IP Address: 102.165.35.145 (Previously Malicious)

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker, Connect-Back, Scanner

Services Targeted: MSSQL

Tags: DNS Query, Download and Execute, Access Suspicious Domain, SMB, Execute MsSql Shell Command, Successful MSSQL Login, HTTP, Create MsSql Table, IDS - Attempted User Privilege Gain, CMD, User Created, MSSQL Brute Force, Service Start, NetBIOS, Service Stop, Drop MsSql Table, MSSQL User Removed, Persistency - Mime Filter, Download File, Create MsSql Procedure, Outgoing Connection, File Operation By CMD

Associated Attack Servers: gusen.f3322.net, 127.0.0.1, www.bbvdd.com, cct119.com

Basic Information

IP Address: 102.165.35.145
Domain: -
ISP: DET Africa (Pty) LTD
Country: South Africa

WHOIS
Created Date: 2012-09-12
Updated Date: 2019-08-13
Organization: peng yong

First seen in Guardicore Centra: 2019-04-28
Last seen in Guardicore Centra: 2019-08-19

Attack Flow

A user logged in using MSSQL with the following username: sa - Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt)
  Tags: Successful MSSQL Login, MSSQL Brute Force

A user logged in using MSSQL with the following username: sa - Authentication policy: Previously Approved User (Part of a Brute Force Attempt) 9 times
  Tags: Successful MSSQL Login, MSSQL Brute Force

A user logged in using MSSQL with the following credentials: KHB / ********* - Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt)
  Tags: Successful MSSQL Login, MSSQL Brute Force

A user logged in using MSSQL with the following credentials: KHB / ********* - Authentication policy: Previously Approved User (Part of a Brute Force Attempt) 3 times
  Tags: Successful MSSQL Login, MSSQL Brute Force

MSSQL procedures were created: sp_addextendedproc and sp_dropextendedproc
  Tags: Create MsSql Procedure

Process c:\windows\system32\ftp.exe attempted to access suspicious domains: cct119.com 2 times
  Tags: Access Suspicious Domain, DNS Query

Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 102.165.35.145:21 10 times
  Tags: Outgoing Connection

c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry 63 times
  Tags: Persistency - Mime Filter

Service CryptSvc was stopped
  Tags: Service Stop

The file C:\Windows\System32\60hack.exe was downloaded and executed 18 times
  Tags: Download and Execute

MSSQL tables were dropped: #A2DC6DCF and #A4C4B641
  Tags: Drop MsSql Table

MSSQL tables were created: #temp_jobs_to_delete________________________________________________________________________________________________000000000002
  Tags: Create MsSql Table

User huazhongdiguo was created with the password **************
  Tags: User Created

IDS detected Attempted User Privilege Gain: MS-SQL SQL Injection closing string plus line comment
  Tags: IDS - Attempted User Privilege Gain

MSSQL executed 2 shell commands
  Tags: Execute MsSql Shell Command

The file C:\Windows\System32\hex1.exe was downloaded and executed 2 times
  Tags: Download and Execute

C:\1.JPG was downloaded 4 times
  Tags: Download File

Service CryptSvc was started
  Tags: Service Start

The file C:\hex1.exe was downloaded and executed 2 times
  Tags: Download and Execute

Process c:\windows\system32\hex1.exe attempted to access suspicious domains: www.bbvdd.com
  Tags: Access Suspicious Domain, DNS Query

Process NetworkService Service Group attempted to access suspicious domains: www.bbvdd.com
  Tags: Access Suspicious Domain, DNS Query

Process c:\hex1.exe attempted to access suspicious domains: www.bbvdd.com
  Tags: Access Suspicious Domain, DNS Query

Process c:\windows\system32\hex1.exe attempted to access suspicious domains: 127.0.0.1, gusen.f3322.net and www.bbvdd.com
  Tags: Access Suspicious Domain, DNS Query

Process c:\hex1.exe attempted to access suspicious domains: www.bbvdd.com
  Tags: Access Suspicious Domain, DNS Query

Connection was closed due to user inactivity

Associated Files

C:\Windows\System32\hex1.exe
  SHA256: 985f9622bed8e56160a7810e2fab22c1c8e3aba1989bf209ebf0dfc5de47fee1
  Size: 222720 bytes
