IP Address: 72.143.1.198 (Previously Malicious)


IP Address:
72.143.1.198
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

RDP

Tags

RDP, Human, DNS Query, Download File, Access Suspicious Domain, Scheduled Task Run, HTTP, Successful RDP Login

Connect Back Servers

sync.graph.bluecava.com, d.adroll.com, assets.adobedtm.com, zillowstatic.com, www.googleadservices.com, ocsp.msocsp.com, pr-bh.ybp.yahoo.com, aktrack.pubmatic.com, gv.symcd.com, pca-g3-ocsp.geotrust.com, ssl.trustwave.com, as-sec.casalemedia.com, sync.adaptv.advertising.com, www.bing.com, ocsp.sca1b.amazontrust.com, www.google-analytics.com, o.ss2.us, pagead2.googlesyndication.com, ocsp.verisign.com, pub.pxl.ace.advertising.com, pixel.adsafeprotected.com, static.trulia-cdn.com, ads.pubmatic.com, trulia.com, ctldl.windowsupdate.com, js-sec.indexww.com, sync.1rx.io, gj.symcd.com, c1.adform.net, pixel.quantserve.com

Basic Information

IP Address

72.143.1.198

Domain

-

ISP

Rogers Cable

Country

Canada

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2017-07-16

Last seen in Guardicore Centra

2017-07-16


Attack Flow

A user logged in using RDP with the following credentials: administrator / ***** - Authentication policy: White List

Successful RDP Login

Process LocalServiceNetworkRestricted Service Group attempted to access suspicious domains: SEFMPC

DNS Query Access Suspicious Domain

Process c:\program files\internet explorer\iexplore.exe attempted to access domains: post.craigslist.org, iecvlist.microsoft.com, go.microsoft.com, ctldl.windowsupdate.com, www.bing.com and ieonline.microsoft.com

DNS Query

Process NetworkService Service Group attempted to access domains: www.bing.com

DNS Query

Process c:\program files (x86)\internet explorer\iexplore.exe attempted to access domains: winchester.craigslist.org, craigslist.org, post.craigslist.org, pca-g3-ocsp.geotrust.com, geo.craigslist.org, www.craigslist.org and crl.geotrust.com

DNS Query

Process c:\program files (x86)\internet explorer\iexplore.exe attempted to access suspicious domains: craiglist.org, gj.symcd.com and gk.symcd.com

DNS Query Access Suspicious Domain

Process c:\program files\internet explorer\iexplore.exe attempted to access suspicious domains: ocsp.omniroot.com and ocsp.msocsp.com

DNS Query Access Suspicious Domain

Process c:\program files (x86)\internet explorer\iexplore.exe attempted to access domains: www.googleadservices.com, smetric.trulia.com, thumbs.trulia-cdn.com, static.trulia-cdn.com, assets.adobedtm.com, connect.facebook.net, ocsp.comodoca.com, crl.geotrust.com, origin-tracking.trulia.com, maps.gstatic.com, bid.g.doubleclick.net, rtax.criteo.com, ocsp.digicert.com, fonts.googleapis.com, csi.gstatic.com, trulia.com, clients1.google.com, sb.scorecardresearch.com, googleads.g.doubleclick.net, www.trulia.com, maps.googleapis.com, bat.bing.com, fonts.gstatic.com, www.facebook.com, sync.graph.bluecava.com, www.google.com, maps.google.com and www.google-analytics.com

DNS Query

Process c:\program files (x86)\internet explorer\iexplore.exe attempted to access suspicious domains: g.symcd.com, ocsp.usertrust.com, s2.symcb.com, ss.symcd.com, gv.symcd.com and g2.symcb.com

DNS Query Access Suspicious Domain

Process c:\program files (x86)\internet explorer\iexplore.exe attempted to access domains: pub.pxl.ace.advertising.com, bat.bing.com, ocsp.globalsign.com, ocsp.ws.symantec.com, securepubads.g.doubleclick.net, rtb.gumgum.com, thumbs.trulia-cdn.com, static.trulia-cdn.com, assets.adobedtm.com, connect.facebook.net, ocsp.comodoca.com, tpc.googlesyndication.com, ads.pubmatic.com, idsync.rlcdn.com, zillowstatic.com, origin-tracking.trulia.com, ssl.trustwave.com, rtax.criteo.com, ocsp.digicert.com, pixel.quantserve.com, fonts.googleapis.com, csi.gstatic.com, pagead2.googlesyndication.com, stags.bluekai.com, clients1.google.com, cm.g.doubleclick.net, smetric.trulia.com, googleads.g.doubleclick.net, image2.pubmatic.com, sync.1rx.io, image4.pubmatic.com, pixel.adsafeprotected.com, www.trulia.com, crt.comodoca.com, secure.adnxs.com, sb.scorecardresearch.com, sshowads.pubmatic.com, p.rfihub.com, d1mi9vc5jn62ch.cloudfront.net, maps.googleapis.com, www.googletagservices.com, image6.pubmatic.com, bid.contextweb.com, simage4.pubmatic.com, www.googleadservices.com, adserver.adtechus.com, ocsp.verisign.com, c1.adform.net, gads.pubmatic.com, ocsp.entrust.net, geo-um.btrll.com, sync.adaptv.advertising.com, simage2.pubmatic.com, www.facebook.com, gum.criteo.com, sync.graph.bluecava.com, www.google.com, sync.mathtag.com, ad.doubleclick.net, maps.google.com, as-sec.casalemedia.com, match.adsrvr.org, pubmatic-match.dotomi.com, ocsp.godaddy.com, static.adsafeprotected.com, www.google-analytics.com, code.jquery.com, secure-gl.imrworldwide.com, pr-bh.ybp.yahoo.com, aktrack.pubmatic.com and adserver-us.adtech.advertising.com

DNS Query

Process c:\program files (x86)\internet explorer\iexplore.exe attempted to access suspicious domains: gn.symcd.com, gn.symcb.com, gp.symcd.com, tags.bkrtx.com, sg.symcd.com, p.adsymptotic.com, ss.symcd.com, ocsp.rootg2.amazontrust.com, gv.symcd.com, o.ss2.us, js-sec.indexww.com, x.ss2.us and g2.symcb.com

DNS Query Access Suspicious Domain

An attempt was made to access suspicious domain tags.bkrtx.com

Access Suspicious Domain

An attempt was made to access suspicious domain ocsp.rootg2.amazontrust.com 2 times

Access Suspicious Domain

An attempt was made to access suspicious domain ad.afy11.net

Access Suspicious Domain

An attempt was made to access suspicious domain crl.sca1b.amazontrust.com

Access Suspicious Domain

An attempt was made to access suspicious domain ocsp.sca1b.amazontrust.com

Access Suspicious Domain

An attempt was made to access suspicious domain crl.rootca1.amazontrust.com

Access Suspicious Domain

An attempt was made to access suspicious domain magnetic.t.domdex.com

Access Suspicious Domain

Associated Files

C:\Users\ADMINI~1\AppData\Local\Temp\1\KnoDC1F.tmp

SHA256: 1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f

90518 bytes

c:\users\administrator\appdata\local\microsoft\internet explorer\tiles\pin21140017450\msapplication.xml

SHA256: 2bb0268c2e2a7c85498a9fe1ff2d9868cb471ee0199c81bd8f7ff0496086e21e

372 bytes

