Expiro Analysis

IOB - Indicator of Behavior (248)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 196
fr: 14
de: 12
es: 8
sv: 4


Country

us: 116
ru: 52
fr: 4
cn: 4
es: 4


Product

Microsoft Windows: 8
Microsoft IIS: 6
WordPress: 6
QSAN Storage Manager: 4
Joomla CMS: 4


Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | CTI | EPSS | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | TikiWiki tiki-register.php input validation | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 8.96 | 0.01009 | CVE-2006-6168 |
| 2 | Phplinkdirectory PHP Link Directory conf_users_edit.php cross-site request forgery | 6.3 | 6.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.05 | 0.00526 | CVE-2011-0643 |
| 3 | Python Software Foundation BaseHTTPServer HTTP Request denial of service | 7.5 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Workaround | 0.12 | 0.00000 | |
| 4 | Maran PHP Shop prod.php sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | High | Unavailable | 0.04 | 0.00137 | CVE-2008-4879 |
| 5 | OpenSSH Authentication Username information disclosure | 5.3 | 4.8 | $5k-$25k | $0-$5k | High | Official Fix | 0.00 | 0.10737 | CVE-2016-6210 |
| 6 | WordPress sql injection | 7.3 | 6.6 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00 | 0.00175 | CVE-2011-3130 |
| 7 | Apache Tomcat CORS Filter 7pk security | 8.5 | 8.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.07849 | CVE-2018-8014 |
| 8 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.43 | 0.00943 | CVE-2010-0966 |
| 9 | Apache HTTP Server suEXEC Feature .htaccess information disclosure | 5.3 | 5.0 | $5k-$25k | $0-$5k | Proof-of-Concept | Workaround | 0.03 | 0.00000 | |
| 10 | WordPress WP_Query class-wp-query.php sql injection | 8.5 | 8.4 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.02 | 0.00318 | CVE-2017-5611 |
| 11 | Microsoft Office Object data processing | 7.0 | 6.3 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.02 | 0.97339 | CVE-2017-8570 |
| 12 | TP-LINK TL-WR740N/TL-WR741N Firmware Local Privilege Escalation | 5.3 | 5.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.00000 | |
| 13 | Drupal User Module access control | 8.8 | 8.4 | $0-$5k | Calculating | Not Defined | Official Fix | 0.00 | 0.00208 | CVE-2016-6211 |
| 14 | Rockwell Automation FactoryTalk Service Platform permission assignment | 8.5 | 8.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.00043 | CVE-2024-21915 |
| 15 | PHP Link Directory Administration Page index.html cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.35 | 0.00374 | CVE-2007-0529 |
| 16 | TikiWiki tiki-index.php path traversal | 7.3 | 7.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.43 | 0.01414 | CVE-2007-5684 |
| 17 | AWStats Config awstats.pl cross site scripting | 4.3 | 4.1 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.16 | 0.00587 | CVE-2006-3681 |
| 18 | vu Mass Mailer Login Page redir.asp sql injection | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.03 | 0.00181 | CVE-2007-6138 |
| 19 | LogicBoard CMS away.php redirect | 6.3 | 6.1 | $0-$5k | $0-$5k | Not Defined | Unavailable | 5.12 | 0.00000 | |
| 20 | Suricata Rule path traversal | 6.9 | 6.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.00053 | CVE-2023-35852 |

IOC - Indicator of Compromise (34)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.


TTP - Tactics, Techniques, Procedures (21)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (136)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

