Gafgyt Analysis

IOB - Indicator of Behavior (330)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en270
ru48
de4
it4
ja2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

us140
sc124
ru16
li10
ca6

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

Gafgyt5
Mirai3
Cuba Ransomware1
Miner1
EwDoor1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined88
Content Management System42
Operating System16
Groupware Software16
Web Server10

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined92
Microsoft26
Joomla22
Apache14
Oracle10

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Joomla CMS22
Microsoft Windows12
Apache HTTP Server8
WordPress8
Microsoft Exchange Server8

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemCTIEPSSCVE
1Zyxel ARMOR Z1/ARMOR Z2 CGI Program os command injection8.88.8$5k-$25k$5k-$25kNot DefinedNot Defined0.010.01005CVE-2021-4029
2CKFinder File Name unrestricted upload7.47.4$0-$5k$0-$5kNot DefinedNot Defined0.240.01055CVE-2019-15862
3Joomla CMS Cache information disclosure6.46.1$5k-$25k$0-$5kNot DefinedOfficial Fix0.020.00954CVE-2017-9933
4Joomla CMS CSRF Token cross site scripting5.24.9$5k-$25k$0-$5kNot DefinedOfficial Fix0.010.02746CVE-2017-9934
5Jetty URI access control5.35.3$0-$5k$0-$5kNot DefinedOfficial Fix0.000.52164CVE-2021-34429
6Microsoft Exchange Server PowerShell ProxyNotShell Privilege Escalation7.77.3$5k-$25k$0-$5kHighOfficial Fix0.070.31667CVE-2022-41082
7Microsoft Windows LSA information disclosure6.45.9$25k-$100k$5k-$25kFunctionalOfficial Fix0.070.26327CVE-2021-36942
8ZyXEL USG FLEX 50 CGI Program os command injection8.58.4$5k-$25k$0-$5kNot DefinedOfficial Fix0.000.95443CVE-2022-30525
9VMware ESXi/Workstation/Fusion XHCI USB Controller use after free8.88.4$25k-$100k$5k-$25kNot DefinedOfficial Fix0.020.01036CVE-2021-22040
10Joomla CMS Notes List View sql injection7.57.2$5k-$25k$0-$5kHighOfficial Fix0.000.14127CVE-2018-8045
11Joomla CMS ACL input validation6.36.1$5k-$25k$0-$5kNot DefinedOfficial Fix0.020.03771CVE-2020-11890
12Joomla CMS Filter cross site scripting5.24.9$5k-$25k$0-$5kNot DefinedOfficial Fix0.020.00885CVE-2017-7986
13Joomla CMS Error Reporting Path information disclosure5.35.1$5k-$25kCalculatingNot DefinedOfficial Fix0.020.00885CVE-2017-8057
14Joomla CMS LDAP Authentication Password ldap injection7.57.2$5k-$25k$0-$5kNot DefinedOfficial Fix0.040.01018CVE-2017-14596
15Microsoft Windows IIS memory corruption7.97.6$25k-$100k$5k-$25kNot DefinedOfficial Fix0.000.01140CVE-2019-1365
16ActionApps item_content.php3 code injection6.56.2$0-$5kCalculatingProof-of-ConceptNot Defined0.010.15272CVE-2006-2686
17nginx Error Page request smuggling6.36.1$0-$5k$0-$5kNot DefinedOfficial Fix0.060.01537CVE-2019-20372
18Asus RT-AC2900 input validation8.58.2$0-$5k$0-$5kNot DefinedOfficial Fix0.030.10938CVE-2018-8826
19ConnX ESP HR Management frmLogin.aspx sql injection8.58.5$0-$5k$0-$5kNot DefinedNot Defined0.040.01055CVE-2015-4043
20GitLab Community Edition/Enterprise Edition Permission permission assignment5.35.3$0-$5k$0-$5kNot DefinedNot Defined0.000.00885CVE-2019-18446

Campaigns (3)

These are the campaigns that can be associated with the actor:

IOC - Indicator of Compromise (8)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsTypeConfidence
146.249.32.109reverse.hostingbb.comGafgytDDoS UkraineverifiedHigh
2172.245.6.134172-245-6-134-host.colocrossing.comGafgytverifiedHigh
3XXX.XX.XX.XXXxxx.xx.xx.xxx.xx.xxx.xxXxxxxxXxx-xxxx-xxxx / Xxx-xxxx-xxxxverifiedHigh
4XXX.XX.XX.XXXxxx.xx.xx.xxx.xx.xxx.xxXxxxxxXxx-xxxx-xxxx / Xxx-xxxx-xxxxverifiedHigh
5XXX.XXX.XXX.XXXXxxxxxXxx-xxxx-xxxx / Xxx-xxxx-xxxxx / Xxx-xxxx-xxxxxverifiedHigh
6XXX.XXX.XXX.Xxxxxxxxxxxxxxxx.xxxxXxxxxxverifiedHigh
7XXX.XXX.XX.XXXxxxxxXxxx XxxxxxxverifiedHigh
8XXX.XXX.XXX.XXXxxxxxXxxx XxxxxxxverifiedHigh

TTP - Tactics, Techniques, Procedures (19)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueVulnerabilitiesAccess VectorTypeConfidence
1T1006CWE-21, CWE-22, CWE-23Pathname TraversalpredictiveHigh
2T1055CWE-74InjectionpredictiveHigh
3T1059CWE-94Cross Site ScriptingpredictiveHigh
4T1059.007CWE-79, CWE-80Cross Site ScriptingpredictiveHigh
5TXXXXCWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
6TXXXXCWE-XX, CWE-XXXxxxxxx XxxxxxxxxpredictiveHigh
7TXXXX.XXXCWE-XXXXxxx XxxxxxxxpredictiveHigh
8TXXXXCWE-XXXXXxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxx Xxxxxxxx Xxxx Xx X Xxxxxxxx XxxxxxpredictiveHigh
9TXXXXCWE-XXX, CWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
10TXXXXCWE-XX, CWE-XXXxx XxxxxxxxxpredictiveHigh
11TXXXX.XXXCWE-XXXXxxxxxxx XxxxxxxxxxxxxpredictiveHigh
12TXXXXCWE-XXX, CWE-XXX, CWE-XXXXxx.xxx Xxxxxxxxxxxxxxxx: Xxxxxxxx Xx Xxxxxxxxxxxxx XxxxpredictiveHigh
13TXXXXCWE-XXXXxxxxxxxx Xxxxxxx Xx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
14TXXXX.XXXCWE-XXXXxxxxxxxxxxxpredictiveHigh
15TXXXXCWE-XXXXxxxxxxxx Xxxxxx XxxxpredictiveHigh
16TXXXX.XXXCWE-XXXXxxxxxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
17TXXXXCWE-XXXXxxxxxxxxxxxxpredictiveHigh
18TXXXXCWE-XXX, CWE-XXXX2xx Xxxxxxxxxxxxxxxx: Xxxx Xxxxxxxxxxxx Xxxxxxx XxxxxxxxxxpredictiveHigh
19TXXXX.XXXCWE-XXXXxxxxxxxxxxx XxxxxxpredictiveHigh

IOA - Indicator of Attack (104)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/admin/sysmon.phppredictiveHigh
2File/api/content/posts/commentspredictiveHigh
3File/cimompredictiveLow
4File/Home/GetAttachmentpredictiveHigh
5File/LogoStore/search.phppredictiveHigh
6File/MIME/INBOX-MM-1/predictiveHigh
7File/modules/projects/vw_files.phppredictiveHigh
8File/sm/api/v1/firewall/zone/servicespredictiveHigh
9File/usr/bin/pkexecpredictiveHigh
10Fileadmin/limits.phppredictiveHigh
11FileAjaxFileUploadHandler.axdpredictiveHigh
12Fileauth-gss2.cpredictiveMedium
13Filexxxxxx.xxxpredictiveMedium
14Filexxxxxxxxxxxxxxx.xxxpredictiveHigh
15Filexxx-xxx/xxxxxxx.xxpredictiveHigh
16Filexxx-xxx/xxxx_xxx.xxxpredictiveHigh
17Filexxxxxx.xpredictiveMedium
18Filexxxx/xxxxxxxxxxxxxxx.xxxpredictiveHigh
19Filexxxx/xxxxpredictiveMedium
20Filexxxxxx.xxxpredictiveMedium
21Filexxxxxx_xxx.xpredictiveMedium
22Filexxxxxxxxxxxxxx.xxpredictiveHigh
23Filexxxxxxxx.xxxxpredictiveHigh
24Filexxxxxxxxxx.xxxxpredictiveHigh
25Filexx/xxxxxxx/xxx.xpredictiveHigh
26Filexxx/xx/xxxx/xxxx.xxxxx.xxxpredictiveHigh
27Filexxxxxxx/xxxxxxx/xxxxxxxx.xxx.xxxpredictiveHigh
28Filexxxxx.xxxpredictiveMedium
29Filexxxxxxx.xxxpredictiveMedium
30Filexxxx_xxxxxxx.xxxxpredictiveHigh
31Filexxxxxx.xpredictiveMedium
32Filexxxxxxxx.xxxpredictiveMedium
33Filexxxxxx.xxpredictiveMedium
34Filexxxxxxxxxxxx/xxx.xpredictiveHigh
35Filexxx_xxxxxxxxx.xpredictiveHigh
36Filexxxxxxx.xxxpredictiveMedium
37Filexxx_xxxx.xxxpredictiveMedium
38Filexxx_xxxxx_xxxx.xpredictiveHigh
39Filexxxxxxxxxxxxxx.xxxxxpredictiveHigh
40Filexxxxxxx.xxxpredictiveMedium
41Filexxxxxxx/xxxxpredictiveMedium
42Filexxx/xxxxx.xxxxpredictiveHigh
43Filexxxxxxx.xxxpredictiveMedium
44Filexxxxxxxxxxxxxxxxxxxxx.xxxxpredictiveHigh
45Filexxxxxxxx/xxx/xxxx_xxxxxxxxx/xxxx_xxxxxx_xxxxxxx/xxxx_xxxxxx_xxxxxxx.xxxpredictiveHigh
46Filexxxxxxxxxxxxxxxxxxxxx.xxxxpredictiveHigh
47Filexxxxxxxx_xxxxxxxxxxxx_xxxxxx.xxpredictiveHigh
48Filexxx_xxxxx_xxxxxxxxx.xpredictiveHigh
49Filexxxxxxxx/xxxx/xxxx.xxx?xxxxxx=xxxxxxxxxxxxxxxxpredictiveHigh
50Filexxxxxxxxxxxxxxx.xxxpredictiveHigh
51Filexxxxxxxx/xxxxxxxxxxxx-xxxxxxxxxxpredictiveHigh
52Filexxxxxx/xxxxxxx/xxxxxx/xxxxxxxx.xxxpredictiveHigh
53Filexxxx.xxxpredictiveMedium
54Filexxxxx.xxxpredictiveMedium
55Filexxx.xxxpredictiveLow
56Filexxx xxxx xxxxxxxpredictiveHigh
57Filexx-xxxxx/xxxxx-xxxxxx.xxxpredictiveHigh
58Filexx-xxxxxxxx/xxxxx-xx-xxxxx.xxxpredictiveHigh
59Filexx-xxxxxxxx/xxxx.xxxpredictiveHigh
60Filexxxxxx.xxx?xxxxxx=xxxxxxxxx.xxxx&xxxxxxxxxxx=xpredictiveHigh
61Libraryxxx-xx-xxx-xxxx-xxxx-xx-x-x.xxxpredictiveHigh
62Argument-xpredictiveLow
63ArgumentxxxxxxpredictiveLow
64ArgumentxxxxxxxxxxxxxxpredictiveHigh
65ArgumentxxxxxxpredictiveLow
66Argumentxxxxx$xxxxxxxxxxxxxx$xxxxxxxxxxxpredictiveHigh
67Argumentxxxxxx/xxxxxxxpredictiveHigh
68Argumentxxxxxxxx[xxxx_xxx]predictiveHigh
69ArgumentxxxxxxpredictiveLow
70Argumentxxxxxxx[xx_xxx_xxxx]predictiveHigh
71Argumentxxxxxxxx xxxx/xxxxxxxx xxxxxxxx/xxxxxxxx xxxxxxx xx/xxxxxxx/xxxxpredictiveHigh
72ArgumentxxpredictiveLow
73ArgumentxxxxxxxxxxxpredictiveMedium
74Argumentxxxxxxx_xxxxpredictiveMedium
75ArgumentxxxxpredictiveLow
76ArgumentxxxxxpredictiveLow
77ArgumentxxxxxxxxpredictiveMedium
78ArgumentxxxxxxxxxxpredictiveMedium
79Argumentxxxx_xxx_xxxxxxxx_xxxpredictiveHigh
80ArgumentxxxxxxxxxxxxxxxxpredictiveHigh
81ArgumentxxxxxxxpredictiveLow
82ArgumentxxxxxxxxpredictiveMedium
83ArgumentxxxxxxxxpredictiveMedium
84Argumentxxxx_xxpredictiveLow
85ArgumentxxpredictiveLow
86ArgumentxxxxxpredictiveLow
87Argumentxxxxx/xxxxxxxxpredictiveHigh
88ArgumentxxxxxpredictiveLow
89Argumentxxxxxx_xxxxxxpredictiveHigh
90Argumentxxxxx_xxxxxx_xxxxxxxxpredictiveHigh
91Argumentxx_xxx_xxxxxpredictiveMedium
92ArgumentxxxpredictiveLow
93ArgumentxxxxxpredictiveLow
94Input Value../predictiveLow
95Input Valuex!x@x#x$x%xpredictiveMedium
96Input Valuexxxx' xxxxx xxx xxxxxx xxxxxx(xxxxxx('xxxxx','xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'),'xxxxx'),xxxx,xxxx,xxxx,xxxx,xxxx,xxxx,xxxx,xxxx,xxxx,xxxx,xxxx,xxxx-- xxxx&xxxxxx=predictiveHigh
97Input Value\xpredictiveLow
98Patternxxxxxxx-xxxx|xx|predictiveHigh
99Pattern|xx xx xx xx|predictiveHigh
100Network Portxxxx/xxxxpredictiveMedium
101Network Portxxx/xxpredictiveLow
102Network Portxxx/xxxpredictiveLow
103Network Portxxx/xxxxpredictiveMedium
104Network Portxxx/xxxxpredictiveMedium

References (5)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Do you need the next level of professionalism?

Upgrade your account now!