TheMoon Analysis

IOB - Indicator of Behavior (167)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en (142)
zh (12)
sv (6)
de (4)
fr (2)


Country

us (160)
cn (4)
ro (2)
ru (2)


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Linux Kernel (16)
Microsoft Windows (16)
WordPress (6)
Adminer (4)
Cisco IOS (4)


Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1 | Tiki Admin Password tiki-login.php improper authentication | 8.0 | 7.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00936 | 5.77 | CVE-2020-15906
2 | SonicWALL SMA100 libSys.so stack-based overflow | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00343 | 0.06 | CVE-2019-7482
3 | Juniper Junos SRX ICAP Redirect Service double free | 8.5 | 8.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00932 | 0.00 | CVE-2020-1647
4 | Espruino jsvar.c jsvNewFromString stack-based overflow | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00074 | 0.00 | CVE-2022-25044
5 | Sophos Cyberoam Firewall SSL VPN Console injection | 8.5 | 8.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00642 | 0.03 | CVE-2019-17059
6 | VMware Tools race condition | 7.7 | 7.7 | $5k-$25k | $0-$5k | Not Defined | Not Defined | 0.00044 | 0.02 | CVE-2020-3941
7 | Microsoft IIS cross site scripting | 5.2 | 4.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00548 | 0.05 | CVE-2017-0055
8 | Huawei SXXXX XML Parser input validation | 3.6 | 3.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00056 | 0.03 | CVE-2017-15346
9 | Guo Xu Guos Posting System print.asp sql injection | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.02272 | 0.00 | CVE-2007-0554
10 | WiX Toolset Installer Temp permission assignment | 7.3 | 7.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00045 | 0.42 | CVE-2024-29187
11 | Microsoft Windows Privilege Escalation | 8.1 | 7.7 | $25k-$100k | $5k-$25k | High | Official Fix | 0.00054 | 0.05 | CVE-2023-36802
12 | Moment.js path traversal | 6.9 | 6.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00330 | 0.05 | CVE-2022-24785
13 | Qualiteam X-Cart home.php sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00958 | 0.00 | CVE-2005-1822
14 | SourceCodester Online Eyewear Shop sql injection | 7.1 | 7.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00152 | 0.09 | CVE-2023-0673
15 | SourceCodester Online Food Ordering System manage_user.php sql injection | 8.1 | 7.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00531 | 0.04 | CVE-2023-0332
16 | lirantal daloradius unknown vulnerability | 6.4 | 6.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00080 | 0.05 | CVE-2023-0046
17 | SnakeYAML YAML File stack-based overflow | 3.1 | 3.0 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00152 | 0.03 | CVE-2022-41854
18 | Sonus SBC 1000/SBC 2000/SBC SWe Lite Web Interface access control | 9.8 | 9.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00245 | 0.03 | CVE-2018-11541
19 | Sonus SBC 1000/SBC 2000/SBC SWe Lite Web Interface path traversal | 6.4 | 6.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00172 | 0.02 | CVE-2018-11543
20 | XenForo Admin Panel cross site scripting | 4.1 | 4.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00058 | 0.03 | CVE-2021-43032

IOC - Indicator of Compromise (9)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (14)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (73)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /bin/webserver | predictive | High
2 | File | /cgi-bin/hi3510/param.cgi | predictive | High
3 | File | /cgi-bin/user/Config.cgi | predictive | High
4 | File | /forum/away.php | predictive | High
5 | File | /htsrv/call_plugin.php | predictive | High
6 | File | /uncpath/ | predictive | Medium
7 | File | /var/avamar/f_cache.dat | predictive | High
8 | File | /webmail/ | predictive | Medium
9 | File | admin.asp | predictive | Medium
10 | File | xxxxx.xxx?xxxxxx=xxxxxxxx | predictive | High
11 | File | xxxxx/xxxxxx_xxxx.xxx | predictive | High
12 | File | xxxxx/xxxxxxxxx.xxx | predictive | High
13 | File | xxxxxxx.xxx | predictive | Medium
14 | File | xxxxxx-xxxxxxxxx.xxx | predictive | High
15 | File | x:\xxxxxxx\xxxx | predictive | High
16 | File | xxxxxx.xxx | predictive | Medium
17 | File | x_xxxxxx | predictive | Medium
18 | File | xxxxxxx.xxxxx.xxx | predictive | High
19 | File | xxxxxxx/xxx/xxxxxxxx/xxx/xxx_xxx_xxx.x | predictive | High
20 | File | xxxxxxxxxxxxxxxxxx.xxx | predictive | High
21 | File | xx-xxxxxxx/xxxxxxx | predictive | High
22 | File | xxxxxxx.xxx | predictive | Medium
23 | File | xxxx.xxx | predictive | Medium
24 | File | xxxxx.xxx | predictive | Medium
25 | File | xxxxx.xxx | predictive | Medium
26 | File | xxxxxx/xxxxxx.x | predictive | High
27 | File | xxxxxx.xx | predictive | Medium
28 | File | xxxxxxxxxxxxx.xxx | predictive | High
29 | File | xxx/xxxxxxxxx/xxxxx_xxxx.x | predictive | High
30 | File | xxx/xxxx/xxx_xxxxxx.x | predictive | High
31 | File | xxx/xxxxx | predictive | Medium
32 | File | xxx_xxxx_xxx_xxxxxxxxxx.x | predictive | High
33 | File | xxxx/?x=xxxxxxxx/xxxx_xxxxxxx.xxx | predictive | High
34 | File | xxxx/xxxxxxxx/xxxx_xxxxxxx.xxx | predictive | High
35 | File | xxxxxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High
36 | File | xxxxxx/xxxxxxxxxx/xxx/xxxx.xxx | predictive | High
37 | File | xxxxx.xxx | predictive | Medium
38 | File | xxxxxxxxx.xxx | predictive | High
39 | File | xxx/xxxxx.x | predictive | Medium
40 | File | xxxxxxx/xxxxx.xxx | predictive | High
41 | File | xxx.xxx | predictive | Low
42 | File | xxxx-xxxxx.xxx | predictive | High
43 | File | xx-xxxxxxxxx.xxx | predictive | High
44 | File | xxxxxxxxxx.xxx | predictive | High
45 | Library | xx/xxx/xxxx_xxxxxx.xxx | predictive | High
46 | Library | xxxxxxxxxxxxxxx.xxx | predictive | High
47 | Library | xxxx.xxx.xxx | predictive | Medium
48 | Argument | xxx_xxxxx_xxxx | predictive | High
49 | Argument | xxxxxxxxxxx | predictive | Medium
50 | Argument | xxxxxxx | predictive | Low
51 | Argument | xxxxx | predictive | Low
52 | Argument | xxxx | predictive | Low
53 | Argument | xxxxxxx | predictive | Low
54 | Argument | xx | predictive | Low
55 | Argument | xxxxxxxx | predictive | Medium
56 | Argument | xxxx | predictive | Low
57 | Argument | x_x_x | predictive | Low
58 | Argument | xxxxxxxxxxxxx xx | predictive | High
59 | Argument | xxxx_xxx | predictive | Medium
60 | Argument | xxx | predictive | Low
61 | Argument | xxxxxxx | predictive | Low
62 | Argument | xxxxxxxxx | predictive | Medium
63 | Argument | xxxxxxx | predictive | Low
64 | Argument | xx_xx | predictive | Low
65 | Argument | xxxx | predictive | Low
66 | Argument | xxxxxxxx | predictive | Medium
67 | Argument | xxx_xxxxxxxxxxxx_xxx | predictive | High
68 | Argument | x-xxx-xx-xx | predictive | Medium
69 | Input Value | .. | predictive | Low
70 | Input Value | ../ | predictive | Low
71 | Input Value | /xxxxxx&xxxxxx=xxx&xxxxxxxx=xxxxxxx.* | predictive | High
72 | Input Value | <xxx xxx="xxxx://x"; xx xxxxxxx="$(’x').xxxx(’xxxxxx’)" /> | predictive | High
73 | Network Port | xxx/xxx, xxx/xxx, xxx/xxxx, xxx/xxxx | predictive | High

References (2)

The following list contains external sources which discuss the actor and the associated activities:
