Mirrors
/
cyber_threat_intelligence
mirror of https://github.com/vuldb/cyber_threat_intelligence
6
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update

This commit is contained in:
Marc Ruef 2022-01-27 15:47:14 +01:00
parent 0c11dcfc85
commit 22f05d0892
32 changed files with 534 additions and 384 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
APT28/README.md
View File

@ -57,7 +57,7 @@ ID | IP address | Hostname | Confidence
23 | 46.148.17.227 | - | High
24 | 46.166.162.90 | - | High
25 | 46.183.217.74 | ip-217-74.dataclub.info | High
26 | 51.38.128.110 | - | High
26 | 51.38.128.110 | vps-b7b05fc8.vps.ovh.net | High
27 | 51.254.76.54 | - | High
28 | 51.254.158.57 | - | High
29 | 54.37.104.106 | piber.connectedlists.com | High

70
APT33/README.md
View File

@ -1,6 +1,6 @@
# APT33 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT33](https://vuldb.com/?actor.apt33). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT33](https://vuldb.com/?actor.apt33). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt33](https://vuldb.com/?actor.apt33)
@ -16,12 +16,12 @@ The following campaigns are known and can be associated with APT33:
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT33:
* SV
* FR
* DE
* ES
* PL
* ...
There are 18 more country items available. Please use our online service to access the data.
There are 4 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -44,14 +44,9 @@ ID | IP address | Hostname | Confidence
13 | 8.26.21.223 | mail5.boldinbox.com | High
14 | 31.7.62.48 | - | High
15 | 37.48.105.178 | - | High
16 | 45.32.186.33 | 45.32.186.33.vultr.com | Medium
17 | 45.76.32.252 | 45.76.32.252.vultr.com | Medium
18 | 51.77.11.46 | ip46.ip-51-77-11.eu | High
19 | 51.254.71.223 | ip223.ip-51-254-71.eu | High
20 | 54.36.73.108 | mail.snap-status.com | High
21 | ... | ... | ...
16 | ... | ... | ...
There are 55 more IOC items available. Please use our online service to access the data.
There are 60 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -59,14 +54,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1008 | Algorithm Downgrade | High
2 | T1040 | Authentication Bypass by Capture-replay | High
3 | T1059.007 | Cross Site Scripting | High
4 | T1068 | Execution with Unnecessary Privileges | High
5 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
6 | ... | ... | ...
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 11 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -74,19 +67,32 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `$SPLUNK_HOME/etc/splunk-launch.conf` | High
2 | File | `%PROGRAMDATA%\1E\Client` | High
3 | File | `%PROGRAMDATA%\ASUS\GamingCenterLib` | High
4 | File | `%PROGRAMDATA%\WrData\PKG` | High
5 | File | `%PROGRAMFILES(X86)%/Aternity Information Systems/Assistant/plugins` | High
6 | File | `.folder` | Low
7 | File | `.forward` | Medium
8 | File | `.git/hooks/post-update` | High
9 | File | `.gitlab-ci.yml` | High
10 | File | `.htaccess` | Medium
11 | ... | ... | ...
1 | File | `/admin/upload.php` | High
2 | File | `/api/ZRMesh/set_ZRMesh` | High
3 | File | `/appliance/shiftmgn.php` | High
4 | File | `/damicms-master/admin.php?s=/Article/doedit` | High
5 | File | `/etc/quagga` | Medium
6 | File | `/fw/index2.do` | High
7 | File | `/jerry-core/ecma/base/ecma-lcache.c` | High
8 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High
9 | File | `/jerry-core/jmem/jmem-heap.c` | High
10 | File | `/moddable/xs/sources/xsScript.c` | High
11 | File | `/parser/js/js-parser-expr.c` | High
12 | File | `/preferences/tags` | High
13 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
14 | File | `/thruk/#cgi-bin/status.cgi?style=combined` | High
15 | File | `/transmission/web/` | High
16 | File | `/uploads/exam_question/` | High
17 | File | `/usr/bin/pkexec` | High
18 | File | `AccessPoint.java` | High
19 | File | `acknow.php` | Medium
20 | File | `acropora/app/identity/ic.c` | High
21 | File | `acropora/app/identity/identity_support.c` | High
22 | File | `actions.php` | Medium
23 | File | `admin/bad.php` | High
24 | ... | ... | ...
There are 4716 more IOA items available. Please use our online service to access the data.
There are 199 more IOA items available. Please use our online service to access the data.
## References
@ -103,9 +109,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

3
APT34/README.md
View File

@ -92,7 +92,8 @@ ID | Type | Indicator | Confidence
32 | File | `admin/index.php` | High
33 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High
34 | File | `admin/system_manage/save.html` | High
35 | ... | ... | ...
35 | File | `ajax.php` | Medium
36 | ... | ... | ...
There are 304 more IOA items available. Please use our online service to access the data.

11
BelialDemon/README.md
View File

@ -1,6 +1,6 @@
# BelialDemon - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [BelialDemon](https://vuldb.com/?actor.belialdemon). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [BelialDemon](https://vuldb.com/?actor.belialdemon). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.belialdemon](https://vuldb.com/?actor.belialdemon)
@ -46,8 +46,9 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `include/ajax.draft.php` | High
2 | Argument | `request` | Low
1 | File | `AdminBaseController.class.php` | High
2 | File | `include/ajax.draft.php` | High
3 | Argument | `request` | Low
## References
@ -59,9 +60,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

2
Charming Kitten/README.md
View File

@ -97,7 +97,7 @@ ID | Type | Indicator | Confidence
30 | File | `ActiveServices.java` | High
31 | ... | ... | ...
There are 260 more IOA items available. Please use our online service to access the data.
There are 262 more IOA items available. Please use our online service to access the data.
## References

6
DeathClick/README.md
View File

@ -1,6 +1,6 @@
# DeathClick - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [DeathClick](https://vuldb.com/?actor.deathclick). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DeathClick](https://vuldb.com/?actor.deathclick). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.deathclick](https://vuldb.com/?actor.deathclick)
@ -28,9 +28,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

13
Desert Falcons/README.md
View File

@ -1,6 +1,6 @@
# Desert Falcons - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Desert Falcons](https://vuldb.com/?actor.desert_falcons). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Desert Falcons](https://vuldb.com/?actor.desert_falcons). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.desert_falcons](https://vuldb.com/?actor.desert_falcons)
@ -37,10 +37,9 @@ ID | Type | Indicator | Confidence
1 | File | `ftpcmd.c` | Medium
2 | File | `kernel/events/core.c` | High
3 | File | `PresentSpace.jsp` | High
4 | File | `staff/register.php` | High
5 | Argument | `ConnPoolName/GroupId` | High
6 | Argument | `cpfr/cpto` | Medium
7 | Argument | `First Name/Last Name` | High
4 | ... | ... | ...
There are 4 more IOA items available. Please use our online service to access the data.
## References
@ -52,9 +51,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

32
Emotet/README.md
View File

@ -9,11 +9,11 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Emotet:
* VN
* CN
* US
* CN
* ...
There are 5 more country items available. Please use our online service to access the data.
There are 7 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -36,7 +36,7 @@ ID | IP address | Hostname | Confidence
13 | 5.89.33.136 | net-5-89-33-136.cust.vodafonedsl.it | High
14 | 5.196.35.138 | vps10.open-techno.net | High
15 | 5.230.193.41 | casagarcia-web.sys.netzfabrik.eu | High
16 | 8.4.9.137 | host-8-4-9-137.onlinehorizons.net | High
16 | 8.4.9.137 | onlinehorizons.net | High
17 | 12.32.68.154 | mail.sealscoinc.com | High
18 | 12.149.72.170 | - | High
19 | 12.162.84.2 | - | High
@ -141,7 +141,7 @@ ID | Technique | Description | Confidence
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 9 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -149,28 +149,28 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `./clients/client` | High
2 | File | `/?ajax-request=jnews` | High
3 | File | `/assets/ctx` | Medium
4 | File | `/config/getuser` | High
1 | File | `/?ajax-request=jnews` | High
2 | File | `/ajax_crud` | Medium
3 | File | `/appliance/users?action=edit` | High
4 | File | `/assets/ctx` | Medium
5 | File | `/core/table/query` | High
6 | File | `/dev/ion` | Medium
7 | File | `/ecma/operations/ecma-objects.c` | High
8 | File | `/enduserreg` | Medium
9 | File | `/forum/away.php` | High
10 | File | `/GetCopiedFile` | High
11 | File | `/goform/activate_process` | High
12 | File | `/hdf5/src/H5T.c` | High
8 | File | `/forum/away.php` | High
9 | File | `/GetCopiedFile` | High
10 | File | `/goform/activate_process` | High
11 | File | `/hdf5/src/H5T.c` | High
12 | File | `/include/chart_generator.php` | High
13 | File | `/jerry-core/ecma/base/ecma-gc.c` | High
14 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
15 | File | `/jerry-core/ecma/base/ecma-lcache.c` | High
16 | File | `/jerry-core/ecma/operations/ecma-objects.c` | High
17 | File | `/jerry-core/vm/vm.c` | High
18 | File | `/mobile/SelectUsers.jsp` | High
19 | File | `/ms/mdiy/model/importJson.do` | High
18 | File | `/ms/mdiy/model/importJson.do` | High
19 | File | `/ms/template/writeFileContent.do` | High
20 | ... | ... | ...
There are 166 more IOA items available. Please use our online service to access the data.
There are 167 more IOA items available. Please use our online service to access the data.
## References

22
EvilBunny/README.md
View File

@ -1,6 +1,6 @@
# EvilBunny - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [EvilBunny](https://vuldb.com/?actor.evilbunny). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [EvilBunny](https://vuldb.com/?actor.evilbunny). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.evilbunny](https://vuldb.com/?actor.evilbunny)
@ -25,12 +25,9 @@ ID | IP address | Hostname | Confidence
2 | 8.5.1.34 | - | High
3 | 64.15.136.137 | - | High
4 | 66.45.225.11 | - | High
5 | 67.19.22.234 | ip1.brainstemprojects.com | High
6 | 67.19.84.46 | 2e.54.1343.static.theplanet.com | High
7 | 68.178.232.99 | parkwebwin-v02.prod.mesa1.secureserver.net | High
8 | ... | ... | ...
5 | ... | ... | ...
There are 13 more IOC items available. Please use our online service to access the data.
There are 16 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -56,14 +53,9 @@ ID | Type | Indicator | Confidence
3 | File | `/etc/passwd` | Medium
4 | File | `/getcfg.php` | Medium
5 | File | `forumrunner/includes/moderation.php` | High
6 | File | `fs/inode.c` | Medium
7 | File | `includes/class.rest-api.php` | High
8 | File | `index.cgi` | Medium
9 | File | `index.php` | Medium
10 | File | `libavcodec/gif.c` | High
11 | ... | ... | ...
6 | ... | ... | ...
There are 31 more IOA items available. Please use our online service to access the data.
There are 38 more IOA items available. Please use our online service to access the data.
## References
@ -75,9 +67,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

54
FIN7/README.md
View File

@ -20,7 +20,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* FR
* ...
There are 27 more country items available. Please use our online service to access the data.
There are 28 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -37,7 +37,7 @@ ID | IP address | Hostname | Confidence
7 | 5.61.32.118 | - | High
8 | 5.61.38.52 | - | High
9 | 5.135.73.113 | - | High
10 | 5.149.250.235 | snigist.co.uk | High
10 | 5.149.250.235 | quoll.tellfex.com | High
11 | 5.149.250.241 | flipveranda.co.uk | High
12 | 5.149.252.144 | - | High
13 | 5.149.253.126 | - | High
@ -116,33 +116,33 @@ ID | Type | Indicator | Confidence
20 | File | `/tmp` | Low
21 | File | `/type.php` | Medium
22 | File | `/uncpath/` | Medium
23 | File | `/wp-json/wc/v3/webhooks` | High
24 | File | `4.2.0.CP09` | Medium
25 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
26 | File | `actions/CompanyDetailsSave.php` | High
27 | File | `ActiveServices.java` | High
28 | File | `admin.color.php` | High
29 | File | `admin.cropcanvas.php` | High
30 | File | `admin.joomlaradiov5.php` | High
31 | File | `admin.php` | Medium
32 | File | `admin/?n=user&c=admin_user&a=doGetUserInfo` | High
33 | File | `admin/add-glossary.php` | High
34 | File | `admin/conf_users_edit.php` | High
35 | File | `admin/edit-comments.php` | High
36 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
37 | File | `admin/write-post.php` | High
38 | File | `administrator/components/com_media/helpers/media.php` | High
39 | File | `admin_events.php` | High
40 | File | `AjaxApplication.java` | High
41 | File | `akocomments.php` | High
42 | File | `allopass-error.php` | High
43 | File | `AllowBindAppWidgetActivity.java` | High
44 | File | `AndroidManifest.xml` | High
45 | File | `AnnotateActivity.java` | High
46 | File | `announcement.php` | High
23 | File | `/usr/bin/pkexec` | High
24 | File | `/wp-json/wc/v3/webhooks` | High
25 | File | `4.2.0.CP09` | Medium
26 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
27 | File | `actions/CompanyDetailsSave.php` | High
28 | File | `ActiveServices.java` | High
29 | File | `admin.color.php` | High
30 | File | `admin.cropcanvas.php` | High
31 | File | `admin.joomlaradiov5.php` | High
32 | File | `admin.php` | Medium
33 | File | `admin/?n=user&c=admin_user&a=doGetUserInfo` | High
34 | File | `admin/add-glossary.php` | High
35 | File | `admin/conf_users_edit.php` | High
36 | File | `admin/edit-comments.php` | High
37 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
38 | File | `admin/write-post.php` | High
39 | File | `administrator/components/com_media/helpers/media.php` | High
40 | File | `admin_events.php` | High
41 | File | `AjaxApplication.java` | High
42 | File | `akocomments.php` | High
43 | File | `allopass-error.php` | High
44 | File | `AllowBindAppWidgetActivity.java` | High
45 | File | `AndroidManifest.xml` | High
46 | File | `AnnotateActivity.java` | High
47 | ... | ... | ...
There are 404 more IOA items available. Please use our online service to access the data.
There are 406 more IOA items available. Please use our online service to access the data.
## References

32
Gaza Cybergang/README.md
View File

@ -1,6 +1,6 @@
# Gaza Cybergang - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Gaza Cybergang](https://vuldb.com/?actor.gaza_cybergang). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gaza Cybergang](https://vuldb.com/?actor.gaza_cybergang). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.gaza_cybergang](https://vuldb.com/?actor.gaza_cybergang)
@ -28,12 +28,11 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 45.63.97.44 | 45.63.97.44.vultr.com | Medium
2 | 82.211.30.186 | cud3.newyparkingspaces.com | High
3 | 82.211.30.192 | cud9.newyparkingspaces.com | High
4 | 82.211.30.212 | cud29.newyparkingspaces.com | High
5 | ... | ... | ...
2 | 82.211.30.186 | - | High
3 | 82.211.30.192 | - | High
4 | ... | ... | ...
There are 6 more IOC items available. Please use our online service to access the data.
There are 7 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -54,19 +53,12 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `api_poller.php` | High
2 | File | `crossdomain.xml` | High
3 | File | `diy/module/member/controllers/Api.php` | High
4 | File | `Forms/tools_admin_1` | High
5 | File | `install/page_dbsettings.php` | High
6 | File | `register/check/username?username` | High
7 | File | `rzpnk.sys` | Medium
8 | File | `wp-includes/class-wp-query.php` | High
9 | Library | `C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_4592475aca2acf83\Amd64\printconfig.dll` | High
10 | Library | `mshtml.dll` | Medium
11 | ... | ... | ...
1 | File | `/index.php/newsletter/subscriber/new/` | High
2 | File | `api_poller.php` | High
3 | File | `crossdomain.xml` | High
4 | ... | ... | ...
There are 6 more IOA items available. Please use our online service to access the data.
There are 14 more IOA items available. Please use our online service to access the data.
## References
@ -79,9 +71,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

13
Gorgon Group/README.md
View File

@ -1,6 +1,6 @@
# Gorgon Group - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Gorgon Group](https://vuldb.com/?actor.gorgon_group). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gorgon Group](https://vuldb.com/?actor.gorgon_group). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.gorgon_group](https://vuldb.com/?actor.gorgon_group)
@ -37,10 +37,9 @@ ID | Type | Indicator | Confidence
1 | File | `/uncpath/` | Medium
2 | File | `app/controllers/frontend/PostController.php` | High
3 | File | `www/soap/application/MCSoap/Logs.php` | High
4 | Argument | `score` | Low
5 | Input Value | `%00` | Low
6 | Input Value | `::$Index_Allocation` | High
7 | Network Port | `Web Server Port` | High
4 | ... | ... | ...
There are 4 more IOA items available. Please use our online service to access the data.
## References
@ -52,9 +51,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

173
Grizzly Steppe/README.md
View File

@ -1,6 +1,6 @@
# Grizzly Steppe - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Grizzly Steppe](https://vuldb.com/?actor.grizzly_steppe). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Grizzly Steppe](https://vuldb.com/?actor.grizzly_steppe). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.grizzly_steppe](https://vuldb.com/?actor.grizzly_steppe)
@ -8,12 +8,12 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Grizzly Steppe:
* CN
* RU
* US
* LU
* NO
* ...
There are 59 more country items available. Please use our online service to access the data.
There are 18 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -41,9 +41,113 @@ ID | IP address | Hostname | Confidence
18 | 5.77.47.142 | - | High
19 | 5.133.8.152 | vendorcool.com | High
20 | 5.133.8.162 | d8162.artnet.gda.pl | High
21 | ... | ... | ...
21 | 5.133.179.243 | better-support4u.com | High
22 | 5.134.1.250 | 5.134.1.250.hosted.by.stone-is.net | High
23 | 5.135.65.145 | - | High
24 | 5.135.65.146 | - | High
25 | 5.135.186.35 | ns3291871.ip-5-135-186.eu | High
26 | 5.135.199.28 | - | High
27 | 5.149.249.172 | - | High
28 | 5.149.254.114 | mail1.auditoriavanzada.info | High
29 | 5.153.233.58 | - | High
30 | 5.153.234.90 | - | High
31 | 5.157.38.34 | - | High
32 | 5.189.188.111 | vmd78384.contaboserver.net | High
33 | 5.196.1.129 | vps-3d93b08b.vps.ovh.net | High
34 | 5.196.58.96 | ip96.ip-5-196-58.eu | High
35 | 5.199.171.58 | - | High
36 | 5.199.172.147 | hst-172-147.cloudlix.com | High
37 | 5.212.1.1 | - | High
38 | 5.249.145.164 | host164-145-249-5.serverdedicati.aruba.it | High
39 | 5.255.80.27 | srv23.mylady8.com | High
40 | 8.39.147.120 | - | High
41 | 23.239.10.144 | tor.shamm.as | High
42 | 23.254.211.232 | hwsrv-930953.hostwindsdns.com | High
43 | 27.24.190.240 | - | High
44 | 27.50.94.251 | - | High
45 | 31.16.91.237 | ip1f105bed.dynamic.kabel-deutschland.de | High
46 | 31.31.72.43 | - | High
47 | 31.132.0.11 | no.rdns.ukservers.com | High
48 | 31.132.0.12 | no.rdns.ukservers.com | High
49 | 31.148.219.50 | - | High
50 | 31.148.219.166 | - | High
51 | 31.148.219.168 | - | High
52 | 31.148.219.176 | - | High
53 | 31.168.172.147 | 31-168-172-147.telavivwifi.com | High
54 | 31.186.96.19 | diburo.ru | High
55 | 31.186.96.20 | test.diburo.ru | High
56 | 31.192.228.185 | 31-192-228-185-static.glesys.net | High
57 | 31.210.111.154 | . | High
58 | 31.210.117.131 | . | High
59 | 31.210.118.89 | . | High
60 | 31.210.123.213 | . | High
61 | 31.210.123.214 | . | High
62 | 31.210.125.99 | . | High
63 | 31.210.125.100 | . | High
64 | 31.220.43.99 | - | High
65 | 35.0.127.52 | tor-exit.eecs.umich.edu | High
66 | 37.0.127.44 | bidder-quail.fellnear.net | High
67 | 37.48.93.246 | 3906-others.noaaonline.com | High
68 | 37.59.42.55 | dev.upyourbizz.com | High
69 | 37.59.63.190 | ns3100645.ip-37-59-63.eu | High
70 | 37.59.123.142 | 142.ip-37-59-123.eu | High
71 | 37.123.130.176 | h-37-123-130-176.A183.corp.bahnhof.se | High
72 | 37.123.130.186 | h-37-123-130-186.A183.corp.bahnhof.se | High
73 | 37.139.52.47 | coachrobbo.com | High
74 | 37.146.14.44 | 37-146-14-44.broadband.corbina.ru | High
75 | 37.187.7.74 | ns3372567.ip-37-187-7.eu | High
76 | 37.187.239.8 | 8.ip-37-187-239.eu | High
77 | 37.187.247.3 | 3.ip-37-187-247.eu | High
78 | 37.220.35.36 | - | High
79 | 37.233.99.157 | - | High
80 | 37.235.53.237 | 237.53.235.37.in-addr.arpa | High
81 | 37.247.54.157 | - | High
82 | 38.110.220.169 | - | High
83 | 41.77.136.250 | - | High
84 | 41.212.1.1 | po-0-0-0.edge1.uk-ln-TH-E.wananchi.com | High
85 | 41.215.241.147 | - | High
86 | 42.1.1.1 | - | High
87 | 42.51.11.66 | - | High
88 | 42.112.33.43 | - | High
89 | 43.1.1.1 | - | High
90 | 45.32.239.246 | 45.32.239.246.vultr.com | Medium
91 | 45.55.178.34 | - | High
92 | 45.56.90.85 | 45-56-90-85.ip.linodeusercontent.com | High
93 | 45.62.255.94 | notassigned.cloudatcost.com | High
94 | 45.79.85.112 | li1184-112.members.linode.com | High
95 | 46.4.193.146 | server.netica.pl | High
96 | 46.17.100.14 | - | High
97 | 46.28.68.158 | a.prohoster.info | High
98 | 46.28.110.136 | - | High
99 | 46.28.111.122 | - | High
100 | 46.29.248.238 | - | High
101 | 46.73.164.160 | ip-46-73-164-160.bb.netbynet.ru | High
102 | 46.148.17.98 | - | High
103 | 46.148.17.99 | - | High
104 | 46.148.17.100 | - | High
105 | 46.148.17.210 | - | High
106 | 46.148.26.78 | stb.fox-tv.info | High
107 | 46.165.196.229 | - | High
108 | 46.165.197.1 | - | High
109 | 46.165.223.217 | - | High
110 | 46.165.228.119 | - | High
111 | 46.165.230.5 | tor-exit.dhalgren.org | High
112 | 46.166.137.224 | - | High
113 | 46.166.137.240 | - | High
114 | 46.166.137.245 | - | High
115 | 46.166.138.129 | - | High
116 | 46.166.138.141 | - | High
117 | 46.166.138.142 | - | High
118 | 46.166.138.147 | - | High
119 | 46.166.186.243 | tsn46-166-168-243.dyn.nltelcom.net | High
120 | 46.166.188.228 | - | High
121 | 46.166.190.182 | - | High
122 | 46.166.190.192 | - | High
123 | 46.166.190.223 | - | High
124 | 46.242.66.240 | broadband-46-242-66-240.ip.moscow.rt.ru | High
125 | ... | ... | ...
There are 600 more IOC items available. Please use our online service to access the data.
There are 496 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -51,14 +155,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1008 | Algorithm Downgrade | High
2 | T1040 | Authentication Bypass by Capture-replay | High
3 | T1059.007 | Cross Site Scripting | High
4 | T1068 | Execution with Unnecessary Privileges | High
5 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
6 | ... | ... | ...
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | ... | ... | ...
There are 11 more TTP items available. Please use our online service to access the data.
There are 10 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -66,19 +168,36 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `#!/system` | Medium
2 | File | `$HOME/.forward` | High
3 | File | `$JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups` | High
4 | File | `%2a` | Low
5 | File | `%APPDATA%` | Medium
6 | File | `%PROGRAMDATA%\1E\Client` | High
7 | File | `%PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10` | High
8 | File | `%PROGRAMDATA%\Psyprax32\PPScreen.ini` | High
9 | File | `%PROGRAMFILES%\Cylance\Desktop\log` | High
10 | File | `%PROGRAMFILES(X86)%/Aternity Information Systems/Assistant/plugins` | High
11 | ... | ... | ...
1 | File | `/admin/index.php?lfj=mysql&action=del` | High
2 | File | `/authen/start/` | High
3 | File | `/cgi-bin/luci/rc` | High
4 | File | `/cms/ajax.php` | High
5 | File | `/context/%2e/WEB-INF/web.xml` | High
6 | File | `/domain/service/.ewell-known/caldav` | High
7 | File | `/download` | Medium
8 | File | `/etc/hosts` | Medium
9 | File | `/formWlanSetup` | High
10 | File | `/include/chart_generator.php` | High
11 | File | `/modules/profile/index.php` | High
12 | File | `/monitoring` | Medium
13 | File | `/music/ajax.php` | High
14 | File | `/new` | Low
15 | File | `/pandora_console/ajax.php` | High
16 | File | `/plugins/servlet/audit/resource` | High
17 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
18 | File | `/proc/<pid>/status` | High
19 | File | `/public/plugins/` | High
20 | File | `/rest/api/1.0/render` | High
21 | File | `/RestAPI` | Medium
22 | File | `/secure/QueryComponent!Default.jspa` | High
23 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
24 | File | `/tmp` | Low
25 | File | `/uncpath/` | Medium
26 | File | `/var/log/nginx` | High
27 | File | `account.php` | Medium
28 | ... | ... | ...
There are 25121 more IOA items available. Please use our online service to access the data.
There are 240 more IOA items available. Please use our online service to access the data.
## References
@ -91,9 +210,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

36
Inception/README.md
View File

@ -14,8 +14,8 @@ The following campaigns are known and can be associated with Inception:
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Inception:
* PL
* SV
* IT
* FR
* ...
@ -61,25 +61,25 @@ ID | Type | Indicator | Confidence
6 | File | `/domain/service/.ewell-known/caldav` | High
7 | File | `/etc/passwd` | Medium
8 | File | `/formAdvFirewall` | High
9 | File | `/goods/getGoodsListByConditions/` | High
10 | File | `/home/user/dir` | High
11 | File | `/master/article.php` | High
12 | File | `/mobile/SelectUsers.jsp` | High
13 | File | `/ProteinArraySignificanceTest.json` | High
14 | File | `/Videos/Id/hls/PlaylistId/SegmentId.SegmentContainer` | High
15 | File | `/web` | Low
16 | File | `4.edu.php\conn\function.php` | High
17 | File | `abc.c` | Low
18 | File | `admin/bad.php` | High
19 | File | `admin/dl_sendmail.php` | High
20 | File | `admin/edit.php` | High
21 | File | `admin/pages/useredit.php` | High
22 | File | `AdminBaseController.class.php` | High
23 | File | `AlertReceiver.java` | High
24 | File | `AndroidManifest.xml` | High
9 | File | `/home/user/dir` | High
10 | File | `/master/article.php` | High
11 | File | `/mobile/SelectUsers.jsp` | High
12 | File | `/ProteinArraySignificanceTest.json` | High
13 | File | `/Videos/Id/hls/PlaylistId/SegmentId.SegmentContainer` | High
14 | File | `/web` | Low
15 | File | `4.edu.php\conn\function.php` | High
16 | File | `abc.c` | Low
17 | File | `admin/bad.php` | High
18 | File | `admin/dl_sendmail.php` | High
19 | File | `admin/edit.php` | High
20 | File | `admin/pages/useredit.php` | High
21 | File | `AdminBaseController.class.php` | High
22 | File | `AlertReceiver.java` | High
23 | File | `AndroidManifest.xml` | High
24 | File | `apc.php` | Low
25 | ... | ... | ...
There are 213 more IOA items available. Please use our online service to access the data.
There are 212 more IOA items available. Please use our online service to access the data.
## References

13
KryptoCibule/README.md
View File

@ -1,9 +1,16 @@
# KryptoCibule - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [KryptoCibule](https://vuldb.com/?actor.kryptocibule). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [KryptoCibule](https://vuldb.com/?actor.kryptocibule). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.kryptocibule](https://vuldb.com/?actor.kryptocibule)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with KryptoCibule:
* CN
* US
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of KryptoCibule.
@ -22,9 +29,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

13
Lazarus/README.md
View File

@ -242,12 +242,15 @@ ID | Type | Indicator | Confidence
5 | File | `/ecma/operations/ecma-objects.c` | High
6 | File | `/GetCopiedFile` | High
7 | File | `/hdf5/src/H5T.c` | High
8 | File | `/leave_system/classes/Login.php` | High
9 | File | `/risque/administration/referentiel/json/create/categorie` | High
10 | File | `/rsms/` | Low
11 | ... | ... | ...
8 | File | `/jerry-core/ecma/operations/ecma-get-put-value.c` | High
9 | File | `/jerry-core/ecma/operations/ecma-typedarray-object.c` | High
10 | File | `/leave_system/classes/Login.php` | High
11 | File | `/plugin` | Low
12 | File | `/rest/collectors/1.0/template/custom` | High
13 | File | `/risque/administration/referentiel/json/create/categorie` | High
14 | ... | ... | ...
There are 80 more IOA items available. Please use our online service to access the data.
There are 115 more IOA items available. Please use our online service to access the data.
## References

81
Lokibot/README.md
View File

@ -1,12 +1,12 @@
# Lokibot - Cyber Threat Intelligence
# LokiBot - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Lokibot](https://vuldb.com/?actor.lokibot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [LokiBot](https://vuldb.com/?actor.lokibot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.lokibot](https://vuldb.com/?actor.lokibot)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lokibot:
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with LokiBot:
* ES
* US
@ -17,7 +17,7 @@ There are 12 more country items available. Please use our online service to acce
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Lokibot.
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of LokiBot.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
@ -38,46 +38,75 @@ ID | IP address | Hostname | Confidence
15 | 54.225.78.40 | ec2-54-225-78-40.compute-1.amazonaws.com | Medium
16 | 54.225.165.85 | ec2-54-225-165-85.compute-1.amazonaws.com | Medium
17 | 54.225.245.108 | ec2-54-225-245-108.compute-1.amazonaws.com | Medium
18 | 54.235.88.121 | ec2-54-235-88-121.compute-1.amazonaws.com | Medium
19 | 63.141.228.141 | mxrotation8.rotationmarketingssl.com.br | High
20 | 63.250.40.204 | house-including.quarantine-pnap-vlan51.web-hosting.com | High
21 | ... | ... | ...
18 | ... | ... | ...
There are 65 more IOC items available. Please use our online service to access the data.
There are 68 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Lokibot. This data is unique as it uses our predictive model for actor profiling.
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by LokiBot. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Lokibot. This data is unique as it uses our predictive model for actor profiling.
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by LokiBot. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `%SYSTEMDRIVE%\ProgramData\exclusions.dat` | High
2 | File | `.htaccess` | Medium
3 | File | `/.htpasswd` | Medium
4 | File | `/1/?type=productinfo&S_id=140` | High
5 | File | `/?module=metadata&section=cpanel&page=list_filetypes` | High
6 | File | `/academico/aluno/esqueci-minha-senha/` | High
7 | File | `/adm/syscmd.asp` | High
8 | File | `/admin/` | Low
9 | File | `/admin/config.php?display=disa&view=form` | High
10 | File | `/admin/loginc.php` | High
11 | ... | ... | ...
1 | File | `/.htpasswd` | Medium
2 | File | `/1/?type=productinfo&S_id=140` | High
3 | File | `/academico/aluno/esqueci-minha-senha/` | High
4 | File | `/admin/config.php?display=disa&view=form` | High
5 | File | `/admin/syslog` | High
6 | File | `/api/blade-log/api/list` | High
7 | File | `/api/resource/Item?fields` | High
8 | File | `/aterm_httpif.cgi/negotiate` | High
9 | File | `/attachments.php` | High
10 | File | `/category_view.php` | High
11 | File | `/cgi-bin/wapopen` | High
12 | File | `/cms?section=manage_settings&action=edit` | High
13 | File | `/contingency/servlet/ServletFileDownload` | High
14 | File | `/data/inc/images.php` | High
15 | File | `/docs/captcha_(number).jpeg` | High
16 | File | `/etc/keystone/user-project-map.json` | High
17 | File | `/etc/sysctl.d/10-ptrace.conf` | High
18 | File | `/forum/` | Low
19 | File | `/goform/SystemCommand` | High
20 | File | `/index.php/admin/admin_manage/add.html` | High
21 | File | `/index.php/newsletter/subscriber/new/` | High
22 | File | `/knowage/restful-services/documentnotes/saveNote` | High
23 | File | `/magnoliaAuthor/.magnolia/` | High
24 | File | `/main.php` | Medium
25 | File | `/newsDia.php` | Medium
26 | File | `/objects/getSpiritsFromVideo.php` | High
27 | File | `/owa/auth/logon.aspx` | High
28 | File | `/product` | Medium
29 | File | `/reports-viewScriptReport.view` | High
30 | File | `/restapi/v1/certificates/FFM-SSLInspect` | High
31 | File | `/romfile.cfg` | Medium
32 | File | `/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet` | High
33 | File | `/system/WCore/WHelper.php` | High
34 | File | `/tmp` | Low
35 | File | `/tmp/speedtest_urls.xml` | High
36 | File | `/uncpath/` | Medium
37 | File | `/var/www/xms/cleanzip.sh` | High
38 | File | `/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php` | High
39 | File | `/webconsole/APIController` | High
40 | File | `/webconsole/Controller` | High
41 | File | `AACExtractor.cpp` | High
42 | File | `add_comment.php` | High
43 | File | `admin.htm` | Medium
44 | ... | ... | ...
There are 1133 more IOA items available. Please use our online service to access the data.
There are 384 more IOA items available. Please use our online service to access the data.
## References
@ -103,4 +132,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

12
Moafee/README.md
View File

@ -1,6 +1,6 @@
# Moafee - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Moafee](https://vuldb.com/?actor.moafee). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Moafee](https://vuldb.com/?actor.moafee). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.moafee](https://vuldb.com/?actor.moafee)
@ -25,11 +25,9 @@ ID | IP address | Hostname | Confidence
1 | 58.64.201.229 | - | High
2 | 98.126.91.66 | - | High
3 | 113.65.22.148 | - | High
4 | 113.65.41.28 | - | High
5 | 113.65.43.42 | - | High
6 | ... | ... | ...
4 | ... | ... | ...
There are 10 more IOC items available. Please use our online service to access the data.
There are 12 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -59,9 +57,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

16
Monarchy/README.md
View File

@ -1,6 +1,6 @@
# Monarchy - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Monarchy](https://vuldb.com/?actor.monarchy). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Monarchy](https://vuldb.com/?actor.monarchy). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.monarchy](https://vuldb.com/?actor.monarchy)
@ -16,13 +16,21 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 45.76.47.218 | - | High
1 | 45.76.47.218 | 45.76.47.218.vultr.com | Medium
2 | 134.122.87.198 | - | High
3 | 178.128.163.233 | gpsurgerydatabase-staging.assura.uk | High
4 | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Monarchy. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `ContactSelectionActivity.java` | High
## References
The following list contains external sources which discuss the actor and the associated activities:
@ -33,9 +41,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

2
Moses Staff/README.md
View File

@ -28,4 +28,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

52
MuddyWater/README.md
View File

@ -1,6 +1,6 @@
# MuddyWater - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [MuddyWater](https://vuldb.com/?actor.muddywater). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [MuddyWater](https://vuldb.com/?actor.muddywater). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.muddywater](https://vuldb.com/?actor.muddywater)
@ -34,13 +34,9 @@ ID | IP address | Hostname | Confidence
4 | 38.132.99.167 | - | High
5 | 46.99.148.96 | - | High
6 | 66.219.22.235 | core96.hostingmadeeasy.com | High
7 | 78.129.139.134 | der134.creditloanlenders.com | High
8 | 78.129.139.147 | - | High
9 | 78.129.139.148 | - | High
10 | 78.129.222.56 | - | High
11 | ... | ... | ...
7 | ... | ... | ...
There are 18 more IOC items available. Please use our online service to access the data.
There are 22 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -51,10 +47,9 @@ ID | Technique | Description | Confidence
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -64,17 +59,30 @@ ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `%PROGRAMFILES%\MyQ\PHP\Sessions\` | High
2 | File | `/.env` | Low
3 | File | `/etc/ajenti/config.yml` | High
4 | File | `/etc/passwd` | Medium
5 | File | `/login` | Low
6 | File | `/movie.php` | Medium
7 | File | `/nagiosxi/admin/graphtemplates.php` | High
8 | File | `/phppath/php` | Medium
9 | File | `/search_events.php` | High
10 | File | `/StartingPage/link_req_2.php` | High
11 | ... | ... | ...
3 | File | `/.flatpak-info` | High
4 | File | `/etc/ajenti/config.yml` | High
5 | File | `/etc/passwd` | Medium
6 | File | `/login` | Low
7 | File | `/movie.php` | Medium
8 | File | `/nagiosxi/admin/graphtemplates.php` | High
9 | File | `/phppath/php` | Medium
10 | File | `/search_events.php` | High
11 | File | `/StartingPage/link_req_2.php` | High
12 | File | `/usr/bin/pkexec` | High
13 | File | `/ViewUserHover.jspa` | High
14 | File | `abook_database.php` | High
15 | File | `admin.php` | Medium
16 | File | `admin/admin.shtml` | High
17 | File | `admin/AJAX_lookup_handler.php` | High
18 | File | `admin/bitrix.xscan_worker.php` | High
19 | File | `admin/config.php` | High
20 | File | `admin/general.php` | High
21 | File | `admin/login.asp` | High
22 | File | `admin/movieedit.php` | High
23 | File | `affich.php` | Medium
24 | ... | ... | ...
There are 197 more IOA items available. Please use our online service to access the data.
There are 196 more IOA items available. Please use our online service to access the data.
## References
@ -92,9 +100,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

2
MyKings/README.md
View File

@ -87,7 +87,7 @@ ID | Type | Indicator | Confidence
19 | File | `ajax/api/hook/decodeArguments` | High
20 | ... | ... | ...
There are 164 more IOA items available. Please use our online service to access the data.
There are 165 more IOA items available. Please use our online service to access the data.
## References

15
NightScout/README.md
View File

@ -1,6 +1,6 @@
# NightScout - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [NightScout](https://vuldb.com/?actor.nightscout). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [NightScout](https://vuldb.com/?actor.nightscout). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.nightscout](https://vuldb.com/?actor.nightscout)
@ -48,12 +48,9 @@ ID | Type | Indicator | Confidence
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/cgi-bin/wapopen` | High
3 | File | `iesfootprint.jsp` | High
4 | File | `login_meeting.cgi` | High
5 | Library | `ContentStore/Base/CVDataPipe.dll` | High
6 | Argument | `FILECAMERA` | Medium
7 | Argument | `src` | Low
8 | Input Value | `../..` | Low
9 | Input Value | `11' AND utl_http.request('http://attackers_host/lalal')='1' GROUP BY panel_name)) --` | High
4 | ... | ... | ...
There are 6 more IOA items available. Please use our online service to access the data.
## References
@ -65,9 +62,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

18
PakistanChatMessenger/README.md
View File

@ -1,6 +1,6 @@
# PakistanChatMessenger - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [PakistanChatMessenger](https://vuldb.com/?actor.pakistanchatmessenger). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [PakistanChatMessenger](https://vuldb.com/?actor.pakistanchatmessenger). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.pakistanchatmessenger](https://vuldb.com/?actor.pakistanchatmessenger)
@ -9,6 +9,7 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with PakistanChatMessenger:
* US
* CN
* DE
## IOC - Indicator of Compromise
@ -50,12 +51,13 @@ ID | Type | Indicator | Confidence
5 | File | `/list_temp_photo_pin_upload.php` | High
6 | File | `/searchpin.php` | High
7 | File | `/show_group_members.php` | High
8 | File | `admin/adduser.php` | High
9 | File | `admin\model\catalog\download.php` | High
10 | File | `authcfg.cgi` | Medium
11 | ... | ... | ...
8 | File | `/sqfs/bin/sccd` | High
9 | File | `admin/adduser.php` | High
10 | File | `admin\model\catalog\download.php` | High
11 | File | `authcfg.cgi` | Medium
12 | ... | ... | ...
There are 91 more IOA items available. Please use our online service to access the data.
There are 94 more IOA items available. Please use our online service to access the data.
## References
@ -67,9 +69,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

28
PittyTiger/README.md
View File

@ -1,6 +1,6 @@
# PittyTiger - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [PittyTiger](https://vuldb.com/?actor.pittytiger). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [PittyTiger](https://vuldb.com/?actor.pittytiger). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.pittytiger](https://vuldb.com/?actor.pittytiger)
@ -29,17 +29,9 @@ ID | IP address | Hostname | Confidence
10 | 58.61.40.5 | 5.40.61.58.broad.sz.gd.dynamic.163data.com.cn | High
11 | 58.64.175.191 | - | High
12 | 58.64.175.255 | - | High
13 | 58.64.177.60 | - | High
14 | 58.64.185.200 | - | High
15 | 58.64.185.255 | - | High
16 | 59.53.91.33 | - | High
17 | 59.120.84.230 | 59-120-84-230.hinet-ip.hinet.net | High
18 | 59.123.255.255 | 59-123-255-255.dynamic-ip.hinet.net | High
19 | 61.145.112.78 | - | High
20 | 61.220.44.244 | 61-220-44-244.hinet-ip.hinet.net | High
21 | ... | ... | ...
13 | ... | ... | ...
There are 40 more IOC items available. Please use our online service to access the data.
There are 48 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -48,6 +40,8 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1499 | Resource Consumption | High
3 | T1587.003 | Improper Certificate Validation | High
## IOA - Indicator of Attack
@ -57,10 +51,10 @@ ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cgi-bin/go` | Medium
2 | File | `/cgi-bin/portal` | High
3 | File | `kbdint.c` | Medium
4 | File | `wp-admin/admin-post.php?swp_debug=load_options` | High
5 | Argument | `ACTION` | Low
6 | Argument | `swp_url` | Low
3 | File | `admin/conf_users_edit.php` | High
4 | ... | ... | ...
There are 5 more IOA items available. Please use our online service to access the data.
## References
@ -73,9 +67,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

55
Redline/README.md
View File

@ -1,6 +1,6 @@
# Redline - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Redline](https://vuldb.com/?actor.redline). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Redline](https://vuldb.com/?actor.redline). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.redline](https://vuldb.com/?actor.redline)
@ -13,7 +13,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* TR
* ...
There are 9 more country items available. Please use our online service to access the data.
There are 10 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -31,19 +31,14 @@ ID | IP address | Hostname | Confidence
8 | 23.23.104.250 | ec2-23-23-104-250.compute-1.amazonaws.com | Medium
9 | 23.46.238.194 | a23-46-238-194.deploy.static.akamaitechnologies.com | High
10 | 34.76.8.115 | 115.8.76.34.bc.googleusercontent.com | Medium
11 | 37.46.150.90 | redflower.bar | High
11 | 37.46.150.90 | - | High
12 | 45.33.89.196 | li1035-196.members.linode.com | High
13 | 45.67.231.50 | licher.lone.example.com | High
14 | 45.84.0.108 | pangeransosmed.vip | High
15 | 45.84.0.200 | 1c.capricorn.md | High
16 | 45.128.150.68 | dok.com | High
17 | 45.130.147.55 | - | High
18 | 45.139.184.124 | vps150027.vpsville.ru | High
19 | 45.146.164.230 | - | High
20 | 46.29.114.16 | pointer.vps.house | High
21 | ... | ... | ...
16 | ... | ... | ...
There are 57 more IOC items available. Please use our online service to access the data.
There are 62 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -54,10 +49,9 @@ ID | Technique | Description | Confidence
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
There are 9 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -73,11 +67,34 @@ ID | Type | Indicator | Confidence
6 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
7 | File | `/Config/SaveUploadedHotspotLogoFile` | High
8 | File | `/dev/shm` | Medium
9 | File | `/getcfg.php` | Medium
10 | File | `/goform/RgUrlBlock.asp` | High
11 | ... | ... | ...
9 | File | `/dl/dl_print.php` | High
10 | File | `/getcfg.php` | Medium
11 | File | `/goform/RgUrlBlock.asp` | High
12 | File | `/index.php` | Medium
13 | File | `/info.asp` | Medium
14 | File | `/info.xml` | Medium
15 | File | `/jeecg-boot/sys/common/upload` | High
16 | File | `/mc-admin/post.php?state=delete&delete` | High
17 | File | `/product_list.php` | High
18 | File | `/see_more_details.php` | High
19 | File | `/ucms/chk.php` | High
20 | File | `5.2.9\syscrb.exe` | High
21 | File | `abc-pcie.c` | Medium
22 | File | `adclick.php` | Medium
23 | File | `addentry.php` | Medium
24 | File | `addmember.php` | High
25 | File | `addtocart.asp` | High
26 | File | `addtomylist.asp` | High
27 | File | `admin.php/admin/configset/index/group/upload.html` | High
28 | File | `admin.x-shop.php` | High
29 | File | `admin/auth.php` | High
30 | File | `admin/category.inc.php` | High
31 | File | `admin/config/confmgr.php` | High
32 | File | `admin/import/class-import-settings.php` | High
33 | File | `admin/user/group/update` | High
34 | ... | ... | ...
There are 310 more IOA items available. Please use our online service to access the data.
There are 292 more IOA items available. Please use our online service to access the data.
## References
@ -93,9 +110,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
Roaming Tiger/README.md
View File

@ -1,6 +1,6 @@
# Roaming Tiger - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Roaming Tiger](https://vuldb.com/?actor.roaming_tiger). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Roaming Tiger](https://vuldb.com/?actor.roaming_tiger). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.roaming_tiger](https://vuldb.com/?actor.roaming_tiger)
@ -41,9 +41,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

20
Shell Crew/README.md
View File

@ -1,6 +1,6 @@
# Shell Crew - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Shell Crew](https://vuldb.com/?actor.shell_crew). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Shell Crew](https://vuldb.com/?actor.shell_crew). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.shell_crew](https://vuldb.com/?actor.shell_crew)
@ -21,12 +21,9 @@ ID | IP address | Hostname | Confidence
2 | 43.249.81.210 | - | High
3 | 50.115.138.215 | 50-115-138-215.genericreverse.com | High
4 | 92.242.144.2 | - | High
5 | 118.193.153.5 | - | High
6 | 119.57.196.30 | - | High
7 | 122.10.9.154 | - | High
8 | ... | ... | ...
5 | ... | ... | ...
There are 12 more IOC items available. Please use our online service to access the data.
There are 15 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -46,10 +43,9 @@ ID | Type | Indicator | Confidence
1 | File | `fs/aio.c` | Medium
2 | File | `index.php?mod=main&opt=personal` | High
3 | File | `pkg/tool/path.go` | High
4 | File | `receiver.c` | Medium
5 | File | `routes/api/v1/api.go` | High
6 | Argument | `avatar_file` | Medium
7 | Argument | `m1_idlist` | Medium
4 | ... | ... | ...
There are 4 more IOA items available. Please use our online service to access the data.
## References
@ -62,9 +58,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

18
South Asia Unknown/README.md
View File

@ -1,6 +1,6 @@
# South Asia Unknown - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [South Asia Unknown](https://vuldb.com/?actor.south_asia_unknown). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [South Asia Unknown](https://vuldb.com/?actor.south_asia_unknown). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.south_asia_unknown](https://vuldb.com/?actor.south_asia_unknown)
@ -21,7 +21,7 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 91.92.136.239 | - | High
1 | 91.92.136.239 | osca.gotdns.ch | High
2 | 139.28.38.231 | 139.28.38.231.deltahost-ptr | High
3 | 139.28.38.236 | 139.28.38.236.deltahost-ptr | High
4 | ... | ... | ...
@ -51,15 +51,9 @@ ID | Type | Indicator | Confidence
2 | File | `/uncpath/` | Medium
3 | File | `category.php` | Medium
4 | File | `classified_right.php` | High
5 | File | `courier/1000@/oauth/playground/callback.html` | High
6 | File | `data/gbconfiguration.dat` | High
7 | File | `Form2File.htm` | High
8 | File | `home/seos/courier/web/wmProgressstat.html.php` | High
9 | File | `html/install.php` | High
10 | File | `index.php` | Medium
11 | ... | ... | ...
5 | ... | ... | ...
There are 27 more IOA items available. Please use our online service to access the data.
There are 33 more IOA items available. Please use our online service to access the data.
## References
@ -71,9 +65,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

16
TA551/README.md
View File

@ -34,14 +34,9 @@ ID | IP address | Hostname | Confidence
5 | 43.128.232.152 | - | High
6 | 43.129.239.78 | - | High
7 | 43.133.160.144 | - | High
8 | 45.95.11.151 | vm220095.pq.hosting | High
9 | 45.95.11.153 | vm284420.pq.hosting | High
10 | 45.95.11.154 | l-universe.com | High
11 | 45.95.11.155 | kuhtin.com | High
12 | 45.95.11.157 | mail.hottiesforums.com | High
13 | ... | ... | ...
8 | ... | ... | ...
There are 24 more IOC items available. Please use our online service to access the data.
There are 29 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -71,10 +66,9 @@ ID | Type | Indicator | Confidence
7 | File | `/uncpath/` | Medium
8 | File | `adclick.php` | Medium
9 | File | `admin/getparam.cgi` | High
10 | File | `admin/infoclass_update.php` | High
11 | ... | ... | ...
10 | ... | ... | ...
There are 71 more IOA items available. Please use our online service to access the data.
There are 72 more IOA items available. Please use our online service to access the data.
## References
@ -93,4 +87,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

36
njRAT/README.md
View File

@ -1,6 +1,6 @@
# njRAT - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [njRAT](https://vuldb.com/?actor.njrat). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [njRAT](https://vuldb.com/?actor.njrat). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.njrat](https://vuldb.com/?actor.njrat)
@ -13,7 +13,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* FR
* ...
There are 1 more country items available. Please use our online service to access the data.
There are 2 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -24,12 +24,9 @@ ID | IP address | Hostname | Confidence
1 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | High
2 | 23.3.13.154 | a23-3-13-154.deploy.static.akamaitechnologies.com | High
3 | 41.200.44.39 | - | High
4 | 41.200.143.212 | - | High
5 | 46.243.150.150 | - | High
6 | 52.128.23.153 | - | High
7 | ... | ... | ...
4 | ... | ... | ...
There are 10 more IOC items available. Please use our online service to access the data.
There are 13 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -40,6 +37,9 @@ ID | Technique | Description | Confidence
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
There are 2 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -47,19 +47,13 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `books.php` | Medium
2 | File | `data/gbconfiguration.dat` | High
3 | File | `devices.inc.php` | High
4 | File | `ecrire/inc/filtres.php` | High
5 | File | `goform/AdvSetDns?GO=wan_dns.asp` | High
6 | File | `guestbook.cgi` | High
7 | File | `html/config` | Medium
8 | File | `inc/config.php` | High
9 | File | `index.js` | Medium
10 | File | `index.php` | Medium
11 | ... | ... | ...
1 | File | `/uncpath/` | Medium
2 | File | `/var/log/nginx` | High
3 | File | `books.php` | Medium
4 | File | `data/gbconfiguration.dat` | High
5 | ... | ... | ...
There are 18 more IOA items available. Please use our online service to access the data.
There are 28 more IOA items available. Please use our online service to access the data.
## References
@ -75,9 +69,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

46
xHunt/README.md
View File

@ -87,31 +87,31 @@ ID | Type | Indicator | Confidence
28 | File | `/uncpath/` | Medium
29 | File | `/Upload/admin/index.php?module=forum-management&action=add` | High
30 | File | `/uploads/dede` | High
31 | File | `/var/log/messages` | High
32 | File | `/WEB-INF/web.xml` | High
33 | File | `/webman/info.cgi` | High
34 | File | `/wp-json/wc/v3/webhooks` | High
35 | File | `/_next` | Low
36 | File | `AccessPoint.aspx` | High
37 | File | `actions.hsp` | Medium
38 | File | `activateuser.aspx` | High
39 | File | `AdHocQuery_Processor.aspx` | High
40 | File | `admin.asp` | Medium
41 | File | `admin.php?m=admin&c=site&a=save` | High
42 | File | `admin/admin.asp` | High
43 | File | `admin/backupdb.php` | High
44 | File | `admin/bitrix.mpbuilder_step2.php` | High
45 | File | `admin/bitrix.xscan_worker.php` | High
46 | File | `admin/gb-dashboard-widget.php` | High
47 | File | `admin/images.aspx` | High
48 | File | `admin/login.asp` | High
49 | File | `admin/mcart_xls_import.php` | High
50 | File | `admin/modules/tools/ip_history_logs.php` | High
51 | File | `admin/orion.extfeedbackform_efbf_forms.php` | High
52 | File | `admin/ueditor/uploadFile` | High
31 | File | `/usr/bin/pkexec` | High
32 | File | `/var/log/messages` | High
33 | File | `/WEB-INF/web.xml` | High
34 | File | `/webman/info.cgi` | High
35 | File | `/wp-json/wc/v3/webhooks` | High
36 | File | `/_next` | Low
37 | File | `AccessPoint.aspx` | High
38 | File | `actions.hsp` | Medium
39 | File | `activateuser.aspx` | High
40 | File | `AdHocQuery_Processor.aspx` | High
41 | File | `admin.asp` | Medium
42 | File | `admin.php?m=admin&c=site&a=save` | High
43 | File | `admin/admin.asp` | High
44 | File | `admin/backupdb.php` | High
45 | File | `admin/bitrix.mpbuilder_step2.php` | High
46 | File | `admin/bitrix.xscan_worker.php` | High
47 | File | `admin/gb-dashboard-widget.php` | High
48 | File | `admin/images.aspx` | High
49 | File | `admin/login.asp` | High
50 | File | `admin/mcart_xls_import.php` | High
51 | File | `admin/modules/tools/ip_history_logs.php` | High
52 | File | `admin/orion.extfeedbackform_efbf_forms.php` | High
53 | ... | ... | ...
There are 458 more IOA items available. Please use our online service to access the data.
There are 459 more IOA items available. Please use our online service to access the data.
## References