NetWork | ZeroBOX

Network Analysis

IP Address Status Action
117.18.232.200 Active Moloch
103.235.46.191 Active Moloch
103.43.11.126 Active Moloch
164.124.101.2 Active Moloch
23.82.204.168 Active Moloch
GET 200 https://hm.baidu.com/hm.js?9053860856a19b8bcc9f5a5d26bf4859
REQUEST
RESPONSE
GET 0 https://hm.baidu.com/hm.gif?cc=1&ck=1&cl=32-bit&ds=1365x1024&vl=893&et=0&ja=1&ln=ko&lo=0&rnd=2027123326&si=9053860856a19b8bcc9f5a5d26bf4859&v=1.3.0&lv=1&sn=13537&r=0&ww=1365&u=http%3A%2F%2Fwww.wenolira.top%2Fdesjardinsadmin%2F&tt=%E4%B8%83%E5%8F%B0%E6%B2%B3%E7%9A%86%E6%9D%82%E7%A7%9F%E5%94%AE%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8
REQUEST
RESPONSE
GET 301 http://wenolira.top/desjardinsadmin/
REQUEST
RESPONSE
GET 200 http://www.wenolira.top/desjardinsadmin/
REQUEST
RESPONSE
GET 200 http://www.wenolira.top/common.js
REQUEST
RESPONSE
GET 200 http://www.wenolira.top/tj.js
REQUEST
RESPONSE
GET 200 http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
REQUEST
RESPONSE

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 103.235.46.191:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49165 -> 23.82.204.168:80 2023882 ET INFO HTTP Request to a *.top domain Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 103.235.46.191:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49190 -> 117.18.232.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49180 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49174 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49191 -> 117.18.232.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 103.43.11.126:443 -> 192.168.56.101:49175 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 103.43.11.126:443 -> 192.168.56.101:49182 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49177 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49178 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49179 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49181 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49185 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 117.18.232.200:443 -> 192.168.56.101:49192 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49170 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49183 -> 103.43.11.126:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49168
103.235.46.191:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 C=CN, ST=beijing, L=beijing, OU=service operation department, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com 48:6a:ed:d1:68:52:e5:97:4f:a0:92:46:b3:3c:56:46:3d:d9:9c:d5
TLSv1
192.168.56.101:49169
103.235.46.191:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 C=CN, ST=beijing, L=beijing, OU=service operation department, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com 48:6a:ed:d1:68:52:e5:97:4f:a0:92:46:b3:3c:56:46:3d:d9:9c:d5

Snort Alerts

No Snort Alerts