SparklingGoblin Analysis

IOB - Indicator of Behavior (23)

Lang

  • en: 16
  • es: 4
  • zh: 2
  • de: 2

Country

  • ru: 10
  • us: 10
  • nl: 2
  • cn: 2

Activities

Product

  • Laravel: 2
  • Qt-cute QuickTalk guestbook: 2
  • Wired Community Software WWWThreads: 2
  • Microsoft Exchange Server: 2
  • RoundCube Webmail: 2

Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | CTI | EPSS | CVE
1 | SSH SSH-1 Protocol cryptographic issues | 7.3 | 7.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.00258 | CVE-2001-1473
2 | Microsoft Exchange Server Privilege Escalation | 8.8 | 8.1 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.01 | 0.11112 | CVE-2023-32031
3 | IBM WebSphere Application Server Sequence code injection | 9.2 | 9.1 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.06 | 0.00399 | CVE-2023-23477
4 | EmpireCMS AdClass.php sql injection | 6.3 | 6.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.03 | 0.00172 | CVE-2022-28585
5 | Veritas NetBackup denial of service | 6.9 | 6.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.00081 | CVE-2022-36984
6 | Geeklog Media Gallery ftpmedia.php file inclusion | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.02 | 0.13104 | CVE-2007-2706
7 | Qt-cute QuickTalk guestbook qtg_msg_view.php sql injection | 7.3 | 7.1 | $0-$5k | $0-$5k | High | Unavailable | 0.00 | 0.00269 | CVE-2007-3538
8 | GitLab Community Edition/Enterprise Edition ipynb File cross site scripting | 6.1 | 6.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.00089 | CVE-2021-39906
9 | Microsoft Power BI Report Server Privilege Escalation | 7.0 | 6.1 | $5k-$25k | $0-$5k | Unproven | Official Fix | 0.03 | 0.01237 | CVE-2021-31984
10 | Laravel Image Upload ValidatesAttributes.php unrestricted upload | 5.5 | 5.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.01231 | CVE-2021-43617
11 | Apache HTTP Server mod_rewrite redirect | 6.7 | 6.7 | $25k-$100k | $5k-$25k | Not Defined | Not Defined | 0.00 | 0.00258 | CVE-2020-1927
12 | Request Tracker File Upload cross site scripting | 5.2 | 4.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.00107 | CVE-2016-6127
13 | RoundCube Webmail Password Plugin access control | 7.5 | 6.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.01 | 0.00338 | CVE-2017-8114
14 | Gallarific PHP Photo Gallery script gallery.php sql injection | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.04 | 0.00112 | CVE-2011-0519
15 | SoftEther VPN Server See.sys Kernel 7pk security | 6.5 | 6.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.02 | 0.00044 | CVE-2019-11868
16 | Typecho write-post.php cross site scripting | 4.4 | 4.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.03 | 0.00057 | CVE-2017-16230
17 | D-Link DNS-345 Cookie improper authentication | 8.5 | 8.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00561 | CVE-2014-7857
18 | Zoho ManageEngine ServiceDesk Plus FileDownload.jsp path traversal | 5.3 | 5.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00 | 0.00556 | CVE-2011-2757
19 | Wired Community Software WWWThreads register.php sql injection | 6.5 | 6.2 | $0-$5k | $0-$5k | Proof-of-Concept | Unavailable | 0.02 | 0.00471 | CVE-2006-1958
20 | Russcom Network Loginphp register.php cross site scripting | 4.3 | 4.1 | $0-$5k | $0-$5k | Proof-of-Concept | Unavailable | 0.04 | 0.00677 | CVE-2006-2160

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • SideWalk

IOC - Indicator of Compromise (5)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (9)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Vulnerabilities | Access Vector | Type | Confidence
1 | T1006 | CWE-22 | Path Traversal | predictive | High
2 | T1059 | CWE-94 | Argument Injection | predictive | High

IOA - Indicator of Attack (18)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | AdClass.php | predictive | Medium
2 | File | admin/write-post.php | predictive | High
3 | File | FileDownload.jsp | predictive | High

References (2)

The following list contains external sources which discuss the actor and the associated activities: