DEV-0530 Analysisinfo

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (166)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Language

en166

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

US: USA166

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

Cobalt Strike1
Ave Maria1
BitRAT1
Nanocore RAT1
NetWire RC1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined72
Content Management System8
Operating System8
Application Server Software8
JavaScript Library6

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined56
Microsoft14
Apache6
H3C4
Dell EMC4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Microsoft Windows6
Apache Tomcat6
H3C Magic R1004
swftools4
jQuery-UI4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

#VulnerabilityBaseTemp0dayTodayExpCouKEVEPSSCTICVE
1TLS Protocol/SSL Protocol RC4 Encryption Bar Mitzvah Attack cryptographic issues5.34.7$0-$5k$0-$5kUnprovenWorkaroundpossible0.488400.05CVE-2015-2808
2Couchbase Server information disclosure3.53.4$0-$5k$0-$5kNot definedOfficial fix 0.003710.00CVE-2022-32192
3OTRS Forwarder information disclosure3.53.5$0-$5k$0-$5kNot definedNot defined 0.003450.00CVE-2022-32740
4Veritas NetBackup pbx_exchange Process access control8.38.1$0-$5k$0-$5kProof-of-ConceptOfficial fix 0.002410.00CVE-2017-6407
5Microsoft Azure RTOS USBX ux_device_class_dfu_control_request buffer overflow9.89.6$25k-$100k$0-$5kNot definedOfficial fix 0.014270.00CVE-2022-29246
6PHPMailer Phar Deserialization addAttachment deserialization5.55.3$0-$5k$0-$5kNot definedOfficial fix 0.009900.00CVE-2020-36326
7jQuery UI dialog cross site scripting5.24.9$0-$5k$0-$5kNot definedOfficial fix 0.013970.05CVE-2016-7103
8Intel Xeon BIOS information disclosure3.33.2$0-$5k$0-$5kNot definedOfficial fix 0.001330.00CVE-2021-33117
9HID Mercury LP1501/LP1502/LP2500/LP4502/EP4502 Update buffer overflow9.99.7$0-$5k$0-$5kNot definedOfficial fix 0.009840.00CVE-2022-31481
10Apache Tomcat HTTP Split input validation7.26.8$5k-$25k$0-$5kProof-of-ConceptOfficial fix 0.031040.03CVE-2016-6816
11Delta Controls enteliTOUCH HTTP Request privilege escalation5.55.3$0-$5k$0-$5kNot definedNot defined 0.004010.00CVE-2022-29735
12Moment.js path traversal6.96.7$0-$5k$0-$5kNot definedOfficial fix 0.005390.03CVE-2022-24785
13Laravel PendingBroadcast.php __destruct deserialization6.36.1$0-$5k$0-$5kNot definedNot defined 0.000000.00CVE-2022-31279
14Piwigo admin.php cross site scripting3.53.5$0-$5k$0-$5kNot definedNot defined 0.001810.00CVE-2021-40678
15Linux Kernel Floating Point Register ptrace-fpu.c ptrace_get_fpr buffer overflow8.07.6$5k-$25k$0-$5kNot definedOfficial fix 0.003700.09CVE-2022-32981
16GNU C Library mq_notify use after free5.55.5$0-$5k$0-$5kNot definedNot defined 0.001290.00CVE-2021-33574
17Vyper Contract Address control flow7.37.2$0-$5k$0-$5kNot definedOfficial fix 0.003440.00CVE-2022-29255
18Easy Blog cross-site request forgery4.34.2$0-$5k$0-$5kNot definedNot defined 0.001510.00CVE-2022-27174
19Brocade SANnav REST API log file3.53.4$0-$5k$0-$5kNot definedOfficial fix 0.000240.00CVE-2022-28162
20Python mailcap Module os command injection7.37.3$0-$5k$0-$5kNot definedNot defined 0.012180.04CVE-2015-20107

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • H0lyGh0st

IOC - Indicator of Compromise (1)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
1193.56.29.123DEV-0530H0lyGh0st07/15/2022verifiedMedium

TTP - Tactics, Techniques, Procedures (19)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-21, CWE-22, CWE-23Path TraversalpredictiveHigh
2T1040CAPEC-102CWE-294Authentication Bypass by Capture-replaypredictiveHigh
3T1055CAPEC-10CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
4T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
5TXXXX.XXXCAPEC-XXXCWE-XX, CWE-XXXxxxx Xxxxx Xxxx XxxxxxxxxpredictiveHigh
6TXXXXCAPEC-XXXCWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
7TXXXX.XXXCWE-XXXXxx Xx Xxxx-xxxxx XxxxxxxxpredictiveHigh
8TXXXX.XXXCAPEC-XXXCWE-XXXXxxx-xxxxx XxxxxxxxxxxpredictiveHigh
9TXXXXCAPEC-XXXCWE-XX, CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
10TXXXX.XXXCAPEC-XXXCWE-XXXXxxx XxxxxxxxpredictiveHigh
11TXXXXCWE-XXX, CWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
12TXXXXCAPEC-XXXCWE-XXXxx XxxxxxxxxpredictiveHigh
13TXXXXCAPEC-XXXCWE-XXX, CWE-XXXXxxxxxxxxxx XxxxxxxxxxpredictiveHigh
14TXXXXCAPEC-XXCWE-XXX, CWE-XXXXxxxxxxxx Xxxxxx XxxxpredictiveHigh
15TXXXX.XXXCAPEC-XXXCWE-XXXXxxxxxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
16TXXXXCAPEC-XXXCWE-XXX, CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
17TXXXX.XXXCWE-XXXxxxxxxxxxxxxpredictiveHigh
18TXXXXCWE-XXXXxxxxxxxxxxxx XxxxxxpredictiveHigh
19TXXXX.XXXCAPEC-XXCWE-XXXXxx Xxxxxxxxxx XxxxxpredictiveHigh

IOA - Indicator of Attack (70)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/admin.php?page=batch_manager&mode=unitpredictiveHigh
2File/goform/aspFormpredictiveHigh
3File/omps/sellerpredictiveMedium
4File/php/passport/index.phppredictiveHigh
5File/replicationpredictiveMedium
6File/settingspredictiveMedium
7File/staff/tools/custom-fieldspredictiveHigh
8File/strings/ctype-latin1.cpredictiveHigh
9File/xxxxxxx/predictiveMedium
10File/xxxxxxx-xxxxxxxxxx/xxxxx/xxxxxx_xxxxxx_xxxxxxx_xxxxxxx.xxx?xxxxxxx_xx=xxpredictiveHigh
11Filexxxxx/xxxxxxxxxxxxxxxxx.xxxpredictiveHigh
12Filexxxxxxxxxxxxxxxxx.xxxxpredictiveHigh
13Filexxxxxxx.xxxxpredictiveMedium
14Filex:\xxxxxxx\xxxxxxxx\xxxxxx\xxxpredictiveHigh
15Filexxx-xxx/xxxxxxx.xxpredictiveHigh
16Filexxxxxxxxx.xxxpredictiveHigh
17Filexxxxx.xxxxxxxxxxx.xxxx[x]=xxxpredictiveHigh
18Filexxxxxxxxxxxxxxxxxxxxxxx.xpredictiveHigh
19Filexxxx/xxxxx/xxx_xxxxx.xxxpredictiveHigh
20Filexxxx_xx.xxpredictiveMedium
21Filexxx_xxxxxx.xxpredictiveHigh
22Filexxxxxxxxxx\xxxxxxxxxxxx\xxxxxxxxxxxxxxxx.xxxpredictiveHigh
23Filexxxxx.xxxpredictiveMedium
24Filexxxxxxxxx/xxxx/xxxxxx/xxxxxx_xxxxxxxxxx.xxxpredictiveHigh
25Filexxxxxxxx/xx/xxxx_xxxxxx.xxpredictiveHigh
26Filexxxxxxxxxx/xxxxxx_xxxxxxxx.xpredictiveHigh
27Filexx/xxxxx/xxxxxxx/xxxx.xxpredictiveHigh
28Filexxx/xxxx/xxxx.xpredictiveHigh
29Filexxxxxx-xxx.xpredictiveMedium
30Filexxxxxx.xpredictiveMedium
31Filexxxxxx/xxxxx/xxxxxxxxxxxx/xxxxxxxxxxxx.xxxxpredictiveHigh
32Filexxxxxxxxxxxxxxxxxxxxxxxxx.xxxpredictiveHigh
33Filexxxxx.xxxpredictiveMedium
34Filexxx/xxxx_xxxxxxx.xxpredictiveHigh
35Filexxx/xxxx_xxxx.xxpredictiveHigh
36Filexxxxxxx.xpredictiveMedium
37Filexxxx_xxx_xxx.xxxpredictiveHigh
38Filexxxxxxx/xxxxxxxx/xxxxxxxx/xxxxxx/xxxxxxxxxxxxxxxxxx.xxxpredictiveHigh
39Filexx-xxxxxxxx/xxxxx-xx-xxxxx.xxxpredictiveHigh
40File~/xxxxxxxx/xxxxx-xxx-xxxxxx-xxxxxxxxxxxx.xxxpredictiveHigh
41Libraryxxxxx.xxxpredictiveMedium
42Argument?xxxx_xxxx=xxxxxxx.xxx/xxxx=xxxxxx/xxx=xxx+/xxx/.xxxxxxxx/xxxxxxx=//xxxxxxxxxxxxxx.xxx=xpredictiveHigh
43ArgumentxxxxxxxxpredictiveMedium
44ArgumentxxpredictiveLow
45Argumentxxx_xxxxxxxxxxxxxxxxxxxxxxxpredictiveHigh
46ArgumentxxxxxxxpredictiveLow
47Argumentxxxxxxxxxx_xxxxpredictiveHigh
48Argumentxxxxx.xxxxxxxxxxx.xxxx[x]=xxxpredictiveHigh
49ArgumentxxxxxxxxxpredictiveMedium
50ArgumentxxxxxxpredictiveLow
51Argumentxxxxxx/xxxxxxxxxxpredictiveHigh
52Argumentxxxxx xxxxpredictiveMedium
53ArgumentxxpredictiveLow
54Argumentxxxxxxxxx/xxxxxxxxxpredictiveHigh
55ArgumentxxxxpredictiveLow
56ArgumentxxpredictiveLow
57ArgumentxxxxpredictiveLow
58ArgumentxxxxxxpredictiveLow
59ArgumentxxxxxxxxpredictiveMedium
60ArgumentxxxxxxxxpredictiveMedium
61ArgumentxxxxxxxpredictiveLow
62ArgumentxxxxxpredictiveLow
63Argumentxxxxxx_xxxxpredictiveMedium
64ArgumentxxxxxxxxxxxxxxxxxxxpredictiveHigh
65ArgumentxxxpredictiveLow
66ArgumentxxxxxxxxpredictiveMedium
67ArgumentxxxxxpredictiveLow
68Argumentxxxx_xxpredictiveLow
69Argumentx-xxxxxxxxx-xxxpredictiveHigh
70Network Portxxx/xxxxxpredictiveMedium

References (2)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

This view requires CTI permissions

Just purchase a CTI license today!