CapraRAT Analysis

IOB - Indicator of Behavior (50)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Language

en (38)
zh (10)
de (2)

Country

Actors

Activities

Interest

Timeline

Type

Vendor

Product

lighttpd (4)
OxWall (2)
Pligg (2)
YaBB (2)
Zoom On-Premise Meeting Connector Controller (2)

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

# | Vulnerability | Base | Temp | 0day | Today | Exp | Cou | KEV | EPSS | CTI | CVE
--|---------------|------|------|------|-------|-----|-----|-----|------|-----|----
1 | SPIP spip.php cross site scripting | 3.5 | 3.4 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.02305 | 0.39 | CVE-2022-28959
2 | TikiWiki tiki-register.php input validation | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | | 0.04277 | 0.52 | CVE-2006-6168
3 | h5ai unrestricted upload | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | | 0.11275 | 0.03 | CVE-2015-3203
4 | D-Link DNS-320L/DNS-325/DNS-327L/DNS-340L HTTP GET Request nas_sharing.cgi hard-coded credentials | 9.8 | 9.7 | $5k-$25k | $0-$5k | Attacked | Workaround | verified | 0.94192 | 0.11 | CVE-2024-3272
5 | Advanced Guestbook index.php path traversal | 3.3 | 3.3 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00000 | 0.06 |
6 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | | 0.00970 | 0.18 | CVE-2010-0966
7 | Login with Phone Number Plugin Setting cross site scripting | 2.4 | 2.4 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00157 | 0.00 | CVE-2022-0598
8 | Microsoft Windows Remote Desktop Protocol information disclosure | 3.5 | 3.1 | $5k-$25k | $0-$5k | Unproven | Official fix | | 0.00332 | 0.00 | CVE-2021-38631
9 | WCMS AnonymousController.php sql injection | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00040 | 0.00 | CVE-2025-3799
10 | Ikuai Router OS webman.lua ActionLogin command injection | 7.6 | 7.5 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.01322 | 0.02 | CVE-2023-34849
11 | lighttpd Log File http_auth.c injection | 7.5 | 7.1 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | | 0.36060 | 0.00 | CVE-2015-3200
12 | lighttpd mod_evhost/mod_simple_vhost path traversal | 5.3 | 4.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | possible | 0.64728 | 0.02 | CVE-2013-2324
13 | phpBB album_portal.php file inclusion | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.01676 | 0.08 | CVE-2004-1943
14 | Advisto Peel SHOPPING caddie_ajout.php cross-site request forgery | 6.5 | 6.5 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00139 | 0.07 | CVE-2018-20848
15 | Joomla CMS com_easyblog sql injection | 6.3 | 6.1 | $5k-$25k | $5k-$25k | Not defined | Not defined | | 0.00000 | 0.22 |
16 | OxWall cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00515 | 0.02 | CVE-2012-0872
17 | Keenetic KN-1010/KN-1410/KN-1711/KN-1810/KN-1910 Configuration Setting ndmComponents.js information disclosure | 5.3 | 5.1 | $0-$5k | $0-$5k | Proof-of-Concept | Workaround | | 0.00094 | 0.09 | CVE-2024-4021
18 | D-Link DIR-865L register_send.php improper authentication | 7.5 | 7.1 | $5k-$25k | $0-$5k | Proof-of-Concept | Not defined | | 0.00354 | 0.00 | CVE-2013-3096
19 | Pligg cloud.php sql injection | 6.3 | 6.3 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00000 | 0.39 |
20 | PuneethReddyHC Event Management register.php sql injection | 6.6 | 6.4 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00035 | 0.03 | CVE-2024-3432

IOC - Indicator of Compromise (5)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
---|------------|----------|-------|-----------|------------|------|-----------
1 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | CapraRAT | | 03/17/2023 | verified | Medium
2 | XX.XXX.XXX.XX | | Xxxxxxxx | | 03/17/2023 | verified | Medium
3 | XX.XXX.XXX.XX | xx-xx-xxx-xxx-xx.xxxxxx.xxxxxxx.xxx | Xxxxxxxx | | 04/20/2025 | verified | Very High
4 | XXX.XXX.XX.XX | xxxxxxxxxx.xxxxxxxxxxxxx.xxx | Xxxxxxxx | | 03/17/2023 | verified | Medium
5 | XXX.XX.XXX.XXX | xxxxxxxxx.xxxxxxx.xxx | Xxxxxxxx | | 03/17/2023 | verified | Medium

TTP - Tactics, Techniques, Procedures (10)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (36)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
---|-------|-----------|------|-----------
1 | File | /backend/register.php | predictive | High
2 | File | /cgi-bin/nas_sharing.cgi | predictive | High
3 | File | /edit-db.php | predictive | Medium
4 | File | /ndmComponents.js | predictive | High
5 | File | /phppath/php | predictive | Medium
6 | File | /xxxx.xxx | predictive | Medium
7 | File | xxxxx/xxxxxxx/xxxxxxxxxx | predictive | High
8 | File | xxxxx_xxxxxx.xxx | predictive | High
9 | File | xxx/xxxxxxxxxxx/xxxxxxxxxxxxxxxxxxx.xxx | predictive | High
10 | File | xxxxx.xxx | predictive | Medium
11 | File | xx/xxxxx/xxxxxx_xxxxx.xxx | predictive | High
12 | File | xxxx_xxxx.x | predictive | Medium
13 | File | xxx/xxxxxx.xxx | predictive | High
14 | File | xxxxx.xxx | predictive | Medium
15 | File | xxxxxxxx.xxx | predictive | Medium
16 | File | xxxxxxxx_xxxx.xxx | predictive | High
17 | File | xxxx-xxxxx.xxx | predictive | High
18 | File | xxxx-xxxxxxxx.xxx | predictive | High
19 | File | xxxxxx.xxx | predictive | Medium
20 | File | xxxx.xx | predictive | Low
21 | Argument | xxxxxxxx | predictive | Medium
22 | Argument | xxxxx | predictive | Low
23 | Argument | xxxxxxxxxx | predictive | Medium
24 | Argument | xxxxxxxxx[x] | predictive | Medium
25 | Argument | xxxxx/xxxxxxxx | predictive | High
26 | Argument | xxxxx_xx/xxxx_xxxx/xxxxx/xxxxxx/xxxxxxx/xxxxxx | predictive | High
27 | Argument | xxxxxxxx | predictive | Medium
28 | Argument | xxxx | predictive | Low
29 | Argument | xx | predictive | Low
30 | Argument | xxxx | predictive | Low
31 | Argument | xxxxx_xxxx_xxxx | predictive | High
32 | Argument | xxx | predictive | Low
33 | Argument | xxxx | predictive | Low
34 | Input Value | ../ | predictive | Low
35 | Input Value | xxxx.xxx::$xxxx | predictive | High
36 | Input Value | xxxxxxxxxx | predictive | Medium

References (3)

The following list contains external sources which discuss the actor and the associated activities:

This view requires CTI permissions