SparkRAT Analysis

IOB - Indicator of Behavior (224)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

  • en: 216
  • ja: 2
  • fr: 2
  • pt: 2
  • es: 2

Country

  • sc: 122
  • us: 20
  • cn: 2
  • pt: 2

Actors

Activities

Interest

Timeline

Type

Vendor

Product

  • Qualcomm Snapdragon Auto: 10
  • Qualcomm Snapdragon Industrial IOT: 10
  • Qualcomm Snapdragon Compute: 8
  • Qualcomm Snapdragon Consumer IOT: 8
  • Qualcomm Snapdragon Mobile: 8

Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | vu Mass Mailer Login Page redir.asp sql injection | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00238 | 0.09 | CVE-2007-6138 |
| 2 | Micro Focus Solutions Business Manager session fixation | 5.9 | 5.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00044 | 0.00 | CVE-2019-18946 |
| 3 | Qualcomm Snapdragon Auto NFC use after free | 6.5 | 6.3 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00044 | 0.00 | CVE-2019-14024 |
| 4 | c-blosc2 ndlz8x8.c ndlz8_decompress heap-based overflow | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00045 | 0.09 | CVE-2024-3203 |
| 5 | Linux Kernel ext4 kill_bdev memory allocation | 5.7 | 5.5 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00045 | 0.00 | CVE-2021-47119 |
| 6 | Schoolbox Calendar cross site scripting | 5.4 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.00 | CVE-2024-28097 |
| 7 | Cisco IOS/IOS XE SSH exceptional condition | 7.3 | 7.2 | $25k-$100k | $0-$5k | Not Defined | Official Fix | 0.00110 | 0.04 | CVE-2022-20920 |
| 8 | Progress Sitefinity Page Editing Area cross site scripting | 5.7 | 5.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.00 | CVE-2024-1636 |
| 9 | Starbox Plugin resource injection | 4.9 | 4.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00053 | 0.04 | CVE-2024-0366 |
| 10 | WooCommerce Product Enquiry Plugin cross site scripting | 4.8 | 4.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00046 | 0.04 | CVE-2023-7151 |
| 11 | Cainor Calendarinho redirect | 5.0 | 5.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00052 | 0.00 | CVE-2023-49281 |
| 12 | GoDaddy Email Marketing Plugin authorization | 6.3 | 6.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00000 | 0.02 | CVE-2023-49156 |
| 13 | Apache HTTP Server FilesMatch input validation | 7.7 | 7.5 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.96163 | 0.04 | CVE-2017-15715 |
| 14 | Tracker Software PDF-XChange Editor EMF File Parser use after free | 4.3 | 4.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00000 | 0.00 | CVE-2023-42050 |
| 15 | Apache Guacamole RDP Audio use after free | 6.8 | 6.7 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00215 | 0.04 | CVE-2023-30576 |
| 16 | LG LED Assistant path traversal | 8.5 | 8.4 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.01854 | 0.00 | CVE-2023-4613 |
| 17 | HTTP Auth Plugin cross-site request forgery | 4.3 | 4.2 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00058 | 0.00 | CVE-2023-27435 |
| 18 | Onepage Builder Plugin sql injection | 4.3 | 4.2 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00050 | 0.00 | CVE-2023-38391 |
| 19 | Metform Elementor Contact Form Builder Plugin Shortcode information disclosure | 5.4 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00064 | 0.00 | CVE-2023-0688 |
| 20 | XWiki Platform authorization | 8.3 | 8.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00096 | 0.00 | CVE-2023-32069 |

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • CVE-2024-27198 / CVE-2024-27199

IOC - Indicator of Compromise (6)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (20)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (97)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

References (6)

The following list contains external sources which discuss the actor and the associated activities: