NetWork | ZeroBOX

Network Analysis

IP Address Status Action
104.21.65.24 Active Moloch
164.124.101.2 Active Moloch
201.191.99.134 Active Moloch
93.118.137.82 Active Moloch
GET 200 https://api.2ip.ua/geo.json
REQUEST
RESPONSE
GET 200 https://api.2ip.ua/geo.json
REQUEST
RESPONSE
GET 200 http://cajgtus.com/test2/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true
REQUEST
RESPONSE
GET 200 http://defgyma.com/dl/build2.exe
REQUEST
RESPONSE
GET 200 http://cajgtus.com/files/1/build3.exe
REQUEST
RESPONSE

ICMP traffic

Source Destination ICMP Type Data
192.168.56.103 164.124.101.2 3

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49172 -> 93.118.137.82:80 2002400 ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) A Network Trojan was detected
TCP 192.168.56.103:49172 -> 93.118.137.82:80 2036334 ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key A Network Trojan was detected
TCP 93.118.137.82:80 -> 192.168.56.103:49172 2036335 ET MALWARE Win32/Filecoder.STOP Variant Public Key Download A Network Trojan was detected
TCP 192.168.56.103:49173 -> 201.191.99.134:80 2002400 ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) A Network Trojan was detected
TCP 192.168.56.103:49173 -> 201.191.99.134:80 2020826 ET MALWARE Potential Dridex.Maldoc Minimal Executable Request A Network Trojan was detected
TCP 192.168.56.103:49173 -> 201.191.99.134:80 2036333 ET MALWARE Win32/Vodkagats Loader Requesting Payload A Network Trojan was detected
TCP 192.168.56.103:49171 -> 104.21.65.24:443 2033214 ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 104.21.65.24:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 201.191.99.134:80 -> 192.168.56.103:49173 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.103:49174 -> 93.118.137.82:80 2020826 ET MALWARE Potential Dridex.Maldoc Minimal Executable Request A Network Trojan was detected
TCP 192.168.56.103:49174 -> 93.118.137.82:80 2036333 ET MALWARE Win32/Vodkagats Loader Requesting Payload A Network Trojan was detected
TCP 93.118.137.82:80 -> 192.168.56.103:49174 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2027026 ET POLICY External IP Address Lookup DNS Query (2ip .ua) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49165 -> 104.21.65.24:443 2033214 ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 104.21.65.24:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.103:49171
104.21.65.24:443
C=US, O=Google Trust Services, CN=WE1 CN=2ip.ua ff:79:da:c4:72:a8:32:8f:28:1d:c9:7f:3a:b0:c3:0e:3f:7e:7e:a1
TLSv1
192.168.56.103:49165
104.21.65.24:443
C=US, O=Google Trust Services, CN=WE1 CN=2ip.ua ff:79:da:c4:72:a8:32:8f:28:1d:c9:7f:3a:b0:c3:0e:3f:7e:7e:a1

Snort Alerts

No Snort Alerts