BadBazaar Analysis

IOB - Indicator of Behavior (260)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

Language | Count
en | 172
zh | 74
fr | 8
de | 4
ru | 2


Country

Country | Count
cn | 112
us | 96
ca | 10
fr | 8
de | 8


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Product | Count
Microsoft Windows | 8
VMware Cloud Director | 4
Cisco ASA | 4
WordPress | 4
Google Chrome | 4


Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1 | Tiki Admin Password tiki-login.php improper authentication | 8.0 | 7.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00936 | 2.02 | CVE-2020-15906
2 | Ignite Realtime Openfire Administration Console improper authentication | 7.8 | 7.7 | $0-$5k | $0-$5k | High | Official Fix | 0.97409 | 0.04 | CVE-2023-32315
3 | Synacor Zimbra Collaboration mboximport pathname traversal | 4.7 | 4.5 | $0-$5k | $0-$5k | High | Official Fix | 0.96142 | 0.00 | CVE-2022-27925
4 | Google Chrome WebGPU use after free | 6.3 | 6.0 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.00465 | 0.03 | CVE-2022-2007
5 | Google Chrome Compositing out-of-bounds | 6.3 | 6.0 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.00233 | 0.03 | CVE-2022-2010
6 | Google Chrome WebGL out-of-bounds | 6.3 | 6.0 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.00240 | 0.02 | CVE-2022-2008
7 | Apple Mac OS X TCP Timestamp information disclosure | 5.3 | 5.1 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00243 | 0.00 | CVE-2003-0882
8 | cPanel Filter API input validation | 7.5 | 7.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00094 | 0.00 | CVE-2017-18433
9 | OpenVPN Access Server Web Portal entropy | 5.6 | 5.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00151 | 0.05 | CVE-2022-33738
10 | Essential Addons for Elementor Plugin password recovery | 8.0 | 7.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.03893 | 0.02 | CVE-2023-32243
11 | WordPress WP_Query sql injection | 6.3 | 6.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.93536 | 0.05 | CVE-2022-21661
12 | Nginx Autoindex Module integer overflow | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00845 | 0.04 | CVE-2017-20005
13 | Liferay Portal Velocity Template access control | 7.5 | 7.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00330 | 0.02 | CVE-2010-5327
14 | Freeware Advanced Audio Decoder sbr_hfadj.c calculate_gain memory corruption | 6.5 | 6.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00246 | 0.00 | CVE-2018-20196
15 | WordPress WP_Query class-wp-query.php sql injection | 8.5 | 8.4 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00318 | 0.04 | CVE-2017-5611
16 | Linksys E2000 position.js improper authentication | 6.3 | 6.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00053 | 0.02 | CVE-2024-27497
17 | phpMyAdmin SearchController sql injection | 8.0 | 7.7 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00745 | 0.00 | CVE-2020-26935
18 | Atlassian JIRA Server/Data Center QueryComponent!Default.jspa information disclosure | 5.3 | 5.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00628 | 0.03 | CVE-2020-14179
19 | Microsoft Windows Cloud Files Mini Filter Driver Local Privilege Escalation | 7.8 | 7.5 | $25k-$100k | $5k-$25k | High | Official Fix | 0.00043 | 0.05 | CVE-2023-36036
20 | Freemius SDK Plugin fs_request_get cross site scripting | 3.5 | 3.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00000 | 0.03 | CVE-2023-33999

IOC - Indicator of Compromise (15)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (15)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (78)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /ajax/device_entities.php?entity_type=netscalervsvr | predictive | High
2 | File | /cgi-bin/supervisor/PwdGrp.cgi | predictive | High
3 | File | /current_action.php?action=reboot | predictive | High
4 | File | /etc/postfix/sender_login | predictive | High
5 | File | /file/upload/1 | predictive | High
6 | File | /filemanager/ajax_calls.php | predictive | High
7 | File | /Items/*/RemoteImages/Download | predictive | High
8 | File | /login.php | predictive | Medium
9 | File | /opt/zimbra/jetty/webapps/zimbra/public | predictive | High
10 | File | /xxxxxx/xxxxxxxxxxxxxx!xxxxxxx.xxxx | predictive | High
11 | File | xxxxxxx/xxxxxxxxxxxxxxxxxx.xxx | predictive | High
12 | File | xxxxxx.xxx | predictive | Medium
13 | File | xxxxxxx/xxxxxxx/xxxxxx.xxx | predictive | High
14 | File | xxxx_xxxx.xxx | predictive | High
15 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive | High
16 | File | xxxx/xxxxxxxx.xxxx.xxxxxxx.xxx | predictive | High
17 | File | xxxxxx.xxx | predictive | Medium
18 | File | xxx/xxxxxx/xxxxxx/xxxxxxxxxxx/xxx.xxx | predictive | High
19 | File | xxxxxxx_x.x | predictive | Medium
20 | File | xxxxxxxxx.xxx.xxx | predictive | High
21 | File | xx_xxx_xx.x | predictive | Medium
22 | File | xxxxxxxxxx.xxxx | predictive | High
23 | File | xxx/xxxxxx.xxx | predictive | High
24 | File | xxxxx.xxx | predictive | Medium
25 | File | xxxxxxxxxx.xxx | predictive | High
26 | File | xxxxxxxxxx/xxx/xxxxxx_xxxx.xxx | predictive | High
27 | File | xxxxxxxx_xxxxxxx.xxxxx.xxx | predictive | High
28 | File | xxxxxxx/xxx_xxxxx.x | predictive | High
29 | File | xxxxxxxx.x | predictive | Medium
30 | File | xxxxx_xx.xxxx | predictive | High
31 | File | xxx/xxxx/xx_xxxxxxxx.x | predictive | High
32 | File | xxxxx.x | predictive | Low
33 | File | xxxxxxxx.xxx | predictive | Medium
34 | File | xxxxxx.x | predictive | Medium
35 | File | xxxxxxxxx_xxxxx.xxxxx.xxx | predictive | High
36 | File | xxxxxxxxx/xxxxxxxxxxxx | predictive | High
37 | File | xxxxxxx/xxxxxxxxxxxxxxxx/xxxxxxxxx/xxxxxxxx.xxxx | predictive | High
38 | File | xxxxxxxx.xx | predictive | Medium
39 | File | xxxx.xxx | predictive | Medium
40 | File | xxxxxxx_xxxxxxx.xxx | predictive | High
41 | File | xxxx-xxxxx.xxx | predictive | High
42 | File | xxxxx_xxxxx.xxx | predictive | High
43 | File | xxxxx.xxxx | predictive | Medium
44 | File | xxxx.xxx | predictive | Medium
45 | File | xxxxxxx.xxx | predictive | Medium
46 | File | xxxxxxx.xxx | predictive | Medium
47 | File | xx-xxxxx-xxxxxx.xxx | predictive | High
48 | File | xx-xxxxxxxx/xxxxx-xx-xxxxx.xxx | predictive | High
49 | File | xx-xxxxxxxx/xxxx.xxx | predictive | High
50 | Library | xxx.xxx | predictive | Low
51 | Argument | xxxxxxxx | predictive | Medium
52 | Argument | xxxxx_xxxx | predictive | Medium
53 | Argument | xxx | predictive | Low
54 | Argument | xxx | predictive | Low
55 | Argument | xxxxxx_xx[] | predictive | Medium
56 | Argument | xxx | predictive | Low
57 | Argument | xxxxxxxxxxxxxxxxx | predictive | High
58 | Argument | xxx | predictive | Low
59 | Argument | xxxxxxxx | predictive | Medium
60 | Argument | xxxxxxxxxxxx | predictive | Medium
61 | Argument | xxxx | predictive | Low
62 | Argument | xx | predictive | Low
63 | Argument | xxxxxxxx | predictive | Medium
64 | Argument | xxxxx | predictive | Low
65 | Argument | xxxxx_xxx | predictive | Medium
66 | Argument | xxxxx_xxxxxx_xxx/xxxxx_xxxx_xxxxxxxx | predictive | High
67 | Argument | xxxxxxxx | predictive | Medium
68 | Argument | xxxxxx | predictive | Low
69 | Argument | xx | predictive | Low
70 | Argument | xxxxxx_xxxx | predictive | Medium
71 | Argument | xxxx_xxxxx | predictive | Medium
72 | Argument | xxxxx_xxxx | predictive | Medium
73 | Argument | xxxxxxxxxxxx | predictive | Medium
74 | Argument | \xxxxxx\ | predictive | Medium
75 | Input Value | %xxxxxx+-x+x+xx.x.xx.xxx%xx%xx | predictive | High
76 | Input Value | .. | predictive | Low
77 | Input Value | \xxx\xxx | predictive | Medium
78 | Network Port | xxx/xxx (xxxx) | predictive | High

References (2)

The following list contains external sources which discuss the actor and the associated activities:
