Gootkit Analysis

IOB - Indicator of Behavior (199)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en174
de16
sv4
zh2
fr2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

us144
ru12
cn10
gb8
ir6

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

Gootkit9
Conti5
DanaBot2
FIN71
TrickBot1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined62
Application Server Software12
Content Management System8
Web Server8
Firewall Software8

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined36
Microsoft12
Apache8
Cobham6
Oracle4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Cobham Sea Tel4
WordPress4
Apache HTTP Server4
Apache Tomcat4
IBM WebSphere Message Broker4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemCTIEPSSCVE
1SugarCRM sql injection5.85.3$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.020.00890CVE-2020-17373
2SugarCRM Emails sql injection7.57.2$0-$5k$0-$5kNot DefinedOfficial Fix0.010.00885CVE-2019-17319
3DZCP deV!L`z Clanportal config.php code injection7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.840.04187CVE-2010-0966
4SugarCRM Configurator input validation5.95.7$0-$5k$0-$5kNot DefinedOfficial Fix0.010.00885CVE-2019-17306
5SugarCRM Administration sql injection7.57.2$0-$5k$0-$5kNot DefinedOfficial Fix0.030.00885CVE-2019-17298
6Microsoft IIS IP/Domain Restriction access control6.55.7$25k-$100k$0-$5kUnprovenOfficial Fix0.200.29797CVE-2014-4078
7AlienVault Open Source Security Information Management radar-iso27001-potential.php sql injection7.37.3$0-$5k$0-$5kProof-of-ConceptNot Defined0.010.00986CVE-2013-5967
8WordPress WP_Query class-wp-query.php sql injection8.58.4$5k-$25k$0-$5kProof-of-ConceptOfficial Fix0.020.01974CVE-2017-5611
9Siemens SIMATIC Drive Controller Service Port 102 memory corruption7.37.1$5k-$25k$5k-$25kNot DefinedWorkaround0.020.01136CVE-2020-15782
10Siemens SIMATIC S7-1200 PLC memory corruption7.57.5$5k-$25k$0-$5kNot DefinedNot Defined0.020.01055CVE-2013-0700
11SunHater KCFinder upload.php cross site scripting5.75.7$0-$5k$0-$5kNot DefinedNot Defined0.020.01055CVE-2019-14315
12Xerox WorkCentre input validation7.57.2$0-$5k$0-$5kNot DefinedOfficial Fix0.010.01156CVE-2018-20767
13Microsoft Exchange Server Mail memory corruption8.58.2$25k-$100k$5k-$25kNot DefinedOfficial Fix0.050.34599CVE-2018-8302
14sympa Reflected redirect5.24.9$0-$5k$0-$5kNot DefinedOfficial Fix0.020.01018CVE-2018-1000671
15SugarCRM ModuleBuilder input validation7.57.2$0-$5k$0-$5kNot DefinedOfficial Fix0.010.00885CVE-2019-17302
16SugarCRM cross site scripting4.44.3$0-$5k$0-$5kNot DefinedOfficial Fix0.010.00950CVE-2020-17372
17drf-jwt django-rest-framework-jwt improper authentication8.27.8$0-$5k$0-$5kNot DefinedOfficial Fix0.020.00954CVE-2020-10594
18Oracle Business Intelligence Enterprise Edition Analytics Server/Analytics Web General information disclosure5.95.7$5k-$25k$0-$5kNot DefinedOfficial Fix0.040.06217CVE-2019-1559
19Microsoft IIS FTP Command information disclosure5.34.8$5k-$25k$0-$5kProof-of-ConceptOfficial Fix0.030.29797CVE-2012-2532
20Squiz Matrix CMS page_remote_content.inc deserialization7.47.1$0-$5k$0-$5kNot DefinedOfficial Fix0.040.05634CVE-2019-19373

IOC - Indicator of Compromise (14)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsTypeConfidence
131.214.157.14dev.neto-svedberg.comGootkitverifiedHigh
231.214.157.162crm.tuxexpert.comGootkitverifiedHigh
3109.230.199.13sw1-wg.celo.netGootkitverifiedHigh
4XXX.XXX.XXX.XXXXxxxxxxverifiedHigh
5XXX.XXX.XXX.XXXXxxxxxxverifiedHigh
6XXX.XX.XXX.XXXxxxxxxverifiedHigh
7XXX.XXX.XXX.XXXxxxxxxxxxxxxx.xxxxxxxx.xxxXxxxxxxverifiedHigh
8XXX.XXX.XXX.XXxxxxxxxx.xxxxXxxxxxxverifiedHigh
9XXX.XXX.XXX.XXXXxxxxxxverifiedHigh
10XXX.XXX.XX.XXXXxxxxxxverifiedHigh
11XXX.XXX.XX.XXXxxxxxxverifiedHigh
12XXX.XX.XXX.XXxxxx.xxxxxxxxxxx.xxxXxxxxxxverifiedHigh
13XXX.XX.XXX.XXXxxxxxxxx.xxxxxxxxxxxxxx.xxxXxxxxxxverifiedHigh
14XXX.XX.XXX.XXXxxxxxxverifiedHigh

TTP - Tactics, Techniques, Procedures (15)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueVulnerabilitiesAccess VectorTypeConfidence
1T1006CWE-22Pathname TraversalpredictiveHigh
2T1055CWE-74InjectionpredictiveHigh
3T1059CWE-94Cross Site ScriptingpredictiveHigh
4TXXXX.XXXCWE-XX, CWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
5TXXXXCWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
6TXXXX.XXXCWE-XXXXxxxxxxx Xxxxxxxxxxx Xx Xxxxxxxxx Xxxxxxxxxxxxxx XxxxxxxxpredictiveHigh
7TXXXXCWE-XX, CWE-XXXxxxxxx XxxxxxxxxpredictiveHigh
8TXXXX.XXXCWE-XXXXxxx XxxxxxxxpredictiveHigh
9TXXXXCWE-XXX7xx Xxxxxxxx XxxxxxxxpredictiveHigh
10TXXXXCWE-XXXxx XxxxxxxxxpredictiveHigh
11TXXXXCWE-XXX, CWE-XXXXxx.xxx Xxxxxxxxxxxxxxxx: Xxxxxxxx Xx Xxxxxxxxxxxxx XxxxpredictiveHigh
12TXXXX.XXXCWE-XXXXxxxxxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
13TXXXXCWE-XXXXxxxxxxxxxxxxpredictiveHigh
14TXXXXCWE-XXXX2xx Xxxxxxxxxxxxxxxx: Xxxx Xxxxxxxxxxxx Xxxxxxx XxxxxxxxxxpredictiveHigh
15TXXXX.XXXCWE-XXXXxxxxxxxxxxx XxxxxxpredictiveHigh

IOA - Indicator of Attack (61)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File.htaccesspredictiveMedium
2File/addnews.htmlpredictiveHigh
3File/cgi-bin/supervisor/PwdGrp.cgipredictiveHigh
4File/downloadpredictiveMedium
5File/secure/admin/ImporterFinishedPage.jspapredictiveHigh
6File/uncpath/predictiveMedium
7File/_errorpredictiveLow
8File/_xxxxpredictiveLow
9Filexxxxx/xxxx.xxx?xxxx=xxxxxx_x&xxxx_xxxxpredictiveHigh
10Filexxxx-xxxx.xpredictiveMedium
11Filexxxx_xxx.xxxpredictiveMedium
12Filexxxxxxxxxx/xxxxxx/xxxxxxxxx/xxxxxxxxxx/xxxxxxxxxx.xxxpredictiveHigh
13Filexxxx/xxxxxx/xxxx/xxxx_xxxxxxxx_xxxxx/xxxx_xxxxxxxx_xxxx_xxxx_xxxxxx/xxxx_xxxxxxxx_xxxx_xxxx_xxxxxx.xxxpredictiveHigh
14Filexxxxxxxx.xxxpredictiveMedium
15Filexxxxxx_xxxx.xxxpredictiveHigh
16Filexx-xxxxxxx/xxxxxxxpredictiveHigh
17Filexxxx.xxxpredictiveMedium
18Filexxx/xxxxxx.xxxpredictiveHigh
19Filexxxxx.xxxpredictiveMedium
20Filexxxxxxxx/xxxxxx-xxxx-xxxxxxxxx-xxxpredictiveHigh
21Filex_xxxxxxxx_xxxxxpredictiveHigh
22Filexxxxx/xxx_xxxxxxxxpredictiveHigh
23Filexxxxx/xxxxxxxxxpredictiveHigh
24Filexxxxxxxxxxx/xxxxx.xpredictiveHigh
25Filexxxx.xxxpredictiveMedium
26Filexxxxxxxxxxxx.xxxxpredictiveHigh
27Filexxxxxxx/xxxxxxxxxxxxxxxxxx/xxxx_xxxxxx.xxxpredictiveHigh
28Filexxx/xxxx/xxxxxxxxx/xx_xxx_xxxx_xxxxx_xxxx.xpredictiveHigh
29Filexxx_xxxxx.xpredictiveMedium
30Filexxxxx.xxxpredictiveMedium
31Filexxxxxxxx/xxx/xxxx_xxxxxxxxx/xxxx_xxxxxx_xxxxxxx/xxxx_xxxxxx_xxxxxxx.xxxpredictiveHigh
32Filexxxxxx.xpredictiveMedium
33Filexxxxx-xxxxxxxx-xxxxxxxxx.xxxpredictiveHigh
34Filexxx_xxxxx_xxxxxxx.xpredictiveHigh
35Filexxxxxx_xxxx.xpredictiveHigh
36Filexxx.xpredictiveLow
37Filexxxxxx.xxxpredictiveMedium
38Filexxxx.xxxpredictiveMedium
39Filexxxxxx.xxxpredictiveMedium
40Filexx-xxxxx/xxxxx-xxxxxx.xxxpredictiveHigh
41Filexx-xxxxx/xxxxx.xxxpredictiveHigh
42Filexx-xxxxxxxx/xxxxx-xx-xxxxx.xxxpredictiveHigh
43Filexxxxxxx.xxxxpredictiveMedium
44ArgumentxxxxxxxxpredictiveMedium
45ArgumentxxxpredictiveLow
46ArgumentxxxxxxxxxxxxxxxpredictiveHigh
47Argumentxxxx_xxxxpredictiveMedium
48ArgumentxxxxxxxxxxxpredictiveMedium
49Argumentxxx_xxxxx_xxxx_xxxxxxxpredictiveHigh
50ArgumentxxpredictiveLow
51Argumentx_xxxxxxxxpredictiveMedium
52Argumentxxxx_xxxxpredictiveMedium
53ArgumentxxxxxxxxpredictiveMedium
54ArgumentxxxxxxxpredictiveLow
55ArgumentxxxxpredictiveLow
56Argumentxxxxx_xxxx/xxxxx_xxxxxx/xxx_xxxx/xxx_xxxxxx/xxxxxxxxpredictiveHigh
57ArgumentxxxxxpredictiveLow
58Argumentxxxx-xxxxx/xxxxxxxpredictiveHigh
59Argumentxxxx/xx/xxxxpredictiveMedium
60ArgumentxxxxxpredictiveLow
61Network Portxxx/xxpredictiveLow

References (2)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Interested in the pricing of exploits?

See the underground prices here!