IP Address: 104.244.77.210 - Previously Malicious


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

SSH

Tags

SSH, 1 Shell Commands, HTTP, Download and Execute, Download File, Download and Allow Execution, Access Suspicious Domain, Successful SSH Login, Outgoing Connection, Download Operation

Associated Attack Servers

Domains: havingeducation.com, hostingfuze.net

IPs: 89.42.133.13, 104.244.77.163, 89.42.133.10, 89.42.133.103, 45.129.2.127, 89.42.133.29

Basic Information

IP Address

104.244.77.210

Domain

-

ISP

FranTech Solutions

Country

Luxembourg

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2019-10-28

Last seen in Guardicore Centra

2020-03-22

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

A possibly malicious Download Operation was detected 2 times

Download Operation

Process /bin/bash generated outgoing network traffic to: 104.244.77.163:80

Outgoing Connection

Process /bin/bash attempted to access suspicious domains: Guard

Access Suspicious Domain Outgoing Connection

The file /tmp/bins.sh was downloaded and granted execution privileges

Process /usr/bin/wget generated outgoing network traffic to: 104.244.77.163:80 2 times

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: Guard 2 times

Access Suspicious Domain Outgoing Connection

/tmp/Thotty.mips was downloaded

Download File

The file /tmp/Thotty.mips was downloaded and granted execution privileges

/tmp/Thotty.mpsl was downloaded

Download File

The file /tmp/Thotty.mpsl was downloaded and granted execution privileges

Process /usr/local/bin/dash generated outgoing network traffic to: 104.244.77.163:80 2 times

Outgoing Connection

Process /usr/local/bin/dash attempted to access suspicious domains: Guard 2 times

Access Suspicious Domain Outgoing Connection

/tmp/Thotty.sh4 was downloaded

Download File

The file /tmp/Thotty.sh4 was downloaded and granted execution privileges

The file /tmp/Thotty.x86 was downloaded and executed 9 times

Download and Execute

Process /usr/bin/wget generated outgoing network traffic to: 104.244.77.163:80

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: Guard

Access Suspicious Domain Outgoing Connection

/tmp/Thotty.arm6 was downloaded

Download File

Process /usr/bin/wget generated outgoing network traffic to: 104.244.77.163:80

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: Guard

Access Suspicious Domain Outgoing Connection

The file /tmp/Thotty.arm6 was downloaded and granted execution privileges

The file /tmp/Thotty.i686 was downloaded and executed 161 times

Download and Execute

Process /usr/local/bin/dash generated outgoing network traffic to: 104.244.77.163:80

Outgoing Connection

Process /usr/local/bin/dash attempted to access suspicious domains: Guard

Access Suspicious Domain Outgoing Connection

Process /usr/local/bin/dash generated outgoing network traffic to: 104.244.77.163:80

Outgoing Connection

Process /usr/local/bin/dash attempted to access suspicious domains: Guard

Access Suspicious Domain Outgoing Connection

The file /tmp/Thotty.ppc was downloaded and granted execution privileges

The file /tmp/Thotty.i586 was downloaded and granted execution privileges

The file /usr/local/bin/dash was downloaded and executed

Download and Execute

Connection was closed due to timeout
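The flow above is the standard Mirai-style dropper chain: a password login as root, a shell or wget fetching a stager (/tmp/bins.sh) from 104.244.77.163:80, then one binary per CPU architecture (Thotty.mips, .mpsl, .sh4, .x86, .arm6, .i686, .ppc, .i586) written to /tmp, marked executable and run in turn until one matches the host. Note that the login only succeeded because the honeypot's authentication policy is a white list of accepted credentials; on a production host with key-only SSH the chain stops at step one, and a successful root password login from an unknown address is itself the first alert. The correlator below is an added example, not Guardicore code or Centra's event schema: it replays a constructed event stream modelled on this page's Attack Flow and raises two alerts, one when a file in a world-writable drop directory is executed after a post-login fetch, and one when several architecture-suffixed builds of the same name appear. The event field names, ARCH_SUFFIXES, DOWNLOADERS and the MIN_ARCH_VARIANTS threshold are assumptions of the example.

```python
"""Correlate the SSH login -> shell/wget fetch -> /tmp drop -> chmod -> exec chain.

Added example, not Guardicore code. EVENTS is a constructed stream that mirrors
the Attack Flow on this page; the field names, ARCH_SUFFIXES, DOWNLOADERS and
MIN_ARCH_VARIANTS are assumptions of this example, not Centra's schema.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# CPU suffixes seen in the drop names on this page. Mirai-style droppers fetch
# one build per architecture and run each until one executes on the host.
ARCH_SUFFIXES = {"mips", "mpsl", "sh4", "x86", "arm6", "i686", "ppc", "i586"}
DROP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOWNLOADERS = {"/usr/bin/wget", "/usr/bin/curl", "/bin/bash", "/usr/local/bin/dash"}
MIN_ARCH_VARIANTS = 3  # assumption: three builds of one name already mean a dropper

EVENTS = [  # constructed; follows the page's Attack Flow in order, plus one benign control
    {"t": 0, "kind": "ssh_login", "user": "root", "src": "104.244.77.210"},
    {"t": 1, "kind": "outbound", "proc": "/bin/bash", "dst": "104.244.77.163", "port": 80},
    {"t": 2, "kind": "exec_granted", "path": "/tmp/bins.sh"},
    {"t": 3, "kind": "outbound", "proc": "/usr/bin/wget", "dst": "104.244.77.163", "port": 80},
    {"t": 4, "kind": "download", "path": "/tmp/Thotty.mips"},
    {"t": 5, "kind": "exec_granted", "path": "/tmp/Thotty.mips"},
    {"t": 6, "kind": "download", "path": "/tmp/Thotty.mpsl"},
    {"t": 7, "kind": "exec_granted", "path": "/tmp/Thotty.mpsl"},
    {"t": 8, "kind": "outbound", "proc": "/usr/local/bin/dash", "dst": "104.244.77.163", "port": 80},
    {"t": 9, "kind": "download", "path": "/tmp/Thotty.sh4"},
    {"t": 10, "kind": "exec_granted", "path": "/tmp/Thotty.sh4"},
    {"t": 11, "kind": "exec", "path": "/tmp/Thotty.x86", "count": 9},
    {"t": 12, "kind": "exec", "path": "/tmp/Thotty.i686", "count": 161},
    {"t": 13, "kind": "exec", "path": "/usr/bin/id", "count": 1},  # benign: not a drop dir
]


@dataclass
class Session:
    logged_in: bool = False
    c2: set = field(default_factory=set)        # (dst, port) fetched from after login
    dropped: dict = field(default_factory=dict)  # drop-dir path -> last stage seen


def in_drop_dir(path):
    return path.startswith(DROP_DIRS)


def base_and_arch(path):
    """'/tmp/Thotty.mips' -> ('Thotty', 'mips'); None when the suffix is not a CPU tag."""
    name = path.rsplit("/", 1)[-1]
    base, _, ext = name.rpartition(".")
    return (base, ext) if base and ext in ARCH_SUFFIXES else None


def correlate(events):
    """Return alert dicts for the download-and-execute chain and for multi-arch drops."""
    s = Session()
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        kind = ev["kind"]
        if kind == "ssh_login":
            s.logged_in = True
        elif kind == "outbound" and s.logged_in and ev["proc"] in DOWNLOADERS:
            s.c2.add((ev["dst"], ev["port"]))
        elif kind in ("download", "exec_granted") and in_drop_dir(ev["path"]):
            s.dropped[ev["path"]] = kind
        elif kind == "exec" and in_drop_dir(ev["path"]):
            s.dropped[ev["path"]] = "exec"
            if s.logged_in and s.c2:  # executed from a drop dir after a post-login fetch
                alerts.append({"rule": "ssh_download_and_execute", "path": ev["path"],
                               "runs": ev.get("count", 1), "c2": sorted(s.c2)})
    # Second signal: the same base name dropped for several architectures.
    families = defaultdict(set)
    for path in s.dropped:
        ba = base_and_arch(path)
        if ba:
            families[ba[0]].add(ba[1])
    for base, archs in sorted(families.items()):
        if len(archs) >= MIN_ARCH_VARIANTS:
            alerts.append({"rule": "multi_arch_dropper", "family": base, "archs": sorted(archs)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The multi-architecture rule is the more durable of the two: the drop names change between campaigns (this page alone lists Thotty, Netflix, eagle and Arbiter builds), but a dropper that writes five builds of one name for five CPUs into /tmp looks the same whatever it is called.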

Associated Files

/tmp/eagle.mpsl

SHA256: e9ad32ee2ec5bc425b255a2e79b60bc1cc5596ffcb890a8a0b4f67c4043fc880

150762 bytes

/tmp/eagle.sh4

SHA256: 66411da2c7ae573d5f5eca3c956d7e6aa870fde494c72fdb7ba28ec09ea94ea7

106618 bytes

/tmp/Arbiter.mips

SHA256: 9abf4e81886d196c0c1fb662933778eca1480120b90d6ca7253f613ddeaa6a1b

150650 bytes

/tmp/Thotty.mips

SHA256: 5211ef3095c21d6731e620ecbe9172152683f0d5f3dae2952755db464a039314

153082 bytes

/tmp/Thotty.mpsl

SHA256: 8007cf29293124d47215cf9ca8d04d0585feb954306068b80e02ddd4cce9606d

153082 bytes

/tmp/Thotty.sh4

SHA256: 96c123ea7d578f103d2bd43485880cbe1489731d6bb71ebddd3e8b7ed869ffde

103260 bytes

/tmp/Netflix.mips

SHA256: c1551b008233e38407d22137c2df6779181144265b55ed00ab1fb880fd38a055

150650 bytes

/tmp/Netflix.mpsl

SHA256: 57f1eb2e40367ca6335f0737a20c93b0466c445a8d92965c8a8ec7b027897d23

150762 bytes

/tmp/Netflix.sh4

SHA256: 9639407249f183bb806092a56e98863cf391c704c35693bc8a562d3d25925ad7

106618 bytes

/tmp/njs.sh

SHA256: 65e11ffdbbbf68b5aec3d1a763afeecb2a95960255f3374f6321f7938fd34cf3

1993 bytes

/tmp/Netflix.x86

SHA256: 8fc16ed8c78a134a238bbbf4c3c7e318c251deffc2671a5d882fb5bd0915e814

114049 bytes

/tmp/bins.sh

SHA256: b8bf1eb503dd4c2a3599be3e34b0cb39270e01383d726ea554ce983d7910c0fe

2114 bytes

/tmp/Thotty.x86

SHA256: 4e5ccea975dcd342fb13734e1294c6e2b3f62dbe5e019deff194568d56f62312

108646 bytes

/tmp/Thotty.arm6

SHA256: fc3c20ec40da2de181bc1dae647731213dd2ba5917f566a7adc1cee90b7021b2

138656 bytes

/tmp/Thotty.i686

SHA256: 8ca7cc97c4ac2b6d9820860e44626fc0ccf071b2a1d365fb2eda84dd3555ecb1

96035 bytes

/tmp/Thotty.ppc

SHA256: 808274922cf0904503609bef5056da7af338138d8ea169dd7bc91781785063bd

113019 bytes

/tmp/Thotty.i586

SHA256: 7b0ec7029c103561cf17840a497ea8ec1a9f9efa033251e2f2a334915c8fae71

52298 bytes
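The file list is the operational part of this page, and two things about it matter before it is turned into a check. First, the same dropper shows up under four names (Thotty, Netflix, eagle, Arbiter), so matching on file name is not useful; the hash is the indicator. Second, several differently named builds share a size byte for byte (eagle.mpsl and Netflix.mpsl are both 150762 bytes, Arbiter.mips and Netflix.mips both 150650, eagle.sh4 and Netflix.sh4 both 106618) yet have different SHA256 values, which reads as rebuilds of one codebase with different embedded strings; a hash therefore catches only these exact builds, so it should be paired with behavioural detection of the download-and-execute chain. The script below is an added example, not Guardicore tooling: it carries the page's SHA256 values, IPs and domains as indicator sets, hashes a directory tree against them, and matches outbound-connection log lines against the network indicators. The directory walk, the log-line format parsed by CONN_RE, SAMPLE_LOG and the helper names are this example's assumptions.

```python
"""Match the hash and network indicators from this page against a host and a log.

Added example, not Guardicore tooling. The SHA256 values, IPs and domains are the
ones listed on this page; the directory walk, the log-line format parsed by
CONN_RE, SAMPLE_LOG and the helper names are this example's assumptions.
"""
import hashlib
import os
import re
import tempfile

# SHA256 -> name the sample was dropped under on the honeypot (from the page).
FILE_IOCS = {
    "e9ad32ee2ec5bc425b255a2e79b60bc1cc5596ffcb890a8a0b4f67c4043fc880": "/tmp/eagle.mpsl",
    "66411da2c7ae573d5f5eca3c956d7e6aa870fde494c72fdb7ba28ec09ea94ea7": "/tmp/eagle.sh4",
    "9abf4e81886d196c0c1fb662933778eca1480120b90d6ca7253f613ddeaa6a1b": "/tmp/Arbiter.mips",
    "5211ef3095c21d6731e620ecbe9172152683f0d5f3dae2952755db464a039314": "/tmp/Thotty.mips",
    "8007cf29293124d47215cf9ca8d04d0585feb954306068b80e02ddd4cce9606d": "/tmp/Thotty.mpsl",
    "96c123ea7d578f103d2bd43485880cbe1489731d6bb71ebddd3e8b7ed869ffde": "/tmp/Thotty.sh4",
    "c1551b008233e38407d22137c2df6779181144265b55ed00ab1fb880fd38a055": "/tmp/Netflix.mips",
    "57f1eb2e40367ca6335f0737a20c93b0466c445a8d92965c8a8ec7b027897d23": "/tmp/Netflix.mpsl",
    "9639407249f183bb806092a56e98863cf391c704c35693bc8a562d3d25925ad7": "/tmp/Netflix.sh4",
    "65e11ffdbbbf68b5aec3d1a763afeecb2a95960255f3374f6321f7938fd34cf3": "/tmp/njs.sh",
    "8fc16ed8c78a134a238bbbf4c3c7e318c251deffc2671a5d882fb5bd0915e814": "/tmp/Netflix.x86",
    "b8bf1eb503dd4c2a3599be3e34b0cb39270e01383d726ea554ce983d7910c0fe": "/tmp/bins.sh",
    "4e5ccea975dcd342fb13734e1294c6e2b3f62dbe5e019deff194568d56f62312": "/tmp/Thotty.x86",
    "fc3c20ec40da2de181bc1dae647731213dd2ba5917f566a7adc1cee90b7021b2": "/tmp/Thotty.arm6",
    "8ca7cc97c4ac2b6d9820860e44626fc0ccf071b2a1d365fb2eda84dd3555ecb1": "/tmp/Thotty.i686",
    "808274922cf0904503609bef5056da7af338138d8ea169dd7bc91781785063bd": "/tmp/Thotty.ppc",
    "7b0ec7029c103561cf17840a497ea8ec1a9f9efa033251e2f2a334915c8fae71": "/tmp/Thotty.i586",
}
# Attacker and associated attack-server addresses listed on the page.
NETWORK_IOCS = {
    "104.244.77.210", "104.244.77.163", "89.42.133.13", "89.42.133.10",
    "89.42.133.103", "89.42.133.29", "45.129.2.127",
}
DOMAIN_IOCS = {"havingeducation.com", "hostingfuze.net"}


def sha256_file(path, chunk=1 << 20):
    """Stream the file so a large binary does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, hash_iocs=FILE_IOCS):
    """Walk root; return (path, sha256, known_name) for every file whose hash is an IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:  # unreadable, or already deleted by the dropper
                continue
            if digest in hash_iocs:
                hits.append((path, digest, hash_iocs[digest]))
    return hits


# Assumed log shape, one outbound connection per line: "<proc> -> <host>:<port>".
CONN_RE = re.compile(r"(?P<proc>\S+)\s+->\s+(?P<dst>[\w.-]+):(?P<port>\d+)")

SAMPLE_LOG = [  # constructed
    "/usr/bin/wget -> 104.244.77.163:80",
    "/usr/bin/curl -> 93.184.216.34:443",
    "/bin/bash -> hostingfuze.net:80",
    "sshd -> 10.0.0.5:22",
]


def match_connections(lines, ips=NETWORK_IOCS, domains=DOMAIN_IOCS):
    """Return (proc, dst, port) for each line whose destination is a listed IP or domain."""
    hits = []
    for line in lines:
        m = CONN_RE.search(line)
        if m and (m["dst"] in ips or m["dst"].lower() in domains):
            hits.append((m["proc"], m["dst"], int(m["port"])))
    return hits


def demo_scan():
    """Drop one constructed file named like a real sample; scan with the page IOCs, then with its own hash."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "Thotty.x86")  # same name as a listed drop, different bytes
        with open(path, "wb") as fh:
            fh.write(b"constructed test file, not the real sample\n")
        page_hits = scan_tree(root)                       # name matches, hash does not: 0
        own_hits = scan_tree(root, {sha256_file(path): "constructed test file"})  # 1
        return len(page_hits), len(own_hits)


if __name__ == "__main__":
    print(match_connections(SAMPLE_LOG))
    print(demo_scan())
```

demo_scan() is the point of the name-versus-hash caveat in runnable form: a file called Thotty.x86 with different contents produces no hit against the page's hashes, and only a hash of the bytes actually on disk does. When sweeping real hosts, scan /tmp, /var/tmp and /dev/shm first, since every drop on this page landed in /tmp, and expect the binaries to be gone if the bot has already unlinked itself after starting.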

