NetWork | ZeroBOX

IP Address	Status	Action
13.107.21.200	Active	Moloch
137.184.73.79	Active	Moloch
142.250.199.68	Active	Moloch
164.124.101.2	Active	Moloch

Name	Response	Post-Analysis Lookup
www.google.com	A 142.250.199.68	172.217.161.36

TCP Requests

UDP Requests

GET 200 https://www.google.com/

GET 0 https://www.bing.com/

HTTP/1.1 200 OK Cache-Control: private Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND" Set-Cookie: SUID=M; domain=.bing.com; expires=Tue, 02-Nov-2021 01:57:13 GMT; path=/ Set-Cookie: MUID=0AB5B37B739364430704A399723165AD; domain=.bing.com; expires=Sat, 26-Nov-2022 01:57:13 GMT; path=/; secure; SameSite=None Set-Cookie: MUIDB=0AB5B37B739364430704A399723165AD; expires=Sat, 26-Nov-2022 01:57:13 GMT; path=/ Set-Cookie: _EDGE_S=F=1&SID=1256D30F04926CE72172C3ED05306DC7; domain=.bing.com; path=/ Set-Cookie: _EDGE_V=1; domain=.bing.com; expires=Sat, 26-Nov-2022 01:57:13 GMT; path=/ Set-Cookie: SRCHD=AF=NOFORM; domain=.bing.com; expires=Wed, 01-Nov-2023 01:57:13 GMT; path=/ Set-Cookie: SRCHUID=V=2&GUID=FAE7956981F548209D05715B295B5563&dmnchg=1; domain=.bing.com; expires=Wed, 01-Nov-2023 01:57:13 GMT; path=/ Set-Cookie: SRCHUSR=DOB=20211101; domain=.bing.com; expires=Wed, 01-Nov-2023 01:57:13 GMT; path=/ Set-Cookie: SRCHHPGUSR=SRCHLANG=ko; domain=.bing.com; expires=Wed, 01-Nov-2023 01:57:13 GMT; path=/ Set-Cookie: _SS=SID=1256D30F04926CE72172C3ED05306DC7; domain=.bing.com; path=/ Set-Cookie: ULC=; domain=.bing.com; expires=Sun, 31-Oct-2021 01:57:13 GMT; path=/ Set-Cookie: _HPVN=CS=eyJQbiI6eyJDbiI6MSwiU3QiOjAsIlFzIjowLCJQcm9kIjoiUCJ9LCJTYyI6eyJDbiI6MSwiU3QiOjAsIlFzIjowLCJQcm9kIjoiSCJ9LCJReiI6eyJDbiI6MSwiU3QiOjAsIlFzIjowLCJQcm9kIjoiVCJ9LCJBcCI6dHJ1ZSwiTXV0ZSI6dHJ1ZSwiTGFkIjoiMjAyMS0xMS0wMVQwMDowMDowMFoiLCJJb3RkIjowLCJEZnQiOm51bGwsIk12cyI6MCwiRmx0IjowLCJJbXAiOjF9; domain=.bing.com; expires=Wed, 01-Nov-2023 01:57:13 GMT; path=/ X-SNR-Routing: 1 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Cache: CONFIG_NOCACHE Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 93167858F7B64141840D8931D0B62E96 Ref B: SLAEDGE0712 Ref C: 2021-11-01T01:57:13Z Date: Mon, 01 Nov 2021 01:57:13 GMT

POST 404 http://137.184.73.79/file/logs/fre.php

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49201 -> 13.107.21.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49198 -> 142.250.199.68:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49205 -> 137.184.73.79:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.101:49205 -> 137.184.73.79:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 137.184.73.79:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.101:49209 -> 137.184.73.79:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 137.184.73.79:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 137.184.73.79:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 137.184.73.79:80 -> 192.168.56.101:49209	2025483	ET MALWARE LokiBot Fake 404 Response	A Network Trojan was detected
TCP 192.168.56.101:49205 -> 137.184.73.79:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.101:49205 -> 137.184.73.79:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 192.168.56.101:49207 -> 137.184.73.79:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.101:49207 -> 137.184.73.79:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 137.184.73.79:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.101:49207 -> 137.184.73.79:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 192.168.56.101:49208 -> 137.184.73.79:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.101:49208 -> 137.184.73.79:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 137.184.73.79:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 137.184.73.79:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 137.184.73.79:80 -> 192.168.56.101:49208	2025483	ET MALWARE LokiBot Fake 404 Response	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49201 13.107.21.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=www.bing.com	af:e3:17:ed:18:4a:d9:1c:24:8a:89:d5:ac:11:b3:27:96:02:37:c8
TLSv1 192.168.56.101:49198 142.250.199.68:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	69:df:10:e4:b5:e7:83:17:80:2c:45:61:ab:73:93:d4:42:04:e3:20

Snort Alerts

No Snort Alerts