Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 185.34.33.2Malicious

IP Address: 185.34.33.2Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Scanner

Services Targeted

SCP

Tags

Listening Successful SSH Login SCP 42 Shell Commands Download and Execute SSH Service Configuration IDS - A Network Trojan was detected System File Modification Outgoing Connection Scheduled Task Creation Download File Access Suspicious Domain

Associated Attack Servers

ip-139-99-68.net ip-147-135-37.us minexmr.com

37.59.43.131 51.68.21.188 51.79.226.3 51.81.195.38 51.222.149.40 51.222.193.76 88.99.193.240 94.130.164.163 94.130.165.85 94.130.165.87 123.16.80.3 139.99.48.226 139.99.68.128 147.135.37.31 158.69.25.62 158.69.25.71 178.32.120.127

Basic Information

IP Address

185.34.33.2

Domain

-

ISP

Octopuce s.a.r.l.

Country

France

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2018-02-25

Last seen in Akamai Guardicore Segmentation

2023-06-28

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

/bin/qpuf4jqn8vehax7hyeh6maqkux was downloaded

Download File

IDS detected A Network Trojan was detected : DNS request for Monero mining pool

IDS - A Network Trojan was detected

The file /bin/dhpcd was downloaded and executed 17 times

Download and Execute

Process /bin/dhpcd generated outgoing network traffic to: 139.99.68.128:4444, 147.135.37.31:4444, 158.69.25.62:4444, 37.59.43.131:4444, 94.130.164.163:4444 and 94.130.165.85:4444

Outgoing Connection

Process /bin/dhpcd attempted to access suspicious domains: ip-139-99-68.net, ip-147-135-37.us, ip-158-69-25.net and ip-37-59-43.eu

Access Suspicious Domain Outgoing Connection

System file /etc/shadow was modified 9 times

System File Modification

/dev/shm/qpuf4jqn8vehax7hyeh6maqkux was downloaded

Download File

/dev/shm/knrm was downloaded

Download File

/dev/shm/r was downloaded

Download File

Process /bin/dhpcd generated outgoing network traffic to: 158.69.25.71:4444

Outgoing Connection

Process /bin/dhpcd attempted to access suspicious domains: ip-158-69-25.net

Access Suspicious Domain Outgoing Connection

/etc/rc.d/rc.local was downloaded

Download File

System file /etc/rc.local was modified 4 times

System File Modification

/etc/rc.local was downloaded

Download File

Process /usr/sbin/sshd started listening on ports: 22

Listening

Connection was closed due to timeout

Associated Files

/bin/dhpcd

SHA256: 76005592ad7d8901c64a5cfbcdde589a960ba35c9672da6182d131cd67ae0c97

3458848 bytes

/bin/dhpcd

SHA256: 2cca764d24212f8fc58780b9135740929f38b45bcd5fc82c4a2ff47e90890d06

379416 bytes