IP Address: 205.185.122.121 - Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker, Connect-Back, Scanner

Services Targeted: HadoopYARN

Tags: HTTP, HadoopYARN, Malicious File, IDS - Web Application Attack, Outgoing Connection, Service Creation, Download and Allow Execution, Download File, Inbound HTTP Request

Associated Attack Servers: 52.168.173.204, 52.168.135.83, 13.81.11.198, 13.94.211.122, 104.40.157.159, 52.173.197.52, 52.233.158.183, 52.173.80.33, 52.176.53.237, 13.68.208.174, 52.174.17.41, 13.82.52.9, 13.82.50.225, 40.85.190.216, 13.95.8.223, 52.176.57.55, 52.232.109.105, 52.173.128.177, 52.174.33.11, 13.81.218.89, 52.165.27.98, 52.173.143.203, 52.173.75.8, 52.173.76.208, 209.141.40.213, 52.173.21.149, 13.81.59.79, 52.176.48.82, 40.68.103.91, 40.114.54.125

Basic Information

IP Address: 205.185.122.121
Domain: -
ISP: FranTech Solutions
Country: United States

WHOIS

Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2018-09-25
Last seen in Guardicore Centra: 2020-07-25

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

Outgoing Connection: Process /usr/bin/wget generated outgoing network traffic to 205.185.122.121:80 (4 times)
Service Creation: Service miner was created
Download and Allow Execution: The file /tmp/miner was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/carl was downloaded and granted execution privileges
IDS - Web Application Attack: IDS detected Web Application Attack: 401TRG Generic Webshell Request - POST with wget in body
Download and Allow Execution: The file /tmp/yarl was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/marl was downloaded and granted execution privileges
Outgoing Connection: Process /usr/bin/wget generated outgoing network traffic to 209.141.40.213:80
Connection was closed due to user inactivity
Malicious File: /tmp/carl was identified as malicious by YARA according to rules: 000 Common Rules
Malicious File: /tmp/miner was identified as malicious by YARA according to rules: Malw Xmrig Miner
Malicious File: /etc/init.d/miner was identified as malicious by YARA according to rules: Malw Xmrig Miner
Malicious File: /tmp/marl was identified as malicious by YARA according to rules: Malw Xmrig Miner, Crypto Signatures and 000 Common Rules
Malicious File: /tmp/yarl was identified as malicious by YARA according to rules: Malw Pe Sections and 000 Common Rules

Associated Files

/var/tmp/.z/Duck (745544 bytes) - SHA256: 5da9c364062f8848d940fe98fc70800e1906f92788204551150e7097a0dffcf4
/tmp/yarl (730698 bytes) - SHA256: ee7ba15bae03a8095e0bf432a2f2674f2e78085258f64c137d2ad22bd96815a7
/tmp/marl (723672 bytes) - SHA256: b8687ab465c280847193d36a67c390616933032db31932d8ac191041343b68f6
/tmp/carl (13013 bytes) - SHA256: 9a7f01b47f0c421c39c07b935df02c255ce386f85de8650d528b70ec42f529b7
/tmp/carl (39573 bytes) - SHA256: 2fa97491ccd330554d1cadbe8ef6a8221d35ba88c9bf81f185fdfdddd11c8af9
