NetWork | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

NetWork | ZeroBOX

IP Address	Status	Action
144.76.136.153	Active	Moloch
164.124.101.2	Active	Moloch
185.246.220.85	Active	Moloch
23.67.53.17	Active	Moloch

Name	Response	Post-Analysis Lookup
apps.identrust.com	CNAME identrust.edgesuite.net CNAME a1952.dscq.akamai.net A 23.67.53.17 A 23.67.53.27	23.67.53.17
transfer.sh	A 144.76.136.153	144.76.136.153

TCP Requests

UDP Requests

GET 200 http://185.246.220.85/secbobbyzx.exe

GET 200 http://apps.identrust.com/roots/dstrootcax3.p7c

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:63709 -> 8.8.8.8:53	2034316	ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)	Potentially Bad Traffic
UDP 192.168.56.102:63709 -> 8.8.8.8:53	2035139	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)	Misc activity
UDP 192.168.56.102:63709 -> 164.124.101.2:53	2034316	ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)	Potentially Bad Traffic
UDP 192.168.56.102:63709 -> 164.124.101.2:53	2035139	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)	Misc activity
TCP 192.168.56.102:49166 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 192.168.56.102:49166 -> 144.76.136.153:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49162 -> 185.246.220.85:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49166 -> 144.76.136.153:443	2035145	ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)	Misc activity
TCP 185.246.220.85:80 -> 192.168.56.102:49162	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 144.76.136.153:443 -> 192.168.56.102:49166	2033076	ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)	Potential Corporate Privacy Violation
TCP 185.246.220.85:80 -> 192.168.56.102:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.246.220.85:80 -> 192.168.56.102:49162	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 185.246.220.85:80 -> 192.168.56.102:49162	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49166 144.76.136.153:443	C=US, O=Let's Encrypt, CN=R3	CN=transfer.sh	a7:89:64:18:ce:56:53:c8:db:2d:45:3c:9f:cf:98:1a:40:91:1c:e2

Snort Alerts

No Snort Alerts