NetWork | ZeroBOX

IP Address	Status	Action
103.127.237.208	Active	Moloch
152.228.216.134	Active	Moloch
154.204.233.149	Active	Moloch
164.124.101.2	Active	Moloch
172.96.191.121	Active	Moloch
18.214.48.22	Active	Moloch
185.104.28.238	Active	Moloch
192.254.233.88	Active	Moloch
198.177.123.159	Active	Moloch
217.194.134.187	Active	Moloch
43.129.164.18	Active	Moloch
45.33.6.223	Active	Moloch
93.125.99.130	Active	Moloch

Name	Response	Post-Analysis Lookup
www.innerpeasnutrition.com	A 154.204.233.149	154.204.233.149
www.minsk-adstr.pro	CNAME minsk-adstr.pro A 93.125.99.130	93.125.99.130
www.unrushlagos.life	A 18.214.48.22 CNAME amanda-d.simplero.com A 35.170.205.142	35.170.205.142
www.ioddinemax.info	A 198.177.123.159	198.177.123.159
www.touslesjeudis-test2.ovh	A 152.228.216.134	152.228.216.134
www.wtwbenefitsapp.com	A 103.127.237.208	103.127.237.208
www.pzr9.com	A 43.129.164.18	43.129.164.18
www.ready-sim.com	A 185.104.28.238	185.104.28.238
www.fokusdongs89.click	CNAME fokusdongs89.click A 172.96.191.121	172.96.191.121
www.jsmaiyou.com	A 217.194.134.187	217.194.134.187
www.subicpearlresorthotel.com	CNAME subicpearlresorthotel.com A 192.254.233.88	192.254.233.88
www.sqlite.org	A 45.33.6.223	45.33.6.223

TCP Requests

UDP Requests

POST 200 http://www.wtwbenefitsapp.com/6tjv/

GET 200 http://www.wtwbenefitsapp.com/6tjv/?vv-9CC=ZekHcMczm1dRtokxNZDo90S9mkxwTcZYZfHK9EQ1vrBiXxapRt+GBgnIAZ7NmICX8PlBD4kZJKEGkx1iFxsaaM15ARq/tjezy4yawwM=&pq2FH=S4AijUGo

GET 200 http://www.sqlite.org/2019/sqlite-dll-win32-x86-3280000.zip

POST 404 http://www.ready-sim.com/6tjv/

GET 404 http://www.ready-sim.com/6tjv/?vv-9CC=vP6NfS7dbW4c/VsB/A1JURezZpJQ8nsbdWFTlOVf6iuLILrS76/L187Vau3Zr+6SA7xbkoW8K+sU0FMWlbfewoyXotU6Wa8RuVm/2CU=&pq2FH=S4AijUGo

POST 404 http://www.ioddinemax.info/6tjv/

GET 404 http://www.ioddinemax.info/6tjv/?vv-9CC=fT/TJdNtCaICjnQUbIUnRDxeECYphy4YrVvAjvU+q1IskcVwc07AsJLK3tqtGnkOp8a2PyJB1vyRLc2GY7t3W09lxia7P5+VAS1NVX4=&pq2FH=S4AijUGo

POST 404 http://www.unrushlagos.life/6tjv/

GET 404 http://www.unrushlagos.life/6tjv/?vv-9CC=xlJUlHglSOoU+WCfb7fTPB0ne55wcB2OinDKM2+2ognpQIYysf1z9BtCtwIQWly94RFYkrYMsBdvlNEOmEGbARRcASpMTevagbuBWCs=&pq2FH=S4AijUGo

POST 403 http://www.innerpeasnutrition.com/6tjv/

GET 403 http://www.innerpeasnutrition.com/6tjv/?vv-9CC=WCkonbtgklsJqt3U5AwYJ1vBQL+yzEkdXA8xucMJZCRnQC5eVhyQZD76BbsvWN4F2+2X9EJdLRzHIYbKsSuvhyO7xMyIhyiPV1yBlVw=&pq2FH=S4AijUGo

POST 404 http://www.fokusdongs89.click/6tjv/

GET 404 http://www.fokusdongs89.click/6tjv/?vv-9CC=lddPhGieQ3lEt24wxfGSZqEKUhgeh07HzuUXm/iAUma5yHruZSDAYtghKLMKtfuJW8oz7rp+ckpMDOoMhDPkb2WQy1Gqr+rGodidlkk=&pq2FH=S4AijUGo

POST 404 http://www.pzr9.com/6tjv/

GET 404 http://www.pzr9.com/6tjv/?vv-9CC=Xe+4czuF8BNTvCl2jtutD0nc61uG19PQTHhiWjCSfHaBQ4NOq8i8K6quZY+U+HiY2tqWNVv2/OiMBhH2zz7G+0xdm39gVqvBoSlQlAk=&pq2FH=S4AijUGo

POST 404 http://www.subicpearlresorthotel.com/6tjv/

GET 301 http://www.subicpearlresorthotel.com/6tjv/?vv-9CC=z8EanEHhaicdSPwbUmMymlHZg3JWg4d9/pg0TpyNm6NFsGct/BtDMX7PWnf5Qsg1SQP92ELHhW5VyKkGW4ou1D5KNmy23lxxfwDNRJc=&pq2FH=S4AijUGo

POST 404 http://www.touslesjeudis-test2.ovh/6tjv/

GET 404 http://www.touslesjeudis-test2.ovh/6tjv/?vv-9CC=/1l307yFeMFeHrk4mAgZBkH4SykpTjYiA/5hCG+BMYVXlwubXDmDfEwOCf1sFfh9qMjxTdQuOFbq+mW+2MyEO3xWCYiKD3QyLOwlqdk=&pq2FH=S4AijUGo

POST 404 http://www.minsk-adstr.pro/6tjv/

GET 301 http://www.minsk-adstr.pro/6tjv/?vv-9CC=Plpwe/Vj3Si6m7s4WjkFQxqA5vT0CFMrYA9s5aV5DJ4PZlRiX3dSCC0X24ZLQNtV+tbWCzZMNx9DmPvcY1vaNPprvVENxM3YounydDs=&pq2FH=S4AijUGo

POST 0 http://www.jsmaiyou.com/6tjv/

GET 0 http://www.jsmaiyou.com/6tjv/?vv-9CC=GT7mDBetp/BsCYP1aTCFpL/ADJtJH8x8/gvfm7l4NLF0tD2iOM8XYGcDii6V0tjr8Xc6kwylBNXtOHbYpVwzl/f1TWI72f0ir/DsOw8=&pq2FH=S4AijUGo

ICMP traffic

Source	Destination	ICMP Type	Data
192.168.56.101	164.124.101.2	3

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:53850 -> 164.124.101.2:53	2027867	ET INFO Observed DNS Query to .life TLD	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 18.214.48.22:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 18.214.48.22:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 18.214.48.22:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 18.214.48.22:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 103.127.237.208:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 103.127.237.208:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 103.127.237.208:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 198.177.123.159:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 198.177.123.159:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 198.177.123.159:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 18.214.48.22:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 18.214.48.22:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 18.214.48.22:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 18.214.48.22:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
TCP 192.168.56.101:49183 -> 152.228.216.134:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 152.228.216.134:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 172.96.191.121:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 152.228.216.134:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 172.96.191.121:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 172.96.191.121:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49186 -> 93.125.99.130:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49186 -> 93.125.99.130:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49186 -> 93.125.99.130:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 192.254.233.88:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 192.254.233.88:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 192.254.233.88:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 43.129.164.18:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 43.129.164.18:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 43.129.164.18:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 185.104.28.238:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 185.104.28.238:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 185.104.28.238:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 154.204.233.149:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 154.204.233.149:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 154.204.233.149:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49189 -> 217.194.134.187:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49189 -> 217.194.134.187:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49189 -> 217.194.134.187:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts