IP Address: 94.177.246.190 (Previously Malicious)


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

HadoopYARN

Tags

HTTP, HadoopYARN, Malicious File, IDS - Web Application Attack, Outgoing Connection, Download and Allow Execution, Download and Execute, Access Suspicious Domain, Download File, Inbound HTTP Request

Associated Attack Servers

aruba.it, forpsi.net


Basic Information

IP Address: 94.177.246.190

Domain: -

ISP: Aruba S.p.A.

Country: Germany

WHOIS

Created Date: -

Updated Date: -

Organization: -

First seen in Guardicore Centra: 2018-09-09

Last seen in Guardicore Centra: 2018-10-05

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

Process /usr/bin/wget generated outgoing network traffic to: 80.211.203.234:80 3 times

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: forpsi.net 3 times

Access Suspicious Domain Outgoing Connection

/tmp/n was downloaded

Download File

The file /tmp/yeet was downloaded and executed 2 times

Download and Execute

The file /tmp/yeetw was downloaded and executed 3 times

Download and Execute

Process /tmp/yeetw generated outgoing network traffic to: 80.211.203.234:789

Outgoing Connection

Process /tmp/yeetw attempted to access suspicious domains: forpsi.net

Access Suspicious Domain Outgoing Connection

IDS detected Web Application Attack: 401TRG Generic Webshell Request - POST with wget in body

IDS - Web Application Attack

Connection was closed due to user inactivity

/tmp/yeetw was identified as malicious by YARA according to rules: Maldoc Somerules and 000 Common Rules

Malicious File

/tmp/yeet was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

Associated Files

