104.16.120.127 Threat Intelligence and Host Information

General

This page contains threat intelligence information for the IPv4 address 104.16.120.127. It was generated either as a result of observed malicious activity or as an information-gathering exercise to assist with the enrichment of security events and context. All information is gathered passively, through aggregation of public sources or observation of activity on honeynets. The host score is calculated through a series of statistically weighted values and machine learning, taking into account metadata such as host information; the frequency, volume and global distribution of malicious activity; association with other known malicious hosts or networks; proxying or anonymising behaviour such as Tor exit nodes, residential proxies or VPN services; and many other attributes. These values are historical and indicative only, and should not be taken as an accurate representation of the users, businesses or networks in which they reside.

Likely Malicious Host 🟠 54/100

Host and Network Information

  • Mitre ATT&CK IDs: T1027 - Obfuscated Files or Information, T1031 - Modify Existing Service, T1036 - Masquerading, T1041 - Exfiltration Over C2 Channel, T1045 - Software Packing, T1053 - Scheduled Task/Job, T1055 - Process Injection, T1057 - Process Discovery, T1059 - Command and Scripting Interpreter, T1060 - Registry Run Keys / Startup Folder, T1071 - Application Layer Protocol, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1105 - Ingress Tool Transfer, T1106 - Native API, T1112 - Modify Registry, T1114 - Email Collection, T1119 - Automated Collection, T1123 - Audio Capture, T1129 - Shared Modules, T1132 - Data Encoding, T1140 - Deobfuscate/Decode Files or Information, T1143 - Hidden Window, T1449 - Exploit SS7 to Redirect Phone Calls/SMS, T1546 - Event Triggered Execution, T1583.005 - Botnet, T1588 - Obtain Capabilities, TA0037 - Command and Control

  • View other sources: Spamhaus VirusTotal

  • Country:
  • Network:
  • Noticed: 2 times
  • Protocols Attacked: Anonymous Proxy
  • Passive DNS Results: arinewman.org www.medium.com ns4.ns4.ns3.ns3.ns1.jomton.ru ns3.ns3.ns3.ns2.jomton.ru medium.com

Malware Detected on Host

Count: 158

Open Ports Detected

2052 2053 2082 2083 2086 2087 443 80 8080 8443 8880

Links to attack logs

anonymous-proxy-ip-list-2025-06-22