
IP Address: 80.211.203.234 (Previously Malicious)

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker

Services Targeted: HadoopYARN

Tags: HTTP, HadoopYARN, Malicious File, IDS - Web Application Attack, Outgoing Connection, Download and Allow Execution, Download and Execute, Access Suspicious Domain, Download File, Inbound HTTP Request

Connect Back Servers: aruba.it, forpsi.net


Basic Information

IP Address: 80.211.203.234

Domain: -

ISP: Aruba S.p.A.

Country: Czechia

WHOIS

Created Date: 2004-10-25

Updated Date: 2019-09-25

Organization: REDACTED FOR PRIVACY

First seen in Guardicore Centra: 2018-09-21

Last seen in Guardicore Centra: 2018-10-01

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

Process /usr/bin/wget generated outgoing network traffic to: 80.211.203.234:80 11 times (Outgoing Connection)

Process /usr/bin/wget attempted to access suspicious domains: forpsi.net 11 times (Access Suspicious Domain, Outgoing Connection)

The file /tmp/bins.sh was downloaded and granted execution privileges (Download and Allow Execution)

The file /tmp/hakai.mips was downloaded and granted execution privileges (Download and Allow Execution)

/tmp/hakai.mips was identified as malicious by YARA according to rules: 000 Common Rules (Malicious File)

The file /tmp/hakai.mpsl was downloaded and granted execution privileges (Download and Allow Execution)

/tmp/hakai.mpsl was identified as malicious by YARA according to rules: 000 Common Rules (Malicious File)

The file /tmp/hakai.sh4 was downloaded and granted execution privileges (Download and Allow Execution)

/tmp/hakai.sh4 was identified as malicious by YARA according to rules: 000 Common Rules (Malicious File)

The file /tmp/hakai.x86 was downloaded and granted execution privileges (Download and Allow Execution)

/tmp/hakai.x86 was identified as malicious by YARA according to rules: Maldoc Somerules and 000 Common Rules (Malicious File)

IDS detected Web Application Attack: 401TRG Generic Webshell Request - POST with wget in body (IDS - Web Application Attack)

The file /tmp/hakai.arm6 was downloaded and granted execution privileges (Download and Allow Execution)

/tmp/hakai.arm6 was identified as malicious by YARA according to rules: 000 Common Rules (Malicious File)

The file /tmp/hakai.x86_64 was downloaded and executed 9 times (Download and Execute)

The file /tmp/hakai.ppc was downloaded and granted execution privileges (Download and Allow Execution)

/tmp/hakai.ppc was identified as malicious by YARA according to rules: 000 Common Rules (Malicious File)

The file /tmp/hakai.m68k was downloaded and granted execution privileges (Download and Allow Execution)

/tmp/hakai.m68k was identified as malicious by YARA according to rules: 000 Common Rules (Malicious File)

/tmp/hakai.arm4 was downloaded (Download File)

Connection was closed due to user inactivity

/tmp/hakai.x86_64 was identified as malicious by YARA according to rules: 000 Common Rules (Malicious File)

/tmp/hakai.arm4 was identified as malicious by YARA according to rules: 000 Common Rules (Malicious File)

Associated Files

