IP Address: 209.141.42.153 (Previously Malicious)


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker
Services Targeted: HadoopYARN
Tags: HTTP, HadoopYARN, Malicious File, IDS - Web Application Attack, Outgoing Connection, Download and Allow Execution, Download and Execute, Download File, Inbound HTTP Request

Connect Back Servers

40.117.44.182 13.94.200.48 104.46.40.157 40.68.103.162 13.69.86.134 13.92.99.153 40.68.244.223 40.121.81.249 52.166.72.240 52.174.52.111 13.73.167.164 13.68.208.174 40.114.243.66 13.94.152.174 13.81.59.79 13.82.182.9 52.232.107.2 52.178.106.195 23.101.132.197 52.170.98.243 13.81.218.117 40.71.182.235 13.92.132.27 40.71.229.210 13.82.183.3 40.71.227.128 13.92.114.106 40.68.103.91 40.68.86.26 52.170.209.64

Basic Information

IP Address: 209.141.42.153
Domain: -
ISP: FranTech Solutions
Country: United States

WHOIS
Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2018-09-16
Last seen in Guardicore Centra: 2018-10-04

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

[Outgoing Connection] Process /usr/bin/wget generated outgoing network traffic to: 209.97.159.10:80 14 times
[Download and Allow Execution] The file /tmp/flex was downloaded and granted execution privileges
[Download and Allow Execution] The file /tmp/Demon.mips was downloaded and granted execution privileges
[Malicious File] /tmp/Demon.mips was identified as malicious by YARA according to rules: 000 Common Rules
[Download and Allow Execution] The file /tmp/Demon.mpsl was downloaded and granted execution privileges
[Malicious File] /tmp/Demon.mpsl was identified as malicious by YARA according to rules: 000 Common Rules
[IDS - Web Application Attack] IDS detected Web Application Attack : 401TRG Generic Webshell Request - POST with wget in body
[Download and Allow Execution] The file /tmp/Demon.sh4 was downloaded and granted execution privileges
[Malicious File] /tmp/Demon.sh4 was identified as malicious by YARA according to rules: 000 Common Rules
[Download and Execute] The file /tmp/Demon.x86 was downloaded and executed
[Download and Allow Execution] The file /tmp/Demon.arm6 was downloaded and granted execution privileges
[Malicious File] /tmp/Demon.arm6 was identified as malicious by YARA according to rules: 000 Common Rules
[Download and Execute] The file /tmp/Demon.i686 was downloaded and executed 3 times
[Outgoing Connection] Process /bin/bash generated outgoing network traffic to: 209.97.159.10:80
[Outgoing Connection] Process /tmp/Demon.i686 generated outgoing network traffic to: 209.97.159.10:64
[Download and Allow Execution] The file /tmp/Demon.ppc was downloaded and granted execution privileges
[Malicious File] /tmp/Demon.ppc was identified as malicious by YARA according to rules: 000 Common Rules
[Download and Execute] The file /tmp/Demon.i586 was downloaded and executed 3 times
[Outgoing Connection] Process /tmp/Demon.i586 generated outgoing network traffic to: 209.97.159.10:64
[Download and Allow Execution] The file /tmp/Demon.m68k was downloaded and granted execution privileges
[Malicious File] /tmp/Demon.m68k was identified as malicious by YARA according to rules: 000 Common Rules
[Download and Allow Execution] The file /tmp/Demon.sparc was downloaded and granted execution privileges
[Malicious File] /tmp/Demon.sparc was identified as malicious by YARA according to rules: 000 Common Rules
[Download and Allow Execution] The file /tmp/Demon.arm4 was downloaded and granted execution privileges
[Malicious File] /tmp/Demon.arm4 was identified as malicious by YARA according to rules: 000 Common Rules
[Download and Allow Execution] The file /tmp/Demon.arm5 was downloaded and granted execution privileges
[Malicious File] /tmp/Demon.arm5 was identified as malicious by YARA according to rules: 000 Common Rules
[Download and Allow Execution] The file /tmp/Demon.arm7 was downloaded and granted execution privileges
[Malicious File] /tmp/Demon.arm7 was identified as malicious by YARA according to rules: 000 Common Rules
[Malicious File] /tmp/Demon.i586 was identified as malicious by YARA according to rules: Maldoc Somerules and 000 Common Rules
Connection was closed due to timeout
[Malicious File] /tmp/Demon.x86 was identified as malicious by YARA according to rules: 000 Common Rules
[Malicious File] /tmp/Demon.i686 was identified as malicious by YARA according to rules: Maldoc Somerules and 000 Common Rules

Associated Files

