104.16.2.16 Threat Intelligence and Host Information

Jun 22, 2025 ipinfopage

General

This page contains threat intelligence information for the IPv4 address 104.16.2.16 and was generated either as a result of observed malicious activity or as an information gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources, or observations through activity upon honeynets. The host score is calculated through a series of statistically weighted values and machine learning which takes into account metadata such as host information, frequency, volume and global distribution of malicious activity, association with other known malicious hosts or networks, proxying or anonymising behaviour such as with tor exit nodes, residential proxies or VPN services, and many other attributes. These values are historical and indicative only - and should not be taken to be an accurate representation of the users, businesses or networks in which they reside.

Likely Malicious Host 🟠 55/100

Host and Network Information

Mitre ATT&CK IDs: T1005 - Data from Local System, T1010 - Application Window Discovery, T1027 - Obfuscated Files or Information, T1031 - Modify Existing Service, T1033 - System Owner/User Discovery, T1053 - Scheduled Task/Job, T1055 - Process Injection, T1056 - Input Capture, T1057 - Process Discovery, T1060 - Registry Run Keys / Startup Folder, T1071.004 - DNS, T1071 - Application Layer Protocol, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1105 - Ingress Tool Transfer, T1106 - Native API, T1114.002 - Remote Email Collection, T1114 - Email Collection, T1129 - Shared Modules, T1143 - Hidden Window, T1158 - Hidden Files and Directories, T1210 - Exploitation of Remote Services, T1213 - Data from Information Repositories, T1218 - Signed Binary Proxy Execution, T1408 - Disguise Root/Jailbreak Indicators, T1421 - System Network Connections Discovery, T1422 - System Network Configuration Discovery, T1427 - Attack PC via USB Connection, T1428 - Exploit Enterprise Resources, T1429 - Capture Audio, T1518 - Software Discovery, T1546 - Event Triggered Execution, TA0011 - Command and Control, TA0030 - Defense Evasion
Tags: aaaa, accept, address, admin country, a domains, algorithm, all octoseek, amadey, anti-detection, apple, apple id, appleid, april, as11042, as15169 google, as19527 google, as19905, as23724, as29580 a1, as35280 acorus, as4808 china, as4812 china, as54113, as7922 comcast, as8866, asnone united, assaulter, attack, august, awful, baaa, back, b body, benjamin c, bitcoin, black, body, body length, boolean, browse scan, bundled, c-67-181-73-197.hsd1.ca.comcast.net, caaa, caca, caca4baaa, cacf, caea, cellbrite, cellebrite, certificate, checkbox, china, chrome, cisco umbrella, ck id, ck matrix, click, close, cname, cobalt strike, code, comcast tmobile, communicating, connection, contact, contacted, contact email, contact made by mark brian sabey, contact made by o’dea, contact phone, cookie, copy, core, create new, creation date, critical, crypto, csc corporate, cus cnr3, data, date, date sat, debugger evasion, desktop, dns replication, dnssec, dock, domain, domain name, domain related, domains dropped, domain status, download, ec oid, elf wgetboat, emails, encrypt, endpoints all, entries, error, eternalblue, et exploit, evasive, execution, expiration, expiration date, exploit, factory, false, filehashmd5, filehashsha1, filehashsha256, files, files location, final, final url, first, forbidden, general, generic flags, getprocaddress, gmt content, google tag, green, group, headers, headers date, historical ssl, hostname, hr rtd, html info, http, http response, hybrid, iana id, icloud, id, import, infor, ingestion time, installation, iocs, ios, ip address, ipv4, ireland, january, kb body, key algorithm, key info, loader, localappdata, location dublin, login, love, major, malicious, malware, march, meta, metro, mitre att, model, moved, msf style, msie, msr jan, mtb jan, name servers, netlify, netlify edge, network, network ascii text, next, no expiration, november, null, number, nxdomain, october, olet, open, otx telemetry, override, passive dns, path, pattern match, payment, pdf report, pe32, pegasus, pe resource, persistence, phonenumber, playgame, popularity, privilege https, probe, probe ms17010, pulse pulses, pulse submit, pulse use, push, quasar, query, rank position, ransom, record type, record value, referrer, registrar abuse, related nids, remote cnc, reverse dns, russia unknown, rust, sa victim, scan endpoints, script urls, search, september, server, servers, service, serving ip, sha256, show, showing, show technique span, sign up, silly, smbds ipc, social engineering, ssl certificate, startpage, status, status code, stealthyness, subdomains, subject public, survivor, targets sa, tech email, threat roundup, title, trim, trojan, tsara brashears, ttl value, tulach, uaaa, united, unknown, url, url analysis, url http, url https, urls, urls url, ursnif, utc aw741566034, utc redirection, v3 serial, virgin islands, vt report, waaa, whois lookup, whois record, whois ssl, whois whois, who’s driving, widget, win32, win32mydoom jan, win64, worm, write, writes data to a remote process, xobo, x ua, yaaa
View other sources: Spamhaus VirusTotal

Country:
Network:
Noticed: 5 times
Protocols Attacked: Anonymous Proxy
Countries Attacked: Germany, Netherlands, United States of America, Virgin Islands British
Passive DNS Results: bgwlfw57.cn www.here-store.com cdn.cre0809.com here-store.com trakal.ltz.life cdn.cf.in.ykdlb.cn www.investegate.co.uk investegate.co.uk api.wattpad.com a.wattpad.com em.wattpad.com d.wattpad.com embed.wattpad.com mobile.wattpad.com m.wattpad.com 0.wattpad.com touch.wattpad.com blog.wattpad.com www.wattpad.com.akadns.net www.wattpad.com a.wattpad.com.cdn.cloudflare.net support.wattpad.com.cdn.cloudflare.net www.wattpad.com.cdn.cloudflare.net em.wattpad.com.cdn.cloudflare.net www.success.tid.gov.hk

Open Ports Detected

2082 2083 2086 2087 2096 443 80 8080 8443 8880

Map

Whois Information

NetRange: 104.16.0.0 - 104.31.255.255
CIDR: 104.16.0.0/12
NetName: CLOUDFLARENET
NetHandle: NET-104-16-0-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS13335
Organization: Cloudflare, Inc. (CLOUD14)
RegDate: 2014-03-28
Updated: 2024-09-04
Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
Comment: Geofeed: https://api.cloudflare.com/local-ip-ranges.csv
Ref: https://rdap.arin.net/registry/ip/104.16.0.0
OrgName: Cloudflare, Inc.
OrgId: CLOUD14
Address: 101 Townsend Street
City: San Francisco
StateProv: CA
PostalCode: 94107
Country: US
RegDate: 2010-07-09
Updated: 2024-11-25
Ref: https://rdap.arin.net/registry/entity/CLOUD14
OrgTechHandle: ADMIN2521-ARIN
OrgTechName: Admin
OrgTechPhone: +1-650-319-8930
OrgTechEmail: rir@cloudflare.com
OrgTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN
OrgAbuseHandle: ABUSE2916-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-650-319-8930
OrgAbuseEmail: abuse@cloudflare.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN
OrgRoutingHandle: CLOUD146-ARIN
OrgRoutingName: Cloudflare-NOC
OrgRoutingPhone: +1-650-319-8930
OrgRoutingEmail: noc@cloudflare.com
OrgRoutingRef: https://rdap.arin.net/registry/entity/CLOUD146-ARIN
OrgNOCHandle: CLOUD146-ARIN
OrgNOCName: Cloudflare-NOC
OrgNOCPhone: +1-650-319-8930
OrgNOCEmail: noc@cloudflare.com
OrgNOCRef: https://rdap.arin.net/registry/entity/CLOUD146-ARIN
RTechHandle: ADMIN2521-ARIN
RTechName: Admin
RTechPhone: +1-650-319-8930
RTechEmail: rir@cloudflare.com
RTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN
RAbuseHandle: ABUSE2916-ARIN
RAbuseName: Abuse
RAbusePhone: +1-650-319-8930
RAbuseEmail: abuse@cloudflare.com
RAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN
RNOCHandle: NOC11962-ARIN
RNOCName: NOC
RNOCPhone: +1-650-319-8930
RNOCEmail: noc@cloudflare.com
RNOCRef: https://rdap.arin.net/registry/entity/NOC11962-ARIN

Links to attack logs

anonymous-proxy-ip-list-2025-06-21

Share on: