Nokoyawa Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (100)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en86
zh4
de2
es2
pl2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

us76
ru10
tr6
fr4
gb2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

IcedID4
Cobalt Strike4
PhotoLoader3
BazarBackdoor2
BumbleBee2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined32
Content Management System10
Operating System6
WordPress Plugin6
Connectivity Software4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined26
Microsoft12
Alfresco2
Oracle2
DZCP2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Microsoft Windows6
WordPress4
Alfresco Community Edition2
Oracle ZFS Storage Appliance Kit2
DZCP deV!L`z Clanportal2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemCTIEPSSCVE
1DZCP deV!L`z Clanportal config.php code injection7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.380.00943CVE-2010-0966
2MGB OpenSource Guestbook email.php sql injection7.37.3$0-$5k$0-$5kHighUnavailable0.750.01302CVE-2007-0354
3Microsoft Windows TCP/IP Remote Code Execution9.88.9$25k-$100k$5k-$25kUnprovenOfficial Fix0.000.28837CVE-2022-34718
4Microsoft Windows Kernel Cryptography Driver cng.sys CfgAdtpFormatPropertyBlock buffer overflow7.97.9$25k-$100k$25k-$100kProof-of-ConceptOfficial Fix0.040.26870CVE-2020-17087
5Microsoft Windows Netlogon Zerologon privileges management8.48.0$25k-$100k$0-$5kHighOfficial Fix0.040.32187CVE-2020-1472
6Microsoft Windows Event Logging Service denial of service4.34.0$5k-$25k$0-$5kUnprovenOfficial Fix0.020.00117CVE-2022-37981
7FLDS redir.php sql injection7.37.3$0-$5k$0-$5kHighUnavailable0.170.00203CVE-2008-5928
8Microsoft Exchange Server Privilege Escalation9.08.5$25k-$100k$5k-$25kUnprovenOfficial Fix0.020.02289CVE-2022-41080
9PHP Link Directory Administration Page index.html cross site scripting4.34.3$0-$5k$0-$5kNot DefinedNot Defined0.340.00374CVE-2007-0529
10Nystudio107 SEOmatic Plugin Template injection7.37.0$0-$5k$0-$5kNot DefinedOfficial Fix0.030.51997CVE-2021-41749
11Adobe Premiere Pro MP4 File Parser heap-based overflow7.06.9$0-$5k$0-$5kNot DefinedOfficial Fix0.000.00585CVE-2023-47056
12WordPress wpdb->prepare sql injection8.58.4$5k-$25k$0-$5kNot DefinedOfficial Fix0.040.00389CVE-2017-16510
13Microsoft IIS Frontpage Server Extensions shtml.dll Username information disclosure5.35.1$5k-$25k$0-$5kNot DefinedOfficial Fix0.040.15958CVE-2000-0114
14Caucho Resin HTTP Request pathname traversal6.36.1$0-$5k$0-$5kNot DefinedNot Defined0.020.01258CVE-2021-44138
15Adiscon LogAnalyzer sql injection7.67.5$0-$5k$0-$5kNot DefinedNot Defined0.020.00076CVE-2023-34600
16Microsoft Windows Win32k Privilege Escalation7.26.5$25k-$100k$0-$5kProof-of-ConceptOfficial Fix0.000.00137CVE-2022-21882
17Oracle ZFS Storage Appliance Kit Operating System Image privileges management10.09.5$100k and more$5k-$25kNot DefinedOfficial Fix0.030.32187CVE-2020-1472
18Microsoft Windows Print Spooler Privilege Escalation8.17.4$25k-$100k$5k-$25kUnprovenOfficial Fix0.020.00043CVE-2022-38028
19Microsoft Office information disclosure3.83.6$5k-$25k$0-$5kUnprovenOfficial Fix0.020.00061CVE-2022-41043
20Microsoft Windows IIS Remote Code Execution7.67.0$25k-$100k$5k-$25kUnprovenOfficial Fix0.040.00107CVE-2022-30209

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Nokoyawa

IOC - Indicator of Compromise (8)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
15.8.18.242Cobalt StrikeNokoyawa05/22/2023verifiedHigh
223.29.115.15223-29-115-152.static.hvvc.usCobalt StrikeNokoyawa05/22/2023verifiedHigh
3XX.XX.XXX.XXXxxxxxxxxx.xxxXxxxxxXxxxxxxx05/22/2023verifiedHigh
4XX.X.XXX.XXXxxxxx-x.xxxxxxxxxx.xxxXxxxxx XxxxxxXxxxxxxx05/22/2023verifiedHigh
5XXX.XX.XXX.XXXXxxxxxXxxxxxxx05/22/2023verifiedHigh
6XXX.XX.XXX.XXXXxxxxxXxxxxxxx05/22/2023verifiedHigh
7XXX.XXX.XXX.XXXXxxxxxxx07/29/2022verifiedHigh
8XXX.XXX.XXX.XXXxxxxxXxxxxxxx05/22/2023verifiedHigh

TTP - Tactics, Techniques, Procedures (11)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueVulnerabilitiesAccess VectorTypeConfidence
1T1006CWE-21, CWE-22, CWE-23Path TraversalpredictiveHigh
2T1055CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
3T1059CWE-94Argument InjectionpredictiveHigh
4TXXXX.XXXCWE-XX, CWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
5TXXXXCWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
6TXXXXCWE-XX, CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
7TXXXX.XXXCWE-XXXXxxx XxxxxxxxpredictiveHigh
8TXXXXCWE-XXXxx XxxxxxxxxpredictiveHigh
9TXXXXCWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
10TXXXX.XXXCWE-XXXXxx Xxxxxxxxxx XxxxxpredictiveHigh
11TXXXX.XXXCWE-XXXXxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx XxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (52)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/forum/away.phppredictiveHigh
2File/homeaction.phppredictiveHigh
3File/librarian/bookdetails.phppredictiveHigh
4File/modules/projects/vw_files.phppredictiveHigh
5File/out.phppredictiveMedium
6Fileadclick.phppredictiveMedium
7Fileadmin.phppredictiveMedium
8Filexxxxx.xxxxxxx.xxxx.xxxpredictiveHigh
9Filexxxxx/xxxxxx/xxxxx-xxxxxx-xxxxxxxx.xxxpredictiveHigh
10Filexx_xxxxx_xxxxx.xxxpredictiveHigh
11Filexxx-xxx/xxxxxxx.xxpredictiveHigh
12Filexxxxx-xx-xxxx-xxxxx.xxxpredictiveHigh
13Filexxxxx.xxxpredictiveMedium
14Filexxx.xxxpredictiveLow
15Filexxxxx.xxxpredictiveMedium
16Filexxxxxxxxxx.xxxpredictiveHigh
17Filexxxxxxx.xxxpredictiveMedium
18Filexxxxxxx.xxxpredictiveMedium
19Filexxxx.xxxpredictiveMedium
20Filexxx/xxxxxx.xxxpredictiveHigh
21Filexxxxx.xxxxpredictiveMedium
22Filexxxxxxx.xxxpredictiveMedium
23Filexxxxxxxxx.xxx.xxxpredictiveHigh
24Filexxxxx.xxxpredictiveMedium
25Filexxxxxxxx.xxxpredictiveMedium
26Filexxxx.xxxpredictiveMedium
27Filexxxx/xxx/xxxx-xxxxx.xxxpredictiveHigh
28Filexx-xxxxx/xxxx.xxx?xxxx_xxxx=xxxxxpredictiveHigh
29File~/xxxxx.xxxpredictiveMedium
30Library/_xxx_xxx/xxxxx.xxxpredictiveHigh
31ArgumentxxxxpredictiveLow
32ArgumentxxxpredictiveLow
33ArgumentxxxxxxpredictiveLow
34ArgumentxxxxxxxxpredictiveMedium
35Argumentxxx_xxxpredictiveLow
36ArgumentxxxxxxxxxxpredictiveMedium
37Argumentxxx_xxpredictiveLow
38Argumentxxxxxxxxx_xxxpredictiveHigh
39ArgumentxxxxxxpredictiveLow
40Argumentxxxx_xxxxxpredictiveMedium
41Argumentxxxxxxxx[xxxx_xxx]predictiveHigh
42ArgumentxxxxxpredictiveLow
43ArgumentxxxxxxxxpredictiveMedium
44ArgumentxxxxpredictiveLow
45ArgumentxxpredictiveLow
46ArgumentxxpredictiveLow
47ArgumentxxxxxxxpredictiveLow
48ArgumentxxxxpredictiveLow
49ArgumentxxxxxxxxxpredictiveMedium
50Argumentxxxxx_xxxx_xxxxpredictiveHigh
51ArgumentxxxxxxxxpredictiveMedium
52Input Value' xxx (xxxxxx xxxx xxxx (xxxxxx(xxxxx(x)))xxxx)-- xxxxpredictiveHigh

References (3)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Interested in the pricing of exploits?

See the underground prices here!