IP Address: 54.36.26.13 - Previously Malicious


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker, Scanner

Services Targeted: SSH

Tags

17 Shell Commands, DNS Query, Human, Download and Allow Execution, Download File, Download Operation, SSH, Access Suspicious Domain, Download and Execute, Malicious File, HTTP, Successful SSH Login, Outgoing Connection

Associated Attack Servers

Domains: www.speedtest.net, blazingfast.io, comcast.net, nasapaul.com, shentel.net, ip-192-99-1.net, edinburg.speedtest.shentel.net, stosat-malt-01.sys.comcast.net, stosat-rstn-01.sys.comcast.net, werwolf.ga, s1.speedtest.wdc1.us.leaseweb.net, bigdaddy.wave2net.com, leonida.000webhostapp.com

IP addresses: 207.244.94.68, 151.101.2.219, 192.99.1.16, 145.14.145.227, 69.241.0.94, 204.111.5.18, 185.61.137.36, 204.111.21.7, 69.241.87.90

Basic Information

IP Address: 54.36.26.13

Domain: -

ISP: OVH Hosting

Country: France

WHOIS

Created Date: -

Updated Date: -

Organization: -

First seen in Guardicore Centra: 2018-06-10

Last seen in Guardicore Centra: 2018-07-06


Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

A possibly malicious Download Operation was detected 2 times

Download Operation

Process /usr/bin/wget attempted to access suspicious domains: nasapaul.com

DNS Query Outgoing Connection Access Suspicious Domain

Process /usr/bin/wget generated outgoing network traffic to: 185.61.137.36:80

Outgoing Connection

/var/tmp/ninfo was downloaded

Download File

Process /usr/bin/wget generated outgoing network traffic to: 145.14.145.227:80

Outgoing Connection

Process /usr/bin/wget attempted to access domains: leonida.000webhostapp.com

DNS Query

/var/tmp/gosh.zip was downloaded

Download File

The file /var/tmp/gosh/1 was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/gosh/2 was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/gosh/3 was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/gosh/4 was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/gosh/5 was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/gosh/a was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/gosh/common was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/gosh/gen-pass.sh was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/gosh/go.sh was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/gosh/pass_file was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/gosh/pscan2 was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/gosh/pscan3 was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/gosh/scam was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/gosh/secure was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/gosh/ssh-scan was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/gosh/vuln.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/gosh/ss was downloaded and executed 2 times

Download and Execute

Process /usr/bin/perl attempted to access suspicious domains: werwolf.ga and ip-192-99-1.net

DNS Query Outgoing Connection Access Suspicious Domain

Process /usr/bin/perl generated outgoing network traffic to: 192.99.1.16:9981

Outgoing Connection

/var/tmp/gosh/ss was identified as malicious by YARA according to rules: Maldoc Somerules and Suspicious Strings

Malicious File

/var/tmp/gosh/common was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/var/tmp/gosh/3 was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/var/tmp/gosh/ssh-scan was identified as malicious by YARA according to rules: Malw Miscelanea Linux, Maldoc Somerules, Crypto Signatures and 000 Common Rules

Malicious File

/var/tmp/gosh/pscan2 was identified as malicious by YARA according to rules: Maldoc Somerules, Toolkit Thor Hacktools and 000 Common Rules

Malicious File

/var/tmp/gosh/pscan3 was identified as malicious by YARA according to rules: Antidebug Antivm and Suspicious Strings

Malicious File

/var/tmp/gosh/5 was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/var/tmp/gosh/2 was identified as malicious by YARA according to rules: Apt Apt1 and Suspicious Strings

Malicious File

/var/tmp/gosh/4 was identified as malicious by YARA according to rules: Apt Apt1 and Suspicious Strings

Malicious File

Associated Files

/var/tmp/ /.zlib/fever

SHA256: 97093a1ef729cb954b2a63d7ccc304b18d0243e2a77d87bbbb94741a0290d762

453972 bytes

/var/tmp/sudo/gen-pass.sh

SHA256: e7031aaa218f814ec442f7fc5cc545980a537d777db491c425d60f0be3366074

265 bytes

/var/tmp/sudo/pscan2

SHA256: cc3f6c535787c71bed14ec8ac3b6feb59fe3b09fc53c69f1fe592103f2632764

21407 bytes

/var/tmp/gosh/secure

SHA256: b7bfce3e886608199e7dd31bcd4af0d84eaa90267e45273278e8826dfa993133

197 bytes

/var/tmp/sudo/ssh-scan

SHA256: 93df64cc0ff902ad1e80ada56023610ec2c44c3ecde2d36d37a3a748c7fd42bd

842736 bytes

/var/tmp/sudo/pscan3

SHA256: 858f1741be9be6aab0b8a19dd1b21af22c05064cd8f8d739079ad0764aa42b37

43538 bytes

/var/tmp/gosh/scam

SHA256: 3cf65b5ffbe4c614148d650b0f4100d73e1175fe9491b09feea2ba53d4178889

5976 bytes

/var/tmp/gosh.zip

SHA256: b51dfe39c2125534d7e8fa0acbc1881047b4a1194922270794af8e7860c49aff

1974667 bytes

/var/tmp/ninfo

SHA256: 0eaa11e51d3188cb66e0db4b977001979973d81628af0f7187b79971dc533713

2940 bytes
