IP Address: 194.182.80.200Previously Malicious

Weekly Summary

Browse or download a weekly review of our cyber threat intelligence data and gain more insight to help protect your network

Top Threats

Cyber Threat Intelligence

Discover Malicious IPs and Domains with Guardicore Cyber Threat Feed

IP Address:
194.182.80.200​
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Connect-Back, Scanner

Services Targeted

HadoopYARN

Tags

HTTP HadoopYARN Malicious File IDS - Web Application Attack Outgoing Connection Download and Allow Execution Download and Execute Access Suspicious Domain Download File Inbound HTTP Request

Associated Attack Servers

forpsi.net arubacloud.de aruba.it

52.168.169.156 40.76.38.75 13.81.220.89 40.76.78.149 86.105.48.69 104.45.159.91 40.71.214.242 104.40.157.159 40.114.243.66 52.174.179.113 13.89.235.217 80.211.203.234 13.73.160.230 13.82.180.115 137.135.92.186 52.168.89.181 13.93.93.21 40.71.210.201 52.178.113.206 52.233.143.163 52.166.206.33 40.114.13.12 40.71.229.210 40.121.136.37 40.68.86.94 86.105.49.217 13.90.253.5 40.71.227.128 94.177.245.132 52.233.181.5

Basic Information

IP Address

194.182.80.200

Domain

-

ISP

Aruba S.p.A.

Country

Czechia

WHOIS

Created Date

1999-12-07

Updated Date

2020-04-11

Organization

aruba Spa

First seen in Guardicore Centra

2018-09-21

Last seen in Guardicore Centra

2018-10-01

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

Process /usr/bin/wget generated outgoing network traffic to: 86.105.48.69:80

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: arubacloud.de

Outgoing Connection Access Suspicious Domain

/tmp/n was downloaded

Download File

Process /usr/bin/wget generated outgoing network traffic to: 194.182.80.200:80

Outgoing Connection

IDS detected Web Application Attack : 401TRG Generic Webshell Request - POST with wget in body

IDS - Web Application Attack

The file /var/tmp/Nikita.x86 was downloaded and executed 5 times

Download and Execute

Process /var/tmp/Nikita.x86 generated outgoing network traffic to: 194.182.80.200:1

Outgoing Connection

Connection was closed due to user inactivity

/var/tmp/Nikita.x86 was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

Associated Files

/tmp/n

SHA256: d0029333b807f9189cddfcf8285c300f7d723ab51f213c77f3965f328b52fe17

301 bytes

/var/tmp/Nikita.x86

SHA256: b7d19b3f90f9e54da2181b27b8a70bc0e468cc2e537ab4fcdff1a403666a520b

121657 bytes

/tmp/n

SHA256: c4d9fc2042b692b64bec9a133f32fbc780410a740c46730ac4578fcb30b8e2bc

301 bytes

/var/tmp/Nikita.x86

SHA256: 7aed3acb3c41623e1fc43597905936c1d6b81e2d110abc7e423c6804733c096c

82750 bytes

/tmp/bins.sh

SHA256: ca3984a9c9c119bb4014ff2c488ec8832ba2c31cfc8f7e74cec583fae76f605d

1918 bytes

/tmp/bins.sh

SHA256: c2d8e69f811cea36f3401a584490543a939032a58aec7005e0e35efed6768e4c

2134 bytes

/tmp/Nikita.mips

SHA256: 218907866ca2fe2629ba87cc6a0240b6c9d8d38157582ef69ea4431d22998fcd

71437 bytes

/tmp/Nikita.mips

SHA256: 92ed85cf0fe00f93a598152c22abfabf8e44e8c30963782c02d8eb2c293b7467

108767 bytes

/tmp/Nikita.mpsl

SHA256: 66a4d534d95ba597e24210b51976ed782c7bd5c27c3d4598f7230fc7343c6e13

108767 bytes

/tmp/Nikita.mips

SHA256: b053af5b266cd98700f778732aad811fa1abc705e9b457c57a37053b47102ed2

31597 bytes

/tmp/Nikita.x86

SHA256: 2ce8b1bfaa885b38521bf90dacd8c0241848330eb84294cc2a7c7eab119adbf5

78078 bytes

/tmp/Nikita.x86

SHA256: 29e7863fd6ec711133ba3d251ca56220c715099ff30508c66879ed2cedff1151

52846 bytes

Oops! - Do you see your IP here? Contact us at labs@guardicore.com to remove it from the Threat Intelligence data.

IP Address: 194.182.80.200​Previously Malicious