NetWork | ZeroBOX

IP Address	Status	Action
147.182.174.188	Active	Moloch
15.164.81.167	Active	Moloch
151.101.52.209	Active	Moloch
164.124.101.2	Active	Moloch
185.199.109.133	Active	Moloch
185.205.210.106	Active	Moloch
208.95.112.1	Active	Moloch

Name	Response	Post-Analysis Lookup
objects.githubusercontent.com	A 185.199.109.133 A 185.199.111.133 A 185.199.110.133 A 185.199.108.133	185.199.108.133
repo1.maven.org	CNAME sonatype.map.fastly.net A 151.101.52.209	199.232.196.209
str-master.pw	A 147.182.174.188	147.182.174.188
github.com	A 15.164.81.167	52.78.231.108
ip-api.com	A 208.95.112.1	208.95.112.1

TCP Requests

UDP Requests

GET 404 http://str-master.pw/strigoi/server/ping.php?lid=6PFI-EG99-VOD4-MX23-B7M4

GET 200 http://ip-api.com/json/

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49162 -> 15.164.81.167:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49164 -> 151.101.52.209:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49166 -> 185.199.109.133:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49163 -> 151.101.52.209:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49165 -> 151.101.52.209:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
UDP 192.168.56.102:61695 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49188 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49178 -> 147.182.174.188:80	2030359	ET MALWARE STRRAT Initial HTTP Activity	Malware Command and Control Activity Detected
TCP 192.168.56.102:49178 -> 147.182.174.188:80	2016777	ET INFO HTTP Request to a *.pw domain	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49162 15.164.81.167:443	C=US, O=DigiCert, Inc., CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com	84:63:b3:a9:29:12:cc:fd:1d:31:47:05:98:9b:ec:13:99:37:d0:d7
TLS 1.2 192.168.56.102:49164 151.101.52.209:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA H2 2021	CN=repo1.maven.org	e2:ba:c2:7f:d9:98:22:e2:6b:cb:17:2c:c0:15:62:76:df:a3:21:b0
TLS 1.2 192.168.56.102:49166 185.199.109.133:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=www.github.com	70:94:de:dd:e6:c4:69:48:3a:92:70:a1:48:56:78:2d:18:64:e0:b7
TLS 1.2 192.168.56.102:49163 151.101.52.209:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA H2 2021	CN=repo1.maven.org	e2:ba:c2:7f:d9:98:22:e2:6b:cb:17:2c:c0:15:62:76:df:a3:21:b0
TLS 1.2 192.168.56.102:49165 151.101.52.209:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA H2 2021	CN=repo1.maven.org	e2:ba:c2:7f:d9:98:22:e2:6b:cb:17:2c:c0:15:62:76:df:a3:21:b0

Snort Alerts

No Snort Alerts