IP Address: 117.40.107.112 - Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker

Services Targeted: MSSQL

Tags: DNS Query, Download File, Service Configuration, Create MsSql Table, Drop MsSql Table, Malicious File, Service Creation, Service Start, HTTP, MSSQL, MSSQL Brute Force, IDS - Attempted User Privilege Gain, Download and Execute, Successful MSSQL Login, Outgoing Connection

Connect Back Servers: dns.msftncsi.com, lwyh20090727.f3322.net, 0.0.0.0, 203.189.234.149, 123.249.57.21

Basic Information

IP Address: 117.40.107.112
Domain: -
ISP: China Telecom Jiangxi
Country: China

WHOIS

Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2017-08-09
Last seen in Guardicore Centra: 2017-08-10

Attack Flow

A user logged in using MSSQL with the following credentials: sa / ***** - Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt)

MSSQL Brute Force Successful MSSQL Login

A user logged in using MSSQL with the following username: sa - Authentication policy: Previously Approved User (Part of a Brute Force Attempt) 3 times

MSSQL Brute Force Successful MSSQL Login

A user logged in using MSSQL with the following credentials: sa / ***** - Authentication policy: Previously Approved User (Part of a Brute Force Attempt)

MSSQL Brute Force Successful MSSQL Login

Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 123.249.57.21:21 and 0.0.0.0:57438

Outgoing Connection

Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 0.0.0.0:57440 and 123.249.57.21:21

Outgoing Connection

Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 123.249.57.21:21 and 0.0.0.0:57442

Outgoing Connection

Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 123.249.57.21:21 and 0.0.0.0:57444

Outgoing Connection

Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 123.249.57.21:21 and 0.0.0.0:57446

Outgoing Connection

Process c:\windows\system32\wbem\wmiprvse.exe generated outgoing network traffic to: 0.0.0.0:57448 and 123.249.57.21:21

Outgoing Connection

Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 0.0.0.0:57450 and 123.249.57.21:21

Outgoing Connection

Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 0.0.0.0:57452 and 123.249.57.21:21

Outgoing Connection

MSSQL tables were dropped: #A3D0DDEA and #A1E89578

Drop MsSql Table

MSSQL tables were created: #temp_jobs_to_delete________________________________________________________________________________________________000000000002 and #temp_jobs_to_delete________________________________________________________________________________________________000000000003

Create MsSql Table

IDS detected Attempted User Privilege Gain : MS-SQL SQL Injection closing string plus line comment

IDS - Attempted User Privilege Gain

C:\Windows\System32\wshom.exe was identified as malicious by YARA according to rules: Antidebug Antivm, Peid, Packer Compiler Signatures, Crypto Signatures and Malw Miancha

Malicious File

C:\Windows\System32\config\wshom.exe was identified as malicious by YARA according to rules: Antidebug Antivm, Peid, Packer Compiler Signatures, Crypto Signatures and Malw Miancha

Malicious File

C:\wshom.exe was identified as malicious by YARA according to rules: Antidebug Antivm, Peid, Packer Compiler Signatures, Crypto Signatures and Malw Miancha

Malicious File

The file C:\Windows\System32\config\wshom.exe was downloaded and executed 7 times

Download and Execute

c:\windows\system32\services.exe installed and started c:\program as a service named Defghi Klmnopqr Tuv under service group None

Service Start Service Creation

Process c:\windows\system32\config\wshom.exe attempted to access domains: lwyh20090727.f3322.net

DNS Query

Process c:\windows\system32\config\wshom.exe generated outgoing network traffic to: 203.189.234.149:11111

Outgoing Connection

Associated Files

C:\Program Files\Internet Explorer\uURLDownloadToFileA

SHA256: fa3f8d0bc11aab5b375f07d7923c0b2c699c7d133ae91ee98fd7245541164af5

148992 bytes

C:\Windows\System32\config\wshom.exe

SHA256: 2463d5444aa0ee6664d4e1fc880ba7623f5406d3d1bc8ee06e8696c8dcf81cb2

119831 bytes
