Gozi Analysis

IOB - Indicator of Behavior (16)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en	14
it	2

Country

us	8
dk	6
ru	2

Actors

Gozi	2
Emotet	1
TrickBot	1

Activities

Interest

Timeline

Type

Web Server	4
Not Defined	4
WordPress Plugin	2
Smartphone Operating System	2
Bug Tracking Software	2

Vendor

Ashley Brown	2
IBM	2
Apache	2
Fujitsu	2
Not Defined	2

Product

Ashley Brown iWeb Server	2
IBM Security AppScan Enterprise	2
Apache HTTP Server	2
Fujitsu PaperStream IP	2
social-warfare Plugin	2

Vulnerabilities

#	Vulnerability	Base	Temp	0day	Today	Exp	Rem	CTI	EPSS	CVE
1	Atlassian JIRA Server Issue Key ActionsAndOperations permission	5.3	5.1	$0-$5k	$0-$5k	Not Defined	Official Fix	0.02	0.01055	CVE-2020-14185
2	Atlassian JIRA Server/Data Center Global Permissions Screen information disclosure	6.4	6.1	$0-$5k	Calculating	Not Defined	Official Fix	0.01	0.01055	CVE-2019-20898
3	Atlassian JIRA Server/Data Center createshared authorization	4.3	4.1	$0-$5k	$0-$5k	Not Defined	Official Fix	0.07	0.01055	CVE-2020-4029
4	Fujitsu PaperStream IP FJTWSVIC Service UninOldIS.dll ChangeUninstallString untrusted search path	8.1	8.1	$0-$5k	$0-$5k	Not Defined	Not Defined	0.08	0.03254	CVE-2018-16156
5	Ashley Brown iWeb Server HTTP Request path traversal	5.3	5.3	$0-$5k	$0-$5k	Not Defined	Not Defined	0.03	0.01055	CVE-2003-0474
6	Samba mount.cifs access control	4.0	3.8	$0-$5k	Calculating	Not Defined	Official Fix	0.04	0.01547	CVE-2009-2948
7	Apple iOS Foundation out-of-bounds	8.5	8.2	$100k and more	$5k-$25k	Not Defined	Official Fix	0.04	0.34789	CVE-2019-8641
8	Apache HTTP Server suEXEC Feature .htaccess information disclosure	5.3	5.0	$5k-$25k	$0-$5k	Proof-of-Concept	Workaround	0.02	0.00000
9	social-warfare Plugin Stored cross site scripting	5.2	4.8	$0-$5k	$0-$5k	Functional	Official Fix	0.01	0.55361	CVE-2019-9978
10	Joomla CMS Installation information disclosure	5.3	5.3	$5k-$25k	$0-$5k	Not Defined	Not Defined	0.03	0.01055	CVE-2012-3829
11	Joomla CMS sql injection	7.3	6.9	$5k-$25k	$0-$5k	Proof-of-Concept	Not Defined	0.03	0.00986	CVE-2013-1453
12	PHPNetToolpack os command injection	9.8	9.8	$0-$5k	$0-$5k	Not Defined	Not Defined	0.02	0.06523	CVE-2002-0471
13	Microsoft IIS IP/Domain Restriction access control	6.5	5.7	$25k-$100k	$0-$5k	Unproven	Official Fix	0.11	0.29797	CVE-2014-4078
14	IBM Security AppScan Enterprise Enterprise Source Database cryptographic issues	9.8	8.5	$5k-$25k	Calculating	Unproven	Official Fix	0.05	0.01055	CVE-2013-3989
15	Virtual Programming VP-ASP shoprestoreorder.asp denial of service	5.3	4.6	$0-$5k	$0-$5k	Unproven	Official Fix	0.02	0.01319	CVE-2004-2164

IOC - Indicator of Compromise (4)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

ID	IP address	Hostname	Actor	Type	Confidence
1	51.15.98.97	97-98-15-51.instances.scw.cloud	Gozi	verified	High
2	XXX.XXX.XXX.XXX	xxx-xxx-xxx-xxx.xx.xxxxxxxxxxxxxxxxx.xxx	Xxxx	verified	High
3	XXX.XX.XXX.XXX	xxx-xxx-xx-xxx-xxx.xxxxxxxxx.xxx	Xxxx	verified	High
4	XXX.XXX.XX.XX		Xxxx	verified	High

TTP - Tactics, Techniques, Procedures (9)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Vulnerabilities	Access Vector	Type	Confidence
1	T1006	CWE-22	Pathname Traversal	predictive	High
2	T1059.007	CWE-79	Cross Site Scripting	predictive	High
3	TXXXX	CWE-XXX	Xxxxxxxxx Xxxx Xxxxxxxxxxx Xxxxxxxxxx	predictive	High
4	TXXXX	CWE-XX	Xxxxxxx Xxxxxxxxx	predictive	High
5	TXXXX	CWE-XXX	Xxxxxxxxxx Xxxxxx	predictive	High
6	TXXXX	CWE-XX	Xxx Xxxxxxxxx	predictive	High
7	TXXXX	CWE-XXX	Xxxxxxxxx Xxxxxx Xxxx	predictive	High
8	TXXXX	CWE-XXX	Xxxxxxxxxxxxx	predictive	High
9	TXXXX	CWE-XXX	X2xx Xxxxxxxxxxxxxxxx: Xxxx Xxxxxxxxxxxx Xxxxxxx Xxxxxxxxxx	predictive	High

IOA - Indicator of Attack (12)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID	Class	Indicator	Type	Confidence
1	File	.htaccess	predictive	Medium
2	File	/rest/project-templates/1.0/createshared	predictive	High
3	File	xxxxxxxxxxxxxxxxxxxx	predictive	High
4	File	xxxxx.xxxx	predictive	Medium
5	File	xxxxxxxxxxxxxxxx.xxx	predictive	High
6	File	xx-xxxxx/xxxxx-xxxx.xxx?xxx_xxxxx=xxxx_xxxxxxx	predictive	High
7	Library	xxxxxxxxx.xxx	predictive	High
8	Argument	--xxxxxxx	predictive	Medium
9	Argument	x_xxxxx	predictive	Low
10	Argument	xxxxxxxxx	predictive	Medium
11	Argument	xxxx	predictive	Low
12	Argument	xxx_xxx	predictive	Low

References (2)

The following list contains external sources which discuss the actor and the associated activities:

◂ PreviousOverviewNext ▸

Interested in the pricing of exploits?

See the underground prices here!