mirror of https://github.com/vuldb/cyber_threat_intelligence synced 2024-07-03 08:58:21 +00:00

History

Marc Ruef 3899a47ea9 Update January 2023		2023-01-30 13:54:37 +01:00
..
README.md	Update January 2023	2023-01-30 13:54:37 +01:00

README.md

Kwampirs - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as Kwampirs. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.kwampirs

Campaigns

The following campaigns are known and can be associated with Kwampirs:

Campaign 0
Campaign 1
Campaign A
...

There are 5 more campaign items available. Please use our online service to access the data.

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Kwampirs:

There are 7 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of Kwampirs.

ID	IP address	Hostname	Campaign	Confidence
1	5.13.139.105	5-13-139-105.residential.rdsnet.ro	Campaign 0	High
2	5.16.10.25	5x16x10x25.static-business.spb.ertelecom.ru	Campaign E	High
3	5.27.122.119	-	Campaign B	High
4	5.59.65.104	-	Campaign 0	High
5	5.108.69.57	-	Campaign 0	High
6	5.141.117.26	-	Campaign F	High
7	6.70.116.102	-	Campaign 0	High
8	6.119.67.75	-	Campaign 0	High
9	7.81.81.41	-	Campaign E	High
10	8.47.71.43	-	Campaign 0	High
11	9.11.63.89	-	Campaign D	High
12	9.72.55.135	-	Campaign C	High
13	10.12.122.62	-	Campaign C	High
14	10.13.24.15	-	Campaign A	High
15	10.16.91.131	-	Campaign 1	High
16	10.33.44.94	-	Campaign 0	High
17	10.74.81.89	-	Campaign A	High
18	10.118.75.18	-	Campaign 0	High
19	10.143.48.52	-	Campaign 0	High
20	11.24.8.54	-	Campaign 1	High
21	11.25.41.114	-	Campaign 1	High
22	11.40.56.75	-	Campaign E	High
23	11.89.101.8	-	Campaign D	High
24	11.100.81.69	-	Campaign D	High
25	12.40.29.71	-	Campaign 0	High
26	12.52.19.59	-	Campaign B	High
27	13.33.26.95	server-13-33-26-95.phx50.r.cloudfront.net	Campaign 1	High
28	13.44.61.126	-	Campaign D	High
29	13.56.107.66	ec2-13-56-107-66.us-west-1.compute.amazonaws.com	Campaign 1	Medium
30	13.65.24.145	-	Campaign 0	High
31	13.89.86.129	-	Campaign E	High
32	14.40.57.104	-	Campaign 1	High
33	14.47.117.104	-	Campaign 0	High
34	15.23.61.42	-	Campaign E	High
35	15.50.42.142	-	Campaign C	High
36	15.85.30.84	atp467w084.sgp.hp.com	Campaign 1	High
37	16.9.79.28	-	Campaign 0	High
38	16.26.71.132	-	Campaign E	High
39	16.29.27.126	-	Campaign 0	High
40	16.48.37.37	-	Campaign A	High
41	16.52.54.140	-	Campaign B	High
42	16.58.49.129	-	Campaign B	High
43	16.61.28.46	-	Campaign C	High
44	16.95.70.136	-	Campaign 0	High
45	16.98.53.86	016-098-053-086.res.spectrum.com	Campaign F	High
46	16.127.81.67	-	Campaign 0	High
47	16.127.136.51	-	Campaign 0	High
48	16.137.46.91	-	Campaign F	High
49	17.104.36.5	-	Campaign A	High
50	17.125.84.121	-	Campaign F	High
51	17.129.132.89	-	Campaign C	High
52	18.14.32.60	-	Campaign A	High
53	18.25.62.70	-	Campaign A	High
54	18.42.73.26	-	Campaign C	High
55	18.50.115.97	-	Campaign B	High
56	19.54.98.87	-	Campaign E	High
57	19.106.38.64	-	Campaign A	High
58	19.131.135.14	-	Campaign E	High
59	19.140.51.9	-	Campaign 0	High
60	19.140.139.6	-	Campaign 1	High
61	20.26.32.106	-	Campaign F	High
62	20.38.100.106	-	Campaign B	High
63	20.93.133.52	-	Campaign C	High
64	20.143.69.60	-	Campaign 1	High
65	21.58.89.27	-	Campaign C	High
66	21.88.128.66	-	Campaign C	High
67	21.124.73.107	-	Campaign F	High
68	21.133.28.123	-	Campaign C	High
69	22.20.28.56	-	Campaign B	High
70	22.90.91.105	-	Campaign A	High
71	23.24.92.121	23-24-92-121-static.hfc.comcastbusiness.net	Campaign 0	High
72	23.26.60.60	-	Campaign 1	High
73	23.92.211.10	gramwide.net	Campaign 1	High
74	23.129.12.17	-	Campaign D	High
75	24.54.58.144	24-54-58-144.resi.cgocable.ca	Campaign 0	High
76	24.84.115.51	-	Campaign C	High
77	24.135.106.128	cable-24-135-106-128.dynamic.sbb.rs	Campaign 0	High
78	25.6.113.5	-	Campaign E	High
79	25.17.137.61	-	Campaign D	High
80	25.28.74.29	-	Campaign F	High
81	25.31.92.107	-	Campaign B	High
82	25.108.63.68	-	Campaign 1	High
83	25.116.135.131	-	Campaign 0	High
84	25.117.33.82	-	Campaign B	High
85	26.50.108.98	-	Campaign 1	High
86	26.57.67.114	-	Campaign D	High
87	26.79.14.142	-	Campaign D	High
88	26.87.49.124	-	Campaign A	High
89	26.119.92.7	-	Campaign B	High
90	26.128.82.46	-	Campaign F	High
91	27.22.41.133	-	Campaign 1	High
92	28.54.53.141	-	Campaign 0	High
93	28.138.127.117	-	Campaign 0	High
94	29.10.24.134	-	Campaign C	High
95	29.100.18.102	-	Campaign A	High
96	...	...	...	...

There are 379 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by Kwampirs. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Weakness	Description	Confidence
1	T1006	CWE-21, CWE-22	Pathname Traversal	High
2	T1040	CWE-294	Authentication Bypass by Capture-replay	High
3	T1055	CWE-74	Injection	High
4	T1059	CWE-94	Cross Site Scripting	High
5	T1059.007	CWE-79, CWE-80	Cross Site Scripting	High
6	...	...	...	...

There are 18 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Kwampirs. This data is unique as it uses our predictive model for actor profiling.

ID	Type	Indicator	Confidence
1	File	`%PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe`	High
2	File	`.kss.pid`	Medium
3	File	`.qpopper-options`	High
4	File	`/api/v1/containers`	High
5	File	`/apply_noauth.cgi`	High
6	File	`/apps/`	Low
7	File	`/backupsettings.conf`	High
8	File	`/bin/sh`	Low
9	File	`/ctcprotocol/Protocol`	High
10	File	`/debug/pprof`	Medium
11	File	`/filemanager/upload.php`	High
12	File	`/forum/away.php`	High
13	File	`/menu.html`	Medium
14	File	`/modules/snf/index.php`	High
15	File	`/Online%20Course%20Registration/my-profile.php`	High
16	File	`/opt/mysql`	Medium
17	File	`/private/sessions`	High
18	File	`/resources//../`	High
19	File	`/root/*.db`	Medium
20	File	`/see_more_details.php`	High
21	File	`/subtitles.php`	High
22	File	`/sys/dict/queryTableData`	High
23	File	`/tmp`	Low
24	File	`/var/avamar/f_cache.dat`	High
25	File	`/views/directive/sys/SysConfigDataDirective.java`	High
26	File	`26.html`	Low
27	File	`add_postit.php`	High
28	File	`admin.php`	Medium
29	File	`admin/shophelp.php`	High
30	File	`admin/wp-security-blacklist-menu.php`	High
31	File	`administration.jsp`	High
32	File	`adminquery.php`	High
33	File	`ajaxRequest/methodCall.do`	High
34	File	`Alias.asmx`	Medium
35	File	`ansfaq.asp`	Medium
36	File	`APKINDEX.tar.gz`	High
37	File	`app/parameters/sipity/parameters/search_criteria_for_works_parameter.rb`	High
38	File	`appconfig.ini`	High
39	File	`appGet.cgi`	Medium
40	File	`archivejson.cgi`	High
41	File	`authpam.c`	Medium
42	File	`autocms.php`	Medium
43	File	`avahi-core/socket.c`	High
44	File	`AvailableApps.php`	High
45	File	`banner.php`	Medium
46	File	`Binder.java`	Medium
47	File	`boundary_rules.jsp`	High
48	File	`calendar.php`	Medium
49	File	`calendar_scheduler.php`	High
50	File	`cal_config.inc.php`	High
51	...	...	...

There are 439 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence: