Grandoreiro Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (261)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en	238
es	14
it	4
pt	4
zh	2

Country

us	26
es	10
cn	2
pt	2
it	2

Actors

Grandoreiro	6
Wocao	1
APT34	1
BianLian	1
Responder	1

Activities

Interest

Timeline

Type

Not Defined	18
Web Server	12
Content Management System	4
Firewall Software	4
Reporting Software	2

Vendor

Not Defined	18
Apache	8
Cisco	2
SAS	2
AMI	2

Product

Apache HTTP Server	8
HTML Include	2
Replace Macro Plugin	2
Cisco HyperFlex Software	2
SAS Web Report Studio	2

Vulnerabilities

#	Vulnerability	Base	Temp	0day	Today	Exp	Rem	CTI	EPSS	CVE
1	SOCKS 5 Proxy Config privileges management	7.3	7.1	$0-$5k	$0-$5k	Not Defined	Workaround	0.05	0.00000
2	nginx request smuggling	6.9	6.9	$0-$5k	$0-$5k	Not Defined	Not Defined	4.61	0.00000	CVE-2020-12440
3	PHP GD Extension imageloadfont buffer size	6.4	6.3	$5k-$25k	$0-$5k	Not Defined	Official Fix	0.07	0.00052	CVE-2022-31630
4	OrangeScrum AWS Credential cross site scripting	5.9	5.9	$0-$5k	$0-$5k	Not Defined	Not Defined	0.03	0.00049	CVE-2023-1783
5	Apache HTTP Server mod_auth_digest stack-based overflow	5.6	5.4	$25k-$100k	$5k-$25k	Not Defined	Official Fix	0.07	0.00632	CVE-2020-35452
6	Oracle HTTP Server OSSL Module server-side request forgery	9.0	8.8	$5k-$25k	$0-$5k	Not Defined	Official Fix	0.04	0.97515	CVE-2021-40438
7	Apache HTTP Server mod_proxy server-side request forgery	7.3	7.3	$25k-$100k	$25k-$100k	Not Defined	Not Defined	0.09	0.97515	CVE-2021-40438
8	Apache HTTP Server MPM Event Worker access control	6.5	6.4	$5k-$25k	$0-$5k	Proof-of-Concept	Not Defined	0.03	0.97436	CVE-2019-0211
9	Apache HTTP Server mod_proxy_uwsgi buffer overflow	8.5	8.5	$25k-$100k	$5k-$25k	Not Defined	Not Defined	0.13	0.01081	CVE-2020-11984
10	Apache HTTP Server ap_escape_quotes buffer overflow	5.6	5.6	$25k-$100k	$25k-$100k	Not Defined	Not Defined	0.00	0.03739	CVE-2021-39275
11	HPE iLO 4 privileges management	9.9	9.4	$25k-$100k	$0-$5k	High	Official Fix	0.03	0.97377	CVE-2017-12542
12	AMI Megarac API password recovery	7.4	7.4	$0-$5k	$0-$5k	Not Defined	Not Defined	0.04	0.00091	CVE-2022-26872
13	Docmint CMS file inclusion	5.6	4.9	$0-$5k	$0-$5k	Proof-of-Concept	Unavailable	0.04	0.36664	CVE-2006-5240
14	Smartisoft phpBazar classified_right.php file inclusion	6.5	6.2	$0-$5k	$0-$5k	Proof-of-Concept	Unavailable	0.03	0.00937	CVE-2006-2528
15	F5 BIG-IP iControl REST Authentication bash missing authentication	9.8	9.3	$5k-$25k	$0-$5k	Proof-of-Concept	Official Fix	0.07	0.97480	CVE-2022-1388
16	Docmint index.php cross site scripting	4.3	4.1	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.06	0.03319	CVE-2010-0319
17	DZCP deV!L`z Clanportal browser.php information disclosure	5.3	5.0	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.19	0.02257	CVE-2007-1167
18	SAS Web Report Studio javascript: URL logonAndRender.do cross site scripting	3.5	3.4	$0-$5k	$0-$5k	Not Defined	Not Defined	0.04	0.00089	CVE-2022-25256
19	Pre News Manager news_detail.php sql injection	6.3	6.0	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.04	0.00000
20	Host Web Server phpinfo.php phpinfo information disclosure	5.3	5.2	$5k-$25k	$0-$5k	Not Defined	Workaround	0.03	0.00000

IOC - Indicator of Compromise (14)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

ID	IP address	Hostname	Actor	Identified	Type	Confidence
1	15.188.63.127	ec2-15-188-63-127.eu-west-3.compute.amazonaws.com	Grandoreiro	08/23/2022	verified	Medium
2	15.228.57.146	ec2-15-228-57-146.sa-east-1.compute.amazonaws.com	Grandoreiro	06/19/2023	verified	Medium
3	15.228.233.242	ec2-15-228-233-242.sa-east-1.compute.amazonaws.com	Grandoreiro	06/19/2023	verified	Medium
4	XX.XXX.XX.XXX	xxx-xx-xxx-xx-xxx.xx-xxxx-x.xxxxxxx.xxxxxxxxx.xxx	Xxxxxxxxxxx	06/19/2023	verified	Medium
5	XX.XXX.XXX.XX	xxx-xx-xxx-xxx-xx.xx-xxxx-x.xxxxxxx.xxxxxxxxx.xxx	Xxxxxxxxxxx	06/19/2023	verified	Medium
6	XX.XXX.XXX.XX	xxx-xx-xxx-xxx-xx.xx-xxxx-x.xxxxxxx.xxxxxxxxx.xxx	Xxxxxxxxxxx	08/23/2022	verified	Medium
7	XX.XXX.XX.XXX	xxx-xx-xxx-xx-xxx.xx-xxxx-x.xxxxxxx.xxxxxxxxx.xxx	Xxxxxxxxxxx	08/23/2022	verified	Medium
8	XX.XX.XXX.XX	xxx-xxxxxxxx.xxx.xxx.xxx	Xxxxxxxxxxx	01/29/2023	verified	High
9	XX.XX.XX.XXX	xxx-xx-xx-xx-xxx.xx-xxxx-x.xxxxxxx.xxxxxxxxx.xxx	Xxxxxxxxxxx	08/23/2022	verified	Medium
10	XX.XXX.XX.XX	xxx-xx-xxx-xx-xx.xx-xxxx-x.xxxxxxx.xxxxxxxxx.xxx	Xxxxxxxxxxx	08/23/2022	verified	Medium
11	XXX.XXX.XXX.XXX	xxxxx.xx-xxx-xxx-xxx.xxx	Xxxxxxxxxxx	08/23/2022	verified	High
12	XXX.XX.XXX.XXX	xx.xxxxxxx.xxxx	Xxxxxxxxxxx	04/16/2021	verified	High
13	XXX.XXX.XXX.XXX		Xxxxxxxxxxx	11/22/2022	verified	High
14	XXX.XX.X.XXX	xxxxx.xx-xxx-xx-x.xxx	Xxxxxxxxxxx	11/22/2022	verified	High

TTP - Tactics, Techniques, Procedures (10)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Vulnerabilities	Access Vector	Type	Confidence
1	T1006	CWE-22	Pathname Traversal	predictive	High
2	T1055	CWE-74	Injection	predictive	High
3	TXXXX	CWE-XX	Xxxxx Xxxx Xxxxxxxxx	predictive	High
4	TXXXX.XXX	CWE-XX	Xxxxx Xxxx Xxxxxxxxx	predictive	High
5	TXXXX	CWE-XXX, CWE-XXX, CWE-XXX	X2xx Xxxxxxxxxxxxxxxx: Xxxx Xxxxxx Xxxxxxxxxxx Xxx Xxx Xxxxxxx	predictive	High
6	TXXXX.XXX	CWE-XXX	Xxxx Xxxxxxxx	predictive	High
7	TXXXX	CWE-XX	Xxx Xxxxxxxxx	predictive	High
8	TXXXX	CWE-XXX	Xxx.xxx Xxxxxxxxxxxxxxxx: Xxxxxxxx Xx Xxxxxxxxxxxxx Xxxx	predictive	High
9	TXXXX	CWE-XXX	Xxxxxxxxxxxxx	predictive	High
10	TXXXX.XXX	CWE-XXX	Xxxxxxxxxxxx Xxxxxx	predictive	High

IOA - Indicator of Attack (36)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID	Class	Indicator	Type	Confidence
1	File	/cgi-bin/wapopen	predictive	High
2	File	/mgmt/tm/util/bash	predictive	High
3	File	/SASWebReportStudio/logonAndRender.do	predictive	High
4	File	/uncpath/	predictive	Medium
5	File	account/login.php	predictive	High
6	File	xxxxx/xxx/xxxxxxx/xxx/xxxx.xxx	predictive	High
7	File	xxxxxxxxxx_xxxxx.xxx	predictive	High
8	File	xxxxxxxxx_xxxxxxx.xxx	predictive	High
9	File	xxxxxxxx.xxx	predictive	Medium
10	File	xxxx_xxxx.x	predictive	Medium
11	File	xxx/xxxxxxxxxxx/xxxxxxx.xxx	predictive	High
12	File	xxxxx.xxx	predictive	Medium
13	File	xxxx.xxxx	predictive	Medium
14	File	xxxx_xxxxxx.xxx	predictive	High
15	File	xxxxxxx.xxx	predictive	Medium
16	File	xxxx.xxx	predictive	Medium
17	File	xxxxxxx.xxx	predictive	Medium
18	File	xxxxx/xxxxxxx.x	predictive	High
19	Argument	xxxxxxxxxxx	predictive	Medium
20	Argument	xxxxx_xxxxx_xxx	predictive	High
21	Argument	xxxxxxx_xx	predictive	Medium
22	Argument	xxxxxx	predictive	Low
23	Argument	xxxx	predictive	Low
24	Argument	xxxxxxxxxx	predictive	Medium
25	Argument	xxxxxxx[xx_xxx_xxxx]	predictive	High
26	Argument	xx	predictive	Low
27	Argument	xxxxxxxxxxxxxx	predictive	High
28	Argument	xxxxxxxx_xxx	predictive	Medium
29	Argument	xx_xxx[xxxx_xxxxxx_xxx]	predictive	High
30	Argument	xxxxxx_xxxxxxx_xxxxxxxxx_xxxx/xxxxxx_xxxxxxx_xxxxxxx_xxxx	predictive	High
31	Argument	xxxxxx	predictive	Low
32	Argument	xxxxxxxx	predictive	Medium
33	Argument	\xxx\	predictive	Low
34	Input Value	../..	predictive	Low
35	Input Value	xxxxx	predictive	Low
36	Network Port	xxx/xxxxx	predictive	Medium

References (7)

The following list contains external sources which discuss the actor and the associated activities:

◂ PreviousOverviewNext ▸

Do you know our Splunk app?

Download it now for free!