GhostEmperor Analysis

IOB - Indicator of Behavior (399)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 280
zh: 108
ko: 4
de: 4
es: 2

Product

Microsoft Windows: 18
WordPress: 12
Oracle VM VirtualBox: 10
Linux Kernel: 8
Cisco IOS XE: 8

Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | jforum User input validation | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00289 | 0.04 | CVE-2019-7550 |
| 2 | ipTIME NAS-I Bulletin Manage unrestricted upload | 7.1 | 7.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00988 | 0.06 | CVE-2020-7847 |
| 3 | Cisco IOS XE hard-coded credentials | 8.5 | 8.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00366 | 0.00 | CVE-2018-0150 |
| 4 | Cisco Secure Access Control System EAP-FAST Authentication Module improper authentication | 9.8 | 9.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00503 | 0.04 | CVE-2013-3466 |
| 5 | Codoforum New Topic cross site scripting | 4.4 | 4.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00058 | 0.00 | CVE-2020-9007 |
| 6 | LogicBoard CMS away.php redirect | 6.3 | 6.1 | $0-$5k | $0-$5k | Not Defined | Unavailable | 0.00000 | 3.18 | |
| 7 | Oracle GlassFish Server Java Server Faces path traversal | 5.3 | 5.1 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.17496 | 0.04 | CVE-2013-3827 |
| 8 | Zoom On-Premise Meeting Connector Controller Network Proxy Page os command injection | 4.7 | 4.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00141 | 0.04 | CVE-2021-34414 |
| 9 | ThinkPHP index.php sql injection | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00179 | 0.05 | CVE-2018-10225 |
| 10 | KingView stgopenstorage API integer overflow | 6.5 | 6.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00044 | 0.00 | CVE-2018-7471 |
| 11 | Zoho ManageEngine ADManager Plus Privilege Escalation | 5.7 | 5.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00123 | 0.05 | CVE-2023-38743 |
| 12 | Palo Alto PAN-OS unknown vulnerability | 4.9 | 4.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00075 | 0.04 | CVE-2023-0004 |
| 13 | Serendipity exit.php privileges management | 6.3 | 6.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00000 | 0.18 | |
| 14 | spring-boot-actuator-logview LogViewEndpoint.view path traversal | 5.5 | 5.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00051 | 0.04 | CVE-2023-29986 |
| 15 | Ruby WEBrick request smuggling | 6.5 | 6.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00295 | 0.00 | CVE-2020-25613 |
| 16 | WEBrick Gem path traversal | 5.4 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00044 | 0.07 | CVE-2019-11879 |
| 17 | Synacor Zimbra Collaboration Memcache Command injection | 6.3 | 6.0 | $0-$5k | $0-$5k | High | Official Fix | 0.09665 | 0.05 | CVE-2022-27924 |
| 18 | PHPMailer validateAddress injection | 5.6 | 5.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00344 | 0.00 | CVE-2021-3603 |
| 19 | Dahua IPC-HX3XXX Data Packet improper authentication | 8.1 | 7.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.22563 | 0.04 | CVE-2021-33044 |
| 20 | Dahua IPC-HX3XXX Data Packet improper authentication | 8.1 | 7.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.05081 | 0.04 | CVE-2021-33045 |

IOC - Indicator of Compromise (8)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (17)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (128)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

References (3)

The following list contains external sources which discuss the actor and the associated activities:
