
IP Address: 205.185.127.239
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker
Services Targeted: HadoopYARN
Tags: HTTP, HadoopYARN, Malicious File, IDS - Web Application Attack, Outgoing Connection, Download and Allow Execution, Download and Execute, Download File, Inbound HTTP Request

Connect Back Servers


Basic Information

IP Address: 205.185.127.239
Domain: -
ISP: FranTech Solutions
Country: United States

WHOIS

Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2018-10-14
Last seen in Guardicore Centra: 2018-10-28

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

Outgoing Connection: Process /usr/bin/wget generated outgoing network traffic to 159.89.239.212:80 (14 times)
Download and Allow Execution: The file /tmp/flex was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/garcia.mips was downloaded and granted execution privileges
Malicious File: /tmp/garcia.mips was identified as malicious by YARA according to rules: 000 Common Rules
Download and Allow Execution: The file /tmp/garcia.mpsl was downloaded and granted execution privileges
Malicious File: /tmp/garcia.mpsl was identified as malicious by YARA according to rules: 000 Common Rules
Download and Allow Execution: The file /tmp/garcia.sh4 was downloaded and granted execution privileges
Malicious File: /tmp/garcia.sh4 was identified as malicious by YARA according to rules: 000 Common Rules
IDS - Web Application Attack: IDS detected Web Application Attack: 401TRG Generic Webshell Request - POST with wget in body
Download and Execute: The file /tmp/garcia.x86 was downloaded and executed 3 times
Outgoing Connection: Process /tmp/garcia.x86 generated outgoing network traffic to 159.89.239.212:54
Download and Allow Execution: The file /tmp/garcia.arm6 was downloaded and granted execution privileges
Malicious File: /tmp/garcia.arm6 was identified as malicious by YARA according to rules: 000 Common Rules
Download and Execute: The file /tmp/garcia.i686 was downloaded and executed 2 times
Download and Allow Execution: The file /tmp/garcia.ppc was downloaded and granted execution privileges
Malicious File: /tmp/garcia.ppc was identified as malicious by YARA according to rules: 000 Common Rules
Download and Execute: The file /tmp/garcia.i586 was downloaded and executed 2 times
Download and Allow Execution: The file /tmp/garcia.m68k was downloaded and granted execution privileges
Malicious File: /tmp/garcia.m68k was identified as malicious by YARA according to rules: 000 Common Rules
Download and Allow Execution: The file /tmp/garcia.sparc was downloaded and granted execution privileges
Malicious File: /tmp/garcia.sparc was identified as malicious by YARA according to rules: 000 Common Rules
Download and Allow Execution: The file /tmp/garcia.arm4 was downloaded and granted execution privileges
Malicious File: /tmp/garcia.arm4 was identified as malicious by YARA according to rules: 000 Common Rules
Download and Allow Execution: The file /tmp/garcia.arm5 was downloaded and granted execution privileges
Malicious File: /tmp/garcia.arm5 was identified as malicious by YARA according to rules: 000 Common Rules
Outgoing Connection: Process /bin/bash generated outgoing network traffic to 159.89.239.212:80
Download and Allow Execution: The file /tmp/garcia.arm7 was downloaded and granted execution privileges
Malicious File: /tmp/garcia.arm7 was identified as malicious by YARA according to rules: 000 Common Rules
Connection was closed due to timeout
Malicious File: /tmp/garcia.i586 was identified as malicious by YARA according to rules: Maldoc Somerules and 000 Common Rules
Malicious File: /tmp/garcia.x86 was identified as malicious by YARA according to rules: 000 Common Rules
Malicious File: /tmp/garcia.i686 was identified as malicious by YARA according to rules: Maldoc Somerules and 000 Common Rules

Associated Files

