NetWork | ZeroBOX

Network Analysis

IP Address Status Action
164.124.101.2 Active Moloch
172.67.188.196 Active Moloch
192.3.101.146 Active Moloch
216.9.224.185 Active Moloch
Name Response Post-Analysis Lookup
pastefy.app 104.21.49.12
GET 200 https://pastefy.app/SXZ0OaCN/raw
REQUEST:
GET /SXZ0OaCN/raw HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E)
Host: pastefy.app
Connection: Keep-Alive
RESPONSE:
HTTP/1.1 200 OK
Date: Thu, 03 Apr 2025 00
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
Server: cloudflare
Access-Control-Allow-Origin: *
Cf-Cache-Status: DYNAMIC
Content-Encoding: gzip
CF-RAY: 92a482948f991258-SLC
alt-svc: h3="
GET 200 http://216.9.224.185/122/wecaninsertforgoodforeeturncheclkgood.hta
REQUEST:
GET /122/wecaninsertforgoodforeeturncheclkgood.hta HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E)
Host: 216.9.224.185
Connection: Keep-Alive
RESPONSE:
HTTP/1.1 200 OK
Date: Thu, 03 Apr 2025 00
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Wed, 02 Apr 2025 05
ETag: "754-631c4dea5b1ad"
Accept-Ranges: bytes
Content-Length: 1876
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/hta

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49165 -> 172.67.188.196:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49162 -> 216.9.224.185:80 2022520 ET POLICY Possible HTA Application Download Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 216.9.224.185:80 2027261 ET INFO Dotted Quad Host HTA Request Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 216.9.224.185:80 2024449 ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl Attempted User Privilege Gain
TCP 216.9.224.185:80 -> 192.168.56.101:49162 2024197 ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) A Network Trojan was detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49165 -> 172.67.188.196:443 C=US, O=Google Trust Services, CN=WE1 CN=pastefy.app b6:42:cb:7c:dc:26:c2:f9:e3:e9:9c:47:e7:84:60:7f:b5:bc:66:32

Snort Alerts

No Snort Alerts