NetWork | ZeroBOX

IP Address	Status	Action
104.192.141.1	Active	Moloch
144.76.136.153	Active	Moloch
164.124.101.2	Active	Moloch
176.113.115.145	Active	Moloch
179.43.155.247	Active	Moloch
212.113.119.255	Active	Moloch

Name	Response	Post-Analysis Lookup
bitbucket.org	A 104.192.141.1	104.192.141.1
transfer.sh	A 144.76.136.153	144.76.136.153

TCP Requests

UDP Requests

POST 200 http://212.113.119.255/joomla/index.php

GET 200 http://179.43.155.247/cc.exe

POST 200 http://212.113.119.255/joomla/index.php

GET 404 http://212.113.119.255/joomla/Plugins/cred64.dll

GET 200 http://212.113.119.255/joomla/Plugins/clip64.dll

POST 200 http://212.113.119.255/joomla/index.php

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49176 -> 179.43.155.247:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49176 -> 179.43.155.247:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.101:49179	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.101:49184	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49184 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 212.113.119.255:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.101:49192 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 104.192.141.1:443 -> 192.168.56.101:49188	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49192 -> 144.76.136.153:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49192 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.101:49188 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 144.76.136.153:443 -> 192.168.56.101:49193	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.101:49207	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49207 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.101:49183	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49200 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.101:49200 -> 144.76.136.153:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49183 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.101:49185	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49200 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 104.192.141.1:443 -> 192.168.56.101:49189	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 179.43.155.247:80 -> 192.168.56.101:49176	2014819	ET INFO Packed Executable Download	Misc activity
TCP 104.192.141.1:443 -> 192.168.56.101:49187	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.101:49203	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49187 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49203 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.101:49209	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.101:49204	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.101:49218	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49218 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.101:49213	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49213 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49195 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.101:49195 -> 144.76.136.153:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49195 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2034316	ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.101:49217	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 179.43.155.247:80 -> 192.168.56.101:49176	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2035139	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)	Misc activity
TCP 179.43.155.247:80 -> 192.168.56.101:49176	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 179.43.155.247:80 -> 192.168.56.101:49176	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49217 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.101:49219	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.101:49223	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 144.76.136.153:443 -> 192.168.56.101:49197	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49223 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.101:49205	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 179.43.155.247:80 -> 192.168.56.101:49176	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.101:49174 -> 212.113.119.255:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49174 -> 212.113.119.255:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 212.113.119.255:80 -> 192.168.56.101:49174	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 212.113.119.255:80 -> 192.168.56.101:49174	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 212.113.119.255:80 -> 192.168.56.101:49174	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 104.192.141.1:443 -> 192.168.56.101:49212	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49212 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.101:49214	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.101:49178	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49178 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.101:49180	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49191 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.101:49191 -> 144.76.136.153:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49191 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.101:49199 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.101:49199 -> 144.76.136.153:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49199 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 144.76.136.153:443 -> 192.168.56.101:49201	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.101:49224	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2034316	ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2035139	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)	Misc activity
TCP 192.168.56.101:49196 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.101:49196 -> 144.76.136.153:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49196 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 104.192.141.1:443 -> 192.168.56.101:49208	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.101:49222	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49222 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49199 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.101:49200 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.101:49195 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.101:49192 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.101:49191 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.101:49196 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts