Gootkit Analysis

IOB - Indicator of Behavior (260)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 226
ru: 12
de: 8
sv: 6
zh: 4


Country

us: 164
ru: 46
cn: 22
de: 8
se: 6


Actors


Activities

Interest

Timeline


Type


Vendor


Product

OpenSSH: 8
PHP: 8
Microsoft Exchange Server: 6
nginx: 6
WordPress: 6


Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE |
|---|---------------|------|------|------|-------|-----|-----|------|-----|-----|
| 1 | SugarCRM sql injection | 5.8 | 5.3 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00248 | 0.02 | CVE-2020-17373 |
| 2 | SourceCodester Alphaware Simple E-Commerce System sql injection | 7.0 | 6.8 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00171 | 0.00 | CVE-2023-1504 |
| 3 | nginx request smuggling | 6.9 | 6.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00241 | 1.81 | CVE-2020-12440 |
| 4 | SugarCRM Emails sql injection | 7.5 | 7.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00087 | 0.00 | CVE-2019-17319 |
| 5 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00943 | 0.38 | CVE-2010-0966 |
| 6 | SugarCRM Configurator input validation | 5.9 | 5.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00090 | 0.00 | CVE-2019-17306 |
| 7 | SugarCRM Administration sql injection | 7.5 | 7.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00087 | 0.00 | CVE-2019-17298 |
| 8 | Fortinet FortiOS SSL-VPN out-of-bounds write | 9.8 | 9.6 | $25k-$100k | $25k-$100k | High | Official Fix | 0.01842 | 0.04 | CVE-2024-21762 |
| 9 | Palo Alto Networks PAN-OS GlobalProtect command injection | 8.9 | 8.7 | $0-$5k | $0-$5k | High | Official Fix | 0.95359 | 0.08 | CVE-2024-3400 |
| 10 | jQuery Property extend Pollution cross site scripting | 6.6 | 6.3 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.03535 | 0.19 | CVE-2019-11358 |
| 11 | OpenSSH scp scp.c os command injection | 6.4 | 6.4 | $25k-$100k | $5k-$25k | Not Defined | Unavailable | 0.00289 | 0.04 | CVE-2020-15778 |
| 12 | jQuery html cross site scripting | 5.8 | 5.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.01900 | 0.11 | CVE-2020-11023 |
| 13 | Microweber controller.php information disclosure | 6.4 | 6.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.01002 | 0.00 | CVE-2020-13405 |
| 14 | Naviwebs Navigate CMS File Upload navigate_upload.php unrestricted upload | 7.1 | 6.9 | $0-$5k | $0-$5k | High | Official Fix | 0.89749 | 0.03 | CVE-2018-17553 |
| 15 | Sunny WebBox cross-site request forgery | 7.5 | 7.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00150 | 0.02 | CVE-2019-13529 |
| 16 | Microsoft IIS IP/Domain Restriction access control | 6.5 | 5.7 | $25k-$100k | $0-$5k | Unproven | Official Fix | 0.00817 | 0.26 | CVE-2014-4078 |
| 17 | AlienVault Open Source Security Information Management radar-iso27001-potential.php sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00148 | 0.00 | CVE-2013-5967 |
| 18 | WordPress WP_Query class-wp-query.php sql injection | 8.5 | 8.4 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00318 | 0.00 | CVE-2017-5611 |
| 19 | Siemens SIMATIC Drive Controller Service Port 102 memory corruption | 7.3 | 7.1 | $5k-$25k | $0-$5k | Not Defined | Workaround | 0.00526 | 0.05 | CVE-2020-15782 |
| 20 | Siemens SIMATIC S7-1200 PLC memory corruption | 7.5 | 7.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00261 | 0.00 | CVE-2013-0700 |

IOC - Indicator of Compromise (14)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (18)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (77)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|----|-------|-----------|------|------------|
| 1 | File | .htaccess | predictive | Medium |
| 2 | File | /addnews.html | predictive | High |
| 3 | File | /api/runs/search/run/ | predictive | High |
| 4 | File | /cgi-bin/supervisor/PwdGrp.cgi | predictive | High |
| 5 | File | /download | predictive | Medium |
| 6 | File | /secure/admin/ImporterFinishedPage.jspa | predictive | High |
| 7 | File | /uncpath/ | predictive | Medium |
| 8 | File | /_error | predictive | Low |
| 9 | File | /_next | predictive | Low |

References (2)

The following list contains external sources which discuss the actor and the associated activities:
