IP Address: 205.185.124.247 (Previously Malicious)



This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker

Services Targeted: HadoopYARN

Tags: HTTP, Log Tampering, HadoopYARN, Malicious File, IDS - Web Application Attack, Outgoing Connection, Download and Allow Execution, Download and Execute, Access Suspicious Domain, Download File, Inbound HTTP Request, Service Stop

Connect Back Servers

Domains: ugjb2021.info, 9ninewest.com

IPs: 104.46.40.157, 52.174.52.111, 52.174.36.73, 52.174.40.206, 104.248.238.90, 89.34.237.210, 104.248.225.252, 52.165.39.199, 23.101.128.211, 168.63.110.250, 52.232.27.167, 52.173.79.135, 52.170.211.178, 52.186.125.0, 40.71.224.222, 13.94.211.122, 40.68.97.216, 52.173.132.230, 40.71.195.175, 52.178.117.234, 40.121.142.231, 52.176.51.246, 52.173.131.64, 52.165.237.129, 52.166.121.133, 52.232.33.74, 52.173.243.215, 137.116.195.72, 52.166.72.240, 13.73.167.164

Basic Information

IP Address: 205.185.124.247
Domain: -
ISP: FranTech Solutions
Country: United States

WHOIS

Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2018-09-23
Last seen in Guardicore Centra: 2018-11-04

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

Each step below is followed by the incident tags Centra assigned to it.

IDS detected Web Application Attack: 401TRG Generic Webshell Request - POST with wget in body (IDS - Web Application Attack)

Process /usr/bin/wget generated outgoing network traffic to 9ninewest.com:80, 2 times (Outgoing Connection)

Process /usr/bin/wget attempted to access suspicious domain 9ninewest.com, 2 times (Access Suspicious Domain, Outgoing Connection)

The file /tmp/Execution.x86.1 was downloaded and granted execution privileges (Download and Allow Execution)

The file /tmp/Execution.x86 was downloaded and executed 221 times (Download and Execute)

Process /tmp/Execution.x86 generated outgoing network traffic to 9ninewest.com:23 and 209.141.55.104:23 (Outgoing Connection)

Process /tmp/Execution.x86 attempted to access suspicious domain 9ninewest.com (Access Suspicious Domain, Outgoing Connection)

/tmp/Execution.x86.1 was identified as malicious by YARA according to rules: 000 Common Rules (Malicious File)

Service iptables was stopped 18 times (Service Stop)

Log File Tampering detected from /bin/rm on the following logs: /var/log/lastlog and /var/log/dpkg.log (Log Tampering)

Service firewalld was stopped 18 times (Service Stop)

The file /bin/rm was downloaded and executed 2 times (Download and Execute)

The file /sbin/xtables-multi was downloaded and executed (Download and Execute)

The file /usr/bin/pgrep was downloaded and executed (Download and Execute)

The file /usr/local/bin/dash was downloaded and executed (Download and Execute)

Connection was closed due to timeout

/tmp/Execution.x86 was identified as malicious by YARA according to rules: 000 Common Rules (Malicious File)

Associated Files

Path, SHA256, size in bytes:

/tmp/Trio.x86          SHA256: fa50ae9fd97a8254ded0f083256201d996795de774915e815d6bcdccfcd42647  11677 bytes
/tmp/Execution.x86.2   SHA256: 49e534c90859ea9422322dc1705dfd45b0938ec9bf2a828ff3cb2947cbcf8b2c  26285 bytes
/tmp/flex              SHA256: 51a748da749e5619d147394251bae983c8cf51b10a816960f4fa02a23305e194  150595 bytes
/tmp/flex              SHA256: 9f8bd4f2a7e1fe5b8c7a1590c525c5a3caa069e2c4741339d90af84304450e89  111115 bytes
/tmp/feds              SHA256: e4dbeac3690df3f2f51af8413d52d4964193297051544ba8f4fc9ad04ffdfa16  111115 bytes
/tmp/feds              SHA256: 558dfdb93a11e63b651758428dfa7984921c6f25b02a19681213cb6cbd65e55c  62141 bytes
/tmp/Execution.x86     SHA256: 634e923932eb1074b7e036a90eb8244d174baa4547146e733064e6a0c2f84845  108774 bytes
/tmp/Execution.x86     SHA256: 689b4f036e6082eda2acdc7c3ce024f99e4b98f0ad41cc5a0230eb8ddcd29a37  56829 bytes
/tmp/Execution.x86     SHA256: 7c5e2e53313047f390e7c62de12b6791e6e24d7cc22414e7f6cdacb83eb0ac7f  11677 bytes
/tmp/Execution.x86.1   SHA256: 8d1cf42d6d9579015aaaa52a5e6a68b888ed55fef60326e0a6ca7789e44267bd  108742 bytes
/tmp/Execution.x86     SHA256: 11237c7df9755f52830a10e40b2f7bd9477b45e70a87af833982ceeb4ea09c98  30269 bytes
/tmp/Execution.x86     SHA256: 0fc65fe26617fa631a7d8433e4540c5a83c8110c9e78e8a40ea48358d222b7a2  31597 bytes
/tmp/Execution.x86     SHA256: f49013b0fba91f4356ae99ac222ca00872d001acd2f488c3539ffd5d33b3bdbe  55501 bytes
/tmp/Execution.x86     SHA256: c48061165909782cea053105dc0f40fe4f162306ee332f53bc330d143b1e62a3  44877 bytes
/tmp/Execution.x86     SHA256: 7be7b2e80ee9c5d3798ec5a3748957c9cccb0d0e5f3cd724fc81e98a2f7b755e  38237 bytes
/tmp/Execution.x86     SHA256: 3ac86d778f53248a4c517ce56c30a8657dabe4bd1f3680c0aeba60f27d0ee5f2  108742 bytes
/tmp/jiren.x86         SHA256: b41f89074612683219133d8d4c0d37451dace65062ce363853434aeb6192451f  102655 bytes
/tmp/jiren.x86         SHA256: d7dd924618fa962638cd2a544654f270524a5200d201fad955cb46bf603e2053  11677 bytes
/tmp/jiren.x86         SHA256: 194ad653c984b267c67b0c4917169cae60489fd532d2c39082cb6008d49699ac  1053 bytes
