[Top Page view in: Github Code or Github Page]
IoT Intrusion Payload Infrastructure Abuse Report for July 2020
This report is compiled from the data recorded in July 2020.
The global heatmap of the recorded data can be viewed below, following by the report’s detail.
1. The most abused ASN/Hosters/Countries
| No | ASN | Hoster name | Amount of abuse |
|---|---|---|---|
| 1 | AS24961 | MYLOC-AS | 4 |
| 2 | AS14061 | DIGITALOCEAN | 2 |
| 3 | AS8075 | MICROSOFT-CORP-MSN-A | 2 |
| 4 | AS201133 | VERDINA | 2 |
| 5 | (Other ASN/ISP) | 12 |
| No | Country | Amount of abuse |
|---|---|---|
| 1 | USA | 3 |
| 2 | Netherlands | 3 |
| 3 | Germany | 2 |
| 4 | Canada | 2 |
| 5 | BG | 2 |
| 5 | RU | 2 |
| 6 | (others) |
2. The most abused broadband by P2P payloads (404)
P2P infection sources in GeoIP map:
| No | Country | P2P-IP Total |
|---|---|---|
| 1 | Taiwan | 137 |
| 2 | USA | 100 |
| 3 | Korea | 95 |
| 4 | China | 79 |
| 5 | Brazil | 62 |
| 6 | Israel | 42 |
| 7 | Turkey | 34 |
| 8 | Vietnam | 27 |
| 9 | Mexico | 27 |
| 10 | Italy | 24 |
| 11 | Iran | 22 |
| 12 | Spain | 15 |
| 13 | Malaysia | 14 |
| 14 | Russia | 12 |
| 15 | Indonesia | 12 |
| 16 | Romania | 11 |
| 17 | Egypt | 11 |
| 18 | Hungary | 11 |
| 19 | France | 9 |
| 20 | Thailand | 8 |
3. The record of payload names per infection source IP
| No | Payload IP | loader script name |
|---|---|---|
| 1 | 104.244.78.107 | infectedn.sh |
| 2 | 13.85.152.27 | SnOoPy.sh |
| 3 | 134.122.97.93 | GhOul.sh |
| 4 | 142.93.12.237 | EkSgbins.sh |
| 5 | 158.69.32.40 | GoOgle.sh |
| 6 | 164.155.231.251 | bins.sh |
| 7 | 185.172.111.189 | infn.sh |
| 8 | 185.206.93.87 | GhOul.sh |
| 9 | 192.236.193.29 | 8UsA.sh |
| 10 | 194.15.36.115 | axisbins.sh |
| 11 | 194.15.36.172 | axisbins.sh |
| 12 | 194.15.36.242 | 8UsA.sh |
| 13 | 194.87.139.108 | GhOul.sh |
| 14 | 194.87.139.108 | bins.sh |
| 15 | 45.132.242.232 | SnOoPy.sh |
| 16 | 45.156.185.218 | skid.sh |
| 17 | 5.206.227.228 | bot.arm4 |
| 18 | 50.3.177.110 | AkSgbins.sh |
| 19 | 51.103.34.254 | negrobins.sh |
| 20 | 79.124.78.143 | infnx.sh |
| 21 | 79.124.78.43 | fuze.sh |
| 22 | 85.239.35.124 | SnOoPy.sh |
| 23 | 88.99.123.146 | BSBDbins.sh |
| 24 | 94.100.28.201 | GhOul.sh |
| No | Loader uniq filename |
|---|---|
| 1 | AkSgbins.sh |
| 2 | BSBDbins.sh |
| 3 | EkSgbins.sh |
| 4 | GhOul.sh |
| 5 | GoOgle.sh |
| 6 | SnOoPy.sh |
| 7 | axisbins.sh |
| 8 | bins.sh |
| 9 | bot.arm4 |
| 10 | fuze.sh |
| 11 | infectedn.sh |
| 12 | infn.sh |
| 13 | infnx.sh |
| 14 | negrobins.sh |
| 15 | skid.sh |
4. The ISP networks where the attacks are coming from (abused ISP)
| No | Payload C2 IP | FQDN | ASN | Network prefix | ASN-ID | Country | ISP Name |
|---|---|---|---|---|---|---|---|
| 1 | 104.244.78.107 | by.jeejk.nl. | 53667 | 104.244.78.0/24 | PONYNET | US | PONYNET |
| 2 | 13.85.152.27 | 8075 | 13.64.0.0/11 | MICROSOFT-CORP-MSN-A | US | MICROSOFT-CORP-MSN-A | |
| 3 | 134.122.97.93 | 14061 | 134.122.96.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | |
| 4 | 142.93.12.237 | 14061 | 142.93.0.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN | |
| 5 | 158.69.32.40 | 16276 | 158.69.0.0/16 | OVH | FR | OVH | |
| 6 | 164.155.231.251 | 137951 | 164.155.231.0/24 | CLAYERLIMITED-AS-AP | HK | Clayer Limited | |
| 7 | 185.172.111.189 | 206898 | 185.172.110.0/23 | BLADESERVERS | NL | BLADESERVERS | |
| 8 | 185.206.93.87 | 202468 | 185.206.92.0/22 | ABRARVAN-AS | IR | AbrArvan CDN and IaaS | |
| 9 | 192.236.193.29 | box.adegbenga.com. | 54290 | 192.236.192.0/22 | HOSTWINDS | US | HOSTWINDS |
| 10 | 194.15.36.115 | slot0.comcupidon.com. | 24961 | 194.15.36.0/24 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG |
| 11 | 194.15.36.172 | 24961 | 194.15.36.0/24 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG | |
| 12 | 194.15.36.242 | malvantos.org.uk. | 24961 | 194.15.36.0/24 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG |
| 13 | 194.87.139.108 | 24961 | 194.87.138.0/23 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG | |
| 14 | 45.132.242.232 | 47583 | 45.132.240.0/22 | AS-HOSTINGER | LT | AS-HOSTINGER | |
| 15 | 45.156.185.218 | hosted-by.parsvds.com. | 208161 | 45.156.185.0/24 | PARSVDS | IR | PARSVDS |
| 16 | 5.206.227.228 | account-update.com. | 49349 | 5.206.227.0/24 | DOTSI | PT | DOTSI |
| 17 | 50.3.177.110 | 62904 | 50.3.176.0/22 | EONIX-COMMUNICATIONS | US | EONIX-COMMUNICATIONS | |
| 18 | 51.103.34.254 | 8075 | 51.103.0.0/16 | MICROSOFT-CORP-MSN-A | US | MICROSOFT-CORP-MSN-A | |
| 19 | 79.124.78.143 | 201133 | 79.124.78.0/24 | VERDINA | BZ | VERDINA | |
| 20 | 79.124.78.43 | 201133 | 79.124.78.0/24 | VERDINA | BZ | VERDINA | |
| 21 | 85.239.35.124 | 50673 | 85.239.35.0/24 | SERVERIUS-AS | NL | SERVERIUS-AS | |
| 22 | 88.99.123.146 | static.146.123.99.88.clients.your-server.de. | 24940 | 88.99.0.0/16 | HETZNER-AS | DE | HETZNER-AS |
(please re-check the network details above due to a possible geodb or network database difference)
Thu Aug 20 21:54:41 JST 2020 @unixfreaxjp
MalwareMustDie,NPO (malwaremustdie.org)