IP Address: 84.117.152.80 (Previously Malicious)


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker

Services Targeted: SSH

Tags: HTTP, DNS Query, Networking Operation, Human, Download and Allow Execution, 50 Shell Commands, Superuser Operation, Download File, Download Operation, Access Suspicious Domain, Bulk Files Tampering, Malicious File, SFTP, Download and Execute, Package Install, SSH, Successful SSH Login, Outgoing Connection

Connect Back Servers

Domains: _http._tcp.archive.ubuntu.com, www.speedtest.net, stosat-rstn-01.sys.comcast.net, shentel.net, sp1.winchesterwireless.net, achieving-success.co.uk, 101medianode.app, stosat-malt-01.sys.comcast.net, edinburg.speedtest.shentel.net, bigdaddy.wave2net.com, blazingfast.io, archive.ubuntu.com, comcast.net, nasapaul.com

IP addresses: 69.241.0.94, 178.62.0.7, 204.111.5.18, 178.62.0.5, 151.101.2.219, 178.62.0.2, 178.62.0.3, 69.241.87.90, 178.62.0.6, 178.62.0.4, 184.170.114.134, 204.111.21.7, 178.62.0.1, 185.61.137.36

Basic Information

IP Address: 84.117.152.80
Domain: -
ISP: UPC Romania SRL
Country: Romania

WHOIS

Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2018-07-15
Last seen in Guardicore Centra: 2018-07-25

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

A possibly malicious Download Operation was detected 3 times

Networking Operation, Package Install, Download Operation, Superuser Operation

Process /usr/bin/wget attempted to access suspicious domains: nasapaul.com 3 times

DNS Query, Access Suspicious Domain, Outgoing Connection

Process /usr/bin/wget generated outgoing network traffic to: blazingfast.io:80

Outgoing Connection

/root/v.py was downloaded

Download File

Process /usr/bin/python2.7 generated outgoing network traffic to: 184.170.114.134:80, 151.101.2.219:80, shentel.net:80, 204.111.21.7:80 and comcast.net:80

Outgoing Connection

Process /usr/bin/python2.7 attempted to access domains: stosat-rstn-01.sys.comcast.net, www.speedtest.net, stosat-malt-01.sys.comcast.net and edinburg.speedtest.shentel.net

DNS Query

Process /usr/bin/python2.7 attempted to access suspicious domains: sp1.winchesterwireless.net and bigdaddy.wave2net.com

DNS Query, Access Suspicious Domain, Outgoing Connection

Process /usr/bin/wget generated outgoing network traffic to: 185.61.137.36:80

Outgoing Connection

/root/Nasa.zip was downloaded

Download File

The file /root/Nasa/1 was downloaded and granted execution privileges

Download and Allow Execution

The file /root/Nasa/n was downloaded and granted execution privileges

Download and Allow Execution

The file /root/Nasa/nhdd was downloaded and granted execution privileges

Download and Allow Execution

The file /root/Nasa/port was downloaded and granted execution privileges

Download and Allow Execution

The file /root/Nasa/screen was downloaded and granted execution privileges

Download and Allow Execution

A possibly malicious Superuser Operation was detected

Networking Operation, Package Install, Download Operation, Superuser Operation

A user logged in using SSH with the following credentials: root / ************** - Authentication policy: Correct Password 3 times

Successful SSH Login

Process /root/Nasa/pscan2 generated outgoing network traffic to: 178.62.0.4:22, 178.62.0.5:22, 178.62.0.2:22, 178.62.0.6:22, 178.62.0.3:22, 178.62.0.7:22 and 178.62.0.1:22

Outgoing Connection

The file /root/Nasa/pscan2 was downloaded and executed 2 times

Download and Execute

Process /root/Nasa/pscan2 attempted to access suspicious domains: 101medianode.app and achieving-success.co.uk

Access Suspicious Domain, Outgoing Connection

A possibly malicious Package Install was detected 3 times

Networking Operation, Package Install, Download Operation, Superuser Operation

Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.archive.ubuntu.com and archive.ubuntu.com

DNS Query

A possibly malicious Networking Operation was detected 2 times

Networking Operation, Package Install, Download Operation, Superuser Operation

/root/IRC/unrealircd.conf was downloaded 2 times

Download File

Connection was closed due to timeout

/root/IRC/doc/example.hu.conf was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/doc/help.fr.conf was identified as malicious by YARA according to rules: Antidebug Antivm and Suspicious Strings

Malicious File

/root/IRC/src/socket.c was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/configure was identified as malicious by YARA according to rules: Malw Miscelanea Linux and Suspicious Strings

Malicious File

/root/IRC/doc/example.de.conf was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/src/s_bsd.c was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/doc/technical/serverprotocol.html was identified as malicious by YARA according to rules: Javascript Exploit And Obfuscation and Antidebug Antivm

Malicious File

/root/IRC/doc/example.conf was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/doc/example.ru.conf was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/doc/example.tr.conf was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/src/packet.c was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/src/modules/m_cap.c was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/dccallow.conf was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/src/modules/m_pingpong.c was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/src/win32/debug.c was identified as malicious by YARA according to rules: Antidebug Antivm

Malicious File

/root/IRC/doc/help.ru.conf was identified as malicious by YARA according to rules: Antidebug Antivm and Suspicious Strings

Malicious File

/root/IRC/spamfilter.conf was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/Nasa/nhdd was identified as malicious by YARA according to rules: Malw Miscelanea Linux, Maldoc Somerules, Crypto Signatures and 000 Common Rules

Malicious File

/root/IRC/src/s_misc.c was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/doc/unreal32docs.tr.html was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/doc/unreal32docs.hu.html was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/src/modules/m_message.c was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/doc/unreal32docs.fr.html was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/src/modules/m_nick.c was identified as malicious by YARA according to rules: Antidebug Antivm and Suspicious Strings

Malicious File

/root/IRC/src/modules/m_tkl.c was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/src/modules/m_join.c was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/Changes.old was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/src/modules.c was identified as malicious by YARA according to rules: Malw Miscelanea Linux

Malicious File

/root/IRC/src/parse.c was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/doc/help.tr.conf was identified as malicious by YARA according to rules: Antidebug Antivm and Suspicious Strings

Malicious File

/root/IRC/include/struct.h was identified as malicious by YARA according to rules: Antidebug Antivm and Suspicious Strings

Malicious File

/root/IRC/doc/unreal32docs.de.html was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/doc/help.de.conf was identified as malicious by YARA according to rules: Antidebug Antivm and Suspicious Strings

Malicious File

/root/IRC/autoconf/m4/unreal.m4 was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/help.conf was identified as malicious by YARA according to rules: Antidebug Antivm and Suspicious Strings

Malicious File

/root/IRC/src/modules/m_quit.c was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/doc/technical/token.txt was identified as malicious by YARA according to rules: Antidebug Antivm

Malicious File

/root/IRC/src/support.c was identified as malicious by YARA according to rules: Javascript Exploit And Obfuscation and Crypto Signatures

Malicious File

/root/IRC/unrealircd.conf was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/include/msg.h was identified as malicious by YARA according to rules: Antidebug Antivm

Malicious File

/root/Nasa/screen was identified as malicious by YARA according to rules: Maldoc Somerules, Toolkit Thor Hacktools and 000 Common Rules

Malicious File

/root/IRC/include/dynconf.h was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/Nasa/pscan2 was identified as malicious by YARA according to rules: Toolkit Thor Hacktools and 000 Common Rules

Malicious File

/root/IRC/src/s_conf.c was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/doc/unreal32docs.ru.html was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/include/ircsprintf.h was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/configure.ac was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/src/modules/m_stats.c was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/doc/example.es.conf was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/doc/unreal32docs.es.html was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/include/threads.h was identified as malicious by YARA according to rules: Antidebug Antivm

Malicious File

/root/IRC/src/modules/m_mode.c was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/doc/example.nl.conf was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/src/s_serv.c was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/extras/malloc.c was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/doc/example.fr.conf was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/src/ircd.c was identified as malicious by YARA according to rules: Antidebug Antivm and Suspicious Strings

Malicious File

/root/IRC/Changes.older was identified as malicious by YARA according to rules: Antidebug Antivm and Suspicious Strings

Malicious File

/root/IRC/doc/unreal32docs.html was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/IRC/src/win32/unrealinst.iss was identified as malicious by YARA according to rules: Antidebug Antivm

Malicious File

/root/IRC/src/modules/m_admin.c was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

Process /usr/bin/unzip performed bulk changes in {/} on 352 files

Bulk Files Tampering

Associated Files

/v.py, 25470 bytes, SHA256: 00e430b733cf199747c9c6e0f2e2fae6a045bbed9c0f0f993112b301fcdf5dbc
/var/tmp/zone/screen.filepart, 249980 bytes, SHA256: 2413af510a75ada34716165992a425b35f62ba1478f63746502afd8a8a156b80
/var/tmp/.x/Nasa/n, 1959 bytes, SHA256: 046a09f66630f581d6eaeb734f775f41f1e46238ffe369f6905464fed1531afd
/var/tmp/.x/Nasa/nhdd, 1485768 bytes, SHA256: 43333adf6ba7d876d5574543278616dad40376b1024a01d0f48c04b0ca5f7534
/var/tmp/.x/Nasa/pscan2, 14012 bytes, SHA256: 291cf164abfff4269e84209fe0763bb3295f7fad9d265c6354b8d4494ac5410f
/var/tmp/.x/Nasa.zip, 821131 bytes, SHA256: dbf70633cde2587ec3cc8c3379c9f4e9af3664ca61cb0fcd58b40288643b304f
/var/tmp/IRC/conftest, 8560 bytes, SHA256: c3a79017107d26dab919768b08cd13cc1a74d9163d1809b1ac242f4089ed6914
/root/IRC/conftest, 8712 bytes, SHA256: 60db568be0897077ab5d0a0ba20b1d8dae7af1d17cdf77a5c310e9da4dcde621
/var/tmp/IRC.zip, 3738217 bytes, SHA256: 6e48bd874010229a23b82c860d670f35c26b114534abd7969ed2c540e145f6f1
/usr/bin/nload.dpkg-new, 138480 bytes, SHA256: 8c1b3b62f150b92ee0317cb094660eff31774ec33f0a044ba17996cd5f85e996
/root/IRC/unrealircd.conf, 8639 bytes, SHA256: b161dfc92d2cfb37a66f64da521992dda9c061789a53e82c77e7900d94f608da
