FF-Rat Analysis

IOB - Indicator of Behavior (16)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en14
zh2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

cn10
us4
gb2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

PHPMailer2
PHP Scripts Mall Professional Service Script2
PHP2
vsftpd2
Bitrix Site Manager2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemCTIEPSSCVE
1vsftpd deny_file unknown vulnerability3.73.6$0-$5k$0-$5kNot DefinedOfficial Fix0.060.01136CVE-2015-1419
2Atlassian Confluence Server/Confluence Data Center Webwork OGNL injection6.36.0$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.060.97974CVE-2021-26084
3PHPMailer Phar Deserialization addAttachment deserialization5.55.3$0-$5k$0-$5kNot DefinedOfficial Fix0.030.00954CVE-2020-36326
4Squid Proxy HTTP Header information disclosure6.66.6$5k-$25k$5k-$25kNot DefinedNot Defined0.010.01537CVE-2019-12529
5PHP com_print_typeinfo memory corruption10.09.4$25k-$100k$0-$5kProof-of-ConceptNot Defined0.030.15607CVE-2012-2376
6Oracle WebLogic Server Console Remote Code Execution9.89.4$25k-$100k$0-$5kNot DefinedOfficial Fix0.060.94926CVE-2020-14882
7PbootCMS code injection8.58.5$0-$5k$0-$5kNot DefinedNot Defined0.040.05634CVE-2018-19595
8Microsoft Windows Win32k access control7.97.5$100k and more$5k-$25kNot DefinedOfficial Fix0.000.01681CVE-2019-0623
9Western Digital PR4100 webfile_mgr.cgi link following7.57.2$0-$5k$0-$5kNot DefinedOfficial Fix0.020.02199CVE-2019-9949
10PHP Scripts Mall Professional Service Script review.php sql injection8.57.9$0-$5k$0-$5kNot DefinedNot Defined0.010.00885CVE-2017-17928
11Alt-N MDaemon Worldclient user session7.37.0$5k-$25k$0-$5kProof-of-ConceptOfficial Fix0.030.00000
12Alt-N MDaemon HTTP Requests Sanitizer WorldClient.dll information disclosure2.72.5$5k-$25kCalculatingProof-of-ConceptOfficial Fix0.020.00000
13Citrix NetScaler ADC/NetScaler Gateway access control8.58.2$5k-$25k$0-$5kNot DefinedOfficial Fix0.030.01055CVE-2018-6809
14Bitrix Site Manager Contact Form cross site scripting4.14.0$0-$5k$0-$5kProof-of-ConceptNot Defined0.030.00885CVE-2017-20122
15WordPress sql injection8.58.4$5k-$25k$0-$5kNot DefinedOfficial Fix0.000.01537CVE-2017-14723
16Barracuda Networks Barracuda Spam Firewall Firmware img.pl path traversal5.35.0$0-$5k$0-$5kProof-of-ConceptWorkaround0.020.01319CVE-2005-2848

IOC - Indicator of Compromise (4)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (7)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueVulnerabilitiesAccess VectorTypeConfidence
1T1006CWE-22Pathname TraversalpredictiveHigh
2T1055CWE-74InjectionpredictiveHigh
3TXXXXCWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
4TXXXX.XXXCWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
5TXXXXCWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
6TXXXXCWE-XXXxx XxxxxxxxxpredictiveHigh
7TXXXXCWE-XXXXxxxxxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (13)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1Fileadmin/review.phppredictiveHigh
2Filecgi-bin/webfile_mgr.cgipredictiveHigh
3Filexxx.xxpredictiveLow
4Filexxxxx.xxx/xxxx/x/predictiveHigh
5Libraryxxxxxxxxxxx.xxxpredictiveHigh
6ArgumentxxxxxxxpredictiveLow
7ArgumentxxpredictiveLow
8ArgumentxxxxpredictiveLow
9ArgumentxxxxxxxpredictiveLow
10ArgumentxxxxpredictiveLow
11Argumentxxxx->xxxxxxxpredictiveHigh
12Input Value<xxx xxx="xxxx://x"; xx xxxxxxx="$(’x').xxxx(’xxxxxx’)" />predictiveHigh
13Input Value{xxxxx:xx(xxxx($_xxx[x]))}x{/xxxxx:xx}predictiveHigh

References (2)

The following list contains external sources which discuss the actor and the associated activities:

Want to stay up to date on a daily basis?

Enable the mail alert feature now!