Babuk Analysis

IOB - Indicator of Behavior (463)


Language

  • en: 374
  • ru: 70
  • zh: 10
  • fr: 4
  • de: 2


Activities


Product

  • Joomla CMS: 20
  • Microsoft Windows: 20
  • WordPress: 14
  • Microsoft IIS: 10
  • Microsoft Exchange Server: 10

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

| # | Vulnerability | Base | Temp | 0day | Today | Exploit | Countermeasure | KEV | EPSS | CTI | CVE |
|---|---------------|------|------|------|-------|---------|----------------|-----|------|-----|-----|
| 1 | Atmail Remote Code Execution | 9.8 | 9.4 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00382 | 0.02 | CVE-2013-5033 |
| 2 | Microsoft Windows Active Directory Federation Services ls server-side request forgery | 7.9 | 7.9 | $25k-$100k | $25k-$100k | Not defined | Not defined | | 0.00349 | 0.05 | CVE-2018-16794 |
| 3 | WordPress sql injection | 6.8 | 6.7 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.07570 | 0.02 | CVE-2022-21664 |
| 4 | Palo Alto PAN-OS GlobalProtect Clientless VPN buffer overflow | 8.8 | 8.6 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00751 | 0.00 | CVE-2021-3056 |
| 5 | Microsoft IIS IP/Domain Restriction access control | 6.5 | 5.7 | $25k-$100k | $0-$5k | Unproven | Official fix | | 0.15547 | 0.06 | CVE-2014-4078 |
| 6 | CKFinder File Name unrestricted upload | 7.4 | 7.4 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00371 | 0.03 | CVE-2019-15862 |
| 7 | Joomla CMS com_actionslogs injection | 8.5 | 8.4 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.02036 | 0.06 | CVE-2019-12765 |
| 8 | ZyXEL USG FLEX 50 CGI Program os command injection | 9.0 | 8.9 | $0-$5k | $0-$5k | Attacked | Official fix | verified | 0.94445 | 0.06 | CVE-2022-30525 |
| 9 | Joomla CMS Cache information disclosure | 6.4 | 6.1 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.00045 | 0.05 | CVE-2017-9933 |
| 10 | Joomla CMS CSRF Token cross site scripting | 5.2 | 4.9 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.00375 | 0.02 | CVE-2017-9934 |
| 11 | VeronaLabs wp-statistics Plugin API Endpoint Blind sql injection | 8.5 | 8.4 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.01256 | 0.00 | CVE-2019-13275 |
| 12 | Microsoft Exchange Server privilege escalation | 8.8 | 8.1 | $25k-$100k | $5k-$25k | Unproven | Official fix | possible | 0.53044 | 0.04 | CVE-2023-32031 |
| 13 | Cisco IOS/IOS XE Smart Install input validation | 8.5 | 8.4 | $5k-$25k | $0-$5k | Attacked | Official fix | verified | 0.91290 | 0.03 | CVE-2018-0171 |
| 14 | Avaya Aura Device Services Web Application unrestricted upload | 8.6 | 8.6 | $0-$5k | $0-$5k | Not defined | Not defined | possible | 0.57913 | 0.03 | CVE-2023-3722 |
| 15 | Linksys WRT54GL Web Management Interface SysInfo1.htm information disclosure | 4.3 | 4.1 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00033 | 0.03 | CVE-2024-1406 |
| 16 | Microsoft Windows SNMP GET Remote Code Execution | 7.3 | 7.0 | $25k-$100k | $0-$5k | Not defined | Official fix | expected | 0.92333 | 0.06 | CVE-1999-0517 |
| 17 | GitLab Community Edition/Enterprise Edition Password Reset password recovery | 8.8 | 8.7 | $0-$5k | $0-$5k | Attacked | Official fix | verified | 0.94004 | 0.09 | CVE-2023-7028 |
| 18 | Kyocera MFP Net View insufficiently protected credentials | 6.9 | 6.7 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | expected | 0.86760 | 0.04 | CVE-2022-1026 |
| 19 | SAP Knowledge Warehouse KW cross site scripting | 3.5 | 3.4 | $0-$5k | $0-$5k | Not defined | Official fix | possible | 0.42680 | 0.00 | CVE-2021-42063 |
| 20 | Teclib GLPI unlock_tasks.php sql injection | 8.5 | 8.5 | $0-$5k | $0-$5k | Not defined | Official fix | expected | 0.85865 | 0.05 | CVE-2019-10232 |

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • CVE-2023-38831

IOC - Indicator of Compromise (8)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

| ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence |
|----|------------|----------|-------|-----------|------------|------|------------|
| 1 | 5.252.176.47 | no-rdns.mivocloud.com | Babuk | CVE-2023-38831 | 09/06/2024 | verified | High |
| 2 | 45.11.27.232 | | Babuk | CVE-2023-38831 | 09/06/2024 | verified | Very High |

TTP - Tactics, Techniques, Procedures (21)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Class | Vulnerabilities | Access Vector | Type | Confidence |
|----|-----------|-------|-----------------|---------------|------|------------|
| 1 | T1006 | CAPEC-126 | CWE-21, CWE-22, CWE-23, CWE-37 | Path Traversal | predictive | High |
| 2 | T1055 | CAPEC-10 | CWE-74 | Improper Neutralization of Data within XPath Expressions | predictive | High |
| 3 | T1059 | CAPEC-242 | CWE-94 | Argument Injection | predictive | High |
| 4 | T1059.007 | CAPEC-209 | CWE-79, CWE-80 | Basic Cross Site Scripting | predictive | High |
| 5 | T1068 | CAPEC-122 | CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | predictive | High |

IOA - Indicator of Attack (158)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|----|-------|-----------|------|------------|
| 1 | File | /adfs/ls | predictive | Medium |
| 2 | File | /admin/general/change-lang | predictive | High |
| 3 | File | /api/RecordingList/DownloadRecord?file= | predictive | High |
| 4 | File | /apply.cgi | predictive | Medium |
| 5 | File | /cgi-bin/cstecgi.cgi | predictive | High |
| 6 | File | /cimom | predictive | Low |
| 7 | File | /etc/openstack-dashboard/local_settings | predictive | High |
| 8 | File | /MIME/INBOX-MM-1/ | predictive | High |
| 9 | File | /php/ping.php | predictive | High |
| 10 | File | /rapi/read_url | predictive | High |
| 11 | File | /scripts/unlock_tasks.php | predictive | High |
| 12 | File | /sm/api/v1/firewall/zone/services | predictive | High |
| 13 | File | /SysInfo1.htm | predictive | High |
| 14 | File | /sysinfo_json.cgi | predictive | High |
| 15 | File | /system/dictData/loadDictItem | predictive | High |
| 16 | File | /system/user/modules/mod_users/controller.php | predictive | High |
| 17 | File | /uncpath/ | predictive | Medium |

References (3)

The following list contains external sources which discuss the actor and the associated activities:
