresici.com/gab8/?RR=C6SAXr8o/G/VasXP2qBsDB1rn5jVEpLr3WZGajDPG/enBmYnBlFkkW82TIheSrxSSIWa+io/&rP0xPb=8pMPQv

GET 404 http://www.big-food.biz/gab8/?RR=LyDWg/CbKx7XCNBvEg0eZR1cQLqXvz1qY5+JBDlT0r1TOlXYu0a/AMMMX2MSX+io67Q/a5cW&rP0xPb=8pMPQv

GET 403 http://www.hoedetamni.quest/gab8/?RR=Zf6VUcDX8pplrTFlSUrwMEMdRMHbm2PdB5lK9i72fbf3yYXitiZmAhqsEZoP0weDi8Lt5HBd&rP0xPb=8pMPQv

GET 404 http://www.dwticket.com/gab8/?RR=HOeYYU0SOE5oBEWYEJfQlPqAuMlhJCJqNltQQ8P1ZCsBwPVGflaZC0gWM6xtBsiq7k9qF/Iu&rP0xPb=8pMPQv

GET 403 http://www.hokozaki.com/gab8/?RR=9UqA4We6CmJOZtdlrtx8Ll2PAB5bY0fc2EBVlPc3Z1q0wA4JYe3Rllr0D4AWeYjh1yNqb1oO&rP0xPb=8pMPQv

GET 403 http://www.royzoom.com/gab8/?RR=ZIawR5WdNK8LsYg64y/ZuRppdufcVyCLEEhqXcgQhf+tR4phV0yge9w0mkSWMgIPzVTRYdnK&rP0xPb=8pMPQv

GET 301 http://www.duocvietpharmacy.com/gab8/?RR=UORo3IfrbXgOVCBiwz8H30B54EFwHnTBxT9tOqS6gRUO74gX21pm7ETNcpAoGCferi4tV5m1&rP0xPb=8pMPQv

ICMP traffic

Source	Destination	ICMP Type	Data
192.168.56.103	164.124.101.2	3
192.168.56.103	164.124.101.2	3

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49171 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 75.2.85.42:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 75.2.85.42:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 75.2.85.42:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 34.80.190.141:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 34.80.190.141:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 34.80.190.141:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
UDP 192.168.56.103:53498 -> 164.124.101.2:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 92.223.73.24:80	2221045	SURICATA HTTP Unexpected Request body	Generic Protocol Command Decode
TCP 192.168.56.103:49177 -> 15.197.142.173:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 15.197.142.173:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 15.197.142.173:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 154.95.193.109:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 154.95.193.109:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 154.95.193.109:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 37.123.118.150:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 37.123.118.150:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 37.123.118.150:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 103.101.161.13:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 103.101.161.13:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 103.101.161.13:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts