Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 112.206.66.109Previously Malicious

IP Address: 112.206.66.109Previously Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Scanner

Services Targeted

SMB

Tags

Service Creation IDS - A Network Trojan was detected Access Suspicious Domain SMB Service Start Execute from Share CMD Access Violation SMB Null Session Login Service Stop SMB Share Connect Service Deletion Listening Successful SMB Login DNS Query

Associated Attack Servers

-

Basic Information

IP Address

112.206.66.109

Domain

-

ISP

Philippine Long Distance Telephone

Country

Philippines

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2020-07-10

Last seen in Akamai Guardicore Segmentation

2020-07-10

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SMB with the following username: Administrator - Authentication policy: Reached Max Attempts

Successful SMB Login

Service fHbX was created and started

Service Start Service Creation

avydqvfi.exe was executed from the remote share \\server-backup\c$

Execute from Share

Service fHbX was stopped

Service Stop

IDS detected A Network Trojan was detected : Possible ETERNALBLUE Probe MS17-010 (MSF style)

IDS - A Network Trojan was detected

IDS detected A Network Trojan was detected : Possible ETERNALBLUE Probe MS17-010 (Generic Flags)

IDS - A Network Trojan was detected

IDS detected A Network Trojan was detected : ETERNALBLUE Probe Vulnerable System Response MS17-010

IDS - A Network Trojan was detected

Service vsEp was created and started

Service Start Service Creation

IDS detected A Network Trojan was detected : WMIC WMI Request Over SMB - Likely Lateral Movement

IDS - A Network Trojan was detected

Service nJAv was created and started

Service Start Service Creation

Process c:\windows\system32\userinit.exe started listening on ports: 65533

Service nJAv was stopped

Service Stop

Process c:\installed2.exe started listening on ports: 65533

Listening

Process c:\windows\temp\svchost.exe started listening on ports: 60124

Listening

Process c:\installed2.exe attempted to access suspicious domains: i.haqo.net

DNS Query Access Suspicious Domain

A user logged in using SMB with the following username: Administrator - Authentication policy: Previously Approved User

Successful SMB Login

Connection was closed due to timeout