IP Address: 123.249.71.138 - Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Connect-Back, Scanner

Services Targeted

MSSQL

Tags

Successful MSSQL Login, MSSQL, Outgoing Connection, Malicious File, Create MsSql Table, Persistency - Image Hijack, Download and Execute, File Operation By CMD, MSSQL Brute Force, RDP, IDS - Attempted User Privilege Gain, CMD, Drop MsSql Table, Create MsSql Procedure

Associated Attack Servers

xiaohan1314.f3322.org, 127.0.0.1

Basic Information

IP Address

123.249.71.138

Domain

-

ISP

Wonten Network

Country

China

WHOIS

Created Date

2012-09-12

Updated Date

2019-08-01

Organization

Jiangsu NetEngine Information Tech Ltd.

First seen in Guardicore Centra

2018-06-10

Last seen in Guardicore Centra

2018-10-21

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using MSSQL with the following username: sa - Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt)

Successful MSSQL Login, MSSQL Brute Force

A user logged in using MSSQL with the following username: sa - Authentication policy: Previously Approved User (Part of a Brute Force Attempt) 3 times

Successful MSSQL Login, MSSQL Brute Force

A user logged in using MSSQL with the following credentials: Chred1433 / *************** - Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt)

Successful MSSQL Login, MSSQL Brute Force

A user logged in using MSSQL with the following credentials: kisadmin / *************** - Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt)

Successful MSSQL Login, MSSQL Brute Force

A user logged in using MSSQL with the following credentials: Chred1433 / *************** - Authentication policy: Previously Approved User (Part of a Brute Force Attempt) 2 times

Successful MSSQL Login, MSSQL Brute Force

A user logged in using MSSQL with the following credentials: kisadmin / *************** - Authentication policy: Previously Approved User (Part of a Brute Force Attempt) 2 times

Successful MSSQL Login, MSSQL Brute Force

MSSQL procedures were created: sp_addextendedproc and sp_dropextendedproc

Create MsSql Procedure

c:\program files\microsoft sql server\mssql11.sqlexpress\mssql\binn\sqlservr.exe set the command line taskkill.exe to run using Persistency - Image Hijack 75 times

Persistency - Image Hijack

C:\Windows\System32\fuckgothin.inf was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

C:\Windows\security\logs\scesrv.log was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 123.249.71.138:21 6 times

Outgoing Connection

MSSQL tables were created: #temp_jobs_to_delete________________________________________________________________________________________________000000000003 and #retval_____________________________________________________________________________________________________________000000000002

Create MsSql Table

MSSQL tables were dropped: #A3D0CAB2 and #A1E88240

Drop MsSql Table

C:\Windows\System32\hexsvchost.exe was identified as malicious by YARA according to rules: Rat Ratdecoders, Packer, Peid, Antidebug Antivm and Packer Compiler Signatures

Malicious File

IDS detected Attempted User Privilege Gain : MS-SQL SQL Injection closing string plus line comment

IDS - Attempted User Privilege Gain

C:\hexsvchost.exe was identified as malicious by YARA according to rules: Rat Ratdecoders, Packer, Peid, Antidebug Antivm and Packer Compiler Signatures

Malicious File

The file C:\Windows\System32\hexsvchost.exe was downloaded and executed 3 times

Download and Execute

The file C:\hexsvchost.exe was downloaded and executed 3 times

Download and Execute

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hexsvchost.exe_78971bcc836cec3796c4f95b369b4c8f0915a34_5ef45074_cab_0a87636e\WER6370.tmp.WERInternalMetadata.xml was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hexsvchost.exe_78971bcc836cec3796c4f95b369b4c8f0915a34_5ef45074_cab_0a87636e\memory.hdmp was identified as malicious by YARA according to rules: Suspicious Strings and Maldoc Powerpointmouse

Malicious File

Connection was closed due to user inactivity

Associated Files

C:\Windows\System32\hexsvchost.exe

SHA256: c10b2fc6fb5688f7b7adda2de6f609e60ff6ddfab56b3a834a1ed19d3a65c8af

115712 bytes

C:\Windows\System32\hexsvchost.exe

SHA256: ff06fc8c1cb5b97590363055bc4271b4841bc6873651bd3f9f3d9690bd1fe793

50688 bytes
