IP Address: 102.165.51.80 - Previously Malicious


IP Address:
102.165.51.80
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

MSSQL

Tags

MSSQL, Driver Start, Successful MSSQL Login, DNS Query, Persistency - Logon, IDS - Successful Administrator Privilege Gain, Download and Execute, Access Suspicious Domain, Driver Creation, Execute MsSql Shell Command, Outgoing Connection, Service Creation, CMD, File Operation By CMD

Associated Attack Servers

lokiturtle.herominers.com, trtl.pool.mine2gether.com, mine2gether.com, pool.minexmr.com, pool.supportxmr.com, mine.dego.c3pool.com, your-server.de

185.38.150.6, 78.46.106.203

Basic Information

IP Address

102.165.51.80

Domain

-

ISP

volumedrive.com

Country

South Africa

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2019-03-06

Last seen in Guardicore Centra

2019-05-06

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using MSSQL with the following credentials: sa / ******* - Authentication policy: White List

Successful MSSQL Login

MSSQL executed 8 shell commands

Execute MsSql Shell Command

IDS detected Successful Administrator Privilege Gain : Microsoft CScript Banner Outbound

IDS - Successful Administrator Privilege Gain

The file C:\ProgramData\apexp.exe was downloaded and executed

Download and Execute

The file C:\ProgramData\lt.exe was downloaded and executed

Download and Execute

c:\windows\system32\services.exe installed and started \\c:\users\admini~1\appdata\local\temp\ebnqfp1.sys as a service named SA6482 under service group None

Driver Start Service Creation

c:\programdata\lt.exe installed a Persistency - Logon backdoor by modifying Windows Registry

Persistency - Logon

Process c:\windows\system32\attrib.exe attempted to access domains: lokiturtle.herominers.com, pool.minexmr.com and pool.supportxmr.com

DNS Query

Process c:\windows\system32\attrib.exe generated outgoing network traffic to: 78.46.106.203:10521

Outgoing Connection

Process c:\windows\system32\attrib.exe attempted to access suspicious domains: mine.dego.c3pool.com

Access Suspicious Domain, Outgoing Connection, DNS Query

Connection was closed due to timeout

Associated Files

C:\ProgramData\can.exe

SHA256: 2b1c1c6d82837dbbccd171a0413c1d761b1f7c3668a21c63ca06143e731f030e

55808 bytes

C:\ProgramData\avast.exe

SHA256: 350381c64073da55023db2796de64da7e53997b4a0ef76587b9f65f151da9e39

5906432 bytes

C:\ProgramData\dllhot.exe

SHA256: 15e5b1bfcd972f1d2e6c4298ed955603890d6c77f83c19591ef558a3e9606f35

4774400 bytes

C:\ProgramData\avast.exe

SHA256: c9d8852745e81f3bfc09c0a3570d018ae8298af675e3c6ee81ba5b594ff6abb8

6084062 bytes

C:\ProgramData\lt.exe

SHA256: c49ff1e5b6151543346e1e9e23d3e034ffa568758f08a4dcd6bec41af9b3723e

6313432 bytes
