EwDoor Analysis

IOB - Indicator of Behavior (203)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 198
pl: 2
jp: 2
ru: 2


Country

sc: 142
li: 10
us: 6
ml: 2
cn: 2


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Google Android: 8
Microsoft Windows: 6
GitLab Community Edition: 4
GitLab Enterprise Edition: 4
GitLab: 4


Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | CTI | EPSS | CVE
1 | Jetty URI access control | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.47555 | CVE-2021-34429
2 | portable SDK for UPnP unique_service_name memory corruption | 10.0 | 9.5 | $0-$5k | $0-$5k | High | Official Fix | 0.03 | 0.97445 | CVE-2012-5958
3 | CKFinder File Name unrestricted upload | 7.4 | 7.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.07 | 0.00155 | CVE-2019-15862
4 | Asus RT-AC2900 input validation | 8.5 | 8.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.08597 | CVE-2018-8826
5 | GitLab Community Edition/Enterprise Edition Permission permission assignment | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.04 | 0.00054 | CVE-2019-18446
6 | phpMyAdmin PMA_safeUnserialize deserialization | 9.8 | 9.6 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00433 | CVE-2016-9865
7 | phpMyAdmin Username sql injection | 7.5 | 7.3 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.00326 | CVE-2016-9864
8 | Libbitcoin Explorer Milk Sad entropy | 5.3 | 5.3 | $0-$5k | $0-$5k | High | Not Defined | 0.02 | 0.00116 | CVE-2023-39910
9 | Microsoft ASP.NET Core Kestrel Web Application password recovery | 8.0 | 7.9 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.02783 | CVE-2018-0787
10 | KeyCloak Admin REST API injection | 3.5 | 3.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.00080 | CVE-2022-1274
11 | Schneider Electric Modicon PLC Project File unusual condition | 6.5 | 6.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00044 | CVE-2023-25620
12 | Kubernetes kubelet pprof information disclosure | 7.3 | 7.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.05 | 0.53513 | CVE-2019-11248
13 | Sonatype Nexus Repository Manager OSS Admin Panel access control | 6.3 | 6.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.09 | 0.00044 | CVE-2022-31289
14 | Microsoft Exchange Server Remote Code Execution | 9.8 | 8.5 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00 | 0.04447 | CVE-2021-28481
15 | Apple Safari WebKit state issue | 5.9 | 5.8 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.22 | 0.00079 | CVE-2022-46692
16 | Portainer API Credentials credentials management | 7.5 | 7.3 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.03 | 0.00431 | CVE-2018-19466
17 | Google Chrome Screen Capture heap-based overflow | 7.5 | 7.4 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.00 | 0.00209 | CVE-2022-3043
18 | CGI Script printenv information disclosure | 5.3 | 5.2 | $0-$5k | $0-$5k | Not Defined | Workaround | 0.02 | 0.00000 | (none)
19 | Mumble cryptographic issues | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.00042 | CVE-2012-0863
20 | Git Plugin Build authorization | 6.5 | 6.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.05 | 0.01156 | CVE-2022-36883

IOC - Indicator of Compromise (3)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
1 | 45.141.157.217 | ip-157-217.CN-Global | EwDoor | | 02/09/2022 | verified | High
2 | XXX.XX.XX.XX | xx.xx.xx.xxx.xx.xxx.xx | Xxxxxx | | 02/09/2022 | verified | High
3 | XXX.XXX.XX.XXX | | Xxxxxx | | 02/09/2022 | verified | High

TTP - Tactics, Techniques, Procedures (18)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (59)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /admin/sysmon.php | predictive | High
2 | File | /api/content/posts/comments | predictive | High
3 | File | /debug/pprof | predictive | Medium
4 | File | /Home/GetAttachment | predictive | High
5 | File | /modules/projects/vw_files.php | predictive | High
6 | File | admin/limits.php | predictive | High
7 | File | cgi-bin/ddns_enc.cgi | predictive | High
8 | File | xxx.xxx | predictive | Low
9 | File | xxxxxx.x | predictive | Medium
10 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive | High
11 | File | xxxx/xxxx | predictive | Medium
12 | File | xxxxxx/xxxxxxxxxx/xxxxxxxxxx.xx | predictive | High
13 | File | xxxxxx_xxx.x | predictive | Medium
14 | File | xxxxxxxxxxxxxx.xx | predictive | High
15 | File | xx/xxxxxxx/xxx.x | predictive | High
16 | File | xxx/xx/xxxx/xxxx.xxxxx.xxx | predictive | High
17 | File | xxxxx.xxx | predictive | Medium
18 | File | xxxxxx.x | predictive | Medium
19 | File | xxxxxxxx.xxx | predictive | Medium
20 | File | xxxxxxxxxxxx/xxx.x | predictive | High
21 | File | xxx_xxxxxxxxx.x | predictive | High
22 | File | xxxxxxx.xxx | predictive | Medium
23 | File | xxx_xxxxx_xxxx.x | predictive | High
24 | File | xxxxxxx/xxxx | predictive | Medium
25 | File | xxxxxxx.xxx | predictive | Medium
26 | File | xxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High
27 | File | xxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High
28 | File | xxxxxxxxxxxxx.xxx | predictive | High
29 | File | xxxxxxxx_xxxxxxxxxxxx_xxxxxx.xx | predictive | High
30 | File | xxx_xxxxx_xxxxxxxxx.x | predictive | High
31 | File | xxxxxxxx/xxxx/xxxx.xxx?xxxxxx=xxxxxxxxxxxxxxxx | predictive | High
32 | File | xxxxxxxxxxxxxxx.xxx | predictive | High
33 | File | xxxxxxxx/xxxxxxxxxxxx-xxxxxxxxxx | predictive | High
34 | File | xxxxxx/xxxxxxx/xxxxxx/xxxxxxxx.xxx | predictive | High
35 | File | xxxx.xxx | predictive | Medium
36 | File | xxx xxxx xxxxxxx | predictive | High
37 | File | xx-xxxxxxxx/xxxxx-xx-xxxxx.xxx | predictive | High
38 | Library | xxx-xx-xxx-xxxx-xxxx-xx-x-x.xxx | predictive | High
39 | Argument | -x | predictive | Low
40 | Argument | xxxxxxxxxxxxxx | predictive | High
41 | Argument | xxxxxx/xxxxxxx | predictive | High
42 | Argument | xxxxxxxx[xxxx_xxx] | predictive | High
43 | Argument | xxxxxxxx xxxx/xxxxxxxx xxxxxxxx/xxxxxxxx xxxxxxx xx/xxxxxxx/xxxx | predictive | High
44 | Argument | xxxxxx xxxxxx | predictive | High
45 | Argument | xxxx_xxxxxxx | predictive | Medium
46 | Argument | xx | predictive | Low
47 | Argument | xxxxxxxx | predictive | Medium
48 | Argument | xxxxxxxxxx | predictive | Medium
49 | Argument | xxxx_xxx_xxxxxxxx_xxx | predictive | High
50 | Argument | xxxxxxx | predictive | Low
51 | Argument | xxxxx/xxxxxxxx | predictive | High
52 | Argument | xxxxx | predictive | Low
53 | Argument | xxxx | predictive | Low
54 | Argument | xx_xxx_xxxxx | predictive | Medium
55 | Input Value | ../ | predictive | Low
56 | Input Value | \x | predictive | Low
57 | Network Port | xxx/xx | predictive | Low
58 | Network Port | xxx/xxx | predictive | Low
59 | Network Port | xxx/xxxx | predictive | Medium

References (2)

The following list contains external sources which discuss the actor and the associated activities:
