NetWork | ZeroBOX

Network Analysis

IP Address Status Action

Method Status URL
GET 200 http://185.215.113.66/1
GET 200 http://185.215.113.66/1
GET 200 http://185.215.113.66/2
GET 200 http://185.215.113.66/2
GET 200 http://185.215.113.66/1
GET 200 http://185.215.113.66/1
GET 200 http://185.215.113.66/3
GET 200 http://185.215.113.66/3
GET 200 http://185.215.113.66/_1
GET 200 http://185.215.113.66/_1
GET 200 http://185.215.113.66/2
GET 200 http://185.215.113.66/4
GET 200 http://185.215.113.66/2
GET 200 http://185.215.113.66/newpinf.exe
GET 200 http://185.215.113.66/4
GET 200 http://185.215.113.66/_2
GET 200 http://185.215.113.66/_2
GET 200 http://185.215.113.66/nxmr.exe
GET 200 http://185.215.113.66/3
GET 200 http://185.215.113.66/5
GET 200 http://185.215.113.66/3
GET 200 http://185.215.113.66/5
GET 200 http://185.215.113.66/_3
GET 200 http://185.215.113.66/_3
GET 404 http://twizt.net/ALLSTATA
GET 200 http://185.215.113.66/4
GET 200 http://185.215.113.66/6
GET 200 http://185.215.113.66/4
GET 200 http://185.215.113.66/6
GET 200 http://185.215.113.66/5
GET 200 http://185.215.113.66/5
GET 200 http://185.215.113.66/6
GET 200 http://185.215.113.66/6

ICMP traffic

Source Destination ICMP Type Data
213.230.90.13 192.168.56.101 3
45.150.25.234 192.168.56.101 3
45.150.25.234 192.168.56.101 3
45.150.25.234 192.168.56.101 3
78.137.80.115 192.168.56.101 3

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 185.215.113.66:80 -> 192.168.56.101:49172 2400031 ET DROP Spamhaus DROP Listed Traffic Inbound group 32 Misc Attack
TCP 192.168.56.101:49179 -> 185.215.113.66:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 185.215.113.66:80 -> 192.168.56.101:49179 2014819 ET INFO Packed Executable Download Misc activity
UDP 192.168.56.101:59004 -> 151.247.86.184:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
TCP 192.168.56.101:49188 -> 185.215.113.66:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 185.215.113.66:80 -> 192.168.56.101:49188 2014819 ET INFO Packed Executable Download Misc activity
TCP 185.215.113.66:80 -> 192.168.56.101:49188 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.215.113.66:80 -> 192.168.56.101:49188 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
UDP 192.168.56.101:59004 -> 2.182.101.42:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
UDP 192.168.56.101:59004 -> 105.111.97.94:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
TCP 5.42.96.117:80 -> 192.168.56.101:49208 2400000 ET DROP Spamhaus DROP Listed Traffic Inbound group 1 Misc Attack
TCP 185.215.113.66:80 -> 192.168.56.101:49179 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.215.113.66:80 -> 192.168.56.101:49179 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
UDP 192.168.56.101:59004 -> 93.118.99.152:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
UDP 192.168.56.101:54150 -> 5.232.129.90:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
UDP 192.168.56.101:54150 -> 89.165.5.25:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
UDP 192.168.56.101:59004 -> 77.221.27.6:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
UDP 192.168.56.101:59004 -> 213.230.90.13:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
TCP 91.202.233.141:80 -> 192.168.56.101:49228 2400012 ET DROP Spamhaus DROP Listed Traffic Inbound group 13 Misc Attack
UDP 192.168.56.101:59004 -> 188.215.185.154:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
UDP 192.168.56.101:59004 -> 5.190.247.209:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
UDP 192.168.56.101:59004 -> 103.4.92.235:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
UDP 192.168.56.101:54150 -> 46.167.138.154:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
UDP 192.168.56.101:54150 -> 134.35.181.192:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.66:5151 2024792 ET POLICY Cryptocurrency Miner Checkin Potential Corporate Privacy Violation
TCP 192.168.56.101:49220 -> 185.215.113.66:5151 2024792 ET POLICY Cryptocurrency Miner Checkin Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts