NetWork | ZeroBOX

Network Analysis

IP Address Status Action
13.107.42.12 Active Moloch
13.107.42.13 Active Moloch
164.124.101.2 Active Moloch
178.237.33.50 Active Moloch
185.157.162.137 Active Moloch
HTTP Requests

Method Status URL
GET 302 https://onedrive.live.com/download?cid=F547EE3E8FFF6BF5&resid=F547EE3E8FFF6BF5%21453&authkey=AOijTcPaFAa_sFY
GET 200 https://xxggqg.bn.files.1drv.com/y4mo-OJo9wpmax2OvB29vRxbCR_XHI1S9TO9DxkvzSDmOtvVCfdjFA5iJe_tsCB5hke4QTjJLqf2DXsOokiGFDWYTUPxE1cccg9s5CHpH4mgpeJk7DEz2hTWHtbtslcxa5Szl4466KRJBjr-OM68hUz0Mri9n2FXq4bERFOmqvGuyLFMUhC1mk5TTcJ_Nro0Wjpsy2YHstADf0g6Zn42Lxg-w/Oywnaspxncyxayhkogvpxcsolzrnnly?download&psid=1
GET 302 https://onedrive.live.com/download?cid=F547EE3E8FFF6BF5&resid=F547EE3E8FFF6BF5%21453&authkey=AOijTcPaFAa_sFY
GET 200 https://xxggqg.bn.files.1drv.com/y4mZ04JFnfIkWTrcbGjKJqnT1_whH5a4gewQUd9rU-zn-XASy9kj8861d5lBJpZeiYItjRRzNnljnkwb-cBR7SG3qIXnbzoRculh-hJehFsDMopV_mS3cHJ15pKloJfM014cqwcYcymtXfE3IbN-GlX5I6C_DkCFpK_5vHbP03E9NaOhkc8UXhmv9g4lALU24-ASME_KLf4QhHXs5iYy9VoUg/Oywnaspxncyxayhkogvpxcsolzrnnly?download&psid=1
GET 200 http://geoplugin.net/json.gp

ICMP traffic

Source Destination ICMP Type Data
192.168.56.103 164.124.101.2 3
192.168.56.103 164.124.101.2 3
192.168.56.103 164.124.101.2 3
192.168.56.103 164.124.101.2 3
192.168.56.103 164.124.101.2 3
192.168.56.103 164.124.101.2 3
192.168.56.103 164.124.101.2 3
192.168.56.103 164.124.101.2 3
192.168.56.103 164.124.101.2 3
192.168.56.103 164.124.101.2 3
192.168.56.103 164.124.101.2 3
192.168.56.103 164.124.101.2 3
192.168.56.103 164.124.101.2 3
192.168.56.103 164.124.101.2 3
192.168.56.103 164.124.101.2 3
192.168.56.103 164.124.101.2 3
192.168.56.103 164.124.101.2 3
192.168.56.103 164.124.101.2 3

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49162 -> 13.107.42.13:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49163 -> 13.107.42.12:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.103:51958 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:51958 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:63462 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:51958 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:63462 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:51958 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:57573 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:57573 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:57573 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:57573 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:57573 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:57573 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:60693 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:51958 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:51958 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:60693 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:63462 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:63462 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:63462 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:63462 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:49347 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:49347 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:49347 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:49347 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:49347 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:49347 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:60556 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:60556 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:60556 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:60556 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:60556 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
TCP 192.168.56.103:49164 -> 13.107.42.12:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.103:60693 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:60693 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:60693 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:60693 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.103:49162 -> 13.107.42.13:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | CN=onedrive.com | 77:7f:f2:95:29:a7:e3:cc:0f:bf:2f:ba:2e:6f:2a:38:62:8b:48:4d
TLSv1 192.168.56.103:49163 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | c2:e0:68:f2:b8:12:58:f2:43:68:ba:74:5a:78:76:f9:19:2d:a1:60
TLS 1.3 192.168.56.103:49177 -> 185.157.162.137:59085 | None | None | None
TLSv1 192.168.56.103:49164 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | c2:e0:68:f2:b8:12:58:f2:43:68:ba:74:5a:78:76:f9:19:2d:a1:60

Snort Alerts

No Snort Alerts