GIMF Analysis

IOB - Indicator of Behavior (91)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en74
zh12
fr4
pl2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

la74
cn8
us6
ir4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

MATA2
Lazarus2
GIMF2
APT291
Dark Caracal1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined32
WordPress Plugin6
Router Operating System6
Content Management System6
Learning Management Software4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined36
Microsoft4
Adobe4
Cisco4
Liferay2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Moodle4
CodeIgniter4
Adobe ColdFusion4
Liferay Portal2
Liferay DXP2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemCTIEPSSCVE
1Microsoft Office Remote Code Execution7.06.1$5k-$25k$0-$5kUnprovenOfficial Fix0.010.01103CVE-2023-21735
2Alt-N MDaemon Worldclient injection4.94.7$5k-$25k$0-$5kNot DefinedOfficial Fix0.030.10855CVE-2021-27182
3CouchCMS mysql2i.func.php Path information disclosure3.33.3$0-$5k$0-$5kNot DefinedNot Defined0.010.00000CVE-2019-1010042
4Esri ArcGIS Server sql injection8.18.0$0-$5k$0-$5kNot DefinedOfficial Fix0.000.01055CVE-2021-29114
5TP-LINK TL-WR940N PingIframeRpm.htm ipAddrDispose memory corruption7.57.4$0-$5k$0-$5kNot DefinedWorkaround0.020.04891CVE-2019-6989
6JoomlaTune Com Jcomments admin.jcomments.php cross site scripting4.34.1$0-$5k$0-$5kProof-of-ConceptNot Defined0.020.02945CVE-2010-5048
7DZCP deV!L`z Clanportal config.php code injection7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.430.04187CVE-2010-0966
8Microsoft Exchange Server Privilege Escalation8.37.3$25k-$100k$5k-$25kUnprovenOfficial Fix0.030.00885CVE-2023-21764
9SalesForce Tableau Server Administration Agent path traversal8.08.0$0-$5k$0-$5kNot DefinedNot Defined0.010.01156CVE-2022-22128
10Strapi Admin Panel authorization5.65.3$0-$5k$0-$5kProof-of-ConceptNot Defined0.000.00890CVE-2021-28128
11Xampp Installation default permission6.36.1$0-$5k$0-$5kNot DefinedNot Defined0.050.01086CVE-2022-29376
12CodeIgniter DB_query_builder.php sql injection8.07.9$0-$5k$0-$5kNot DefinedNot Defined0.000.00885CVE-2022-40835
13ZZZCMS zzzphp File Upload unrestricted upload7.47.4$0-$5k$0-$5kNot DefinedNot Defined0.030.00885CVE-2019-16720
14M-Files Server/Web excessive authentication5.05.0$0-$5k$0-$5kNot DefinedOfficial Fix0.030.00885CVE-2021-41807
15Plesk Obsidian REST API commands cross-site request forgery4.34.3$0-$5k$0-$5kNot DefinedNot Defined0.020.00885CVE-2022-45130
16SAP BusinessObjects BI Platform Central Management Console/BI LaunchPad deserialization9.39.1$5k-$25k$5k-$25kNot DefinedOfficial Fix0.000.00885CVE-2022-41203
17Moodle Backup File Privilege Escalation8.07.9$5k-$25k$5k-$25kNot DefinedNot Defined0.020.01978CVE-2022-40314
18CodeIgniter HTTP Request input validation8.38.2$0-$5k$0-$5kNot DefinedOfficial Fix0.020.00885CVE-2022-24711
19Cisco FirePOWER Management Center sftunnel inadequate encryption5.95.6$5k-$25k$0-$5kNot DefinedOfficial Fix0.040.01055CVE-2020-3549
20Fusion Builder Plugin HTTP Request server-side request forgery5.55.3$0-$5k$0-$5kNot DefinedOfficial Fix0.010.00954CVE-2022-1386

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Cyber Jihad

IOC - Indicator of Compromise (5)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsTypeConfidence
1111.90.148.5server1.kamon.laGIMFCyber JihadverifiedHigh
2XXX.XX.XXX.XXXxxxxx.xx-xxx-xx-xxx.xxXxxxXxxxx XxxxxverifiedHigh
3XXX.XXX.XXX.XXXXxxxXxxxx XxxxxverifiedHigh
4XXX.XXX.XXX.XXxx.xxx-xxx-xxx.xxxxxx.xxxx.xxx.xxXxxxXxxxx XxxxxverifiedHigh
5XXX.XXX.XXX.XXXxxx.xxx-xxx-xxx.xxxxxx.xxxx.xxx.xxXxxxXxxxx XxxxxverifiedHigh

TTP - Tactics, Techniques, Procedures (14)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueVulnerabilitiesAccess VectorTypeConfidence
1T1006CWE-22Pathname TraversalpredictiveHigh
2T1055CWE-74InjectionpredictiveHigh
3T1059CWE-94Cross Site ScriptingpredictiveHigh
4TXXXX.XXXCWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
5TXXXXCWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
6TXXXX.XXXCWE-XXXXxxxxxxx Xxxxxxxxxxx Xx Xxxxxxxxx Xxxxxxxxxxxxxx XxxxxxxxpredictiveHigh
7TXXXXCWE-XXXxxxxxx XxxxxxxxxpredictiveHigh
8TXXXXCWE-XXX, CWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
9TXXXXCWE-XXXxx XxxxxxxxxpredictiveHigh
10TXXXX.XXXCWE-XXXXxxxxxxx XxxxxxxxxxxxxpredictiveHigh
11TXXXX.XXXCWE-XXXXxxxxxxxpredictiveHigh
12TXXXXCWE-XXXXxxxxxxxxxxxxpredictiveHigh
13TXXXXCWE-XXXX2xx Xxxxxxxxxxxxxxxx: Xxxx Xxxxxxxxxxxx Xxxxxxx XxxxxxxxxxpredictiveHigh
14TXXXX.XXXCWE-XXXXxxxxxxxxxxx XxxxxxpredictiveHigh

IOA - Indicator of Attack (54)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/admin/dl_sendmail.phppredictiveHigh
2File/api/v2/cli/commandspredictiveHigh
3File/spip.phppredictiveMedium
4Fileadmin.jcomments.phppredictiveHigh
5Fileapplication/modules/admin/views/ecommerce/products.phppredictiveHigh
6Filebase/ErrorHandler.phppredictiveHigh
7Fileblog.phppredictiveMedium
8Filexxx-xxx/xxxxxx.xxxpredictiveHigh
9Filexxxx-xxxxxx.xxxpredictiveHigh
10Filexxxx.xxxpredictiveMedium
11Filexxxxxxxxxx\xxxxxx\xxxxxxxxxxxxx.xxxpredictiveHigh
12Filexxx/xxxxxx.xxxpredictiveHigh
13Filexxxxxxxx/xxxxxxx/xxxxxxx.xxxx.xxxpredictiveHigh
14Filexxxxx.xxxpredictiveMedium
15Filexxxxx.xxx/xxxxxx.xxx/xxxxxxxxxxxxx.xxx/xxxxxxxx.xxxpredictiveHigh
16Filexxxxx.xxxpredictiveMedium
17Filexx_xxxx.xpredictiveMedium
18Filexxx/xxxx/xxxx_xxxxxxxxx.xpredictiveHigh
19Filexxxxxxxxxxxxx.xxxpredictiveHigh
20Filexxxxxxx/xxxxxxx/xxx/xxxxxxxxxx.xxx?xxxxxxxx=xxxx&xxxxxx=xxxxxxxxxxpredictiveHigh
21Filexxxx_xxxxxxx_xxxxxxxx.xxxpredictiveHigh
22Filexxxx_xxxxx.xxxxpredictiveHigh
23Filexxxxxx\xxxxxxxx\xx_xxxxx_xxxxxxx.xxxpredictiveHigh
24Filexxxxxxx.xxx.xx.xxxxxxxxxxx.xxxpredictiveHigh
25Filexxxx-xxxxx.xxxpredictiveHigh
26Filexxxxxx.xxxpredictiveMedium
27Filexxxxxxx-xxxxx.xxxpredictiveHigh
28Filexx-xxxxx-xxxxxx.xxxpredictiveHigh
29File~/xxx/xxxx-xxxxxxxxx.xxxpredictiveHigh
30File~/xxxxxxxx/xxxxx-xx-xxxxxxxxxx-xxxxxxxxx.xxxpredictiveHigh
31Libraryxxxxxx.xxxpredictiveMedium
32ArgumentxxxxxxxxpredictiveMedium
33Argumentxxx_xxx_xx_xxx_xxxxxxxxxx_xpredictiveHigh
34Argumentxxxxx_xxxxpredictiveMedium
35Argumentxxx_xxpredictiveLow
36ArgumentxxxpredictiveLow
37ArgumentxxxxxxxxxxxxxxxpredictiveHigh
38Argumentxxxxxxxxx_xxxxxxpredictiveHigh
39ArgumentxxxxxxxxxpredictiveMedium
40ArgumentxxxxpredictiveLow
41ArgumentxxxxxxxxpredictiveMedium
42Argumentxxxxxxx[xxxxxxx]predictiveHigh
43ArgumentxxpredictiveLow
44ArgumentxxxxpredictiveLow
45ArgumentxxxxpredictiveLow
46Argumentxxxxxx_xxxxxxpredictiveHigh
47Argumentxxxxxxxx_xxpredictiveMedium
48Argumentxxxxxx_xxxxxpredictiveMedium
49ArgumentxxxxxxxpredictiveLow
50ArgumentxxxpredictiveLow
51ArgumentxxxxxxxxpredictiveMedium
52Argument_xxx_xxxxxxxxxxx_predictiveHigh
53Input Valuexxxxxxxxx' xxx 'x'='xpredictiveHigh
54Network Portxxx/xxxxxpredictiveMedium

References (2)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Do you know our Splunk app?

Download it now for free!