Cardinal RAT Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (278)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en214
fr38
it20
es2
sv2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

US: USA150
CR: Costa Rica82
RU: Russia20
AR: Argentina16
ID: Indonesia4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

Cardinal RAT5
Ave Maria2
Silence1
Dharma1
DNSpionage1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined120
Multimedia Player Software14
Content Management System14
Document Reader Software12
Programming Language Software8

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined98
Adobe14
Cisco12
IBM12
Google10

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Adobe Flash Player10
Foxit Reader6
ZyXEL ZyNOS6
Dahuasecurity Dvr54086
Google Android6

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemEPSSCTICVE
1Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure5.35.2$5k-$25kCalculatingHighWorkaround0.020160.00CVE-2007-1192
2MGB OpenSource Guestbook email.php sql injection7.37.3$0-$5k$0-$5kHighUnavailable0.013021.67CVE-2007-0354
3Foxit PhantomPDF fxhtml2pdf memory corruption7.57.5$0-$5k$0-$5kNot DefinedNot Defined0.008350.00CVE-2018-17706
4Qualcomm Snapdragon Mobile WLAN memory corruption6.86.7$5k-$25k$0-$5kNot DefinedOfficial Fix0.000440.00CVE-2018-11875
5Qualcomm Snapdragon Mobile WLAN input validation6.86.7$5k-$25k$0-$5kNot DefinedOfficial Fix0.000440.00CVE-2018-11873
6Qualcomm Snapdragon Mobile/Snapdragon Wear Modem Segment access control6.86.7$5k-$25k$0-$5kNot DefinedOfficial Fix0.000440.00CVE-2017-18308
7Yammer Desktop App input validation7.57.5$0-$5k$0-$5kNot DefinedNot Defined0.043850.00CVE-2018-8569
8Moxa ThingsPro command injection8.58.5$0-$5k$0-$5kNot DefinedNot Defined0.007360.00CVE-2018-18396
9elfutils libdw dwarf_getaranges.c dwarf_getaranges memory corruption6.46.3$0-$5k$0-$5kNot DefinedOfficial Fix0.006870.00CVE-2018-16062
10Kraftway 24F2XG Web Interface memory corruption8.58.5$0-$5k$0-$5kNot DefinedNot Defined0.012400.00CVE-2018-15353
11Google Android Qualcomm Crypto Driver access control9.39.3$25k-$100k$25k-$100kNot DefinedNot Defined0.006230.00CVE-2016-8418
12Google Android libjpeg access control7.87.6$25k-$100k$0-$5kNot DefinedOfficial Fix0.004640.00CVE-2016-6702
13PHP Link Directory Administration Page index.html cross site scripting4.34.3$0-$5k$0-$5kNot DefinedNot Defined0.003990.09CVE-2007-0529
14Phplinkdirectory PHP Link Directory conf_users_edit.php cross-site request forgery6.36.0$0-$5k$0-$5kProof-of-ConceptNot Defined0.005260.04CVE-2011-0643
15phpBB XS bb_usage_stats.php file inclusion7.36.9$0-$5k$0-$5kProof-of-ConceptNot Defined0.079550.00CVE-2006-4893
16PHPUnit HTTP POST eval-stdin.php code injection8.58.4$0-$5k$0-$5kHighOfficial Fix0.974790.17CVE-2017-9841
17Intelliants Subrion CMS Members Administrator cross-site request forgery4.34.2$0-$5k$0-$5kNot DefinedNot Defined0.001800.00CVE-2020-18326
18InviteBox Plugin for Viral Refer-a-Friend Promotions Plugin Parameter admin.php cross site scripting5.25.1$0-$5k$0-$5kNot DefinedOfficial Fix0.000660.00CVE-2021-38359
19ABB Base Software for SoftControl data authenticity9.89.8$0-$5k$0-$5kNot DefinedNot Defined0.001870.00CVE-2020-24672
20Cisco Adaptive Security Device Manager Signature Verification code injection7.57.2$5k-$25k$0-$5kProof-of-ConceptOfficial Fix0.068200.00CVE-2021-1585

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Cardinal RAT

IOC - Indicator of Compromise (8)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
1127.194.73.243Cardinal RATCardinal RAT12/22/2020verifiedLow
2127.194.87.192Cardinal RATCardinal RAT12/22/2020verifiedLow
3XXX.XX.XXX.Xxxx.xx.xxx.x.xxxxxxxxx-xxxXxxxxxxx XxxXxxxxxxx Xxx12/22/2020verifiedLow
4XXX.XXX.XXX.XXXxxx.xxx.xxx.xxx.xxxxxxxxx-xxxXxxxxxxx XxxXxxxxxxx Xxx12/22/2020verifiedLow
5XXX.XX.X.XXXxxxxxxxxxxxxx.xxxXxxxxxxx XxxXxxxxxxx Xxx12/22/2020verifiedLow
6XXX.XX.XX.XXxxx.xx.xx.xx.xxxxxxxxx-xxxXxxxxxxx XxxXxxxxxxx Xxx12/22/2020verifiedLow
7XXX.XX.XX.XXXxxx.xx.xx.xxx.xxxxxxxxx-xxxXxxxxxxx XxxXxxxxxxx Xxx12/22/2020verifiedLow
8XXX.XX.XX.XXXxxx.xx.xx.xxx.xxxxxxxxx-xxxXxxxxxxx XxxXxxxxxxx Xxx12/22/2020verifiedLow

TTP - Tactics, Techniques, Procedures (13)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-22Path TraversalpredictiveHigh
2T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
3T1059.007CAPEC-209CWE-79, CWE-80Cross Site ScriptingpredictiveHigh
4TXXXXCAPEC-122CWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
5TXXXX.XXXCAPEC-191CWE-XXXXxxx-xxxxx XxxxxxxxxxxpredictiveHigh
6TXXXXCAPEC-136CWE-XX, CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
7TXXXX.XXXCAPEC-178CWE-XXXXxxx XxxxxxxxpredictiveHigh
8TXXXXCAPEC-108CWE-XXXxx XxxxxxxxxpredictiveHigh
9TXXXXCAPEC-CWE-XXXXxxxxxxxxxx XxxxxxxxxxpredictiveHigh
10TXXXXCAPEC-116CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
11TXXXX.XXXCAPEC-CWE-XXXxxxxxxxxxxxxpredictiveHigh
12TXXXXCAPEC-CWE-XXXXxxxxxxxxxxxx XxxxxxpredictiveHigh
13TXXXX.XXXCAPEC-1CWE-XXXXxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx XxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (94)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/admin/?/plugin/comment/settingspredictiveHigh
2File/filemanager/upload.phppredictiveHigh
3File/forum/away.phppredictiveHigh
4File/inc/parser/xhtml.phppredictiveHigh
5File/uncpath/predictiveMedium
6File/webconsole/APIControllerpredictiveHigh
7File/webmail/predictiveMedium
8Fileadclick.phppredictiveMedium
9Fileadmin.php?s=/Admin/doeditpredictiveHigh
10Fileadmin/conf_users_edit.phppredictiveHigh
11Fileadmin/web_config.phppredictiveHigh
12Filexxxxxxx.xxxpredictiveMedium
13Filexxxxx.xpredictiveLow
14Filexx_xxxxx_xxxxx.xxxpredictiveHigh
15Filexxx_xxxxxxxxxxx_xxx_xxxx.xxxpredictiveHigh
16Filexxx_xxxxxx_xxxx.xxxpredictiveHigh
17Filexxxxxxxx.xxxpredictiveMedium
18Filexxxx/xxxxxxxx.xpredictiveHigh
19Filexxxxxx_xxxxxxxx_xxx.xxxpredictiveHigh
20Filexxxxx\xxxx\xxx_xxxx\xxxx_xxxx.xxxpredictiveHigh
21Filexxxx/xxxxxxxxxxxxxxx.xxxpredictiveHigh
22Filexxxxx_xxxxxxxxxx.xpredictiveHigh
23Filexxx/xxx/xxxxxpredictiveHigh
24Filexxxxx.xxxpredictiveMedium
25Filexxxxxx_xxx.xxxpredictiveHigh
26Filexxxx/xxxx.xpredictiveMedium
27Filexxxxxxxx.xpredictiveMedium
28Filexxx.xpredictiveLow
29Filexxxxx.xxxxpredictiveMedium
30Filexxxxx.xxxpredictiveMedium
31Filexxxxxx.xpredictiveMedium
32Filexxxxxxx.xxxpredictiveMedium
33Filexxxxxxxx.xpredictiveMedium
34Filexxxxxx/xxxxxxx.xxxpredictiveHigh
35Filexxxxxxx/xxx_xxxxxx/xxxxxx.xpredictiveHigh
36Filexxxxxxxx/xxxx/xxxx.xxxpredictiveHigh
37Filexxxxx.xxxpredictiveMedium
38Filexxxxxxxxxx.xxxpredictiveHigh
39Filexxxxxx_xxxxxx.xxpredictiveHigh
40Filexxxxxxxxxx.xxxxpredictiveHigh
41Filexxxx_xxxxxxx.xpredictiveHigh
42Filexxxxxxxx/xxxx/xxxx.xxx?xxxxxx=xxxxxxxxxxxxxxxxpredictiveHigh
43Filexxxxxxxxxxxx/xxxxxxx.xxxpredictiveHigh
44Filexxx-xxxxxxx.xpredictiveHigh
45Filexxx_xxxxxx.xpredictiveMedium
46Filexxxxxx/xxxxxxx/xxxxxx/xxxxxxxx.xxxpredictiveHigh
47Filexxxxxxxx.xpredictiveMedium
48Filexxxxx/xxxxxxxx.xpredictiveHigh
49Filexxxxx/xxxxxxx.xpredictiveHigh
50Filexxxxxx\xxxxxxx\xxx\xxxxxxx.xxxpredictiveHigh
51Filexxxx/xxxx_xxxx.xpredictiveHigh
52Filexxxx/xxx/xxxx-xxxxx.xxxpredictiveHigh
53Filexxxx/xxxxxxxx/xxxxxxxx.xxxxpredictiveHigh
54Filexxx_xxxxx.xpredictiveMedium
55Filexx-xxxxx/xxxxx-xxxxxx.xxxpredictiveHigh
56Filexx-xxxxxxxx/xxxxx-xx-xxxxx.xxxpredictiveHigh
57File_xxxx_xxxx.xxxpredictiveHigh
58File~/xxxxx/xxxxx.xxxpredictiveHigh
59Libraryxxx/xxxx/xxx/xxx.xxxpredictiveHigh
60Libraryxxx/xxxxx.xpredictiveMedium
61LibraryxxxxxxxpredictiveLow
62Libraryxxxxxxxxx.xxxpredictiveHigh
63Argument${xxx}predictiveLow
64ArgumentxxxxxxpredictiveLow
65Argumentxxxxxxxxxx_xxpredictiveHigh
66ArgumentxxxxxxxxxxxxxpredictiveHigh
67Argumentxxxx_xxxxxpredictiveMedium
68Argumentxxxx_xxxpredictiveMedium
69ArgumentxxpredictiveLow
70ArgumentxxxxxxpredictiveLow
71ArgumentxxxxxxxxpredictiveMedium
72ArgumentxxxxxxxxpredictiveMedium
73ArgumentxxxxxxxpredictiveLow
74Argumentx_xxpredictiveLow
75ArgumentxxxxpredictiveLow
76Argumentxxxxxx[xxxxxxx_xxxxxxxx]predictiveHigh
77ArgumentxxxxxxxxpredictiveMedium
78ArgumentxxxxxxxxpredictiveMedium
79Argumentxxxxx_xxxx_xxxxpredictiveHigh
80Argumentxxxx_xxxxxxpredictiveMedium
81ArgumentxxxxxxxxpredictiveMedium
82Argumentxxxxxxx_xxpredictiveMedium
83Argumentxxxxxxx_xxxxpredictiveMedium
84ArgumentxxxxxxxxxxxxxxpredictiveHigh
85ArgumentxxxxxxxpredictiveLow
86ArgumentxxxxxpredictiveLow
87ArgumentxxxpredictiveLow
88ArgumentxxxpredictiveLow
89ArgumentxxxxxxxxpredictiveMedium
90ArgumentxxxxxxxxxxxxxxxxxpredictiveHigh
91Argumentx-xxxxxxxxx-xxxpredictiveHigh
92Argument_xxxxpredictiveLow
93Input Value-<xxxxxx>predictiveMedium
94Network Portxxx/xxxxpredictiveMedium

References (2)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Do you need the next level of professionalism?

Upgrade your account now!