Chafer Analysis

IOB - Indicator of Behavior (357)

Language

en: 308
es: 18
fr: 8
zh: 6
ru: 6

Product

WordPress: 14
Microsoft Windows: 8
Google Chrome: 8
PHP: 6
BigBlueButton: 6

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

# | Vulnerability | Base | Temp | 0day | Today | Exp | Cou | KEV | EPSS | CTI | CVE
1 | nginx request smuggling | 6.9 | 6.9 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00000 | 1.50 | CVE-2020-12440
2 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | possible | 0.02956 | 0.00 | CVE-2007-1192
3 | Microsoft IIS uncpath cross site scripting | 5.2 | 5.0 | $5k-$25k | $0-$5k | Proof-of-Concept | Official fix | | 0.01387 | 0.00 | CVE-2017-0055
4 | VMware vRealize Orchestrator Path redirect | 3.0 | 2.9 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.00582 | 0.00 | CVE-2021-22036
5 | vm2 injection | 9.9 | 9.7 | $0-$5k | $0-$5k | Not defined | Official fix | possible | 0.50996 | 0.03 | CVE-2023-32314
6 | OpenSSH Authentication Username information disclosure | 5.3 | 4.8 | $5k-$25k | $0-$5k | High | Official fix | expected | 0.92487 | 0.56 | CVE-2016-6210
7 | PHPMailer Phar Deserialization addAttachment deserialization | 5.5 | 5.3 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.01150 | 0.00 | CVE-2020-36326
8 | jQuery Property extend Pollution cross site scripting | 6.6 | 6.3 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | | 0.02022 | 0.37 | CVE-2019-11358
9 | Rust Programming Language Standard Library type_id memory corruption | 7.7 | 7.5 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00997 | 0.00 | CVE-2019-12083
10 | PHP ldap_escape out-of-bounds write | 9.8 | 9.6 | $25k-$100k | $5k-$25k | Not defined | Official fix | | 0.00180 | 0.00 | CVE-2024-11236
11 | phpMyAdmin grab_globals.lib.php path traversal | 4.8 | 4.4 | $5k-$25k | $0-$5k | Proof-of-Concept | Official fix | | 0.05909 | 0.00 | CVE-2005-3299
12 | WordPress sql injection | 6.8 | 6.7 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.06748 | 0.00 | CVE-2022-21664
13 | Apple iOS WebKit buffer overflow | 8.0 | 7.9 | $25k-$100k | $5k-$25k | High | Official fix | verified | 0.00901 | 0.00 | CVE-2021-30666
14 | WordPress path traversal | 5.7 | 5.6 | $5k-$25k | $0-$5k | Not defined | Official fix | expected | 0.85513 | 0.00 | CVE-2023-2745
15 | Canon IJ Network Tool Wi-Fi Connection Setup missing password field masking | 5.4 | 5.4 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00035 | 0.00 | CVE-2023-1763
16 | ciubotaru share-on-diaspora new_window.php cross site scripting | 4.4 | 4.3 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00070 | 0.09 | CVE-2017-20176
17 | Postfix Admin functions.inc.php sql injection | 7.3 | 7.0 | $5k-$25k | $0-$5k | High | Official fix | | 0.00515 | 0.00 | CVE-2014-2655
18 | D-Link DCS-2530L/DCS-2670L ddns_enc.cgi command injection | 7.5 | 7.5 | $5k-$25k | $5k-$25k | Not defined | Not defined | | 0.18257 | 0.02 | CVE-2020-25079
19 | Microsoft IIS IP/Domain Restriction access control | 6.5 | 5.7 | $25k-$100k | $0-$5k | Unproven | Official fix | | 0.09610 | 0.65 | CVE-2014-4078
20 | SourceCodester Library Management System bookdetails.php sql injection | 7.1 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00072 | 0.00 | CVE-2022-2214

Campaigns (2)

These are the campaigns that can be associated with the actor:

IOC - Indicator of Compromise (11)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
1 | 83.142.230.113 | | Chafer | | 12/22/2020 | verified | Low
2 | 89.38.97.112 | 89-38-97-112.hosted-by-worldstream.net | Chafer | | 12/22/2020 | verified | Very Low
3 | 89.38.97.115 | 89-38-97-115.hosted-by-worldstream.net | Chafer | | 12/22/2020 | verified | Very Low

TTP - Tactics, Techniques, Procedures (19)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (147)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | //etc/RT2870STA.dat | predictive | High
2 | File | /admin/index.php?id=themes&action=edit_template&filename=blog | predictive | High
3 | File | /api/login | predictive | Medium
4 | File | /appConfig/userDB.json | predictive | High
5 | File | /bin/boa | predictive | Medium
6 | File | /cgi-bin/wapopen | predictive | High
7 | File | /cgi-bin/widget_api.cgi | predictive | High
8 | File | /CPE | predictive | Low
9 | File | /cwp_{SESSION_HASH}/admin/loader_ajax.php | predictive | High
10 | File | /jquery_file_upload/server/php/index.php | predictive | High
11 | File | /librarian/bookdetails.php | predictive | High
12 | File | /magnoliaPublic/travel/members/login.html | predictive | High
13 | File | /Main_AdmStatus_Content.asp | predictive | High
14 | File | /public/login.htm | predictive | High
15 | File | /requests.php | predictive | High
16 | File | /self.key | predictive | Medium

References (5)

The following list contains external sources which discuss the actor and the associated activities:
