NetWork | ZeroBOX

Network Analysis

IP Address Status Action
130.117.252.29 Active Moloch
130.117.252.31 Active Moloch
142.250.66.36 Active Moloch
164.124.101.2 Active Moloch
37.230.138.123 Active Moloch
37.230.138.66 Active Moloch
52.219.140.125 Active Moloch
POST 100 https://connectini.net/Series/SuperNitouDisc.php
REQUEST
RESPONSE
GET 200 https://s3.eu-central-1.wasabisys.com/delice/delice-purify/up-do-dat-emHqRHrKsna22Rea.exe
REQUEST
RESPONSE
GET 200 https://connectini.net/S2S/Disc/Disc.php?ezok=flabs2&tesla=6
REQUEST
RESPONSE
GET 200 https://s3.eu-central-1.wasabisys.com/delice/delice-purify/hand-emHqRHrKsna22Rea.exe
REQUEST
RESPONSE
GET 0 https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
REQUEST
RESPONSE
GET 0 https://www.google.com/
REQUEST
RESPONSE
GET 0 https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
REQUEST
RESPONSE
GET 0 https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
REQUEST
RESPONSE
HEAD 200 http://s3.eu-central-1.wasabisys.com/delice/delice-prov/poweroff.exe
REQUEST
RESPONSE
GET 200 http://s3.eu-central-1.wasabisys.com/delice/delice-prov/poweroff.exe
REQUEST
RESPONSE
POST 100 http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
REQUEST
RESPONSE

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49169 -> 142.250.66.36:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49168 -> 130.117.252.29:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 130.117.252.31:80 -> 192.168.56.103:49163 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.103:49171 -> 130.117.252.29:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49166 -> 37.230.138.123:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49170 -> 52.219.140.125:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.2
192.168.56.103:49169
142.250.66.36:443
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=www.google.com 00:94:06:0f:b6:4d:e7:50:72:1e:56:17:9b:c5:85:cf:61:78:42:f1
TLS 1.2
192.168.56.103:49168
130.117.252.29:443
C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1 C=US, ST=Massachusetts, L=Boston, O=Wasabi Technologies LLC, CN=*.s3.eu-central-1.wasabisys.com 1c:c4:44:2b:7d:4e:fd:e6:d3:c5:df:5f:31:06:9d:1a:90:71:e7:bc
TLS 1.2
192.168.56.103:49171
130.117.252.29:443
C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1 C=US, ST=Massachusetts, L=Boston, O=Wasabi Technologies LLC, CN=*.s3.eu-central-1.wasabisys.com 1c:c4:44:2b:7d:4e:fd:e6:d3:c5:df:5f:31:06:9d:1a:90:71:e7:bc
TLSv1
192.168.56.103:49166
37.230.138.123:443
C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLS 1.2
192.168.56.103:49170
52.219.140.125:443
C=US, O=Amazon, OU=Server CA 1B, CN=Amazon CN=*.s3.eu-central-1.amazonaws.com bc:92:6b:62:48:5f:c5:08:60:03:a9:1e:bc:29:58:79:d7:4b:94:fb

Snort Alerts

No Snort Alerts