IP Address: 62.43.142.114Previously Malicious

Weekly Summary

Browse or download a weekly review of our cyber threat intelligence data and gain more insight to help protect your network

Top Threats

Cyber Threat Intelligence

Discover Malicious IPs and Domains with Guardicore Cyber Threat Feed

IP Address:
62.43.142.114​
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

SSH

Tags

Successful SSH Login Download and Allow Execution Download and Execute Malicious File 16 Shell Commands Outgoing Connection Access Suspicious Domain DNS Query SSH Brute Force SSH Download Operation HTTP Download File Log Tampering

Connect Back Servers

speedtest.oit.duke.edu shentel.net genevestigator.com sp1.winchesterwireless.net make.tv qwest.net celito.net duke.edu centurylink.net your-server.de tes2018.hi2.ro www.speedtest.net s1.speedtest.wdc1.us.leaseweb.net edinburg.speedtest.shentel.net blazingfast.io nasapaul.com rockymount.speedtest.centurylink.net h4eteam.16mb.com stosat-malt-01.sys.comcast.net rdu.ookla.gfsvc.com kabel-deutschland.de webssh.3x.ro speedtest31.suddenlink.net comcast.net telecomitalia.it 3x.ro stosat-rstn-01.sys.comcast.net speed.celito.net sbcglobal.net bigdaddy.wave2net.com

69.241.0.94 145.14.145.234 77.20.0.2 136.243.0.5 136.243.0.2 136.243.0.3 69.241.87.90 99.24.18.89 136.42.34.74 85.35.0.5 152.3.103.197 77.20.0.8 184.170.114.134 136.243.0.4 136.243.0.1 151.101.2.219 74.113.230.246 77.20.0.6 77.20.0.1 136.42.34.75 145.14.145.227 204.111.21.7 77.20.0.4 77.20.0.5 185.61.137.36 145.14.145.119 136.243.0.6 85.35.0.4 85.35.0.3 77.20.0.3

Basic Information

IP Address

62.43.142.114

Domain

-

ISP

Vodafone Spain

Country

Spain

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-04-25

Last seen in Guardicore Centra

2018-09-16

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SSH with the following credentials: mysql / ****** - Authentication policy: White List (Part of a Brute Force Attempt)

SSH Brute Force Successful SSH Login

Process /usr/bin/wget attempted to access domains: cybernetik.000webhostapp.com

DNS Query

Process /usr/bin/wget generated outgoing network traffic to: 145.14.145.119:80

Outgoing Connection

/home/mysql/cyberinfo was downloaded

Download File

Process /usr/bin/wget attempted to access suspicious domains: nasapaul.com

DNS Query Access Suspicious Domain Outgoing Connection

Process /usr/bin/wget generated outgoing network traffic to: 185.61.137.36:80

Outgoing Connection

/home/mysql/groot.zip was downloaded

Download File

The file /home/mysql/groot/1 was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/groot/2 was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/groot/3 was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/groot/anti-blackdor.anti was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/groot/bios.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/groot/clean was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/groot/cleanlist was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/groot/dup.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/groot/eof.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/groot/go was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/groot/mfu.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/groot/motd was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/groot/pass_file was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/groot/random was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/groot/screen was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/groot/vuln.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/groot/vuln1.txt was downloaded and granted execution privileges

Download and Allow Execution

Log File Tampering detected from /bin/bash on the following logs: /var/log/apt/apt.log, /var/log/auth.log, /var/log/faillog, /var/log/fsck/checkfs, /var/log/syslog, /var/log/fsck, /var/log/dpkg.log, /var/log/ntpstats, /var/log/apt/term.log, /var/log/apt/history.log, /var/log/alternatives.log, /var/log/kern.log, /var/log/btmp, /var/log/fsck/checkroot, /var/log/lastlog, /var/log/wtmp, /var/log/bootstrap.log, /var/log/apt and /var/log/dmesg

Log Tampering

History File Tampering detected from /bin/bash on the following logs: /root/.bash_history

Log Tampering

The file /home/mysql/groot/class was downloaded and executed

Download and Execute

The file /home/mysql/groot/update was downloaded and executed

Download and Execute

A user logged in using SSH with the following credentials: mysql / ****** - Authentication policy: Correct Password (Part of a Brute Force Attempt) 2 times

SSH Brute Force Successful SSH Login

Process /usr/bin/wget attempted to access domains: tes2018.hi2.ro

DNS Query

Process /usr/bin/wget generated outgoing network traffic to: 89.42.39.81:80

Outgoing Connection

/home/mysql/arhiva.zip was downloaded

Download File

The file /home/mysql/arhiva/a was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/arhiva/gasite.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/arhiva/haiduc was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/arhiva/pass was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/arhiva/scan.log was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/arhiva/screen was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/arhiva/screen.jpg was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/arhiva/start was downloaded and granted execution privileges

Download and Allow Execution

The file /home/mysql/arhiva/udp.pl was downloaded and granted execution privileges

Download and Allow Execution

Connection was closed due to timeout

/home/mysql/groot/screen was identified as malicious by YARA according to rules: Maldoc Somerules and Toolkit Thor Hacktools

Malicious File

/home/mysql/arhiva/start was identified as malicious by YARA according to rules: Toolkit Thor Hacktools

Malicious File

/home/mysql/arhiva/screen was identified as malicious by YARA according to rules: Maldoc Somerules and Toolkit Thor Hacktools

Malicious File

/home/mysql/groot/update was identified as malicious by YARA according to rules: Malw Miscelanea Linux, Maldoc Somerules and Crypto Signatures

Malicious File

/home/mysql/arhiva/haiduc was identified as malicious by YARA according to rules: Crypto Signatures and Malw Pe Sections

Malicious File

/home/mysql/groot/class was identified as malicious by YARA according to rules: Maldoc Somerules and Suspicious Strings

Malicious File

Associated Files

/v.py

SHA256: 00e430b733cf199747c9c6e0f2e2fae6a045bbed9c0f0f993112b301fcdf5dbc

25470 bytes

/var/tmp/x/haiduc.filepart

SHA256: 6163a3ca3be7c3b6e8449722f316be66079207e493830c1cf4e114128f4fb6a4

1040592 bytes

/root/silecyber.zip.1

SHA256: 48b5e465295da9fcf3732d292962db5c3219ad6a1cae190f14c7da0e9f14db32

1180220 bytes

/var/tmp/zone/screen.filepart

SHA256: 2413af510a75ada34716165992a425b35f62ba1478f63746502afd8a8a156b80

249980 bytes

/var/tmp/ /.zlib/fever

SHA256: 97093a1ef729cb954b2a63d7ccc304b18d0243e2a77d87bbbb94741a0290d762

453972 bytes

/var/tmp/ninfo

SHA256: 19778a62055770a9e5f890e52227ccd39251bf23045c15383411638540ceabf7

2941 bytes

/var/tmp/.x/Nasa/n

SHA256: 046a09f66630f581d6eaeb734f775f41f1e46238ffe369f6905464fed1531afd

1959 bytes

/var/tmp/.x/Nasa/nhdd

SHA256: 43333adf6ba7d876d5574543278616dad40376b1024a01d0f48c04b0ca5f7534

1485768 bytes

/var/tmp/.x/Nasa/pscan2

SHA256: 291cf164abfff4269e84209fe0763bb3295f7fad9d265c6354b8d4494ac5410f

14012 bytes

/var/tmp/scan/pscan2.cfi

SHA256: 1a286986ebbe66abbedcc76ae4e2fd23c2668b076cd9dc79bf53c24961041ab8

6027 bytes

/var/tmp/zone/speedtestvps.py

SHA256: 02cd63a2e9d2cd538ca5230380ad3668b967955f193ec1090b275baa55315680

25312 bytes

/var/tmp/.x/Nasa.zip

SHA256: dbf70633cde2587ec3cc8c3379c9f4e9af3664ca61cb0fcd58b40288643b304f

821131 bytes

/var/tmp/groot.zip

SHA256: 575a17bac99ab4077e2c9bcd01fbc14953827377972e414f669bfa8dbc030bae

724193 bytes

/var/tmp/gosh/1

SHA256: 246fcc88606c73771e9ccfed22be1ee97636f65156b1076db2e506e16e732db3

189 bytes

/root/arhiva/a

SHA256: a9100f7e4e1cab442cb800c52462ea4353b2c931e455209281da655bf180dc47

711 bytes

/tmp/bins.sh

SHA256: e332040055ce7e38935e1eea7fb5ccdd6f6f7e41a6d9cdc7eb4d02aee576e206

3078 bytes

/tmp/ntpd

SHA256: 8c92c21ac2d21f9a924113d17aa5727594439625ddd85be2442cdfcc5e8d637b

119167 bytes

/tmp/sshd

SHA256: 6e5ff6dab882a85d25350a7ff84526210c10acebaeb35f261d7ef16d72677288

119167 bytes

/tmp/openssh

SHA256: 8052af4959aa6909373be403841ad98cb7ca6272a13eabc8f1dc02fea0e128b8

82844 bytes

/tmp/tftp

SHA256: f0700b9a50e4b8ce1610be4d545b9ddc0cf237c4a028268fb0370c986951f137

117425 bytes

/var/tmp/.sal/cyberinfo

SHA256: b600e5f6a9071463e8c698a13860d23c04e8716279dd06fc29ce58459d618709

2117 bytes

/var/tmp/.sal/ninfo

SHA256: 84eada15f75e523cb7da2e92a76eb0cfa595579f1248fb1bb2120138aa3dd979

4315 bytes

/var/tmp/gosh/random

SHA256: 6d8ffb2449a2e56d63c23e66aa367bd3a610adf96b288dfc8e52bffda15751af

184 bytes

/.sal/groot/go~

SHA256: 41c3ee93f8d79479d09ab1771be47ef4eac2a0829fc2d4f2d97320de509b9b84

815 bytes

/var/tmp/gosh/2

SHA256: 42237dd0eeacbddd1e07df21cd437cdf9c1b0282ac7b565d51589e57b39bffd1

119 bytes

/var/tmp/gosh/update.filepart

SHA256: 8dfe94a1b02d1330886ad4458b32db3da4b872f9c2116657840de499fee5438a

842736 bytes

/var/tmp/gosh/3

SHA256: c2c5e4a271f8af56df3c091397e9db498f48434001e3d8b7e63cadd902e5adc9

187 bytes

/var/tmp/gosh/anti-blackdor.anti

SHA256: ff2d1dfec0d7f40d0045942cceda733184cbaf57fcf3e251c2e52b231ec4cefe

12780 bytes

/root/xad.zip

SHA256: c50e0eac44c3333a685d98ab72055a11cd4cc9eb636fac0c271f841568a4f5f5

513521 bytes

/var/tmp/ninfo

SHA256: 0eaa11e51d3188cb66e0db4b977001979973d81628af0f7187b79971dc533713

2940 bytes

Oops! - Do you see your IP here? Contact us at labs@guardicore.com to remove it from the Threat Intelligence data.

IP Address: 62.43.142.114​Previously Malicious