IP Address: 107.160.240.218 (Previously Malicious)

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

MSSQL

Tags

Download and Execute, MSSQL Brute Force, Create MsSql Procedure, MSSQL, Persistency - Image Hijack, Service Start, WMI Method, Execute MsSql Shell Command, Access Suspicious Domain, Drop MsSql Table, Service Stop, Outgoing Connection, User Created, DNS Query, Service Creation, Create MsSql Table, Malicious File, Persistency - Mime Filter, File Operation By CMD, Service Configuration, IDS - Attempted User Privilege Gain, CMD, Successful MSSQL Login

Associated Attack Servers

Domains: ma.owwwv.com, m.owwwv.com, ma.gslm.co

IP addresses: 107.160.240.138, 43.229.113.12

Basic Information

IP Address

107.160.240.218

Domain

-

ISP

Psychz Networks

Country

United States

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-05-05

Last seen in Guardicore Centra

2018-05-06


Attack Flow

A user logged in using MSSQL with the following username: sa - Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt)
Tags: Successful MSSQL Login, MSSQL Brute Force

A user logged in using MSSQL with the following credentials: sa / *** - Authentication policy: Previously Approved User (Part of a Brute Force Attempt) 4 times
Tags: Successful MSSQL Login, MSSQL Brute Force

A user logged in using MSSQL with the following username: sa - Authentication policy: Previously Approved User (Part of a Brute Force Attempt) 12 times
Tags: Successful MSSQL Login, MSSQL Brute Force

MSSQL procedures were created: sp_addextendedproc and sp_dropextendedproc
Tags: Create MsSql Procedure

MSSQL tables were dropped: #A2DCB9B1, #A8959307, #A4C50223 and #AA7DDB79
Tags: Drop MsSql Table

c:\program files\microsoft sql server\mssql11.sqlexpress\mssql\binn\sqlservr.exe set the command line taskkill.exe to run using Persistency - Image Hijack 50 times
Tags: Persistency - Image Hijack

Process c:\windows\system32\ftp.exe attempted to access suspicious domains: m.owwwv.com 11 times
Tags: Access Suspicious Domain, Outgoing Connection, DNS Query

Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 43.229.113.12:21 11 times
Tags: Outgoing Connection

MSSQL tables were created: #temp_jobs_to_delete________________________________________________________________________________________________000000000002
Tags: Create MsSql Table

c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry 63 times
Tags: Persistency - Mime Filter

Service CryptSvc was stopped
Tags: Service Stop

The file c:\windows\system32\60hack.exe was downloaded and executed 17 times
Tags: Download and Execute

C:\Windows\System32\hexXmrServer.exe was identified as malicious by YARA according to rules: Antidebug Antivm, Peid and Packer Compiler Signatures
Tags: Malicious File

IDS detected Attempted User Privilege Gain: MS-SQL SQL Injection closing string plus line comment
Tags: IDS - Attempted User Privilege Gain

The file C:\Windows\System32\hexXmrServer.exe was downloaded and executed 3 times
Tags: Download and Execute

The file C:\hexXmrServer.exe was downloaded and executed 3 times
Tags: Download and Execute

c:\windows\system32\services.exe installed and started c:\program as a service named Wscgou iaimgsig under service group None
Tags: Service Start, Service Creation

The file C:\Program Files (x86)\Microsoft Eysqia\Nyaxajk.exe was downloaded and executed
Tags: Download and Execute

Process c:\program files (x86)\microsoft eysqia\nyaxajk.exe attempted to access suspicious domains: ma.gslm.co
Tags: Access Suspicious Domain, Outgoing Connection, DNS Query

Process c:\program files (x86)\microsoft eysqia\nyaxajk.exe generated outgoing network traffic to: 107.160.240.138:2228
Tags: Outgoing Connection

C:\hexXmrServer.exe was identified as malicious by YARA according to rules: Antidebug Antivm, Peid and Packer Compiler Signatures
Tags: Malicious File

C:\Windows\System32\3389.txt was identified as malicious by YARA according to rules: Antidebug Antivm
Tags: Malicious File

User IUER_SERVER was created with the password ********* 2 times
Tags: User Created

C:\Windows\System32\sb.bat was identified as malicious by YARA according to rules: Antidebug Antivm
Tags: Malicious File

MSSQL executed 1 shell command
Tags: Execute MsSql Shell Command

Process c:\windows\system32\wscript.exe attempted to access suspicious domains: m.owwwv.com 3 times
Tags: Access Suspicious Domain, DNS Query

The file C:\XmrServer.exe was downloaded and executed 5 times
Tags: Download and Execute

c:\windows\system32\services.exe installed and started c:\program as a service named Wsdpcp cxwpytpm under service group None
Tags: Service Start, Service Creation

The file C:\Program Files (x86)\Microsoft Clvwgx\Moysjfu.exe was downloaded and executed
Tags: Download and Execute

Process c:\program files (x86)\microsoft clvwgx\moysjfu.exe attempted to access suspicious domains: ma.owwwv.com
Tags: Access Suspicious Domain, Outgoing Connection, DNS Query

Process c:\program files (x86)\microsoft clvwgx\moysjfu.exe generated outgoing network traffic to: 43.229.113.12:2228
Tags: Outgoing Connection

Connection was closed due to timeout

Associated Files

C:\Windows\System32\hexXmrServer.exe

SHA256: e49f85ca2fd2939c407a541c0a17c5fe4daef016961de8eb5c103db6da873374

49311 bytes

C:\Program Files (x86)\Microsoft Eysqia\Nyaxajk.exe

SHA256: ef25d8e62c241d5edb805320499d7ddadb11ec7d285d95b9afb9f7f65d210982

153141760 bytes

C:\XmrServer.exe

SHA256: 41b8aef24c21abf17cf935ffee6922c7bab9de0b4aba26771bcabb6e7f84acfb

848189 bytes

C:\Program Files (x86)\Microsoft Eysqia\Nyaxajk.exe

SHA256: ddaafdb9b173bc6150ce0269525602ff2f7ac92632a7a55c5341230ed78108dd

144752799 bytes

C:\Program Files (x86)\Microsoft Clvwgx\Moysjfu.exe

SHA256: d211793660387d94452768221164d8bcb6a97a3a32a02eda4db620308306e607

60866719 bytes

C:\XmrServer.exe

SHA256: 8cbf784d524d14d91e38bbc4833b463fcd2e4d3343cf67d291ff8ec02ff61e92

49311 bytes

C:\Program Files (x86)\Microsoft Eysqia\Nyaxajk.exe

SHA256: 1a04620956edbb0ed5aa92691dddccc8e16afb91a5c32e3a91fd83a7ff7064f3

170944512 bytes

C:\Program Files (x86)\Microsoft Clvwgx\Moysjfu.exe

SHA256: ddfc47436eb0b2526d1e2120c0bc0eeac8c46b972934c111cc8ec599e73d5adb

69255680 bytes

C:\Program Files (x86)\Microsoft Eysqia\Nyaxajk.exe

SHA256: ad8be553d930ebbc36dd2703c79c812b7988a24c04d66d92da263d5089473e4c

169918976 bytes
