How to investigate the source of BitcoinTool alerts

0

We are getting GuardDuty BitcoinTool alerts from time to time. I would like to investigate what the source of this alert is. Any recommendation?

Finding type: CryptoCurrency:EC2/BitcoinTool.B!DNS EC2 instance i-xxxxxxxxxxxx is querying a domain name that is associated with Bitcoin-related activity.

asked 2 years ago, 632 views
2 answers
0

On the finding type page here, it shows that this alert is generated from the DNS data source. Known findings, like Bitcoin mining domains, are detected via:

  • Proofpoint
  • CrowdStrike
  • Custom threat lists (If you have any)

If you go into the GuardDuty Console, click the finding, then scroll down to the Evidence section, you should be able to see which of the threat lists above it was pulled from. I do want to draw your attention to the section on the page I linked above that says "If this activity is unexpected, your instance is likely compromised, see Remediating a compromised EC2 instance." What this means is that GuardDuty findings are high fidelity, so if it thinks this is a finding, it's likely a finding (unless this machine is supposed to be mining bitcoin) and you should take action ASAP.

I don't believe it shows you the exact IP/domain that your machine is reaching out to, but this is where general triage comes in. Like the page above says, your machine is likely compromised and you should take the steps outlined in your organization's incident response plan. Amazon does have white papers on Incident Response, and the AWS Marketplace has offerings you can use to get started on triaging your instance.

Here's a guide on building a cloud-specific incident response plan. Regardless of whether your server is on premises or in the cloud, the steps generally involve:

    1. Preparation
    2. Identification
    3. Containment
    4. Investigation
    5. Eradication
    6. Recovery
    7. Follow-Up

Feel free to reach out to Support if you're running into issues.

AWS
AWSJoe
answered 2 years ago
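The answer above points at the Evidence section of the finding and then at general triage. As an added example (not code from the answer, from AWS, or from the original thread), here is a small Python helper that pulls the triage-relevant fields out of a finding in the shape boto3's guardduty.get_findings() returns (the queried domain sits in Service.Action.DnsRequestAction.Domain, the threat list in Service.Evidence.ThreatIntelligenceDetails) and then pivots into Route 53 Resolver query logs to confirm exactly when the instance looked the domain up and from which private address. It assumes Resolver query logging is enabled for the VPC and shipped to CloudWatch Logs; the finding, the log records and the domain name are constructed for illustration.

```python
"""Triage helper for a GuardDuty CryptoCurrency:EC2/BitcoinTool.B!DNS finding.

Added example, not code from the thread. Expects a finding as returned by
boto3 guardduty.get_findings()["Findings"][i] and Route 53 Resolver query-log
records as written to CloudWatch Logs. All sample data below is constructed.
"""
from typing import Dict, List, Tuple

# Constructed GuardDuty finding (only the fields the helper reads).
SAMPLE_FINDING: Dict = {
    "Id": "constructed-finding-id",
    "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "Resource": {
        "ResourceType": "Instance",
        "InstanceDetails": {"InstanceId": "i-0123456789abcdef0"},
    },
    "Service": {
        "Action": {
            "ActionType": "DNS_REQUEST",
            "DnsRequestAction": {"Domain": "pool.example-miner.test",
                                 "Protocol": "UDP", "Blocked": False},
        },
        "Evidence": {
            "ThreatIntelligenceDetails": [
                {"ThreatListName": "ProofPoint", "ThreatNames": ["BitcoinMining"]}
            ]
        },
        "Count": 12,
        "EventFirstSeen": "2024-01-01T10:00:00Z",
        "EventLastSeen": "2024-01-01T12:00:00Z",
    },
}

# Constructed Route 53 Resolver query-log records (JSON already decoded).
# Real records carry more fields; query_name keeps its trailing dot.
SAMPLE_RESOLVER_LOGS: List[Dict] = [
    {"query_timestamp": "2024-01-01T10:03:17Z", "query_name": "pool.example-miner.test.",
     "query_type": "A", "srcaddr": "10.0.1.23", "srcids": {"instance": "i-0123456789abcdef0"}},
    {"query_timestamp": "2024-01-01T10:03:18Z", "query_name": "POOL.example-miner.test.",
     "query_type": "AAAA", "srcaddr": "10.0.1.23", "srcids": {"instance": "i-0123456789abcdef0"}},
    {"query_timestamp": "2024-01-01T10:04:02Z", "query_name": "pool.example-miner.test.",
     "query_type": "A", "srcaddr": "10.0.2.7", "srcids": {"instance": "i-0fedcba9876543210"}},
    {"query_timestamp": "2024-01-01T10:05:40Z", "query_name": "updates.example.test.",
     "query_type": "A", "srcaddr": "10.0.1.23", "srcids": {"instance": "i-0123456789abcdef0"}},
]


def summarize_finding(finding: Dict) -> Dict:
    """Pull the triage-relevant fields out of a BitcoinTool DNS finding."""
    service = finding["Service"]
    dns = service["Action"]["DnsRequestAction"]
    evidence = service.get("Evidence", {}).get("ThreatIntelligenceDetails", [])
    return {
        "instance_id": finding["Resource"]["InstanceDetails"]["InstanceId"],
        "domain": dns["Domain"].rstrip(".").lower(),
        "blocked": dns.get("Blocked", False),
        # Which threat list (Proofpoint, CrowdStrike, custom) flagged the domain.
        "threat_lists": [e["ThreatListName"] for e in evidence],
        "count": service.get("Count", 0),
        "first_seen": service.get("EventFirstSeen"),
        "last_seen": service.get("EventLastSeen"),
    }


def matching_queries(records: List[Dict], domain: str,
                     instance_id: str) -> List[Tuple[str, str, str]]:
    """(timestamp, source address, query type) for every record in which the
    given instance looked up the flagged domain or a subdomain of it."""
    wanted = domain.rstrip(".").lower()
    hits = []
    for rec in records:
        if rec.get("srcids", {}).get("instance") != instance_id:
            continue
        name = rec.get("query_name", "").rstrip(".").lower()  # case/dot-insensitive
        if name == wanted or name.endswith("." + wanted):
            hits.append((rec["query_timestamp"], rec["srcaddr"], rec.get("query_type", "")))
    return sorted(hits)


def logs_insights_query(domain: str, instance_id: str) -> str:
    """CloudWatch Logs Insights query to run against the Resolver query-log group."""
    return (
        "fields @timestamp, srcaddr, srcids.instance, query_name, query_type\n"
        f'| filter srcids.instance = "{instance_id}" and query_name like "{domain}"\n'
        "| sort @timestamp asc"
    )


if __name__ == "__main__":
    summary = summarize_finding(SAMPLE_FINDING)
    print("Finding summary:", summary)
    hits = matching_queries(SAMPLE_RESOLVER_LOGS, summary["domain"], summary["instance_id"])
    print(f"{len(hits)} lookups of {summary['domain']} from {summary['instance_id']}:")
    for ts, src, qtype in hits:
        print(f"  {ts}  {src}  {qtype}")
    print("Logs Insights query:\n" + logs_insights_query(summary["domain"], summary["instance_id"]))
```

The resolver-log timestamps tell you when the lookups happened and from which private address, which is what you need to line up with VPC Flow Logs, CloudTrail and on-host process listings (for example `ss -tunp` or `lsof -i` on the instance) to identify the process doing the mining before you isolate the instance.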
0

You can also pivot from the GuardDuty finding and use Amazon Detective to understand who created the EC2 instance and understand the full impact.

For details on pivoting, see here: https://docs.aws.amazon.com/detective/latest/userguide/profile-pivot-from-service.html

AWS
answered 1 year ago
