Cardinal RAT Analysis

IOB - Indicator of Behavior (276)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en210
fr42
it22
es2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

us156
cr88
ru16
ar14
gb2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

Cardinal RAT4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined116
Content Management System20
Image Processing Software10
Multimedia Player Software10
Document Reader Software8

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined102
Adobe14
IBM10
Google10
Dahuasecurity6

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Adobe Flash Player8
Google Android8
MantisBT6
Dahuasecurity Dvr54086
LibTIFF6

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemCTIEPSSCVE
1Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure5.35.2$5k-$25k$0-$5kHighWorkaround0.040.04187CVE-2007-1192
2MGB OpenSource Guestbook email.php sql injection7.37.3$0-$5k$0-$5kHighUnavailable0.340.02800CVE-2007-0354
3Foxit PhantomPDF fxhtml2pdf memory corruption7.57.5$0-$5k$0-$5kNot DefinedNot Defined0.040.01384CVE-2018-17706
4Qualcomm Snapdragon Mobile WLAN memory corruption6.86.6$5k-$25k$0-$5kNot DefinedOfficial Fix0.010.00885CVE-2018-11875
5Qualcomm Snapdragon Mobile WLAN input validation6.86.6$5k-$25k$0-$5kNot DefinedOfficial Fix0.000.00885CVE-2018-11873
6Qualcomm Snapdragon Mobile/Snapdragon Wear Modem Segment access control6.86.6$5k-$25k$0-$5kNot DefinedOfficial Fix0.000.00885CVE-2017-18308
7Yammer Desktop App input validation7.57.5$0-$5k$0-$5kNot DefinedNot Defined0.030.12826CVE-2018-8569
8Moxa ThingsPro command injection8.58.5$0-$5k$0-$5kNot DefinedNot Defined0.010.01156CVE-2018-18396
9elfutils libdw dwarf_getaranges.c dwarf_getaranges memory corruption6.46.2$0-$5k$0-$5kNot DefinedOfficial Fix0.010.01319CVE-2018-16062
10Kraftway 24F2XG Web Interface memory corruption8.58.5$0-$5k$0-$5kNot DefinedNot Defined0.100.01156CVE-2018-15353
11Google Android Qualcomm Crypto Driver access control9.39.3$25k-$100k$25k-$100kNot DefinedNot Defined0.000.05785CVE-2016-8418
12Google Android libjpeg access control7.87.6$25k-$100k$0-$5kNot DefinedOfficial Fix0.040.01996CVE-2016-6702
13phpBB XS bb_usage_stats.php file inclusion7.36.9$0-$5k$0-$5kProof-of-ConceptNot Defined0.000.01408CVE-2006-4893
14PHPUnit HTTP POST eval-stdin.php code injection8.58.4$0-$5k$0-$5kNot DefinedOfficial Fix0.030.88682CVE-2017-9841
15Intelliants Subrion CMS Members Administrator cross-site request forgery4.34.2$0-$5k$0-$5kNot DefinedNot Defined0.010.07376CVE-2020-18326
16InviteBox Plugin for Viral Refer-a-Friend Promotions Plugin Parameter admin.php cross site scripting5.25.1$0-$5k$0-$5kNot DefinedOfficial Fix0.020.00885CVE-2021-38359
17ABB Base Software for SoftControl data authenticity9.89.8$0-$5k$0-$5kNot DefinedNot Defined0.060.00885CVE-2020-24672
18Cisco Adaptive Security Device Manager Signature Verification code injection7.57.2$5k-$25k$0-$5kProof-of-ConceptOfficial Fix0.030.46456CVE-2021-1585
19Cisco Expressway/TelePresence Video Communication Server Administrative Web Interface signature verification4.74.5$5k-$25k$0-$5kNot DefinedOfficial Fix0.020.01156CVE-2021-34715
20Google Chrome V8 type confusion6.36.0$25k-$100k$5k-$25kNot DefinedOfficial Fix0.020.01319CVE-2021-30551

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Cardinal RAT

IOC - Indicator of Compromise (8)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsTypeConfidence
1127.194.73.243Cardinal RATCardinal RATverifiedHigh
2127.194.87.192Cardinal RATCardinal RATverifiedHigh
3XXX.XX.XXX.Xxxx.xx.xxx.x.xxxxxxxxx-xxxXxxxxxxx XxxXxxxxxxx XxxverifiedHigh
4XXX.XXX.XXX.XXXxxx.xxx.xxx.xxx.xxxxxxxxx-xxxXxxxxxxx XxxXxxxxxxx XxxverifiedHigh
5XXX.XX.X.XXXxxxxxxxxxxxxx.xxxXxxxxxxx XxxXxxxxxxx XxxverifiedHigh
6XXX.XX.XX.XXxxx.xx.xx.xx.xxxxxxxxx-xxxXxxxxxxx XxxXxxxxxxx XxxverifiedHigh
7XXX.XX.XX.XXXxxx.xx.xx.xxx.xxxxxxxxx-xxxXxxxxxxx XxxXxxxxxxx XxxverifiedHigh
8XXX.XX.XX.XXXxxx.xx.xx.xxx.xxxxxxxxx-xxxXxxxxxxx XxxXxxxxxxx XxxverifiedHigh

TTP - Tactics, Techniques, Procedures (13)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueVulnerabilitiesAccess VectorTypeConfidence
1T1006CWE-22Pathname TraversalpredictiveHigh
2T1059CWE-94Cross Site ScriptingpredictiveHigh
3T1059.007CWE-79, CWE-80Cross Site ScriptingpredictiveHigh
4TXXXXCWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
5TXXXX.XXXCWE-XXXXxxxxxxx Xxxxxxxxxxx Xx Xxxxxxxxx Xxxxxxxxxxxxxx XxxxxxxxpredictiveHigh
6TXXXXCWE-XX, CWE-XXXxxxxxx XxxxxxxxxpredictiveHigh
7TXXXX.XXXCWE-XXXXxxx XxxxxxxxpredictiveHigh
8TXXXXCWE-XXXxx XxxxxxxxxpredictiveHigh
9TXXXXCWE-XXXXxx.xxx Xxxxxxxxxxxxxxxx: Xxxxxxxx Xx Xxxxxxxxxxxxx XxxxpredictiveHigh
10TXXXXCWE-XXXXxxxxxxxxxxxxpredictiveHigh
11TXXXX.XXXCWE-XXXxxxxxxxxxxxxpredictiveHigh
12TXXXXCWE-XXXX2xx Xxxxxxxxxxxxxxxx: Xxxx Xxxxxxxxxxxx Xxxxxxx XxxxxxxxxxpredictiveHigh
13TXXXX.XXXCWE-XXXXxxxxxxxxxxx XxxxxxpredictiveHigh

IOA - Indicator of Attack (92)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/admin/?/plugin/comment/settingspredictiveHigh
2File/filemanager/upload.phppredictiveHigh
3File/forum/away.phppredictiveHigh
4File/inc/parser/xhtml.phppredictiveHigh
5File/uncpath/predictiveMedium
6File/webconsole/APIControllerpredictiveHigh
7File/webmail/predictiveMedium
8Fileadclick.phppredictiveMedium
9Fileadmin.php?s=/Admin/doeditpredictiveHigh
10Fileadmin/web_config.phppredictiveHigh
11Fileadmincp.phppredictiveMedium
12Filexxxxx.xpredictiveLow
13Filexx_xxxxx_xxxxx.xxxpredictiveHigh
14Filexxx_xxxxxxxxxxx_xxx_xxxx.xxxpredictiveHigh
15Filexxx_xxxxxx_xxxx.xxxpredictiveHigh
16Filexxxxxxxx.xxxpredictiveMedium
17Filexxxx/xxxxxxxx.xpredictiveHigh
18Filexxxxxx_xxxxxxxx_xxx.xxxpredictiveHigh
19Filexxxxx\xxxx\xxx_xxxx\xxxx_xxxx.xxxpredictiveHigh
20Filexxxx/xxxxxxxxxxxxxxx.xxxpredictiveHigh
21Filexxxxx_xxxxxxxxxx.xpredictiveHigh
22Filexxx/xxx/xxxxxpredictiveHigh
23Filexxxxx.xxxpredictiveMedium
24Filexxxxxx_xxx.xxxpredictiveHigh
25Filexxxx/xxxx.xpredictiveMedium
26Filexxxxxxxx.xpredictiveMedium
27Filexxx.xpredictiveLow
28Filexxxxx.xxxpredictiveMedium
29Filexxxxxx.xpredictiveMedium
30Filexxxxxxx.xxxpredictiveMedium
31Filexxxxxxxx.xpredictiveMedium
32Filexxxxxx/xxxxxxx.xxxpredictiveHigh
33Filexxxxxxx/xxx_xxxxxx/xxxxxx.xpredictiveHigh
34Filexxxxxxxx/xxxx/xxxx.xxxpredictiveHigh
35Filexxxxx.xxxpredictiveMedium
36Filexxxxxxxxxx.xxxpredictiveHigh
37Filexxxxxx_xxxxxx.xxpredictiveHigh
38Filexxxxxxxxxx.xxxxpredictiveHigh
39Filexxxx_xxxxxxx.xpredictiveHigh
40Filexxxxxxxx/xxxx/xxxx.xxx?xxxxxx=xxxxxxxxxxxxxxxxpredictiveHigh
41Filexxxxxxxxxxxx/xxxxxxx.xxxpredictiveHigh
42Filexxx-xxxxxxx.xpredictiveHigh
43Filexxx_xxxxxx.xpredictiveMedium
44Filexxxxxx/xxxxxxx/xxxxxx/xxxxxxxx.xxxpredictiveHigh
45Filexxxxxxxx.xpredictiveMedium
46Filexxxxx/xxxxxxxx.xpredictiveHigh
47Filexxxxx/xxxxxxx.xpredictiveHigh
48Filexxxxxx\xxxxxxx\xxx\xxxxxxx.xxxpredictiveHigh
49Filexxxx/xxxx_xxxx.xpredictiveHigh
50Filexxxx/xxx/xxxx-xxxxx.xxxpredictiveHigh
51Filexxxx/xxxxxxxx/xxxxxxxx.xxxxpredictiveHigh
52Filexxx_xxxxx.xpredictiveMedium
53Filexx-xxxxx/xxxxx-xxxxxx.xxxpredictiveHigh
54Filexx-xxxxxxxx/xxxxx-xx-xxxxx.xxxpredictiveHigh
55File_xxxx_xxxx.xxxpredictiveHigh
56File~/xxxxx/xxxxx.xxxpredictiveHigh
57Libraryxxx/xxxx/xxx/xxx.xxxpredictiveHigh
58Libraryxxx/xxxxx.xpredictiveMedium
59LibraryxxxxxxxpredictiveLow
60Libraryxxxxxxxxx.xxxpredictiveHigh
61Argument${xxx}predictiveLow
62ArgumentxxxxxxpredictiveLow
63Argumentxxxxxxxxxx_xxpredictiveHigh
64ArgumentxxxxxxxxxxxxxpredictiveHigh
65Argumentxxxx_xxxxxpredictiveMedium
66Argumentxxxx_xxxpredictiveMedium
67ArgumentxxpredictiveLow
68ArgumentxxxxxxpredictiveLow
69ArgumentxxxxxxxxpredictiveMedium
70ArgumentxxxxxxxxpredictiveMedium
71ArgumentxxxxxxxpredictiveLow
72Argumentx_xxpredictiveLow
73ArgumentxxxxpredictiveLow
74Argumentxxxxxx[xxxxxxx_xxxxxxxx]predictiveHigh
75ArgumentxxxxxxxxpredictiveMedium
76ArgumentxxxxxxxxpredictiveMedium
77Argumentxxxxx_xxxx_xxxxpredictiveHigh
78Argumentxxxx_xxxxxxpredictiveMedium
79ArgumentxxxxxxxxpredictiveMedium
80Argumentxxxxxxx_xxpredictiveMedium
81Argumentxxxxxxx_xxxxpredictiveMedium
82ArgumentxxxxxxxxxxxxxxpredictiveHigh
83ArgumentxxxxxxxpredictiveLow
84ArgumentxxxxxpredictiveLow
85ArgumentxxxpredictiveLow
86ArgumentxxxpredictiveLow
87ArgumentxxxxxxxxpredictiveMedium
88ArgumentxxxxxxxxxxxxxxxxxpredictiveHigh
89Argumentx-xxxxxxxxx-xxxpredictiveHigh
90Argument_xxxxpredictiveLow
91Input Value-<xxxxxx>predictiveMedium
92Network Portxxx/xxxxpredictiveMedium

References (2)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Do you know our Splunk app?

Download it now for free!