Gootkit Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (254)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en218
ru16
sv8
de6
zh4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

us160
ru44
cn24
de6
gb4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

Gootkit8
Gozi7
SharkBot7
Conti5
Cobalt Strike4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined70
Web Server18
Content Management System16
Application Server Software10
Operating System10

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined64
Microsoft20
Squiz8
Cisco6
Apache6

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Microsoft IIS8
WordPress6
PHP6
Microsoft Windows6
SugarCRM6

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemCTIEPSSCVE
1SugarCRM sql injection5.85.3$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.020.00208CVE-2020-17373
2SourceCodester Alphaware Simple E-Commerce System sql injection7.06.8$0-$5k$0-$5kProof-of-ConceptNot Defined0.070.00152CVE-2023-1504
3nginx request smuggling6.96.9$0-$5k$0-$5kNot DefinedNot Defined0.260.00241CVE-2020-12440
4SugarCRM Emails sql injection7.57.4$0-$5k$0-$5kNot DefinedOfficial Fix0.000.00087CVE-2019-17319
5DZCP deV!L`z Clanportal config.php code injection7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.720.00943CVE-2010-0966
6SugarCRM Configurator input validation5.95.8$0-$5kCalculatingNot DefinedOfficial Fix0.000.00090CVE-2019-17306
7SugarCRM Administration sql injection7.57.4$0-$5k$0-$5kNot DefinedOfficial Fix0.070.00087CVE-2019-17298
8jQuery Property extend Pollution cross site scripting6.66.3$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.030.03625CVE-2019-11358
9OpenSSH scp scp.c os command injection6.46.4$25k-$100k$5k-$25kNot DefinedUnavailable0.030.00289CVE-2020-15778
10jQuery html cross site scripting5.85.1$0-$5k$0-$5kNot DefinedOfficial Fix0.030.01900CVE-2020-11023
11Microweber controller.php information disclosure6.46.1$0-$5k$0-$5kNot DefinedOfficial Fix0.030.01002CVE-2020-13405
12Naviwebs Navigate CMS File Upload navigate_upload.php unrestricted upload7.16.9$0-$5k$0-$5kHighOfficial Fix0.030.89749CVE-2018-17553
13Sunny WebBox cross-site request forgery7.57.5$0-$5k$0-$5kNot DefinedNot Defined0.010.00150CVE-2019-13529
14Microsoft IIS IP/Domain Restriction access control6.55.7$25k-$100k$0-$5kUnprovenOfficial Fix0.030.00817CVE-2014-4078
15AlienVault Open Source Security Information Management radar-iso27001-potential.php sql injection7.37.3$0-$5k$0-$5kProof-of-ConceptNot Defined0.000.00127CVE-2013-5967
16WordPress WP_Query class-wp-query.php sql injection8.58.4$5k-$25k$0-$5kProof-of-ConceptOfficial Fix0.020.00318CVE-2017-5611
17Siemens SIMATIC Drive Controller Service Port 102 memory corruption7.37.1$5k-$25k$5k-$25kNot DefinedWorkaround0.020.00526CVE-2020-15782
18Siemens SIMATIC S7-1200 PLC memory corruption7.57.5$5k-$25k$0-$5kNot DefinedNot Defined0.020.00261CVE-2013-0700
19SunHater KCFinder upload.php cross site scripting5.75.7$0-$5k$0-$5kNot DefinedNot Defined0.040.00131CVE-2019-14315
20Xerox WorkCentre input validation7.57.2$0-$5k$0-$5kNot DefinedOfficial Fix0.000.00117CVE-2018-20767

IOC - Indicator of Compromise (14)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
131.214.157.14dev.neto-svedberg.comGootkit04/28/2022verifiedHigh
231.214.157.162crm.tuxexpert.comGootkit04/28/2022verifiedHigh
3109.230.199.13sw1-wg.celo.netGootkit04/28/2022verifiedHigh
4XXX.XXX.XXX.XXXXxxxxxx04/28/2022verifiedHigh
5XXX.XXX.XXX.XXXXxxxxxx04/28/2022verifiedHigh
6XXX.XX.XXX.XXXxxxxxx04/28/2022verifiedHigh
7XXX.XXX.XXX.XXXxxxxxxxxxxxxx.xxxxxxxx.xxxXxxxxxx04/28/2022verifiedHigh
8XXX.XXX.XXX.XXxxxxxxxx.xxxxXxxxxxx04/28/2022verifiedHigh
9XXX.XXX.XXX.XXXXxxxxxx04/28/2022verifiedHigh
10XXX.XXX.XX.XXXXxxxxxx04/28/2022verifiedHigh
11XXX.XXX.XX.XXXxxxxxx04/28/2022verifiedHigh
12XXX.XX.XXX.XXxxxx.xxxxxxxxxxx.xxxXxxxxxx04/28/2022verifiedHigh
13XXX.XX.XXX.XXXxxxxxxxx.xxxxxxxxxxxxxx.xxxXxxxxxx04/28/2022verifiedHigh
14XXX.XX.XXX.XXXxxxxxx04/28/2022verifiedHigh

TTP - Tactics, Techniques, Procedures (18)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueVulnerabilitiesAccess VectorTypeConfidence
1T1006CWE-22Path TraversalpredictiveHigh
2T1040CWE-319Authentication Bypass by Capture-replaypredictiveHigh
3T1055CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
4T1059CWE-94Argument InjectionpredictiveHigh
5TXXXX.XXXCWE-XX, CWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
6TXXXXCWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
7TXXXX.XXXCWE-XXXXxxx-xxxxx XxxxxxxxxxxpredictiveHigh
8TXXXXCWE-XX, CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
9TXXXX.XXXCWE-XXXXxxx XxxxxxxxpredictiveHigh
10TXXXXCWE-XXX7xx Xxxxxxxx XxxxxxxxpredictiveHigh
11TXXXXCWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
12TXXXXCWE-XXXxx XxxxxxxxxpredictiveHigh
13TXXXXCWE-XXX, CWE-XXXXxxxxxxxxxx XxxxxxxxxxpredictiveHigh
14TXXXX.XXXCWE-XXXXxxxxxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
15TXXXXCWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
16TXXXX.XXXCWE-XXXxxxxxxxxxxxxpredictiveHigh
17TXXXXCWE-XXXXxxxxxxxxxxxx XxxxxxpredictiveHigh
18TXXXX.XXXCWE-XXXXxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx XxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (76)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File.htaccesspredictiveMedium
2File/addnews.htmlpredictiveHigh
3File/cgi-bin/supervisor/PwdGrp.cgipredictiveHigh
4File/downloadpredictiveMedium
5File/secure/admin/ImporterFinishedPage.jspapredictiveHigh
6File/uncpath/predictiveMedium
7File/_errorpredictiveLow
8File/_nextpredictiveLow
9Fileacl.cpredictiveLow
10Filexxxxx/xxxx.xxx?xxxx=xxxxxx_x&xxxx_xxxxpredictiveHigh
11Filexxxx-xxxx.xpredictiveMedium
12Filexxxx_xxx.xxxpredictiveMedium
13Filexxxxx.xxxpredictiveMedium
14Filexxxxxxxxxx/xxxxxx/xxxxxxxxx/xxxxxxxxxx/xxxxxxxxxx.xxxpredictiveHigh
15Filexxxx/xxxxxx/xxxx/xxxx_xxxxxxxx_xxxxx/xxxx_xxxxxxxx_xxxx_xxxx_xxxxxx/xxxx_xxxxxxxx_xxxx_xxxx_xxxxxx.xxxpredictiveHigh
16Filexxxxxxxx.xxxpredictiveMedium
17Filexxx/xxxxx/xxxxx.xpredictiveHigh
18Filexxxxxx_xxxx.xxxpredictiveHigh
19Filexx-xxxxxxx/xxxxxxxpredictiveHigh
20Filexxxx.xxxpredictiveMedium
21Filexxx/xxxxxx.xxxpredictiveHigh
22Filexxxxx.xxxpredictiveMedium
23Filexxxxxxxx/xxxxxx-xxxx-xxxxxxxxx-xxxpredictiveHigh
24Filexxx?xxxx.xxxpredictiveMedium
25Filex_xxxxxxxx_xxxxxpredictiveHigh
26Filexxxxx/xxx_xxxxxxxxpredictiveHigh
27Filexxxxx/xxxxxxxxxpredictiveHigh
28Filexxxxxxxxxxx/xxxxx.xpredictiveHigh
29Filexxxx.xpredictiveLow
30Filexxxx.xxxpredictiveMedium
31Filexxxxxxxxxxxx.xxxxpredictiveHigh
32Filexxxxxxx/xxxxxxxxxxxxxxxxxx/xxxx_xxxxxx.xxxpredictiveHigh
33Filexxxxxxxx_xxxxxx.xxxpredictiveHigh
34Filexxx/xxxx/xxxxxxxxx/xx_xxx_xxxx_xxxxx_xxxx.xpredictiveHigh
35Filexxx_xxxxx.xpredictiveMedium
36Filexxxxx.xxxpredictiveMedium
37Filexxxxxxxx/xxx/xxxx_xxxxxxxxx/xxxx_xxxxxx_xxxxxxx/xxxx_xxxxxx_xxxxxxx.xxxpredictiveHigh
38Filexxxxxx.xpredictiveMedium
39Filexxxxxxxxxxxxx.xpredictiveHigh
40Filexxxxx-xxxxxxxx-xxxxxxxxx.xxxpredictiveHigh
41Filexxx_xxxxx_xxxxxxx.xpredictiveHigh
42Filexxxxxx_xxxx.xpredictiveHigh
43Filexxx.xpredictiveLow
44Filexxxx-xxxxxx.xpredictiveHigh
45Filexxxxx-xxxx.xxxpredictiveHigh
46Filexxxxxx.xxxpredictiveMedium
47Filexxxxxxxxx/xxxxxxx/xxxxx/xxxxxxxxxx/xxxxxxxxxx.xxxpredictiveHigh
48Filexxxx.xxxpredictiveMedium
49Filexxxxxx.xxxpredictiveMedium
50Filexx-xxxxx/xxxxx-xxxxxx.xxxpredictiveHigh
51Filexx-xxxxx/xxxxx.xxxpredictiveHigh
52Filexx-xxxxxxxx/xxxxx-xx-xxxxx.xxxpredictiveHigh
53Filexxxxxxx.xxxxpredictiveMedium
54Argument$xxxxx_xxxxxxxxxxpredictiveHigh
55ArgumentxxxxxxxxpredictiveMedium
56ArgumentxxxxxxxxxxpredictiveMedium
57ArgumentxxxpredictiveLow
58ArgumentxxxxxxxxxxxxxxxpredictiveHigh
59Argumentxxxx_xxxxpredictiveMedium
60ArgumentxxxxxxxxxxxpredictiveMedium
61Argumentxxxxx/xxxxxxxxpredictiveHigh
62Argumentxxx_xxxxx_xxxx_xxxxxxxpredictiveHigh
63ArgumentxxpredictiveLow
64Argumentx_xxxxxxxxpredictiveMedium
65Argumentxxxx_xxxxpredictiveMedium
66ArgumentxxxxxxxxpredictiveMedium
67ArgumentxxxxxxxpredictiveLow
68ArgumentxxxxpredictiveLow
69Argumentxxxxx_xxxx/xxxxx_xxxxxx/xxx_xxxx/xxx_xxxxxx/xxxxxxxxpredictiveHigh
70ArgumentxxxxxpredictiveLow
71Argumentxxxx-xxxxx/xxxxxxxpredictiveHigh
72Argumentxxxx/xx/xxxxpredictiveMedium
73ArgumentxxxxxpredictiveLow
74Input Valuexxx?xxxx.xxxpredictiveMedium
75Input Valuexxxxx%xxxxxx.xxx ' xxx (xxxxxx xxxx xxxx (xxxxxx(xxxxx(x)))xxxx) xxx 'xxxx'='xxxxpredictiveHigh
76Network Portxxx/xxpredictiveLow

References (2)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Do you want to use VulDB in your project?

Use the official API to access entries easily!