Rancor Analysisinfo

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (914)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Language

sv166
pl164
fr150
it146
es140

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

US: USA884
CN: China14
VN: Vietnam12

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

Rancor5
NjRAT1
LokiBot1
Cobalt Strike1
Feodo1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined358
Content Management System68
Operating System46
Web Browser40
Cloud Software24

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined248
IBM48
Oracle34
Cisco28
Microsoft28

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

FFmpeg20
Microsoft Internet Explorer14
Apple Mac OS X12
Drupal10
Linux Kernel10

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

#VulnerabilityBaseTemp0dayTodayExpCouKEVEPSSCTICVE
1TikiWiki tiki-register.php input validation7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial fix 0.042770.96CVE-2006-6168
2Boa Webserver GET wapopen path traversal6.46.1$0-$5k$0-$5kProof-of-ConceptNot definedexpected0.907480.04CVE-2017-9833
3Anti-Web write.cgi path traversal7.27.2$0-$5k$0-$5kNot definedNot defined 0.095350.00CVE-2017-9097
4mpg123 MP3 File id3.c next_text memory corruption4.44.4$0-$5k$0-$5kNot definedNot defined 0.004210.00CVE-2017-9545
5LogicBoard CMS away.php redirect6.36.1$0-$5k$0-$5kNot definedUnavailable 0.000000.33
6Clash Configuration File cfw-setting.yaml permission assignment8.08.0$0-$5k$0-$5kNot definedNot defined 0.007740.05CVE-2023-24205
7Lenovo X Server FFDC Service Log command injection5.45.4$0-$5k$0-$5kNot definedNot defined 0.002640.00CVE-2017-3744
8DZCP deV!L`z Clanportal config.php code injection7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial fix 0.009700.07CVE-2010-0966
9Synacor Zimbra Collaboration xml external entity reference8.58.2$0-$5k$0-$5kNot definedOfficial fix 0.017330.00CVE-2016-9924
10e-Quick Cart shopprojectlogin.asp sql injection6.36.3$0-$5k$0-$5kNot definedNot defined 0.000000.00
11Tiki Admin Password tiki-login.php improper authentication8.07.7$0-$5k$0-$5kNot definedOfficial fixexpected0.911381.74CVE-2020-15906
12Pligg cloud.php sql injection6.36.3$0-$5k$0-$5kNot definedNot defined 0.000000.96
13vBulletin redirector.php6.66.6$0-$5k$0-$5kNot definedNot defined 0.187770.06CVE-2018-6200
14phpPgAds adclick.php5.35.3$0-$5k$0-$5kNot definedNot defined 0.003360.07CVE-2005-3791
15Google Android SDK Platform Tools Signedness adb_client.c adb_connect memory corruption8.88.3$100k and more$0-$5kProof-of-ConceptOfficial fix 0.000000.00
16Netgear D6300B Credential Storage nvram cleartext storage5.44.6$5k-$25k$0-$5kProof-of-ConceptWorkaround 0.000000.00
17OpenStack Keystone input validation5.35.1$0-$5k$0-$5kNot definedOfficial fix 0.027600.00CVE-2013-2014
18Sensysnetworks TrafficDOT code injection8.37.9$0-$5k$0-$5kNot definedOfficial fix 0.004530.00CVE-2014-2378
19Cws sahab-alkher.com X.509 Certificate cryptographic issues6.36.3$0-$5k$0-$5kNot definedNot defined 0.000360.00CVE-2014-7052
20Appbasedtechnologies Belaire Family Orthodontics X.509 Certificate cryptographic issues6.36.3$0-$5k$0-$5kNot definedNot defined 0.000360.00CVE-2014-7405

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • PLAINTEE/DDKONG

IOC - Indicator of Compromise (8)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
145.76.176.23645.76.176.236.vultr.comRancorPLAINTEE/DDKONG12/20/2020verifiedVery Low
245.121.146.26businesso.topRancorPLAINTEE/DDKONG12/20/2020verifiedLow
3XX.XX.XXX.XXxx.xxx.xx.xx.xx-xxxx.xxxxXxxxxxXxxxxxxx/xxxxxx12/20/2020verifiedLow
4XXX.XX.XXX.XXxxxxxx.xxxxxxxx.xxxXxxxxxXxxxxxxx/xxxxxx12/20/2020verifiedLow
5XXX.XX.XXX.XXxxxxxxxxxxxxxxx.xxxxXxxxxxXxxxxxxx/xxxxxx12/20/2020verifiedLow
6XXX.XX.XXX.XXXXxxxxxXxxxxxxx/xxxxxx12/20/2020verifiedLow
7XXX.XXX.XX.XXXXxxxxxXxxxxxxx/xxxxxx12/20/2020verifiedLow
8XXX.XXX.X.XXXxxx.xxx.x.xxx.xxxxx.xxxXxxxxxXxxxxxxx/xxxxxx12/20/2020verifiedVery Low

TTP - Tactics, Techniques, Procedures (17)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-22Path TraversalpredictiveHigh
2T1055CAPEC-10CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
3T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
4T1059.007CAPEC-209CWE-79, CWE-80Basic Cross Site ScriptingpredictiveHigh
5TXXXXCAPEC-XXXCWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
6TXXXX.XXXCWE-XXXXxx Xx Xxxx-xxxxx XxxxxxxxpredictiveHigh
7TXXXX.XXXCAPEC-XXXCWE-XXXXxxx-xxxxx XxxxxxxxxxxpredictiveHigh
8TXXXXCAPEC-XXXCWE-XX, CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
9TXXXX.XXXCAPEC-XXXCWE-XXXXxxx XxxxxxxxpredictiveHigh
10TXXXXCWE-XXX7xx Xxxxxxxx XxxxxxxxpredictiveHigh
11TXXXXCAPEC-XXXCWE-XX, CWE-XXXxx XxxxxxxxxpredictiveHigh
12TXXXXCWE-XXXXxxxxxxxxxx XxxxxxxxxxpredictiveHigh
13TXXXXCAPEC-XXCWE-XXXXxxxxxxxx Xxxxxxx Xx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
14TXXXX.XXXCAPEC-XXXCWE-XXXXxxxxxxxpredictiveHigh
15TXXXXCAPEC-XXXCWE-XXX, CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
16TXXXXCAPEC-XXXCWE-XXX, CWE-XXXXxxxxxxxxxxxx XxxxxxpredictiveHigh
17TXXXX.XXXCAPEC-XCWE-XXXXxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx XxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (233)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/bin/login.phppredictiveHigh
2File/cgi-bin/wapopenpredictiveHigh
3File/cgi/cpaddons_feature.plpredictiveHigh
4File/data/nvrampredictiveMedium
5File/forum/away.phppredictiveHigh
6File/frontend/x3/cpanelpro/filelist-thumbs.htmlpredictiveHigh
7File/fs/cifs/file.cpredictiveHigh
8File/goform/loginpredictiveHigh
9File/horde/util/go.phppredictiveHigh
10File/mib.dbpredictiveLow
11File/modules/profile/index.phppredictiveHigh
12File/OA_HTML/cabo/jsps/a.jsppredictiveHigh
13File/out.phppredictiveMedium
14File/secure/QueryComponent!Default.jspapredictiveHigh
15File/system/site.phppredictiveHigh
16Fileadb/adb_client.cpredictiveHigh
17Fileadclick.phppredictiveMedium
18Fileadd_comment.phppredictiveHigh
19Fileadelogs.adobe.compredictiveHigh
20Fileadmin.phppredictiveMedium
21Fileadmin/google_search_console/class-gsc-table.phppredictiveHigh
22Fileadministrator/components/com_media/helpers/media.phppredictiveHigh
23Fileandroid/webkit/SearchBoxImpl.javapredictiveHigh
24Fileapp-layer-ssh.cpredictiveHigh
25FileapplicationContext-spring-security.xmlpredictiveHigh
26Filearch_init.cpredictiveMedium
27Fileauthenticate.cpredictiveHigh
28Filexxxxxxx.xxpredictiveMedium
29Filexxxxxxxxx.xxxpredictiveHigh
30Filexx.xxxpredictiveLow
31FilexxxxxxpredictiveLow
32Filexxx_xxxxxxxxx.xxxpredictiveHigh
33Filexxxxxxxx.xxxpredictiveMedium
34Filexxxxxxxxxxxx.xxxpredictiveHigh
35Filexxx-xxxx.xxxpredictiveMedium
36Filexxx-xxxxxxx.xxxxpredictiveHigh
37Filexxx-xxx/xxxxx.xxxpredictiveHigh
38FilexxxxxxxxpredictiveMedium
39Filexxxxx.xxxpredictiveMedium
40Filexxxxxx/xxx.xpredictiveMedium
41Filexxxxxx/xxxxx/xxxxxxx.xpredictiveHigh
42Filexxxxxxxxxxxxx.xxxpredictiveHigh
43Filexxxxxxx.xxxpredictiveMedium
44Filexxxxxxx-xxxxx-xxxxxxxx.xxxpredictiveHigh
45Filexxxxxxx/xxxxxx/xxxxxxxxxxxxxxx_xxxx.xxpredictiveHigh
46Filexxxxxxxxx.xxxpredictiveHigh
47Filexxxx/xxxxxxxxxxxxxxx.xxxpredictiveHigh
48Filexxxx_xxxxxxx.xxxpredictiveHigh
49Filexxxxxx.xxxpredictiveMedium
50Filexxxxxx-xxxxx.xpredictiveHigh
51Filexxxx_xxxxx.xxxpredictiveHigh
52Filexxxx/xxxxxxxxxx/xxxxxx-xxxxx.xpredictiveHigh
53Filexxxxxxxxxxxxx/predictiveHigh
54Filexxxxxxx/xxxxxxxxxxx/xxxxxxxxxpredictiveHigh
55Filexxxxxxxx_xxxxxxxx.xxxpredictiveHigh
56Filexx/xxx/xxxxx.xpredictiveHigh
57Filexxxxxxx.xxxpredictiveMedium
58Filexxxx_xxxx.xxxpredictiveHigh
59Filexxxxxxxxxxxxxxx.xxxpredictiveHigh
60Filexxxx.xxxpredictiveMedium
61Filexxxxxxxx.xxxpredictiveMedium
62Filexxxxx.xxpredictiveMedium
63Filexxxxxxxx-xxxx-xxxxxx-xx-xxxxxxx.xxxpredictiveHigh
64Filexxx/xxxxxx.xxxpredictiveHigh
65Filexxx/xxxxx/xxxx-xxxxxxxx.xxxpredictiveHigh
66Filexxxxx.xxxpredictiveMedium
67Filexxxxxxx-xx.xpredictiveMedium
68Filexxx.xpredictiveLow
69Filexxxxxxxxxx/xxxx.xpredictiveHigh
70Filexxxxxxxxxx/xxxx.xpredictiveHigh
71Filexxxxxxxxxx/xxxx_xxpredictiveHigh
72Filexxxxxxxxxxx/xxxxx.xpredictiveHigh
73Filexxxxxxxxxxx/xxxxxxxxxxx.xpredictiveHigh
74Filexxxxx.xxxpredictiveMedium
75Filexxxxx.xxxpredictiveMedium
76Filexxxx.xxxpredictiveMedium
77Filexxxxxxxxxx.xpredictiveMedium
78Filexxxxx/xxxxxxx/xxxxxx_xxxxx_xxxxxxx.xxpredictiveHigh
79Filexxxx_xxxxx.xxxxxxxx-xxx.xxxpredictiveHigh
80Filexxxxxxxx.xpredictiveMedium
81Filexxxx.xxxpredictiveMedium
82Filexxx-xxxxxxxx.xpredictiveHigh
83Filexxxxxxx.xxxpredictiveMedium
84Filexxxxxxx.xxxpredictiveMedium
85Filexxxxxxx/xxxxxxxxxxxx.xpredictiveHigh
86Filexxx_xxx_xxx/xxxxx.xpredictiveHigh
87Filexxxxxxxxx.xpredictiveMedium
88Filexxx/xxxx/xxx_xxxxxx.xpredictiveHigh
89Filexxx/xxxxxx/xxxxxxxx/xxxxxxxxx/xxxxxxxxxxxxx.xxxxpredictiveHigh
90Filexxx/xxxxxx/xxxxxxxx/xxxxx/xxxxxxxxx.xxxxpredictiveHigh
91Filexxxx/xxxxxxxxx.xxxpredictiveHigh
92Filexxxxxxxxxx_xxxx.xxxpredictiveHigh
93Filexx_xxxx.xxxpredictiveMedium
94Filexxx.xxxxpredictiveMedium
95Filexxxxxxx.xxxpredictiveMedium
96Filexxxxx.xxxpredictiveMedium
97Filexxxxxxxx.xxxpredictiveMedium
98Filexxxxxxxxxx.xxxpredictiveHigh
99Filexxxxxxxxx/xxx/xxxxxxxxxxxxx.xxxpredictiveHigh
100Filexxxxxxx_xxx_xxxxx_xxxxxx.xxxxpredictiveHigh
101Filexxxxxx.xxxpredictiveMedium
102Filexxxxxxxxxx.xxxpredictiveHigh
103Filexxxxxxxx.xxxpredictiveMedium
104Filexxxxx/xxxxxxxxxxxx/xxxxxxx/xxx.xxxxpredictiveHigh
105Filexxxxxxxxxxxxxxxx.xxxpredictiveHigh
106Filexxxxx_xxxxxx_xxxxxxx.xxxpredictiveHigh
107Filexxxxxxxxx.xpredictiveMedium
108Filexxxxx/xxxx/xxxxx.xpredictiveHigh
109Filexxxxxxxxx.xxxpredictiveHigh
110Filexx_xxxxxxx.xxxpredictiveHigh
111Filexxxxxxxxxxx.xxxpredictiveHigh
112Filexxxxxxxx.xxxpredictiveMedium
113Filexxxx-xxxxx.xxxpredictiveHigh
114Filexxxx-xxxxxxxx.xxxpredictiveHigh
115Filexxx.xxxpredictiveLow
116Filexxxxxxxxxxx_xxxxx.xxxpredictiveHigh
117Filexxxx/xxxx_xxxx.xpredictiveHigh
118Filexxxxxxxxx_xxxx.xpredictiveHigh
119Filexxxxxxx.xpredictiveMedium
120Filexxxxxxx.xxxpredictiveMedium
121Filexxx.xxxpredictiveLow
122Filexx-xxxxx/xx/xxxx-xxx.xxpredictiveHigh
123Filexx-xxxxxxxx/xxxxx-xxxxxx.xxxpredictiveHigh
124Filexx-xxxxxxxx/xxxxx-xx-xxxxx.xxxpredictiveHigh
125Filexx-xxxxxxxx/xxxxx-xx-xxxxxx-xxxxxx.xxxpredictiveHigh
126Filexx-xxxxxxxxxxx.xxxpredictiveHigh
127Filexx-xxxxxxxxx.xxxpredictiveHigh
128Libraryxxxxxxx\xxx\xxxxxxxx-xxx-x.xxxpredictiveHigh
129Libraryxxx/xxxxxx_xxxx.xx)predictiveHigh
130Libraryxxx/xxxxxx/xxxxxx_.xpredictiveHigh
131Libraryxxx/xxxxxx/xxxxxxxx/xxx.xxxpredictiveHigh
132Libraryxxx/xxx.xxpredictiveMedium
133Libraryxxx/xxxxxxxx/xxxx.xxpredictiveHigh
134LibraryxxxxxxpredictiveLow
135Libraryxxxxxxx/xxxxx/xxx/xxxxxx.xpredictiveHigh
136Libraryxxx/xxxxxxxxx/xxx.xpredictiveHigh
137Argument$_xxxxxxx['xxxx']predictiveHigh
138Argument-xpredictiveLow
139Argument/../predictiveLow
140ArgumentxxxxxxxxxxpredictiveMedium
141ArgumentxxxxxxxxxxxpredictiveMedium
142ArgumentxxxxxxxxpredictiveMedium
143ArgumentxxxpredictiveLow
144ArgumentxxxxxxxxxxpredictiveMedium
145ArgumentxxxpredictiveLow
146ArgumentxxxxxxxpredictiveLow
147ArgumentxxxxxxpredictiveLow
148ArgumentxxxxpredictiveLow
149ArgumentxxxpredictiveLow
150ArgumentxxxxxxxxpredictiveMedium
151ArgumentxxxxpredictiveLow
152ArgumentxxxxxxxxxxxxxpredictiveHigh
153ArgumentxxxpredictiveLow
154ArgumentxxxxxxxpredictiveLow
155ArgumentxxxxxpredictiveLow
156ArgumentxxxxxxxxxxpredictiveMedium
157ArgumentxxxxxxxxpredictiveMedium
158ArgumentxxxxxpredictiveLow
159ArgumentxxxxxxxpredictiveLow
160ArgumentxxxxxxxxxpredictiveMedium
161ArgumentxxxxpredictiveLow
162ArgumentxxxxxxxxpredictiveMedium
163ArgumentxxxxxxxxxxxxpredictiveMedium
164ArgumentxxpredictiveLow
165Argumentxxxxx_xxxx_xxxxxxpredictiveHigh
166ArgumentxxxxpredictiveLow
167ArgumentxxxxpredictiveLow
168ArgumentxxxxxxpredictiveLow
169ArgumentxxxxxxpredictiveLow
170Argumentxxxx/xxx_xxxxxx/xxxxpredictiveHigh
171ArgumentxxxxxxxxxxpredictiveMedium
172ArgumentxxxpredictiveLow
173ArgumentxxxxxpredictiveLow
174Argumentxxxx_xxxxxpredictiveMedium
175Argumentxxx_xxxxxxpredictiveMedium
176ArgumentxxxxpredictiveLow
177ArgumentxxxxxxxxpredictiveMedium
178Argumentxxx-xxx xxxx xxxxxxxxpredictiveHigh
179ArgumentxxxxxxxxxpredictiveMedium
180ArgumentxxxxxxxxpredictiveMedium
181ArgumentxxxxxxxxxxxpredictiveMedium
182ArgumentxxxxxxxxxpredictiveMedium
183Argumentxxx_xxxxpredictiveMedium
184ArgumentxxxxxxxxpredictiveMedium
185ArgumentxxxpredictiveLow
186ArgumentxxxxxpredictiveLow
187Argumentxxxxxxxxxxxxx xxpredictiveHigh
188ArgumentxxxxxxxxpredictiveMedium
189Argumentxxxxxxxx_xxxpredictiveMedium
190ArgumentxxxxxxxxxpredictiveMedium
191ArgumentxxxxxxxpredictiveLow
192ArgumentxxxxxxpredictiveLow
193ArgumentxxxxxxpredictiveLow
194ArgumentxxxxxxxxxxpredictiveMedium
195Argumentxxxxxx_xxpredictiveMedium
196Argumentxxxx_xxxpredictiveMedium
197ArgumentxxxxpredictiveLow
198ArgumentxxpredictiveLow
199ArgumentxxxpredictiveLow
200Argumentxx_xxpredictiveLow
201ArgumentxxxxxpredictiveLow
202ArgumentxxxxxxpredictiveLow
203ArgumentxxxxxxxxxpredictiveMedium
204ArgumentxxxxxxpredictiveLow
205Argumentxx_xxpredictiveLow
206ArgumentxxxxxxxxpredictiveMedium
207ArgumentxxxxxxxxpredictiveMedium
208ArgumentxxxxxxpredictiveLow
209Argumentxxxxxx[]predictiveMedium
210ArgumentxxxxxxxxxxxxxxxpredictiveHigh
211Argumentxxxx=xxxxxxxxpredictiveHigh
212Argumentxxxxxx_xxxpredictiveMedium
213ArgumentxxxpredictiveLow
214ArgumentxxxpredictiveLow
215ArgumentxxxxxxxxpredictiveMedium
216ArgumentxxxxxpredictiveLow
217Argumentxxx[xxxx_xx]predictiveMedium
218ArgumentxxxxxxpredictiveLow
219ArgumentxxxxxxxxxxxpredictiveMedium
220Argument_xxxxxxxpredictiveMedium
221Input Value'xx x=xpredictiveLow
222Input Value);<xxxxxx>xxxxx('xxx')</xxxxxx>predictiveHigh
223Input Value..%xxpredictiveLow
224Input Value../..predictiveLow
225Input Value/\xxxxxxx.xxxpredictiveHigh
226Input Valuex" xxxxxxxxxxx=xxxxxx(xxxxxx) xxx="predictiveHigh
227Input Valuexxxxxxx.xxx_xxx.xxxpredictiveHigh
228Input ValuexxxxxxpredictiveLow
229Input Value\xxx\xxx\xxx\xxx\xxxpredictiveHigh
230Network Portxxxxxxxxxxxxxx xxxxxxpredictiveHigh
231Network Portxxx/xxxxpredictiveMedium
232Network Portxxx/xxxx (xxxx) / xxx/xxxx (xxxxx)predictiveHigh
233Network Portxxx xxxxxx xxxxpredictiveHigh

References (2)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

This view requires CTI permissions

Just purchase a CTI license today!