Ozone RAT Analysis

IOB - Indicator of Behavior (45)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Language

en (46)

Country


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Linux Kernel (6)
Apple iOS (6)
Apple iPadOS (6)
InterWorx SiteWorx (4)
M-Files Server (2)

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

# | Vulnerability | Base | Temp | 0day | Today | Exploit | Countermeasure | KEV | EPSS | CTI | CVE
1 | Oracle Middleware Common Libraries and Tools Third Party denial of service | 7.5 | 7.3 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.00688 | 0.00 | CVE-2022-45688
2 | sjqzhang go-fastdfs File Upload uploa upload path traversal | 8.1 | 7.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.23407 | 0.08 | CVE-2023-1800
3 | M-Files Server resource consumption | 6.5 | 6.4 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00058 | 0.00 | CVE-2023-0382
4 | Siemens Tecnomatix Plant Simulation SPP File out-of-bounds write | 7.0 | 6.9 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.00057 | 0.00 | CVE-2023-24995
5 | SourceCodester Clinics Patient Management System update_user.php sql injection | 7.1 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00052 | 0.07 | CVE-2023-1035
6 | Vastal phpVID browse_videos.php cross site scripting | 4.3 | 3.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.07235 | 0.00 | CVE-2013-5312
7 | Check_MK Failed-Log Save race condition | 4.8 | 4.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | | 0.08652 | 0.00 | CVE-2017-14955
8 | Chris92de AdminServ adminserv.php cross site scripting | 4.4 | 4.3 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00066 | 0.07 | CVE-2020-36637
9 | Chris92de AdminServ adminserv.php cross site scripting | 4.4 | 4.3 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00066 | 0.07 | CVE-2020-36638
10 | tcpdump CFM Parser print-cfm.c cfm_print memory corruption | 8.0 | 7.9 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.01360 | 0.03 | CVE-2017-13052
11 | Synology DiskStation Manager Webapi path traversal | 6.4 | 6.4 | $0-$5k | Calculating | Not defined | Official fix | | 0.00595 | 0.02 | CVE-2022-27610
12 | jserv cross site scripting | 4.3 | 4.1 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00000 | 0.00 |
13 | Cisco AsyncOS ZIP Archive Spam input validation | 7.5 | 7.5 | $5k-$25k | $5k-$25k | Not defined | Not defined | | 0.00383 | 0.00 | CVE-2016-1438
14 | Microsoft Windows LPC Request denial of service | 7.8 | 7.0 | $5k-$25k | $0-$5k | Proof-of-Concept | Official fix | | 0.00000 | 0.00 |
15 | Microsoft Windows Guest Account privileges management | 7.3 | 7.1 | $25k-$100k | $5k-$25k | Not defined | Workaround | | 0.00000 | 0.01 |
16 | Apple iOS/iPadOS Audio information disclosure | 3.3 | 3.2 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.00046 | 0.00 | CVE-2022-32825
17 | InterWorx SiteWorx httpd.php cross site scripting | 3.5 | 3.5 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.01044 | 0.00 | CVE-2007-4588
18 | InterWorx SiteWorx ftp.php cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.01044 | 0.00 | CVE-2007-4588
19 | phpHtmlLib NavTable.php privileges management | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.08122 | 0.00 | CVE-2006-4287
20 | Apple iOS/iPadOS WebRTC memory corruption | 8.0 | 7.9 | $25k-$100k | $25k-$100k | High | Official fix | verified | 0.01802 | 0.00 | CVE-2022-2294

IOC - Indicator of Compromise (12)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (5)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (22)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /group1/uploa | predictive | High
2 | File | /vicidial/AST_agent_time_sheet.php | predictive | High
3 | File | arch/powerpc/mm/mmu_context_book3s64.c | predictive | High
4 | File | xxxx/xxxxx/xxxxxx/xxxxx.x | predictive | High
5 | File | xxxxxx_xxxxxx.xxx | predictive | High
6 | File | xxxxxxx/xxx/xxx/xxxx/xxxx_xxx_xxxxxxx.x | predictive | High
7 | File | xxx.xxx | predictive | Low
8 | File | xxxxx.xxx | predictive | Medium
9 | File | xxxxxx/xxxxxx.x | predictive | High
10 | File | xxxxxxxx.xxx | predictive | Medium
11 | File | xxxxx-xxx.x | predictive | Medium
12 | File | xxxxxxxxx/xxxx/xxxxxxxxx.xxx | predictive | High
13 | File | xxxxxx_xxxx.xxx | predictive | High
14 | Library | xxxx/xxx/xxx/xxxx-xxxx.x | predictive | High
15 | Library | xxx/xxx.x | predictive | Medium
16 | Argument | xxxxx | predictive | Low
17 | Argument | xxx | predictive | Low
18 | Argument | xxxxx | predictive | Low
19 | Argument | xxxx_xxxx | predictive | Medium
20 | Argument | xxxxxxxxxx | predictive | Medium
21 | Argument | xxxx | predictive | Low
22 | Argument | xxxx_xx | predictive | Low

References (2)

The following list contains external sources which discuss the actor and the associated activities:
