NetWork | ZeroBOX

Network Analysis

IP Address Status Action
104.20.67.143 Active Moloch
131.153.76.130 Active Moloch
164.124.101.2 Active Moloch
3.1.85.243 Active Moloch
41.103.107.68 Active Moloch
54.254.238.33 Active Moloch
Name Response Post-Analysis Lookup

HTTP Requests

Method Status URL (times requested)
GET 200 https://pastebin.com/raw/GUqDzHQW (4)
GET 200 https://pastebin.com/raw/h6SvjTQp (2)
GET 200 https://pastebin.com/raw/DVn2TV4Q (2)
GET 200 https://pastebin.com/raw/nEZ87Pwx (4)
GET 200 http://54.254.238.33/xm/win.com (2)
GET 200 http://54.254.238.33/xm/64a1.com (2)

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49167 -> 104.20.67.143:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49174 -> 104.20.67.143:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49175 -> 104.20.67.143:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49168 -> 104.20.67.143:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49170 -> 104.20.67.143:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49172 -> 104.20.67.143:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 54.254.238.33:80 -> 192.168.56.101:49217 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 54.254.238.33:80 -> 192.168.56.101:49217 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 54.254.238.33:80 -> 192.168.56.101:49223 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 54.254.238.33:80 -> 192.168.56.101:49223 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
UDP 192.168.56.101:62062 -> 164.124.101.2:53 2028675 ET POLICY DNS Query to DynDNS Domain *.ddns .net Potentially Bad Traffic
TCP 54.254.238.33:80 -> 192.168.56.101:49221 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 54.254.238.33:80 -> 192.168.56.101:49221 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
UDP 192.168.56.101:53258 -> 164.124.101.2:53 2028677 ET POLICY DNS Query to DynDNS Domain *.3utilities .com Potentially Bad Traffic
UDP 192.168.56.101:61798 -> 164.124.101.2:53 2028677 ET POLICY DNS Query to DynDNS Domain *.3utilities .com Potentially Bad Traffic
TCP 192.168.56.101:49224 -> 104.20.67.143:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.101:60131 -> 164.124.101.2:53 2028675 ET POLICY DNS Query to DynDNS Domain *.ddns .net Potentially Bad Traffic
UDP 192.168.56.101:57609 -> 164.124.101.2:53 2028676 ET POLICY DNS Query to DynDNS Domain *.ddnsking .com Potentially Bad Traffic
UDP 192.168.56.101:61681 -> 164.124.101.2:53 2028676 ET POLICY DNS Query to DynDNS Domain *.ddnsking .com Potentially Bad Traffic
UDP 192.168.56.101:59417 -> 164.124.101.2:53 2028678 ET POLICY DNS Query to DynDNS Domain *.bounceme .net Potentially Bad Traffic
UDP 192.168.56.101:49349 -> 164.124.101.2:53 2028680 ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .org Potentially Bad Traffic
TCP 192.168.56.101:49239 -> 104.20.67.143:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.101:54813 -> 164.124.101.2:53 2028680 ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .org Potentially Bad Traffic
UDP 192.168.56.101:63998 -> 164.124.101.2:53 2028684 ET POLICY DNS Query to DynDNS Domain *.myftp .org Potentially Bad Traffic
UDP 192.168.56.101:57509 -> 164.124.101.2:53 2028686 ET POLICY DNS Query to DynDNS Domain *.onthewifi .com Potentially Bad Traffic
UDP 192.168.56.101:63692 -> 164.124.101.2:53 2028692 ET POLICY DNS Query to DynDNS Domain *.servegame .com Potentially Bad Traffic
UDP 192.168.56.101:53804 -> 164.124.101.2:53 2028701 ET POLICY DNS Query to DynDNS Domain *.viewdns .net Potentially Bad Traffic
UDP 192.168.56.101:63083 -> 164.124.101.2:53 2028675 ET POLICY DNS Query to DynDNS Domain *.ddns .net Potentially Bad Traffic
UDP 192.168.56.101:56225 -> 164.124.101.2:53 2028677 ET POLICY DNS Query to DynDNS Domain *.3utilities .com Potentially Bad Traffic
TCP 192.168.56.101:49244 -> 104.20.67.143:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.101:61444 -> 164.124.101.2:53 2028691 ET POLICY DNS Query to DynDNS Domain *.serveftp .com Potentially Bad Traffic
UDP 192.168.56.101:61055 -> 164.124.101.2:53 2028694 ET POLICY DNS Query to DynDNS Domain *.servehttp .com Potentially Bad Traffic
UDP 192.168.56.101:49911 -> 164.124.101.2:53 2028693 ET POLICY DNS Query to DynDNS Domain *.servehalflife .com Potentially Bad Traffic
UDP 192.168.56.101:62380 -> 164.124.101.2:53 2028696 ET POLICY DNS Query to DynDNS Domain *.serveminecraft .net Potentially Bad Traffic
UDP 192.168.56.101:55247 -> 164.124.101.2:53 2028703 ET POLICY DNS Query to DynDNS Domain *.zapto .org Potentially Bad Traffic
UDP 192.168.56.101:54130 -> 164.124.101.2:53 2028678 ET POLICY DNS Query to DynDNS Domain *.bounceme .net Potentially Bad Traffic
UDP 192.168.56.101:62594 -> 164.124.101.2:53 2028679 ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .net Potentially Bad Traffic
UDP 192.168.56.101:51074 -> 164.124.101.2:53 2028686 ET POLICY DNS Query to DynDNS Domain *.onthewifi .com Potentially Bad Traffic
UDP 192.168.56.101:51507 -> 164.124.101.2:53 2028687 ET POLICY DNS Query to DynDNS Domain *.redirectme .net Potentially Bad Traffic
UDP 192.168.56.101:59985 -> 164.124.101.2:53 2028689 ET POLICY DNS Query to DynDNS Domain *.serveblog .net Potentially Bad Traffic
UDP 192.168.56.101:60905 -> 164.124.101.2:53 2028690 ET POLICY DNS Query to DynDNS Domain *.servecounterstrike .com Potentially Bad Traffic
UDP 192.168.56.101:63012 -> 164.124.101.2:53 2028694 ET POLICY DNS Query to DynDNS Domain *.servehttp .com Potentially Bad Traffic
UDP 192.168.56.101:58490 -> 164.124.101.2:53 2028697 ET POLICY DNS Query to DynDNS Domain *.servemp3 .com Potentially Bad Traffic
UDP 192.168.56.101:61124 -> 164.124.101.2:53 2028698 ET POLICY DNS Query to DynDNS Domain *.servepics .com Potentially Bad Traffic
UDP 192.168.56.101:50130 -> 164.124.101.2:53 2028703 ET POLICY DNS Query to DynDNS Domain *.zapto .org Potentially Bad Traffic
UDP 192.168.56.101:62255 -> 164.124.101.2:53 2028678 ET POLICY DNS Query to DynDNS Domain *.bounceme .net Potentially Bad Traffic
UDP 192.168.56.101:53608 -> 164.124.101.2:53 2028681 ET POLICY DNS Query to DynDNS Domain *.hopto .org Potentially Bad Traffic
UDP 192.168.56.101:56401 -> 164.124.101.2:53 2013823 ET INFO DYNAMIC_DNS Query to a Suspicious *.myftp.biz Domain Potentially Bad Traffic
UDP 192.168.56.101:56401 -> 164.124.101.2:53 2027863 ET INFO Observed DNS Query to .biz TLD Potentially Bad Traffic
UDP 192.168.56.101:50849 -> 164.124.101.2:53 2013823 ET INFO DYNAMIC_DNS Query to a Suspicious *.myftp.biz Domain Potentially Bad Traffic
UDP 192.168.56.101:50849 -> 164.124.101.2:53 2027863 ET INFO Observed DNS Query to .biz TLD Potentially Bad Traffic
UDP 192.168.56.101:58290 -> 164.124.101.2:53 2028691 ET POLICY DNS Query to DynDNS Domain *.serveftp .com Potentially Bad Traffic
UDP 192.168.56.101:56988 -> 164.124.101.2:53 2028693 ET POLICY DNS Query to DynDNS Domain *.servehalflife .com Potentially Bad Traffic
UDP 192.168.56.101:58861 -> 164.124.101.2:53 2028695 ET POLICY DNS Query to DynDNS Domain *.serveirc .com Potentially Bad Traffic
UDP 192.168.56.101:52610 -> 164.124.101.2:53 2028696 ET POLICY DNS Query to DynDNS Domain *.serveminecraft .net Potentially Bad Traffic
UDP 192.168.56.101:50858 -> 164.124.101.2:53 2028697 ET POLICY DNS Query to DynDNS Domain *.servemp3 .com Potentially Bad Traffic
UDP 192.168.56.101:57479 -> 164.124.101.2:53 2028676 ET POLICY DNS Query to DynDNS Domain *.ddnsking .com Potentially Bad Traffic
UDP 192.168.56.101:58402 -> 164.124.101.2:53 2028679 ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .net Potentially Bad Traffic
TCP 54.254.238.33:80 -> 192.168.56.101:49229 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 54.254.238.33:80 -> 192.168.56.101:49229 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
UDP 192.168.56.101:62986 -> 164.124.101.2:53 2028684 ET POLICY DNS Query to DynDNS Domain *.myftp .org Potentially Bad Traffic
UDP 192.168.56.101:51547 -> 164.124.101.2:53 2028685 ET POLICY DNS Query to DynDNS Domain *.myvnc .com Potentially Bad Traffic
UDP 192.168.56.101:60516 -> 164.124.101.2:53 2028685 ET POLICY DNS Query to DynDNS Domain *.myvnc .com Potentially Bad Traffic
UDP 192.168.56.101:56371 -> 164.124.101.2:53 2028687 ET POLICY DNS Query to DynDNS Domain *.redirectme .net Potentially Bad Traffic
UDP 192.168.56.101:49954 -> 164.124.101.2:53 2028688 ET POLICY DNS Query to DynDNS Domain *.servebeer .com Potentially Bad Traffic
UDP 192.168.56.101:57333 -> 164.124.101.2:53 2028688 ET POLICY DNS Query to DynDNS Domain *.servebeer .com Potentially Bad Traffic
UDP 192.168.56.101:52905 -> 164.124.101.2:53 2028689 ET POLICY DNS Query to DynDNS Domain *.serveblog .net Potentially Bad Traffic
UDP 192.168.56.101:57596 -> 164.124.101.2:53 2028690 ET POLICY DNS Query to DynDNS Domain *.servecounterstrike .com Potentially Bad Traffic
UDP 192.168.56.101:57451 -> 164.124.101.2:53 2028699 ET POLICY DNS Query to DynDNS Domain *.servequake .com Potentially Bad Traffic
UDP 192.168.56.101:58519 -> 164.124.101.2:53 2028698 ET POLICY DNS Query to DynDNS Domain *.servepics .com Potentially Bad Traffic
UDP 192.168.56.101:51869 -> 164.124.101.2:53 2028702 ET POLICY DNS Query to DynDNS Domain *.webhop .me Potentially Bad Traffic
UDP 192.168.56.101:54098 -> 164.124.101.2:53 2036289 ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) Crypto Currency Mining Activity Detected
UDP 192.168.56.101:56990 -> 164.124.101.2:53 2028681 ET POLICY DNS Query to DynDNS Domain *.hopto .org Potentially Bad Traffic
UDP 192.168.56.101:59610 -> 164.124.101.2:53 2028692 ET POLICY DNS Query to DynDNS Domain *.servegame .com Potentially Bad Traffic
UDP 192.168.56.101:57456 -> 164.124.101.2:53 2028695 ET POLICY DNS Query to DynDNS Domain *.serveirc .com Potentially Bad Traffic
UDP 192.168.56.101:65266 -> 164.124.101.2:53 2028699 ET POLICY DNS Query to DynDNS Domain *.servequake .com Potentially Bad Traffic
UDP 192.168.56.101:52806 -> 164.124.101.2:53 2028701 ET POLICY DNS Query to DynDNS Domain *.viewdns .net Potentially Bad Traffic
UDP 192.168.56.101:51610 -> 164.124.101.2:53 2028702 ET POLICY DNS Query to DynDNS Domain *.webhop .me Potentially Bad Traffic
UDP 192.168.56.101:55835 -> 164.124.101.2:53 2028675 ET POLICY DNS Query to DynDNS Domain *.ddns .net Potentially Bad Traffic
UDP 192.168.56.101:63120 -> 164.124.101.2:53 2028676 ET POLICY DNS Query to DynDNS Domain *.ddnsking .com Potentially Bad Traffic
UDP 192.168.56.101:58791 -> 164.124.101.2:53 2028679 ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .net Potentially Bad Traffic
UDP 192.168.56.101:63457 -> 164.124.101.2:53 2028680 ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .org Potentially Bad Traffic

Suricata TLS

Version Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.101:49167 -> 104.20.67.143:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLSv1 192.168.56.101:49174 -> 104.20.67.143:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLSv1 192.168.56.101:49175 -> 104.20.67.143:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLSv1 192.168.56.101:49168 -> 104.20.67.143:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLSv1 192.168.56.101:49170 -> 104.20.67.143:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLSv1 192.168.56.101:49172 -> 104.20.67.143:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLSv1 192.168.56.101:49224 -> 104.20.67.143:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLSv1 192.168.56.101:49239 -> 104.20.67.143:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLSv1 192.168.56.101:49244 -> 104.20.67.143:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLS 1.3 192.168.56.101:49274 -> 131.153.76.130:80 | None | None | None

Snort Alerts

No Snort Alerts