GandCrab 2.1 Analysis

IOB - Indicator of Behavior (198)


Lang

en: 188
de: 4
ru: 2
it: 2
es: 2


Product

Microsoft Windows: 8
Joomla CMS: 6
Apache HTTP Server: 6
phpMyAdmin: 4
WordPress: 4

Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | nginx request smuggling | 6.9 | 6.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00241 | 0.52 | CVE-2020-12440 |
| 2 | Apache HTTP Server HTTP Digest Authentication Challenge improper authentication | 8.5 | 8.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.01850 | 0.00 | CVE-2018-1312 |
| 3 | TVT Dvr Firmware path traversal | 7.5 | 7.1 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.04704 | 0.03 | CVE-2013-6023 |
| 4 | FreeBSD Ping pr_pack stack-based overflow | 6.9 | 6.8 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.07 | CVE-2022-23093 |
| 5 | Acme Mini HTTPd Terminal input validation | 5.3 | 4.8 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00338 | 0.03 | CVE-2009-4490 |
| 6 | Apache HTTP Server mod_rewrite redirect | 6.7 | 6.7 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00989 | 0.13 | CVE-2020-1927 |
| 7 | WordPress Press This class-wp-press-this.php information disclosure | 6.3 | 6.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00426 | 0.03 | CVE-2017-5610 |
| 8 | profanity weak prng | 5.0 | 5.0 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00114 | 0.00 | CVE-2022-40769 |
| 9 | Photocrati ecomm-sizes.php sql injection | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00081 | 0.04 | CVE-2015-2216 |
| 10 | Microsoft IIS uncpath cross site scripting | 5.2 | 5.0 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.31138 | 0.08 | CVE-2017-0055 |
| 11 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.03828 | 0.00 | CVE-2007-1192 |
| 12 | TP-LINK WR740N Wireless N Router HTTP Request denial of service | 7.5 | 6.8 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00000 | 0.00 | |
| 13 | Joomla CMS File Upload media.php input validation | 6.3 | 6.0 | $5k-$25k | $0-$5k | High | Official Fix | 0.77896 | 0.03 | CVE-2013-5576 |
| 14 | Copadata zenon zenAdminSrv.exe memory corruption | 7.3 | 7.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.02955 | 0.00 | CVE-2011-4533 |
| 15 | ClassCMS Article admin cross site scripting | 3.2 | 3.1 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00096 | 0.05 | CVE-2024-8145 |
| 16 | D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection | 8.7 | 8.3 | $5k-$25k | $0-$5k | Proof-of-Concept | Workaround | 0.16929 | 0.21 | CVE-2024-10914 |
| 17 | D-Link DNS-320L/DNS-325/DNS-327L/DNS-340L HTTP GET Request nas_sharing.cgi hard-coded credentials | 9.8 | 9.7 | $5k-$25k | $0-$5k | High | Workaround | 0.06257 | 0.03 | CVE-2024-3272 |
| 18 | Tenda i22 apPortalAuth formApPortalWebAuth buffer overflow | 9.1 | 8.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00294 | 0.00 | CVE-2024-7585 |
| 19 | TP-LINK WR1043ND V2 Management Web Interface improper authentication | 8.5 | 8.2 | $0-$5k | $0-$5k | Functional | Workaround | 0.02855 | 0.00 | CVE-2019-6971 |
| 20 | D-Link Good Line Router v2 HTTP GET Request devinfo information disclosure | 5.3 | 5.0 | $5k-$25k | $0-$5k | Proof-of-Concept | Not Defined | 0.00175 | 0.31 | CVE-2024-0717 |

IOC - Indicator of Compromise (8)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

| ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence |
|---|---|---|---|---|---|---|---|
| 1 | 37.143.160.70 | net1-customer70.adrana.ro | GandCrab 2.1 | | 04/26/2018 | verified | Low |
| 2 | 66.171.248.178 | api1.whatismyipaddress.com | GandCrab 2.1 | | 04/26/2018 | verified | Low |
| 3 | XX.XXX.XX.XX | | Xxxxxxxx X.x | | 04/26/2018 | verified | Low |
| 4 | XX.XXX.XXX.XXX | xx-xxx-xxx-xxx.xxxxxx.xx | Xxxxxxxx X.x | | 04/26/2018 | verified | Low |
| 5 | XXX.XX.XXX.XX | | Xxxxxxxx X.x | | 04/26/2018 | verified | Low |
| 6 | XXX.XXX.XX.XXX | xxxxxxx.xxxxxxxx.xxx | Xxxxxxxx X.x | | 04/26/2018 | verified | Low |
| 7 | XXX.XXX.XX.XXX | | Xxxxxxxx X.x | | 04/26/2018 | verified | Low |
| 8 | XXX.XXX.XX.XXX | | Xxxxxxxx X.x | | 04/26/2018 | verified | Low |

TTP - Tactics, Techniques, Procedures (15)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (84)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | /cgi-bin/account_mgr.cgi?cmd=cgi_user_add | predictive | High |
| 2 | File | /cgi-bin/nas_sharing.cgi | predictive | High |
| 3 | File | /devinfo | predictive | Medium |
| 4 | File | /etc/tomcat8/Catalina/attack | predictive | High |
| 5 | File | /ext/phar/phar_object.c | predictive | High |
| 6 | File | /goform/apPortalAuth | predictive | High |
| 7 | File | /inc/campaign/count_of_send.php | predictive | High |
| 8 | File | /index.php/admin | predictive | High |
| 9 | File | /rdms/admin/?page=user/manage_user | predictive | High |
| 10 | File | /TeleoptiWFM/Administration/GetOneTenant | predictive | High |
| 11 | File | /xxxxxxxxxxxx/xxx | predictive | High |
| 12 | File | /xxxxxxx/ | predictive | Medium |
| 13 | File | xxxxx/xxxxxx/xxxxxxx.xxx | predictive | High |
| 14 | File | xxxxx/xxx/xxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxx/xxxxx.xx | predictive | High |
| 15 | File | xxxxxxxxxxxxx/xxxxxxxxxx/xxx_xxxxx/xxxxxxx/xxxxx.xxx | predictive | High |
| 16 | File | xxxxxxx.xx | predictive | Medium |
| 17 | File | xxxxx.xxx | predictive | Medium |
| 18 | File | x:\xxxxxx | predictive | Medium |
| 19 | File | xxxxxx.xxx | predictive | Medium |
| 20 | File | xxx.xxx?xxxxxx=xxxxxxxxxxxxx&xxx=xx | predictive | High |
| 21 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive | High |
| 22 | File | xxxxxx.xxx | predictive | Medium |
| 23 | File | xxxxxxxxx/xxxx/xxxxxxxxxxxxxxxxxx.xx | predictive | High |
| 24 | File | xxxxx-xxxxx.xxx | predictive | High |
| 25 | File | xxxxxxx/xxxx-xxxxx-xxxxxx.xxx | predictive | High |
| 26 | File | xxxxxxx/xxxx-xxxxx-xxxxxx.xxx?xxxxxx=x | predictive | High |
| 27 | File | xxx/xxxx/xxx/xxxxx_xxxx.x | predictive | High |
| 28 | File | xxxx.x | predictive | Low |
| 29 | File | xxxx/xxxxxxxxxxxxx | predictive | High |
| 30 | File | xx/xxxxx_xxx.x | predictive | High |
| 31 | File | xxxx_xxx_xxxxxx_xxxxxxx.x | predictive | High |
| 32 | File | xxxxx.xxx | predictive | Medium |
| 33 | File | xx/xxxxxxx.x | predictive | Medium |
| 34 | File | xxxxxxx/xxxxxxx/xxx_xxxxxxx.x | predictive | High |
| 35 | File | xxxxx\xxxxxx_xxxx.xxx | predictive | High |
| 36 | File | xxxxxx_xxxxxx.xx | predictive | High |
| 37 | File | xxxxxxx/xxx-xxxx.xxx | predictive | High |
| 38 | File | xxxxxxxxxxx.xxx | predictive | High |
| 39 | File | xxxxxxxxx/xxxxxxxxxx | predictive | High |
| 40 | File | xxxxx.x | predictive | Low |
| 41 | File | xxxxxx.xxx | predictive | Medium |
| 42 | File | xxxxxxx/xxxxxxxxxxxx.xxx | predictive | High |
| 43 | File | xxxxx/xxxxx.xx | predictive | High |
| 44 | File | xxx-xxx/xxxx/xxxxxxxxxx.xxx | predictive | High |
| 45 | File | xxxxxxx.xxx | predictive | Medium |
| 46 | File | xx-xxxxx/xxxxxxxx/xxxxx-xx-xxxxx-xxxx.xxx | predictive | High |
| 47 | File | xx-xxxxx/xxxxx-xxxxxx.xxx | predictive | High |
| 48 | File | xx-xxxxxx.xxx | predictive | High |
| 49 | File | xx-xxxx.xxx | predictive | Medium |
| 50 | File | xx-xxxxxxxx/xxxxxxxxx.xxx | predictive | High |
| 51 | File | xxxxx-xxxxxx.xxx | predictive | High |
| 52 | File | xxxxxxxxxxx.xxx | predictive | High |
| 53 | Library | xxxxxxxxx/xxxx/xxxxxx/xxxxxx.xxxx.xxx.xxx | predictive | High |
| 54 | Library | xxxxx.xxx | predictive | Medium |
| 55 | Argument | ${xxx} | predictive | Low |
| 56 | Argument | .xxx.x.x.x.x.x.xx.x.x.x.x.x.x.x.x.x.x.x | predictive | High |
| 57 | Argument | xxxx | predictive | Low |
| 58 | Argument | xxxxxx | predictive | Low |
| 59 | Argument | xxxx_xx | predictive | Low |
| 60 | Argument | xxxxxx | predictive | Low |
| 61 | Argument | xxxxxxxxx | predictive | Medium |
| 62 | Argument | xxxxxx | predictive | Low |
| 63 | Argument | xxxxxxxxxxxx | predictive | Medium |
| 64 | Argument | xxxxxx_xxxxx_xxx | predictive | High |
| 65 | Argument | xxxx | predictive | Low |
| 66 | Argument | xx | predictive | Low |
| 67 | Argument | xxxxxxxxx | predictive | Medium |
| 68 | Argument | xxxxx | predictive | Low |
| 69 | Argument | xxxxx | predictive | Low |
| 70 | Argument | xxxx | predictive | Low |
| 71 | Argument | xxxxxxxx | predictive | Medium |
| 72 | Argument | xxxxxxxx | predictive | Medium |
| 73 | Argument | xxxxx | predictive | Low |
| 74 | Argument | xxxx_xx | predictive | Low |
| 75 | Argument | xxxxxx | predictive | Low |
| 76 | Argument | xxxxxx | predictive | Low |
| 77 | Argument | xxxxxxxxxxxxxxx | predictive | High |
| 78 | Argument | xxxxx | predictive | Low |
| 79 | Argument | xxxxxx | predictive | Low |
| 80 | Argument | xxxx | predictive | Low |
| 81 | Argument | xxxxxxxx/xxxx | predictive | High |
| 82 | Argument | xxxxxxxxxxx/xxxxxxxxxxxxxxx | predictive | High |
| 83 | Input Value | xxxxxxxxxx | predictive | Medium |
| 84 | Input Value | xxxxxx\|xxx\|xxxxxxx | predictive | High |
