Grayling Analysis

IOB - Indicator of Behavior (100)

Lang

en: 92
de: 2
it: 2
ru: 2
es: 2

Product

Google Android: 4
Thomas R. Pasawicz HyperBook Guestbook: 2
TeamCal: 2
Alt-N MDaemon: 2
Stephen Adkins Perl: 2

Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.02016 | 0.00 | CVE-2007-1192 |
| 2 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00943 | 0.30 | CVE-2010-0966 |
| 3 | MGB OpenSource Guestbook email.php sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | High | Unavailable | 0.01302 | 0.59 | CVE-2007-0354 |
| 4 | PHPWind goto.php cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00254 | 0.04 | CVE-2015-4135 |
| 5 | Google Android Qualcomm integer overflow | 9.8 | 9.6 | $100k and more | $5k-$25k | Not Defined | Official Fix | 0.00321 | 0.02 | CVE-2016-5344 |
| 6 | Microsoft Exchange Server Privilege Escalation | 8.8 | 7.7 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.01192 | 0.02 | CVE-2023-21529 |
| 7 | Apple macOS unusual condition | 8.0 | 7.9 | $5k-$25k | $0-$5k | High | Official Fix | 0.00087 | 0.03 | CVE-2023-41993 |
| 8 | Google Android StorageManagerService.java information disclosure | 4.4 | 4.3 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00042 | 0.00 | CVE-2022-20219 |
| 9 | Spring Framework Incomplete Fix CVE-2018-1270 security check | 8.5 | 8.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.24942 | 0.03 | CVE-2018-1275 |
| 10 | Alt-N MDaemon Worldclient injection | 4.9 | 4.7 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00090 | 0.04 | CVE-2021-27182 |
| 11 | Fortinet FortiGate HTTP Header unknown vulnerability | 6.4 | 6.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00084 | 0.00 | CVE-2020-15938 |
| 12 | D-Link DIR-655 C apply_sec.cgi Blank credentials management | 8.5 | 8.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.01422 | 0.00 | CVE-2019-13560 |
| 13 | DrayTek Vigor2960/Vigor3900/Vigor300B mainfunction.cgi injection | 9.8 | 9.8 | $25k-$100k | $25k-$100k | High | Not Defined | 0.97079 | 0.05 | CVE-2020-8515 |
| 14 | Woltlab Burning Board register.php cross site scripting | 4.3 | 4.1 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00546 | 0.00 | CVE-2007-1443 |
| 15 | Wheatblog add_comment.php cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00154 | 0.00 | CVE-2006-7002 |
| 16 | TeamCal register.php path traversal | 3.3 | 3.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00000 | 0.00 | |
| 17 | Public Warehouse Light Blog add_comment.php cross site scripting | 4.3 | 4.1 | $0-$5k | $0-$5k | High | Official Fix | 0.01062 | 0.00 | CVE-2007-3131 |
| 18 | Drupal comment_form_add_preview input validation | 10.0 | 9.0 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.03391 | 0.00 | CVE-2007-0626 |
| 19 | Mail Masta Plugin campaign_save.php sql injection | 6.7 | 6.4 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00316 | 0.03 | CVE-2017-6098 |
| 20 | MantisBT Gravatar Plugin Content Security Policy cross site scripting | 4.5 | 4.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00173 | 0.00 | CVE-2016-7111 |

IOC - Indicator of Compromise (3)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

| ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence |
|---|---|---|---|---|---|---|---|
| 1 | 3.0.93.185 | ec2-3-0-93-185.ap-southeast-1.compute.amazonaws.com | Grayling | | 10/29/2023 | verified | Medium |
| 2 | XX.XXX.XXX.XXX | | xxxxxxx | | 10/29/2023 | verified | High |
| 3 | XXX.XXX.XX.XXX | xxx-xxx-xx-xxx-xxxx.xxxxxxxxxxxx.xxx | Xxxxxxxx | | 10/29/2023 | verified | High |

TTP - Tactics, Techniques, Procedures (11)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Class | Vulnerabilities | Access Vector | Type | Confidence |
|---|---|---|---|---|---|---|
| 1 | T1006 | CAPEC-126 | CWE-22 | Path Traversal | predictive | High |
| 2 | T1055 | CAPEC-10 | CWE-74 | Improper Neutralization of Data within XPath Expressions | predictive | High |
| 3 | T1059 | CAPEC-242 | CWE-94 | Argument Injection | predictive | High |
| 4 | TXXXX.XXX | CAPEC-209 | CWE-XX, CWE-XX | Xxxxx Xxxx Xxxxxxxxx | predictive | High |
| 5 | TXXXX | CAPEC- | CWE-XXX | Xxxxxxxxx Xxxx Xxxxxxxxxxx Xxxxxxxxxx | predictive | High |
| 6 | TXXXX.XXX | CAPEC-178 | CWE-XXX | Xxxx Xxxxxxxx | predictive | High |
| 7 | TXXXX | CAPEC- | CWE-XXX | 7xx Xxxxxxxx Xxxxxxxx | predictive | High |
| 8 | TXXXX | CAPEC-108 | CWE-XX | Xxx Xxxxxxxxx | predictive | High |
| 9 | TXXXX | CAPEC- | CWE-XXX | Xxxxxxxxxxx Xxxxxxxxxx | predictive | High |
| 10 | TXXXX | CAPEC-116 | CWE-XXX | Xxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx Xxxxxxxxxxx | predictive | High |
| 11 | TXXXX | CAPEC- | CWE-XXX | Xxxxxxxxxxxxx Xxxxxx | predictive | High |

IOA - Indicator of Attack (19)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | /inc/campaign_save.php | predictive | High |
| 2 | File | adclick.php | predictive | Medium |
| 3 | File | add_comment.php | predictive | High |
| 4 | File | apply_sec.cgi | predictive | High |
| 5 | File | xxx-xxx/xxxxxxxxxxxx.xxx | predictive | High |
| 6 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive | High |
| 7 | File | xxxxx.xxx | predictive | Medium |
| 8 | File | xxxx.xxx | predictive | Medium |
| 9 | File | xxx/xxxxxx.xxx | predictive | High |
| 10 | File | xxxxxxxx.xxx | predictive | Medium |
| 11 | File | xxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High |
| 12 | Argument | xxx::xxxxxxx::xxxxxx/xxx::xxxxxxx::xxxxxxxxxx | predictive | High |
| 13 | Argument | xxxxxxxx | predictive | Medium |
| 14 | Argument | xxxxxxx=xxxxxxxx | predictive | High |
| 15 | Argument | xx | predictive | Low |
| 16 | Argument | xxxx | predictive | Low |
| 17 | Argument | xxxx_xx | predictive | Low |
| 18 | Argument | xxxxx_xxxxxx | predictive | Medium |
| 19 | Argument | xxx | predictive | Low |

References (2)

The following list contains external sources which discuss the actor and the associated activities: