NetWork | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

NetWork | ZeroBOX

IP Address	Status	Action
142.251.220.78	Active	Moloch
164.124.101.2	Active	Moloch
172.217.31.4	Active	Moloch
185.244.226.4	Active	Moloch
37.230.138.123	Active	Moloch
37.230.138.66	Active	Moloch
52.219.140.16	Active	Moloch

Name	Response	Post-Analysis Lookup
360devtracking.com	A 37.230.138.66	37.230.138.66
www.google.com	A 172.217.31.4	142.250.76.132
connectini.net	A 37.230.138.123	37.230.138.123
wewewe.s3.eu-central-1.amazonaws.com	A 52.219.140.16 CNAME s3-r-w.eu-central-1.amazonaws.com	3.5.138.115
n8w5.c12.e2-1.dev
google.com	A 142.251.220.78	142.250.206.206
link.storjshare.io	A 185.244.226.4	185.244.226.4

TCP Requests

UDP Requests

POST 100 https://connectini.net/Series/SuperNitouDisc.php

GET 200 https://link.storjshare.io/s/jxjnpyegksik26mz4wqismdyexpq/yokoso/fullham/enel/hand-M2u7HcEuL9S7AFLW.exe?download=1

GET 303 https://link.storjshare.io/jx573tmlnr5wf7adrak4haxbcyra/yokoso/fullham/enel/up-do-dat-M2u7HcEuL9S7AFLW.exe?download=1

GET 0 https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe

GET 200 https://link.storjshare.io/s/jx573tmlnr5wf7adrak4haxbcyra/yokoso/fullham/enel/up-do-dat-M2u7HcEuL9S7AFLW.exe?download=1

GET 0 https://www.google.com/

GET 0 https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe

GET 0 https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe

GET 200 https://connectini.net/S2S/Disc/Disc.php?ezok=flabs2&tesla=7

POST 100 https://connectini.net/Series/Conumer2kenpachi.php

GET 200 https://connectini.net/Series/kenpachi/2/goodchannel/KR.json

GET 200 https://connectini.net/Series/configPoduct/2/goodchannel.json

HEAD 303 http://link.storjshare.io/juwxjm5rlewtkplox6e4e3btskgq/yokoso%2Ffullham%2Fmanatara%2Fpoweroff.exe?download=1

GET 200 http://link.storjshare.io/s/juwxjm5rlewtkplox6e4e3btskgq/yokoso/fullham/manatara/poweroff.exe?download=1

GET 303 http://link.storjshare.io/juwxjm5rlewtkplox6e4e3btskgq/yokoso%2Ffullham%2Fmanatara%2Fpoweroff.exe?download=1

GET 200 http://link.storjshare.io/s/juwxjm5rlewtkplox6e4e3btskgq/yokoso/fullham/manatara/poweroff.exe?download=1

POST 100 http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies

POST 100 http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies

ICMP traffic

Source	Destination	ICMP Type	Data
192.168.56.101	142.251.220.78	8	\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
142.251.220.78	192.168.56.101	0	\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2038505	ET INFO File Sharing Service Domain in DNS Lookup (link .storjshare .io)	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 185.244.226.4:443	2038506	ET INFO Observed File Sharing Service Domain (link .storjshare .io in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 185.244.226.4:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:61950 -> 164.124.101.2:53	2038505	ET INFO File Sharing Service Domain in DNS Lookup (link .storjshare .io)	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 52.219.140.16:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.244.226.4:80 -> 192.168.56.101:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.244.226.4:80 -> 192.168.56.101:49165	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.101:49168 -> 172.217.31.4:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2038505	ET INFO File Sharing Service Domain in DNS Lookup (link .storjshare .io)	Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 185.244.226.4:443	2038506	ET INFO Observed File Sharing Service Domain (link .storjshare .io in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 185.244.226.4:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.244.226.4:80 -> 192.168.56.101:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.244.226.4:80 -> 192.168.56.101:49163	2014520	ET INFO EXE - Served Attached HTTP	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49170 185.244.226.4:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=link.storjshare.io	ef:8c:1d:0f:34:70:c2:fe:82:ba:2e:e4:b1:d3:10:79:a3:e4:9b:84
TLS 1.2 192.168.56.101:49169 52.219.140.16:443	C=US, O=Amazon, CN=Amazon RSA 2048 M01	CN=*.s3.eu-central-1.amazonaws.com	0a:60:dd:74:9f:3c:a8:45:07:d7:82:2d:33:8b:29:e1:53:36:f8:c3
TLS 1.2 192.168.56.101:49168 172.217.31.4:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	48:e3:15:66:fc:ea:15:bf:d2:34:c1:dd:60:d4:23:a3:63:57:89:8d
TLSv1 192.168.56.101:49179 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLSv1 192.168.56.101:49167 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLS 1.2 192.168.56.101:49171 185.244.226.4:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=link.storjshare.io	ef:8c:1d:0f:34:70:c2:fe:82:ba:2e:e4:b1:d3:10:79:a3:e4:9b:84

Snort Alerts

No Snort Alerts