NetWork | ZeroBOX

Network Analysis

IP Address Status Action
117.18.232.200 Active Moloch
103.235.46.191 Active Moloch
103.43.11.126 Active Moloch
164.124.101.2 Active Moloch
23.82.204.168 Active Moloch
GET 200 https://hm.baidu.com/hm.js?9053860856a19b8bcc9f5a5d26bf4859
GET 0 https://hm.baidu.com/hm.gif?cc=1&ck=1&cl=32-bit&ds=1365x1024&vl=893&et=0&ja=1&ln=ko&lo=0&rnd=956046660&si=9053860856a19b8bcc9f5a5d26bf4859&v=1.3.0&lv=1&sn=13537&r=0&ww=1365&u=http%3A%2F%2Fwww.wenolira.top%2Fpncadmin%2F&tt=%E4%B8%83%E5%8F%B0%E6%B2%B3%E7%9A%86%E6%9D%82%E7%A7%9F%E5%94%AE%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8
GET 301 http://wenolira.top/pncadmin/
GET 200 http://www.wenolira.top/pncadmin/
GET 200 http://www.wenolira.top/common.js
GET 200 http://www.wenolira.top/tj.js
GET 200 http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 23.82.204.168:80 2023882 ET INFO HTTP Request to a *.top domain Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 103.235.46.191:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49171 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49175 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49174 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49179 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 103.43.11.126:443 -> 192.168.56.101:49176 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49178 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 103.43.11.126:443 -> 192.168.56.101:49183 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 117.18.232.200:443 -> 192.168.56.101:49191 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49180 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49182 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49190 -> 117.18.232.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49169 -> 103.235.46.191:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49181 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49189 -> 117.18.232.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow: TLSv1 192.168.56.101:49170 -> 103.235.46.191:443
Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018
Subject: C=CN, ST=beijing, L=beijing, OU=service operation department, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com
Fingerprint: 48:6a:ed:d1:68:52:e5:97:4f:a0:92:46:b3:3c:56:46:3d:d9:9c:d5

Flow: TLSv1 192.168.56.101:49169 -> 103.235.46.191:443
Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018
Subject: C=CN, ST=beijing, L=beijing, OU=service operation department, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com
Fingerprint: 48:6a:ed:d1:68:52:e5:97:4f:a0:92:46:b3:3c:56:46:3d:d9:9c:d5

Snort Alerts

No Snort Alerts