NetWork | ZeroBOX

Network Analysis

IP Address       Status   Action (Moloch = open the flow in the Moloch full-packet-capture viewer)
121.254.136.18   Active   Moloch
13.225.110.102   Active   Moloch
164.124.101.2    Active   Moloch
172.67.165.254   Active   Moloch
172.67.176.247   Active   Moloch
54.230.169.11    Active   Moloch
HTTP requests

Method  Status  URL
GET     200     https://d2lvl7wmj7b91p.cloudfront.net/load/load.php?c=1001
GET     200     https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1001
GET     302     https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1001
GET     200     https://cdn-edge-node.com/online_security_mkl.exe
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c

The first four requests form one download chain: two requests to load.php and th.php on CloudFront (both carrying the same c=1001 parameter), a dl.php request answered with a 302 redirect, and then the executable online_security_mkl.exe fetched from cdn-edge-node.com. The redirect target is not recorded in the report; the executable is the next request in the capture. The last request retrieves the DST Root CA X3 root certificate from IdenTrust, the Windows CryptoAPI chain-building fetch of a public root, and is not attacker infrastructure.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Proto  Source                 Destination          SID        Signature
TCP    192.168.56.101:49172   13.225.110.102:443   906200054  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP    192.168.56.101:49163   54.230.169.11:443    906200054  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP    192.168.56.101:49168   13.225.110.102:443   906200054  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP    192.168.56.101:49173   172.67.165.254:443   906200054  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP    192.168.56.101:49183   172.67.176.247:443   906200054  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

All five alerts come from the same abuse.ch SSLBL rule (SID 906200054). The rule matches the JA3 hash of the client ClientHello, that is, the TLS library and settings of the process that opened each session in the guest, so it fires on every TLS session that process opens regardless of destination. The CloudFront and Cloudflare endpoints are not themselves implicated, and the "Tofsee" label is the family SSLBL associates with that hash, not a classification of this sample. A JA3 hash is shared by every application using the same TLS stack with the same settings, so treat the alert as corroboration for the download chain above, not as proof on its own; compare the same hash against TLS sessions from known-benign processes on the same guest image before acting on it.

Suricata TLS

Version  Source                 Destination          Issuer                                        Subject               SHA-1 fingerprint
TLSv1    192.168.56.101:49172   13.225.110.102:443   C=US, O=Amazon, CN=Amazon RSA 2048 M01        CN=*.cloudfront.net   fa:21:45:dc:4d:94:03:a3:09:77:51:78:4a:21:f2:c5:6d:94:be:52
TLSv1    192.168.56.101:49168   13.225.110.102:443   C=US, O=Amazon, CN=Amazon RSA 2048 M01        CN=*.cloudfront.net   fa:21:45:dc:4d:94:03:a3:09:77:51:78:4a:21:f2:c5:6d:94:be:52
TLSv1    192.168.56.101:49163   54.230.169.11:443    C=US, O=Amazon, CN=Amazon RSA 2048 M01        CN=*.cloudfront.net   fa:21:45:dc:4d:94:03:a3:09:77:51:78:4a:21:f2:c5:6d:94:be:52
TLSv1    192.168.56.101:49173   172.67.165.254:443   C=US, O=Google Trust Services LLC, CN=GTS CA 1P5   CN=cdn-edge-node.com   a9:8d:72:17:ad:81:a1:43:81:37:a3:7e:bd:5d:9c:03:b8:8b:07:ff
TLSv1    192.168.56.101:49183   172.67.176.247:443   C=US, O=Let's Encrypt, CN=E1                  CN=adblock2024.shop   f6:53:16:b6:98:89:7a:ae:57:00:89:be:e1:b6:81:59:8e:db:ed:ab

The fingerprint column is the SHA-1 hash of the server certificate. The three CloudFront sessions present the same wildcard certificate, so they are the HTTPS requests to the two cloudfront.net hosts in the HTTP section. adblock2024.shop appears only here: the session to 172.67.176.247 was recorded at the TLS layer with no decrypted HTTP request, so it is a pivot indicator alongside cdn-edge-node.com rather than a documented download.
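The alert and TLS tables above share a flow key (source port and destination), which is what lets an analyst tell a client-side JA3 match from a destination-specific one. The following Python is an added example, not part of the ZeroBOX report or its tooling: it parses both tables in the flattened layout the page uses, joins them by flow, and applies the heuristic stated above (one JA3 SID firing against several different server certificates indicates a match on the client's TLS stack). The two input strings are the report's own rows pasted in as constructed sample text; the function names and the heuristic are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the alert and TLS rows from the report above,
# in the flattened text layout the page uses.
ALERTS_TEXT = """\
TCP 192.168.56.101:49172 -> 13.225.110.102:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49163 -> 54.230.169.11:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49168 -> 13.225.110.102:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49173 -> 172.67.165.254:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49183 -> 172.67.176.247:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
"""

TLS_TEXT = """\
TLSv1
192.168.56.101:49172
13.225.110.102:443
C=US, O=Amazon, CN=Amazon RSA 2048 M01 CN=*.cloudfront.net fa:21:45:dc:4d:94:03:a3:09:77:51:78:4a:21:f2:c5:6d:94:be:52
TLSv1
192.168.56.101:49168
13.225.110.102:443
C=US, O=Amazon, CN=Amazon RSA 2048 M01 CN=*.cloudfront.net fa:21:45:dc:4d:94:03:a3:09:77:51:78:4a:21:f2:c5:6d:94:be:52
TLSv1
192.168.56.101:49163
54.230.169.11:443
C=US, O=Amazon, CN=Amazon RSA 2048 M01 CN=*.cloudfront.net fa:21:45:dc:4d:94:03:a3:09:77:51:78:4a:21:f2:c5:6d:94:be:52
TLSv1
192.168.56.101:49173
172.67.165.254:443
C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=cdn-edge-node.com a9:8d:72:17:ad:81:a1:43:81:37:a3:7e:bd:5d:9c:03:b8:8b:07:ff
TLSv1
192.168.56.101:49183
172.67.176.247:443
C=US, O=Let's Encrypt, CN=E1 CN=adblock2024.shop f6:53:16:b6:98:89:7a:ae:57:00:89:be:e1:b6:81:59:8e:db:ed:ab
"""

ALERT_RE = re.compile(r"^(?P<proto>\w+) (?P<src>\S+) -> (?P<dst>\S+) (?P<sid>\d+) (?P<sig>.+)$")


def parse_alerts(text):
    """Return one dict per alert row: proto, src, dst, sid, sig."""
    rows = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def parse_tls(text):
    """Return {(src, dst): record} from 4-line groups: version, src, dst, certs.

    The certs line holds issuer, subject and SHA-1 fingerprint separated only by
    spaces: the subject is the last 'CN=' field and the fingerprint the last token.
    """
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    records = {}
    for i in range(0, len(lines) - 3, 4):
        version, src, dst, certs = lines[i:i + 4]
        certs, fingerprint = certs.rsplit(" ", 1)
        cut = certs.rfind(" CN=")
        issuer, subject = certs[:cut], certs[cut + 1:]
        records[(src, dst)] = {"version": version, "issuer": issuer,
                               "subject": subject, "fingerprint": fingerprint}
    return records


def join_alerts(alerts, tls):
    """Attach the server certificate observed on each alerted flow."""
    joined = []
    for a in alerts:
        rec = tls.get((a["src"], a["dst"]))
        joined.append({**a,
                       "server_cn": rec["subject"][3:] if rec else None,
                       "server_fp": rec["fingerprint"] if rec else None})
    return joined


def client_side_match(joined):
    """Heuristic (assumed, not from the report): one JA3 SID seen against two
    or more distinct server certificates means the rule matched the client's
    TLS stack rather than anything specific to the destination."""
    by_sid = defaultdict(set)
    for j in joined:
        if j["server_fp"]:
            by_sid[j["sid"]].add(j["server_fp"])
    return {sid: len(fps) >= 2 for sid, fps in by_sid.items()}


def contacted_hosts(joined):
    """Server names (certificate CN) reached on alerted flows, as pivot IOCs."""
    return sorted({j["server_cn"] for j in joined if j["server_cn"]})


if __name__ == "__main__":
    joined = join_alerts(parse_alerts(ALERTS_TEXT), parse_tls(TLS_TEXT))
    for j in joined:
        print(f'{j["src"]} -> {j["dst"]}  SID {j["sid"]}  server={j["server_cn"]}')
    print("client-side JA3 match per SID:", client_side_match(joined))
    print("hosts on alerted flows:", contacted_hosts(joined))
```

Run stand-alone it lists each alerted flow with the certificate CN it reached, reports the single SID as a client-side match (three distinct server certificates behind one JA3 rule), and yields *.cloudfront.net, adblock2024.shop and cdn-edge-node.com as the names to pivot on. On a real Suricata deployment the same join is done on eve.json by flow_id, but the reasoning is identical.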

Snort Alerts

No Snort Alerts