Sodinokibi Analysis

IOB - Indicator of Behavior (92)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 84
es: 2
pt: 2
ru: 2
zh: 2

Country

Actors

Activities

Interest

Timeline

Type

Vendor

Product

Microsoft Windows: 8
Google Chrome: 6
Microsoft Edge: 4
Oracle Java SE: 4
PHP: 2

Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exploit | Remediation | CTI | EPSS | CVE
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
1 | FLDS redir.php sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | High | Unavailable | 0.06 | 0.00203 | CVE-2008-5928
2 | Debian fuse Package cuse access control | 7.8 | 7.5 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00042 | CVE-2016-1233
3 | OpenEMR sl_eob_search.php os command injection | 7.5 | 7.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00181 | CVE-2018-15154
4 | Pandao editor.md Markdown cross site scripting | 4.8 | 4.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.04 | 0.00055 | CVE-2023-29641
5 | LogicBoard CMS away.php redirect | 6.3 | 6.1 | $0-$5k | $0-$5k | Not Defined | Unavailable | 5.27 | 0.00000 | 
6 | OpenX adclick.php redirect | 5.3 | 4.7 | $0-$5k | $0-$5k | Unproven | Unavailable | 0.61 | 0.00440 | CVE-2014-2230
7 | Apple Mac OS X Server Wiki Server sql injection | 5.3 | 4.6 | $5k-$25k | $0-$5k | Unproven | Official Fix | 0.06 | 0.00339 | CVE-2015-5911
8 | SAP 3D Visual Enterprise Viewer GIF File denial of service | 3.8 | 3.7 | $5k-$25k | Calculating | Not Defined | Official Fix | 0.00 | 0.00061 | CVE-2021-27593
9 | Apple macOS IOMobileFrameBuffer memory corruption | 7.8 | 7.2 | $5k-$25k | $0-$5k | Functional | Official Fix | 0.00 | 0.00263 | CVE-2022-22587
10 | Apple iOS/iPadOS IOMobileFrameBuffer memory corruption | 7.8 | 7.2 | $25k-$100k | $5k-$25k | Functional | Official Fix | 0.02 | 0.00263 | CVE-2022-22587
11 | Apple Safari WebKit resource management | 7.3 | 7.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00856 | CVE-2014-4452
12 | HPE Ezmeral Data Fabric TEZ MapR Ecosystem access control | 6.3 | 6.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00197 | CVE-2021-29215
13 | nginx ngx_http_mp4_module information disclosure | 5.9 | 5.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.05 | 0.00198 | CVE-2018-16845
14 | SonarQube values missing encryption | 5.9 | 5.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.01 | 0.36880 | CVE-2020-27986
15 | Bitnami Docker Container .env random values | 3.5 | 3.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.00117 | CVE-2021-21979
16 | Google Android System permission | 7.0 | 6.3 | $25k-$100k | $0-$5k | Proof-of-Concept | Official Fix | 0.07 | 0.00306 | CVE-2017-13209
17 | PHP addcslashe numeric error | 8.5 | 8.1 | $5k-$25k | $0-$5k | Unproven | Official Fix | 0.00 | 0.00539 | CVE-2016-4344
18 | Sophos XG Firewall HTTPS Bookmark buffer overflow | 8.5 | 8.2 | $0-$5k | Calculating | Not Defined | Official Fix | 0.00 | 0.00782 | CVE-2020-15069
19 | Marvin Minsky Universal Turing Machine input validation | 4.6 | 4.4 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00 | 0.00048 | CVE-2021-32471
20 | Sophos Cyberoam Firewall SSL VPN Console injection | 8.5 | 8.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.00642 | CVE-2019-17059

IOC - Indicator of Compromise (28)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.


TTP - Tactics, Techniques, Procedures (16)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Vulnerabilities | Access Vector | Type | Confidence
--- | --- | --- | --- | --- | ---
1 | T1006 | CWE-22 | Path Traversal | predictive | High
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | predictive | High
3 | T1055 | CWE-74 | Improper Neutralization of Data within XPath Expressions | predictive | High
4 | T1059 | CWE-94 | Argument Injection | predictive | High

IOA - Indicator of Attack (34)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
--- | --- | --- | --- | ---
1 | File | /dev/cuse | predictive | Medium
2 | File | /dev/snd/seq | predictive | Medium
3 | File | /forum/away.php | predictive | High
4 | File | /tmp/app/.env | predictive | High

References (3)

The following list contains external sources which discuss the actor and the associated activities: