Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 124.107.111.247Malicious

IP Address: 124.107.111.247Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Scanner

Services Targeted

SMB

Tags

SMB Access Share Successful SMB Login SMB Share Connect Service Start Service Stop IDS - A Network Trojan was detected SMB Null Session Login Execute from Share Download File Service Creation CMD Service Deletion

Associated Attack Servers

-

Basic Information

IP Address

124.107.111.247

Domain

-

ISP

Philippine Long Distance Telephone

Country

Philippines

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2019-09-04

Last seen in Akamai Guardicore Segmentation

2024-03-21

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SMB with the following username: Administrator - Authentication policy: Correct Password

Successful SMB Login

rmhofuof.exe was executed from the remote share \\server-backup\c$

Execute from Share

c:\windows\system32\services.exe installed and started \\server-backup\c$\rmhofuof.exe as a service named jfkq under service group None

Service Start Service Creation

Service jfkq was stopped

Service Stop

IDS detected A Network Trojan was detected : Possible ETERNALBLUE Probe MS17-010 (MSF style)

IDS - A Network Trojan was detected

IDS detected A Network Trojan was detected : Possible ETERNALBLUE Probe MS17-010 (Generic Flags)

IDS - A Network Trojan was detected

IDS detected A Network Trojan was detected : ETERNALBLUE Probe Vulnerable System Response MS17-010

IDS - A Network Trojan was detected

c:\windows\system32\services.exe installed and started cmd as a service named xvCs under service group None

Service Start Service Creation

IDS detected A Network Trojan was detected : WMIC WMI Request Over SMB - Likely Lateral Movement

IDS - A Network Trojan was detected

A user logged in using SMB with the following username: Administrator - Authentication policy: Previously Approved User

Successful SMB Login

C:\UpCMqzit.exe was downloaded

Download File

c:\windows\system32\services.exe installed and started \\server-backup\c$\upcmqzit.exe as a service named cilE under service group None

Service Start Service Creation

upcmqzit.exe was executed from the remote share \\server-backup\c$

Execute from Share

Service cilE was stopped

Service Stop

Connection was closed due to user inactivity

Associated Files

C:\AarCYGxX.exe

SHA256: 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71

56320 bytes