Gootkit Analysisinfo

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (274)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Language

en232
ru14
de10
sv10
fr4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

US: USA154
RU: Russia46
CN: China30
GB: Great Britain14
IR: Iran6

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

Gootkit9
ISFB7
SharkBot6
Cobalt Strike5
Conti5

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined80
Content Management System24
Web Server16
Firewall Software10
Application Server Software8

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined70
Microsoft16
Joomla6
Apache4
Atlassian4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

nginx8
OpenSSH8
Microsoft Office6
SugarCRM6
Microsoft Exchange Server6

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

#VulnerabilityBaseTemp0dayTodayExpCouKEVEPSSCTICVE
1SugarCRM sql injection5.85.3$0-$5k$0-$5kProof-of-ConceptOfficial fix 0.011660.06CVE-2020-17373
2SourceCodester Alphaware Simple E-Commerce System sql injection7.06.8$0-$5k$0-$5kProof-of-ConceptNot defined 0.000450.05CVE-2023-1504
3nginx request smuggling6.96.9$0-$5k$0-$5kNot definedNot defined 0.000000.17CVE-2020-12440
4SugarCRM Emails sql injection7.57.4$0-$5k$0-$5kNot definedOfficial fix 0.003710.00CVE-2019-17319
5DZCP deV!L`z Clanportal config.php code injection7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial fix 0.009700.09CVE-2010-0966
6SugarCRM Configurator input validation5.95.8$0-$5k$0-$5kNot definedOfficial fix 0.005250.08CVE-2019-17306
7SugarCRM Administration sql injection7.57.4$0-$5k$0-$5kNot definedOfficial fix 0.003710.00CVE-2019-17298
8Bitcoin wallet.dat AES Encryption Padding missing encryption7.16.3$0-$5k$0-$5kNot definedOfficial fix 0.000000.15
9Kamailio SIP Invite Request buffer overflow6.66.6$0-$5k$0-$5kNot definedOfficial fix 0.000790.05CVE-2020-27507
10Fortinet FortiOS SSL-VPN out-of-bounds write9.89.7$100k and more$25k-$100kAttackedOfficial fixverified0.915350.03CVE-2024-21762
11Palo Alto Networks PAN-OS GlobalProtect command injection9.49.2$0-$5k$0-$5kAttackedOfficial fixverified0.942940.00CVE-2024-3400
12jQuery Property extend Pollution cross site scripting6.66.3$0-$5k$0-$5kProof-of-ConceptOfficial fix 0.020220.04CVE-2019-11358
13OpenSSH scp scp.c os command injection6.96.9$5k-$25k$5k-$25kNot definedUnavailablepossible0.661120.13CVE-2020-15778
14jQuery html cross site scripting5.95.8$0-$5k$0-$5kAttackedOfficial fixverified0.118000.03CVE-2020-11023
15Microweber controller.php information disclosure6.46.1$0-$5k$0-$5kNot definedOfficial fix 0.268660.00CVE-2020-13405
16Naviwebs Navigate CMS File Upload navigate_upload.php unrestricted upload7.17.0$0-$5k$0-$5kHighOfficial fixexpected0.806410.07CVE-2018-17553
17Sunny WebBox cross-site request forgery7.57.2$0-$5k$0-$5kProof-of-ConceptNot defined 0.001510.00CVE-2019-13529
18Microsoft IIS IP/Domain Restriction access control6.55.7$25k-$100k$0-$5kUnprovenOfficial fix 0.155470.03CVE-2014-4078
19AlienVault Open Source Security Information Management radar-iso27001-potential.php sql injection7.36.6$0-$5k$0-$5kProof-of-ConceptNot defined 0.003040.09CVE-2013-5967
20WordPress WP_Query class-wp-query.php sql injection8.58.4$5k-$25k$0-$5kProof-of-ConceptOfficial fix 0.088390.04CVE-2017-5611

IOC - Indicator of Compromise (14)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
131.214.157.14dev.neto-svedberg.comGootkit04/28/2022verifiedLow
231.214.157.162crm.tuxexpert.comGootkit04/28/2022verifiedLow
3109.230.199.13sw1-wg.celo.netGootkit04/28/2022verifiedLow
4XXX.XXX.XXX.XXXXxxxxxx04/28/2022verifiedLow
5XXX.XXX.XXX.XXXXxxxxxx04/28/2022verifiedLow
6XXX.XX.XXX.XXXxxxxxx04/28/2022verifiedLow
7XXX.XXX.XXX.XXXxxxxxxxxxxxxx.xxxxxxxx.xxxXxxxxxx04/28/2022verifiedLow
8XXX.XXX.XXX.XXxxxxxxxx.xxxxXxxxxxx04/28/2022verifiedLow
9XXX.XXX.XXX.XXXXxxxxxx04/28/2022verifiedLow
10XXX.XXX.XX.XXXXxxxxxx04/28/2022verifiedLow
11XXX.XXX.XX.XXXxxxxxx04/28/2022verifiedLow
12XXX.XX.XXX.XXxxxx.xxxxxxxxxxx.xxxXxxxxxx04/28/2022verifiedLow
13XXX.XX.XXX.XXXxxxxxxxx.xxxxxxxxxxxxxx.xxxXxxxxxx04/28/2022verifiedLow
14XXX.XX.XXX.XXXxxxxxx04/28/2022verifiedLow

TTP - Tactics, Techniques, Procedures (18)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-22Path TraversalpredictiveHigh
2T1040CAPEC-102CWE-319Authentication Bypass by Capture-replaypredictiveHigh
3T1055CAPEC-10CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
4T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
5TXXXX.XXXCAPEC-XXXCWE-XX, CWE-XXXxxxx Xxxxx Xxxx XxxxxxxxxpredictiveHigh
6TXXXXCAPEC-XXXCWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
7TXXXX.XXXCAPEC-XXXCWE-XXXXxxx-xxxxx XxxxxxxxxxxpredictiveHigh
8TXXXXCAPEC-XXXCWE-XX, CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
9TXXXX.XXXCAPEC-XXXCWE-XXXXxxx XxxxxxxxpredictiveHigh
10TXXXXCWE-XXX7xx Xxxxxxxx XxxxxxxxpredictiveHigh
11TXXXXCWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
12TXXXXCAPEC-XXXCWE-XXXxx XxxxxxxxxpredictiveHigh
13TXXXXCAPEC-XXCWE-XXX, CWE-XXXXxxxxxxxxxx XxxxxxxxxxpredictiveHigh
14TXXXX.XXXCAPEC-XXXCWE-XXXXxxxxxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
15TXXXXCAPEC-XXXCWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
16TXXXX.XXXCWE-XXXxxxxxxxxxxxxpredictiveHigh
17TXXXXCAPEC-XXXCWE-XXXXxxxxxxxxxxxx XxxxxxpredictiveHigh
18TXXXX.XXXCAPEC-XCWE-XXXXxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx XxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (86)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File.htaccesspredictiveMedium
2File/addnews.htmlpredictiveHigh
3File/api/runs/search/run/predictiveHigh
4File/cgi-bin/supervisor/PwdGrp.cgipredictiveHigh
5File/dental_form.phppredictiveHigh
6File/downloadpredictiveMedium
7File/secure/admin/ImporterFinishedPage.jspapredictiveHigh
8File/sp/ListSp.phppredictiveHigh
9File/uncpath/predictiveMedium
10File/_errorpredictiveLow
11File/_xxxxpredictiveLow
12Filexxx.xpredictiveLow
13Filexxxxx/xxxx.xxx?xxxx=xxxxxx_x&xxxx_xxxxpredictiveHigh
14Filexxxx-xxxx.xpredictiveMedium
15Filexxxx_xxx.xxxpredictiveMedium
16Filexxxxx.xxxpredictiveMedium
17Filexxxxxxxxxx/xxxxxx/xxxxxxxxx/xxxxxxxxxx/xxxxxxxxxx.xxxpredictiveHigh
18Filexxxx/xxxxxx/xxxx/xxxx_xxxxxxxx_xxxxx/xxxx_xxxxxxxx_xxxx_xxxx_xxxxxx/xxxx_xxxxxxxx_xxxx_xxxx_xxxxxx.xxxpredictiveHigh
19Filexxxxxxxx.xxxpredictiveMedium
20Filexxx/xxxxx/xxxxx.xpredictiveHigh
21Filexxxxxxxxxx/xxxxxxxxxxxxxxxx.xxxxxpredictiveHigh
22Filexxxxxx_xxxx.xxxpredictiveHigh
23Filexx-xxxxxxx/xxxxxxxpredictiveHigh
24Filexxxx.xxxpredictiveMedium
25Filexxx/xxxxxx.xxxpredictiveHigh
26Filexxxxx.xxxpredictiveMedium
27Filexxxxxxx_xxxx.xxxpredictiveHigh
28Filexxxxxxxx/xxxxxx-xxxx-xxxxxxxxx-xxxpredictiveHigh
29Filexxx?xxxx.xxxpredictiveMedium
30Filex_xxxxxxxx_xxxxxpredictiveHigh
31Filexxxxx/xxx_xxxxxxxxpredictiveHigh
32Filexxxxx/xxxxxxxxxpredictiveHigh
33Filexxxxxxxxxxx/xxxxx.xpredictiveHigh
34Filexxxx.xpredictiveLow
35Filexxxx.xxxpredictiveMedium
36Filexxxxxxxxxxxx.xxxxpredictiveHigh
37Filexxxxxxx/xxxxxxxxxxxxxxxxxx/xxxx_xxxxxx.xxxpredictiveHigh
38Filexxxxxxxx_xxxxxx.xxxpredictiveHigh
39Filexxx/xxxx/xxxxxxxxx/xx_xxx_xxxx_xxxxx_xxxx.xpredictiveHigh
40Filexxx_xxxxx.xpredictiveMedium
41Filexxxxx.xxxpredictiveMedium
42Filexxxxxxxx/xxx/xxxx_xxxxxxxxx/xxxx_xxxxxx_xxxxxxx/xxxx_xxxxxx_xxxxxxx.xxxpredictiveHigh
43Filexxxxxx.xpredictiveMedium
44Filexxxxxxxxxxxxx.xpredictiveHigh
45Filexxxxx-xxxxxxxx-xxxxxxxxx.xxxpredictiveHigh
46Filexxx_xxxxx_xxxxxxx.xpredictiveHigh
47Filexxxxxx_xxxx.xpredictiveHigh
48Filexxx.xpredictiveLow
49Filexxxx-xxxxxx.xpredictiveHigh
50Filexxxxxx/xxxxxxx/xxxxxx/xxxxxxxx.xxxpredictiveHigh
51Filexxxxx-xxxx.xxxpredictiveHigh
52Filexxxxxx.xxxpredictiveMedium
53Filexxxxxxxxx/xxxxxxx/xxxxx/xxxxxxxxxx/xxxxxxxxxx.xxxpredictiveHigh
54Filexxxx.xxxpredictiveMedium
55Filexxxxxx.xxxpredictiveMedium
56Filexx-xxxxx/xxxxx-xxxxxx.xxxpredictiveHigh
57Filexx-xxxxx/xxxxx.xxxpredictiveHigh
58Filexx-xxxxxxxx/xxxxx-xx-xxxxx.xxxpredictiveHigh
59Filexxxxxxx.xxxxpredictiveMedium
60Argument$xxxxx_xxxxxxxxxxpredictiveHigh
61ArgumentxxxxxxxxpredictiveMedium
62ArgumentxxxxxxxxxxpredictiveMedium
63ArgumentxxxpredictiveLow
64ArgumentxxxxxxxxxxxxxxxpredictiveHigh
65Argumentxxxx_xxxxpredictiveMedium
66ArgumentxxxxxxxxxxxpredictiveMedium
67Argumentxxxxx/xxxxxxxxpredictiveHigh
68ArgumentxxxxxxxxpredictiveMedium
69Argumentxxx_xxxxx_xxxx_xxxxxxxpredictiveHigh
70ArgumentxxpredictiveLow
71Argumentxx_xxxxxpredictiveMedium
72Argumentxxx_xxpredictiveLow
73Argumentxxx_xx/xxxxxx_xxpredictiveHigh
74Argumentx_xxxxxxxxpredictiveMedium
75Argumentxxxx_xxxxpredictiveMedium
76ArgumentxxxxxxxxpredictiveMedium
77ArgumentxxxxxxxpredictiveLow
78ArgumentxxxxpredictiveLow
79Argumentxxxxx_xxxx/xxxxx_xxxxxx/xxx_xxxx/xxx_xxxxxx/xxxxxxxxpredictiveHigh
80ArgumentxxxxxpredictiveLow
81Argumentxxxx-xxxxx/xxxxxxxpredictiveHigh
82Argumentxxxx/xx/xxxxpredictiveMedium
83ArgumentxxxxxpredictiveLow
84Input Valuexxx?xxxx.xxxpredictiveMedium
85Input Valuexxxxx%xxxxxx.xxx ' xxx (xxxxxx xxxx xxxx (xxxxxx(xxxxx(x)))xxxx) xxx 'xxxx'='xxxxpredictiveHigh
86Network Portxxx/xxpredictiveLow

References (2)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

This view requires CTI permissions

Just purchase a CTI license today!