APT17 Analysis

IOB - Indicator of Behavior (245)

Lang

  • en: 196
  • ja: 22
  • zh: 20
  • es: 4
  • de: 2

Product

  • WordPress: 4
  • DZCP deV!L`z Clanportal: 4
  • QNAP QTS: 4
  • Oracle MySQL Server: 4
  • GD Rating System Plugin: 4

Vulnerabilities

#  | Vulnerability                                                                                                   | Base | Temp | 0day      | Today       | Exp              | Rem          | EPSS    | CTI  | CVE
1  | DZCP deV!L`z Clanportal config.php code injection                                                               | 7.3  | 6.6  | $2k-$5k   | $0-$1k      | Proof-of-Concept | Official Fix | 0.00943 | 1.31 | CVE-2010-0966
2  | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure        | 5.3  | 5.2  | $10k-$25k | Calculating | High             | Workaround   | 0.02016 | 0.00 | CVE-2007-1192
3  | jforum User input validation                                                                                    | 5.3  | 5.3  | $1k-$2k   | $0-$1k      | Not Defined      | Not Defined  | 0.00289 | 0.09 | CVE-2019-7550
4  | ESET Server Security for Linux privileges management                                                            | 7.5  | 7.4  | $1k-$2k   | $0-$1k      | Not Defined      | Official Fix | 0.00042 | 0.04 | CVE-2023-2847
5  | CrowdStrike Falcon Uninstallation authorization                                                                 | 3.5  | 3.5  | $1k-$2k   | $0-$1k      | Functional       | Official Fix | 0.01263 | 0.15 | CVE-2022-2841
6  | Postfix Admin functions.inc.php sql injection                                                                   | 7.3  | 7.0  | $10k-$25k | $0-$1k      | High             | Official Fix | 0.00253 | 0.04 | CVE-2014-2655
7  | WP-Members Membership Plugin Setting authorization                                                              | 6.3  | 6.1  | $1k-$2k   | $0-$1k      | Not Defined      | Not Defined  | 0.00073 | 0.04 | CVE-2023-2869
8  | SourceCodester Complaint Management System Lodge Complaint Section register-complaint.php unrestricted upload   | 6.3  | 6.0  | $1k-$2k   | $0-$1k      | Proof-of-Concept | Not Defined  | 0.00045 | 0.15 | CVE-2024-1875
9  | OPNsense command injection                                                                                      | 7.6  | 7.5  | $1k-$2k   | $0-$1k      | Not Defined      | Official Fix | 0.00134 | 0.04 | CVE-2023-39008
10 | Fortinet FortiOS/FortiProxy HA Request privileges management                                                    | 8.8  | 8.6  | $2k-$5k   | $0-$1k      | Not Defined      | Official Fix | 0.00050 | 0.05 | CVE-2023-44250
11 | jQuery Cookie Prototype cross site scripting                                                                    | 3.5  | 3.5  | $0-$1k    | $0-$1k      | Not Defined      | Not Defined  | 0.00068 | 0.00 | CVE-2022-23395
12 | Flexera FlexNet Publisher Command lmadmin.exe unusual condition                                                 | 6.4  | 6.4  | $0-$1k    | $0-$1k      | Not Defined      | Not Defined  | 0.00103 | 0.03 | CVE-2019-8960
13 | ESET NOD32 Antivirus File permission                                                                            | 7.8  | 7.6  | $1k-$2k   | $0-$1k      | Not Defined      | Official Fix | 0.00046 | 0.00 | CVE-2023-3160
14 | Citrix StoreFront SAML Authentication cross site scripting                                                      | 3.5  | 3.4  | $2k-$5k   | $0-$1k      | Not Defined      | Official Fix | 0.00072 | 0.04 | CVE-2022-27503
15 | QNAP QTS/QuTS hero/QuTScloud os command injection                                                               | 9.8  | 9.6  | $2k-$5k   | $0-$1k      | Not Defined      | Official Fix | 0.00068 | 0.00 | CVE-2023-23368
16 | cURL SOCKS5 Proxy heap-based overflow                                                                           | 7.2  | 7.1  | $1k-$2k   | $0-$1k      | Not Defined      | Official Fix | 0.00319 | 0.00 | CVE-2023-38545
17 | Fortinet FortiOS prof-admin Profile improper authorization                                                      | 7.7  | 7.6  | $1k-$2k   | $0-$1k      | Not Defined      | Official Fix | 0.00050 | 0.04 | CVE-2023-41841
18 | Juniper Junos OS J-Web external variable                                                                        | 7.5  | 7.4  | $10k-$25k | $2k-$5k     | High             | Official Fix | 0.96394 | 0.04 | CVE-2023-36845
19 | QNAP QTS/QuTS Hero cleartext transmission                                                                       | 4.6  | 4.5  | $1k-$2k   | $0-$1k      | Not Defined      | Official Fix | 0.00052 | 0.00 | CVE-2023-34972
20 | Hitachi Energy TXpert Hub CoreTec 4 os command injection                                                        | 8.3  | 8.2  | $1k-$2k   | $0-$1k      | Not Defined      | Official Fix | 0.00043 | 0.00 | CVE-2023-2625

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • CCleaner

IOC - Indicator of Compromise (21)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (19)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (56)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator                                  | Type       | Confidence
1  | File  | .htaccess                                  | predictive | Medium
2  | File  | /api/cron/settings/setJob/                 | predictive | High
3  | File  | /api/DownloadUrlResponse.ashx              | predictive | High
4  | File  | /wbg/core/_includes/authorization.inc.php  | predictive | High
5  | File  | addentry.php                               | predictive | Medium
6  | File  | data/gbconfiguration.dat                   | predictive | High
7  | File  | detail.php                                 | predictive | Medium

References (4)

The following list contains external sources which discuss the actor and the associated activities:
