EwDoor Analysis

IOB - Indicator of Behavior (237)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 226
ru: 10
jp: 2

Country

sc: 190
li: 18
us: 6

Actors

Activities

Interest

Timeline

Type

Vendor

Product

Cisco ASA: 10
Cisco Firepower Threat Defense: 8
Google Android: 8
Microsoft Windows: 6
F5 BIG-IP: 6

Vulnerabilities

| # | Vulnerability | Base score | Temp score | 0day price | Today price | Exploitability | Remediation | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | spring-boot-actuator-logview LogViewEndpoint.view path traversal | 5.5 | 5.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00049 | 0.04 | CVE-2023-29986 |
| 2 | Apache HTTP Server response splitting | 5.3 | 5.1 | $5k-$25k | $25k-$100k | Not Defined | Not Defined | 0.00045 | 0.09 | CVE-2023-38709 |
| 3 | Jetty URI access control | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.47555 | 0.00 | CVE-2021-34429 |
| 4 | portable SDK for UPnP unique_service_name memory corruption | 10.0 | 9.5 | $0-$5k | $0-$5k | High | Official Fix | 0.97414 | 0.05 | CVE-2012-5958 |
| 5 | CKFinder File Name unrestricted upload | 7.4 | 7.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00155 | 0.05 | CVE-2019-15862 |
| 6 | Asus RT-AC2900 input validation | 8.5 | 8.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.08597 | 0.02 | CVE-2018-8826 |
| 7 | GitLab Community Edition/Enterprise Edition Permission permission assignment | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00054 | 0.04 | CVE-2019-18446 |
| 8 | phpMyAdmin PMA_safeUnserialize deserialization | 9.8 | 9.6 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00433 | 0.00 | CVE-2016-9865 |
| 9 | phpMyAdmin Username sql injection | 7.5 | 7.3 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00326 | 0.03 | CVE-2016-9864 |
| 10 | Red Hat JBoss Enterprise Application Platform Class deserialization | 3.5 | 3.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00362 | 0.00 | CVE-2023-3171 |
| 11 | Red Hat JBoss Core Services httpd path traversal | 3.5 | 3.5 | $5k-$25k | $0-$5k | Not Defined | Not Defined | 0.00090 | 0.04 | CVE-2021-3688 |
| 12 | Ivanti Connect Secure/Policy Secure Web command injection | 8.6 | 8.6 | $0-$5k | $0-$5k | High | Workaround | 0.97334 | 0.04 | CVE-2024-21887 |
| 13 | Ivanti Endpoint Manager sql injection | 9.2 | 9.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00053 | 0.02 | CVE-2023-39336 |
| 14 | Ivanti Sentry command injection | 9.2 | 9.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00053 | 0.03 | CVE-2023-41724 |
| 15 | Ivanti Connect Secure/Policy Secure IPSec heap-based overflow | 7.7 | 7.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00091 | 0.03 | CVE-2024-21894 |
| 16 | F5 BIG-IP Configuration Utility path traversal | 9.3 | 9.1 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00230 | 0.05 | CVE-2023-41373 |
| 17 | F5 BIG-IP Configuration Utility improper authentication | 8.9 | 8.7 | $5k-$25k | $0-$5k | High | Official Fix | 0.97243 | 0.09 | CVE-2023-46747 |
| 18 | F5 BIG-IP iControl REST Endpoint command injection | 6.7 | 6.6 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.00 | CVE-2024-22093 |
| 19 | F5 BIG-IP/BIG-IQ scp os command injection | 7.0 | 6.8 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.04 | CVE-2024-21782 |
| 20 | F5 BIG-IP iControl REST session expiration | 7.2 | 7.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.04 | CVE-2024-22389 |

IOC - Indicator of Compromise (3)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

| ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence |
|---|---|---|---|---|---|---|---|
| 1 | 45.141.157.217 | ip-157-217.CN-Global | EwDoor | | 02/09/2022 | verified | High |
| 2 | XXX.XX.XX.XX | xx.xx.xx.xxx.xx.xxx.xx | Xxxxxx | | 02/09/2022 | verified | High |
| 3 | XXX.XXX.XX.XXX | | Xxxxxx | | 02/09/2022 | verified | High |

TTP - Tactics, Techniques, Procedures (18)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (59)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.


References (2)

The following list contains external sources which discuss the actor and the associated activities: