NetWork | ZeroBOX

Network Analysis

IP Address Status Action
162.125.84.15 Active Moloch
164.124.101.2 Active Moloch
84.32.131.104 Active Moloch
GET 200 http://app.documentoffice.club/salt_view_doc_words?user=H11I75PFF0ZG53NDG00H64OE

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49231 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49231 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49239 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49228 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49231 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49239 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49228 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49239 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49228 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49236 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49236 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49242 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49236 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49242 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49232 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49230 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49232 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49230 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49242 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49230 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49232 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49241 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49241 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49243 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49241 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49243 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49234 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49243 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49234 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49233 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49245 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49234 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49233 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49245 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49233 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49245 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49235 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49235 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49237 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49235 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49237 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49247 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49247 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49237 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49247 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49244 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49244 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49240 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49244 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49240 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49240 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49227 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49227 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49227 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49238 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49238 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49238 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49248 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49248 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49248 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49239 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49245 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49232 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49235 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49231 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49236 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49241 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49237 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49233 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49238 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49227 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49230 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49234 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49242 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49247 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49244 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49228 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49248 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49243 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.102:49240 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts