Earth Krahang Analysis

IOB - Indicator of Behavior (273)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Language

en: 166
zh: 92
ja: 6
it: 2
de: 2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Product

Microsoft Windows: 8
Apache HTTP Server: 6
WordPress: 6
Joomla CMS: 6
jforum: 4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Cou | KEV | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | | 0.00970 | 0.15 | CVE-2010-0966 |
| 2 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | possible | 0.02956 | 0.00 | CVE-2007-1192 |
| 3 | PHP Link Directory Administration Page index.html cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00285 | 0.06 | CVE-2007-0529 |
| 4 | SOGo SAML Assertion signature verification | 6.3 | 6.0 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00291 | 0.00 | CVE-2021-33054 |
| 5 | Iij SmartKey One-Time Password information disclosure | 5.0 | 5.0 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00092 | 0.00 | CVE-2022-41986 |
| 6 | FLDS redir.php sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | High | Unavailable | possible | 0.00505 | 0.15 | CVE-2008-5928 |
| 7 | Magicblack Maccms10 Template Upload unrestricted upload | 5.5 | 5.5 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.01110 | 0.00 | CVE-2020-21359 |
| 8 | OpenSSL c_rehash os command injection | 5.5 | 5.3 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.75901 | 0.03 | CVE-2022-1292 |
| 9 | PHPWind goto.php redirect | 6.3 | 6.3 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00365 | 0.04 | CVE-2015-4134 |
| 10 | LogicBoard CMS away.php redirect | 6.3 | 6.1 | $0-$5k | $0-$5k | Not defined | Unavailable | | 0.00000 | 0.56 | |
| 11 | jforum username User input validation | 5.3 | 5.3 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00443 | 0.03 | CVE-2019-7550 |
| 12 | Cisco ASA WebVPN Login Page logon.html cross site scripting | 5.3 | 5.2 | $5k-$25k | $0-$5k | High | Official fix | verified | 0.78345 | 0.06 | CVE-2014-2120 |
| 13 | Apache HTTP Server HTTP/2 Request request smuggling | 6.4 | 6.4 | $25k-$100k | $5k-$25k | Not defined | Not defined | | 0.69971 | 0.04 | CVE-2020-9490 |
| 14 | Synology VPN Plus Server Remote Desktop out-of-bounds write | 9.9 | 9.7 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.20081 | 0.00 | CVE-2022-43931 |
| 15 | Microsoft IIS uncpath cross site scripting | 5.2 | 5.0 | $5k-$25k | $0-$5k | Proof-of-Concept | Official fix | | 0.03389 | 0.06 | CVE-2017-0055 |
| 16 | Telesquare SDT-CW3B1 os command injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.94225 | 0.04 | CVE-2021-46422 |
| 17 | muhttpd URL request.c do_request information disclosure | 4.3 | 4.1 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.93443 | 0.00 | CVE-2022-31793 |
| 18 | Indexu suggest_category.php cross site scripting | 3.5 | 3.5 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00000 | 0.53 | |
| 19 | wp-polls Plugin sql injection | 8.5 | 8.4 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00513 | 0.00 | CVE-2015-9352 |
| 20 | Plexus-utils Double Quote command injection | 8.5 | 8.4 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.25059 | 0.02 | CVE-2017-1000487 |

IOC - Indicator of Compromise (13)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (19)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (101)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | /+CSCOE+/logon.html | predictive | High |
| 2 | File | /admin/index.php | predictive | High |
| 3 | File | /administrator/components/table_manager/ | predictive | High |
| 4 | File | /crmeb/app/admin/controller/store/CopyTaobao.php | predictive | High |
| 5 | File | /filemanager/php/connector.php | predictive | High |
| 6 | File | /forum/away.php | predictive | High |
| 7 | File | /lab.html | predictive | Medium |
| 8 | File | /languages/index.php | predictive | High |
| 9 | File | /objects/getSpiritsFromVideo.php | predictive | High |
| 10 | File | /public/login.htm | predictive | High |
| 11 | File | /services | predictive | Medium |
| 12 | File | /uncpath/ | predictive | Medium |
