Sodinokibi Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (92)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en80
ru4
fr4
pl2
de2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

us20
ru10
il4
gb4
pw2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

Sodinokibi11
Emotet1
Cobalt Strike1
Crimeware1
Nanocore1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined22
Operating System20
Programming Language Software6
Web Browser6
Firewall Software4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined24
Microsoft18
Apple6
Sophos4
Oracle4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Microsoft Windows12
Oracle Java SE4
Google Chrome4
Linux Kernel4
Sophos Cyberoam Firewall2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemEPSSCTICVE
1FLDS redir.php sql injection7.37.3$0-$5k$0-$5kHighUnavailable0.002030.03CVE-2008-5928
2Debian fuse Package cuse access control7.87.5$5k-$25k$0-$5kNot DefinedOfficial Fix0.000420.00CVE-2016-1233
3OpenEMR sl_eob_search.php os command injection7.57.2$0-$5k$0-$5kNot DefinedOfficial Fix0.001810.00CVE-2018-15154
4Pandao editor.md Markdown cross site scripting4.84.8$0-$5k$0-$5kNot DefinedNot Defined0.000580.04CVE-2023-29641
5LogicBoard CMS away.php redirect6.36.1$0-$5k$0-$5kNot DefinedUnavailable0.000001.99
6OpenX adclick.php redirect5.34.7$0-$5k$0-$5kUnprovenUnavailable0.004400.18CVE-2014-2230
7Apple Mac OS X Server Wiki Server sql injection5.34.6$5k-$25k$0-$5kUnprovenOfficial Fix0.003391.40CVE-2015-5911
8SAP 3D Visual Enterprise Viewer GIF File denial of service3.83.7$5k-$25k$0-$5kNot DefinedOfficial Fix0.000610.00CVE-2021-27593
9Apple macOS IOMobileFrameBuffer memory corruption7.87.5$5k-$25k$0-$5kHighOfficial Fix0.002630.00CVE-2022-22587
10Apple iOS/iPadOS IOMobileFrameBuffer memory corruption7.87.5$25k-$100k$5k-$25kHighOfficial Fix0.002630.04CVE-2022-22587
11Apple Safari WebKit resource management7.37.0$5k-$25k$0-$5kNot DefinedOfficial Fix0.008560.00CVE-2014-4452
12HPE Ezmeral Data Fabric TEZ MapR Ecosystem access control6.36.0$5k-$25k$0-$5kNot DefinedOfficial Fix0.001970.00CVE-2021-29215
13nginx ngx_http_mp4_module information disclosure5.95.8$0-$5k$0-$5kNot DefinedOfficial Fix0.001980.05CVE-2018-16845
14SonarQube values missing encryption5.95.9$0-$5k$0-$5kNot DefinedNot Defined0.368800.01CVE-2020-27986
15Bitnami Docker Container .env random values3.53.4$0-$5k$0-$5kNot DefinedOfficial Fix0.001170.00CVE-2021-21979
16Google Android System permission7.06.3$25k-$100k$0-$5kProof-of-ConceptOfficial Fix0.003060.07CVE-2017-13209
17PHP addcslashe numeric error8.58.1$5k-$25k$0-$5kUnprovenOfficial Fix0.005390.00CVE-2016-4344
18Sophos XG Firewall HTTPS Bookmark buffer overflow8.58.2$0-$5k$0-$5kNot DefinedOfficial Fix0.007730.00CVE-2020-15069
19Marvin Minsky Universal Turing Machine input validation4.64.4$0-$5k$0-$5kProof-of-ConceptNot Defined0.000480.00CVE-2021-32471
20Sophos Cyberoam Firewall SSL VPN Console injection8.58.2$0-$5k$0-$5kNot DefinedOfficial Fix0.006420.03CVE-2019-17059

IOC - Indicator of Compromise (28)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
145.55.211.79Sodinokibi05/02/2019verifiedHigh
246.30.215.77webcluster1.webpod6-cph3.one.comSodinokibi04/14/2022verifiedHigh
346.45.134.70server-46.45.134.70.as42926.netSodinokibi04/14/2022verifiedHigh
450.116.71.86box6146.bluehost.comSodinokibi04/14/2022verifiedHigh
552.9.200.151www.drvoip.comSodinokibi04/14/2022verifiedHigh
652.28.116.69ec2-52-28-116-69.eu-central-1.compute.amazonaws.comSodinokibi04/14/2022verifiedMedium
7XX.XXX.XX.XXxxxxxxxxxx.xxxXxxxxxxxxx04/14/2022verifiedHigh
8XX.XXX.X.XXxxx-xx-xxx-x-xx.xxxxxxx.xxxx-xxxxxxx-xxxxx.xxxXxxxxxxxxx04/14/2022verifiedHigh
9XX.XXX.XX.XXXXxxxxxxxxx04/14/2022verifiedHigh
10XX.XX.XXX.XXXxxxxxxxxxx.xxxxxxx.xxx.xxxXxxxxxxxxx04/14/2022verifiedHigh
11XXX.XXX.XX.XXxx-xxx-xxx-xx-xx.xx.xxxxxxxxxxxx.xxxXxxxxxxxxx04/14/2022verifiedHigh
12XXX.XX.XXX.XXXxx-xxx-xx-xxx-xxx.xxxxxxxxxx.xxxXxxxxxxxxx04/14/2022verifiedHigh
13XXX.XXX.XXX.XXxxxxxx.xxxx.xxXxxxxxxxxx04/14/2022verifiedHigh
14XXX.XX.XX.XXXXxxxxxxxxx05/02/2019verifiedHigh
15XXX.XXX.XXX.XXXxxxx.xxxxxxxxxxxxxxxx.xxXxxxxxxxxx04/14/2022verifiedHigh
16XXX.XXX.XX.XXxxxxxxxxxxxxxx.xxxXxxxxxxxxx04/14/2022verifiedHigh
17XXX.XX.X.XXXxxx.xxxxxxxxxxxx.xxxXxxxxxxxxx04/14/2022verifiedHigh
18XXX.XXX.XX.XXXxxxxxx.xxxxxxxxxxxx.xxXxxxxxxxxx04/14/2022verifiedHigh
19XXX.XXX.XXX.XXxx-xxx-xxx-xxx-xx.xxxxxxxxxx.xxxXxxxxxxxxx04/14/2022verifiedHigh
20XXX.XXX.XX.XXXxxxxxxxxxx.xxxxxxx.xxx.xxxXxxxxxxxxx04/14/2022verifiedHigh
21XXX.XXX.XX.XXXXxxxxxxxxx05/02/2019verifiedHigh
22XXX.XXX.XX.XXXxxxx.xxxxxxxxxxxx.xxxXxxxxxxxxx04/14/2022verifiedHigh
23XXX.XX.XXX.XXxxxx.xxxxxxxxxxx.xxxXxxxxxxxxx04/14/2022verifiedHigh
24XXX.XXX.XXX.XXxxxxx-xx.xxxxxxxx.xxxXxxxxxxxxx04/14/2022verifiedHigh
25XXX.XX.XXX.XXXxx-xxx-xx-xxx-xxx.xx.xxxxxxxxxxxx.xxxXxxxxxxxxx04/14/2022verifiedHigh
26XXX.XX.XXX.XXXxxx-xx-xxx-xxx.xx.xxxxxxxxxxxxxxxxx.xxxXxxxxxxxxx04/14/2022verifiedHigh
27XXX.XXX.XX.Xxxxxxxxxxx.xxx.xxxXxxxxxxxxx04/14/2022verifiedHigh
28XXX.XXX.XX.XXxxxxxxxxxx.xxx.xxxXxxxxxxxxx04/14/2022verifiedHigh

TTP - Tactics, Techniques, Procedures (16)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-22Path TraversalpredictiveHigh
2T1040CAPEC-102CWE-294, CWE-319Authentication Bypass by Capture-replaypredictiveHigh
3T1055CAPEC-10CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
4T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
5TXXXX.XXXCAPEC-209CWE-XX, CWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
6TXXXXCAPEC-122CWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
7TXXXXCAPEC-136CWE-XX, CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
8TXXXX.XXXCAPEC-178CWE-XXXXxxx XxxxxxxxpredictiveHigh
9TXXXXCAPEC-CWE-XXX7xx Xxxxxxxx XxxxxxxxpredictiveHigh
10TXXXXCAPEC-1CWE-XXX, CWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
11TXXXXCAPEC-108CWE-XXXxx XxxxxxxxxpredictiveHigh
12TXXXXCAPEC-112CWE-XXXXxxxxxxxxxx XxxxxxxxxxpredictiveHigh
13TXXXX.XXXCAPEC-459CWE-XXXXxxxxxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
14TXXXXCAPEC-116CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
15TXXXXCAPEC-157CWE-XXX, CWE-XXXXxxxxxxxxxxxx XxxxxxpredictiveHigh
16TXXXX.XXXCAPEC-112CWE-XXXXxx Xxxxxxxxxx XxxxxpredictiveHigh

IOA - Indicator of Attack (34)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/dev/cusepredictiveMedium
2File/dev/snd/seqpredictiveMedium
3File/forum/away.phppredictiveHigh
4File/tmp/app/.envpredictiveHigh
5File/xxx/xxxxx/xxxxxxxxxxxxxxxxxxxx/xxx/predictiveHigh
6Filexxxxxxx.xxxpredictiveMedium
7Filexxxxx/xxxxxxxx.xxxpredictiveHigh
8Filexxx/xxxxxxxx/xxxxxxpredictiveHigh
9Filexxxx/xxxxxxxxxxxxxxx.xxxpredictiveHigh
10Filexxxxxxx.xxxpredictiveMedium
11Filexxxxxxx.xxxxpredictiveMedium
12Filexx/xxxxx.xpredictiveMedium
13Filexxxxxxx.xpredictiveMedium
14Filexxxxx.xxpredictiveMedium
15Filexxxxxxxxx/xxxxxxx/xx_xxx_xxxxxx.xxxpredictiveHigh
16Filexxxxxxx_xxxxxxxxxxxx.xpredictiveHigh
17Filexxxx.xpredictiveLow
18Filexxx_xxxxx.xpredictiveMedium
19Filexxx_xxxx.xpredictiveMedium
20Filexxx_xxxxx.xpredictiveMedium
21Filexxxxxx/xxxxxxxxxxxxxxxxx.xxpredictiveHigh
22Filexxxxx.xxxpredictiveMedium
23Filexxxx-xxxxxx.xpredictiveHigh
24Filexxxxxxxxx_xxxpredictiveHigh
25Filexxxx/xxx/xxxx-xxxxx.xxxpredictiveHigh
26Argumentxxx_xxxpredictiveLow
27ArgumentxxxxpredictiveLow
28ArgumentxxpredictiveLow
29ArgumentxxxxxxxxxxxxxxpredictiveHigh
30Argumentxxxxx_xxxxxxxpredictiveHigh
31ArgumentxxxxxxpredictiveLow
32ArgumentxxxxxxxxxpredictiveMedium
33Input Value.%xx.../.%xx.../predictiveHigh
34Input Valuexxxxx/xxxxxxxxpredictiveHigh

References (3)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Want to stay up to date on a daily basis?

Enable the mail alert feature now!