
IP Address: 78.97.107.40

Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

SSH

Tags

DNS Query, Human, Download and Allow Execution, Download File, Download Operation, SSH Access, Suspicious Domain, Malicious File, Bulk Files Tampering, 20 Shell Commands, Download and Execute, Package Install, HTTP, Successful SSH Login, Outgoing Connection, Read Password Secrets

Associated Attack Servers


Basic Information

IP Address

78.97.107.40

Domain

-

ISP

UPC ROMANIA

Country

Romania

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-02-10

Last seen in Guardicore Centra

2019-05-19

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

Process /usr/bin/wget attempted to access domains: vaynz.000webhostapp.com

DNS Query

Process /usr/bin/wget generated outgoing network traffic to: 145.14.144.151:80

Outgoing Connection

/root/vit.py was downloaded

Download File

Process /usr/bin/python2.7 attempted to access domains: www.speedtest.net, stosat-rstn-01.sys.comcast.net, s1.speedtest.wdc1.us.leaseweb.net, stosat-malt-01.sys.comcast.net and edinburg.speedtest.shentel.net

DNS Query

Process /usr/bin/python2.7 generated outgoing network traffic to: 151.101.2.219:80, 69.241.87.90:80, 204.111.21.7:80, 207.244.94.68:80, 69.241.0.94:80 and 204.111.5.18:80

Outgoing Connection

Process /usr/bin/python2.7 attempted to access suspicious domains: bigdaddy.wave2net.com

DNS Query, Outgoing Connection, Access Suspicious Domain

Process /usr/bin/wget attempted to access suspicious domains: nasapaul.com

DNS Query, Outgoing Connection, Access Suspicious Domain

Process /usr/bin/wget generated outgoing network traffic to: 185.61.137.36:80

Outgoing Connection

/root/xmr.zip was downloaded

Download File

Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.archive.ubuntu.com and archive.ubuntu.com

DNS Query

Process /usr/lib/apt/methods/http generated outgoing network traffic to: 91.189.88.162:80

Outgoing Connection

The file /usr/share/doc/nano was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/share/doc/nano/examples was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/share/nano was downloaded and granted execution privileges

Download and Allow Execution

The file /bin/nano was downloaded and executed 2 times

Download and Execute

The file /root/xmr/config.json was downloaded and granted execution privileges

Download and Allow Execution

The file /root/xmr/xmrig was downloaded and executed 14 times

Download and Execute

Process /root/xmr/xmrig attempted to access domains: xmr.pool.minergate.com 2 times

DNS Query

Process /root/xmr/xmrig generated outgoing network traffic to: 78.46.23.253:45700

Outgoing Connection

Process /root/xmr/xmrig generated outgoing network traffic to: 136.243.94.27:45700

Outgoing Connection

Connection was closed due to timeout

/root/xmr/xmrig was identified as malicious by YARA according to rules: Crypto Signatures

Malicious File

Process /usr/bin/dpkg performed bulk changes in {/} on 141 files

Bulk Files Tampering

Associated Files

/var/tmp/cola

SHA256: 5f6e6c2847d6eed0901f2e5a1897475d9ff2c04565b4a3d9c4aaad09b85b8939

1439980 bytes

/var/tmp/speed.py

SHA256: f98f21bc8d49fe2f9ad56cf0ea038ef47d68b74cf338d45c162caa3c50d497d6

49503 bytes

/var/tmp/vit.py

SHA256: 37110270a4b1407ede822943ab49e138dd9f0374eaf6ff414d78a4bc83dc2dac

26335 bytes

/var/tmp/start

SHA256: 8c3a65d3a5954d997fc2a0057cfe089c81ea6163a4e76a2cdff1bb4718cd5475

91 bytes

/root/vit.py

SHA256: 4f05f355389b36d64e4cf82b7c12dd40fefcf9eaa22a7bb792df440d8d8fd37c

25533 bytes

/tmp/.Neals/sysInit

SHA256: 232af0c5f3b1cdbc2d90b514873a764b434d5621d2790da67954b35c17e44fe3

1844640 bytes

/root/per

SHA256: 126c12aadf13b29347406109156e2e29a17df79c73472e2e0bbc8df48b566278

39017 bytes
