Tuesday, February 21, 2017

Malicious IP analysis

We don't know whether the following IP address is malicious or not: 103.224.212(.)222
How should we proceed with our analysis?
Possible approach: try a search in VirusTotal.
No engine flagged it.
VT link: https://www.virustotal.com/en/url/8982272eaf4d679b32716bcbef0d86183e251e4abd49b16547d800d93e42d7c7/analysis/1487660842/
Detection: 0/65.
Additional info:
Quttera - https://quttera.com/sitescan/103.224.212.222
Sucuri - https://sitecheck.sucuri.net/results/103.224.212.222



Possible approach: try it in IPVoid or URLVoid.
In this case, IPVoid is our option since we are dealing with an IP address. We got three results as blacklisted.

IP Address Information

Analysis Date: 2017-02-21 03:53:30
Blacklist Status: BLACKLISTED 3/83
IP Address: 103.224.212.222
Reverse DNS: lb-212-222.above.com
ASN: AS133618
ASN Owner: Trellian Pty. Limited
ISP: Trellian Pty. Limited
Continent: Oceania
Country Code: (AU) Australia
Latitude / Longitude: -33.494 / 143.2104
City: Unknown
Region: Unknown





Possible approach: try a search in ThreatCrowd.
Now we found plenty of information, and it links the IP to two malicious files.
ThreatCrowd link: https://www.threatcrowd.org/ip.php?ip=103.224.212.222
First file: https://www.threatcrowd.org/malware.php?md5=c98dc3be0c7fa850ad1a3161c3f8014a
MD5: c98dc3be0c7fa850ad1a3161c3f8014a
Filename: _b4c61441.tmp
VT link: https://www.virustotal.com/en/file/f42542c789a3d02513b0b031ab6ed1c7e5d0a476ea3e8c0b58e3a5c947a8867d/analysis/
Detection: potentially unwanted application / adware.


Second file: https://www.threatcrowd.org/malware.php?md5=e8e956637f36a97f251746016be22c30
MD5: e8e956637f36a97f251746016be22c30
Filename: diaiomjykaxu.exe
VT link: https://www.virustotal.com/en/file/56f64a3d7bb651b2f70b690e06be05ceab2a74eb147a12e13641b82eb0b5a5c3/analysis/
Detection: ransomware Locky / TeslaCrypt filedecoder.
Another possible approach is a simple Google search:
We found the following URL -
It says that the IP belongs to Locky ransomware.


Recommendation


It is advised to block this IP address in the firewall, and also to add it to a blacklist for future verification. If you find this IP address in your network logs (any connection established with it), there is a higher chance of a ransomware infection in the network. Follow the general recommendations for handling a ransomware infection.
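As an added example (not part of the original post), the check the recommendation describes: take the indicator in the defanged form the post uses, refang it, and search firewall/proxy log lines for whole-value matches of the IP and, optionally, of the reverse DNS name IPVoid reported. The log lines are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Indicator exactly as the post writes it, in defanged form.
DEFANGED_IOC = "103.224.212(.)222"
# Reverse DNS name reported by IPVoid for that address.
REVERSE_DNS = "lb-212-222.above.com"

def refang(indicator: str) -> str:
    """Turn common defanged notations ((.), [.], hxxp) back into a plain value."""
    return (indicator.replace("(.)", ".").replace("[.]", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))

# Whole dotted quads only: 103.224.212.22 must not match 103.224.212.222.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample firewall/proxy log lines (not taken from the post).
SAMPLE_LOGS = [
    "2017-02-21T03:55:01 fw1 ALLOW TCP 10.0.0.15:51322 -> 103.224.212.222:80",
    "2017-02-21T03:55:09 fw1 ALLOW TCP 10.0.0.15:51323 -> 93.184.216.34:443",
    "2017-02-21T03:56:44 proxy1 GET http://lb-212-222.above.com/ src=10.0.0.22",
    "2017-02-21T03:57:02 fw1 DENY TCP 10.0.0.31:60001 -> 103.224.212.22:443",
]

def scan_logs(lines: Iterable[str], blocklist: Iterable[str]) -> List[Dict[str, str]]:
    """Return every log line that references a blocklisted IP or hostname."""
    ips = set()
    hosts: List[Tuple[str, re.Pattern]] = []
    for entry in blocklist:
        entry = refang(entry.strip().lower())
        if IPV4_RE.fullmatch(entry):
            ips.add(entry)
        else:
            # Hostname: match only as a complete name, case-insensitively.
            pat = re.compile(r"(?<![\w.-])" + re.escape(entry) + r"(?![\w-])", re.I)
            hosts.append((entry, pat))
    hits = []
    for line in lines:
        found = {ip for ip in IPV4_RE.findall(line) if ip in ips}
        found |= {name for name, pat in hosts if pat.search(line)}
        for indicator in sorted(found):
            hits.append({"indicator": indicator, "line": line})
    return hits

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, [DEFANGED_IOC, REVERSE_DNS]):
        print(f"{hit['indicator']}: {hit['line']}")
```

Each hit is a line that should be investigated as a possible Locky contact; the DENY line for the similar-looking 103.224.212.22 is deliberately not reported.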


We will look at the analysis of those two files in a future post.


Post created by
newWorld
