UAC-0118 Analysis

IOB - Indicator of Behavior (275)

Lang

en  208
de   28
ru   26
fr    4
pl    2

Country

us  186
cn   42
ru   24
fr   10
ir    4

Product

Apache HTTP Server     12
Microsoft Windows      10
Microsoft Edge          6
Microsoft ChakraCore    6
WordPress               4

Vulnerabilities

#  | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1  | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.02016 | 0.00 | CVE-2007-1192
2  | OpenSSH Authentication Username information disclosure | 5.3 | 4.8 | $5k-$25k | $0-$5k | High | Official Fix | 0.10737 | 0.29 | CVE-2016-6210
3  | Oracle MySQL Server InnoDB access control | 5.5 | 5.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00098 | 0.00 | CVE-2018-3185
4  | ISC BIND named resolver.c input validation | 8.6 | 8.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.73330 | 0.03 | CVE-2016-1286
5  | Pallets Jinja Sandbox str.format_map access control | 8.4 | 8.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00309 | 0.04 | CVE-2019-10906
6  | AWStats Config awstats.pl Privilege Escalation | 5.0 | 4.6 | $25k-$100k | $0-$5k | Proof-of-Concept | Official Fix | 0.00000 | 0.04 | (none)
7  | Microsoft Windows GDI Privilege Escalation | 7.2 | 6.5 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00043 | 0.00 | CVE-2022-21903
8  | XiongMai IP Camera/DVR NetSurveillance Web Interface memory corruption | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00372 | 0.07 | CVE-2017-16725
9  | ONLYOFFICE Document Server WebSocket API sql injection | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00174 | 0.00 | CVE-2020-11537
10 | nginx ngx_http_mp4_module information disclosure | 5.9 | 5.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00198 | 0.05 | CVE-2018-16845
11 | GitLab cross site scripting | 4.4 | 4.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00067 | 0.00 | CVE-2020-13345
12 | Nextcloud Server Access Control download access control | 5.4 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00094 | 0.00 | CVE-2020-8139
13 | Microsoft IIS IP/Domain Restriction access control | 6.5 | 5.7 | $25k-$100k | $0-$5k | Unproven | Official Fix | 0.00817 | 0.26 | CVE-2014-4078
14 | Microsoft IIS cross site scripting | 5.2 | 4.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00548 | 0.03 | CVE-2017-0055
15 | Web2py information disclosure | 6.4 | 6.2 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00626 | 0.01 | CVE-2016-4806
16 | TP-LINK TL-WR1043N Authentication tmp cross-site request forgery | 5.5 | 5.2 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00262 | 0.00 | CVE-2013-2645
17 | DD-WRT Web Interface cross-site request forgery | 7.5 | 6.9 | $0-$5k | $0-$5k | Unproven | Not Defined | 0.00312 | 0.04 | CVE-2012-6297
18 | Dasan GPON Home Router diag_Form command injection | 8.5 | 8.4 | $0-$5k | $0-$5k | High | Workaround | 0.97423 | 0.04 | CVE-2018-10562
19 | MikroTik RouterOS confused deputy | 7.4 | 7.2 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.05923 | 0.00 | CVE-2019-3924
20 | pkexec escape output | 6.5 | 6.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00042 | 0.04 | CVE-2016-2568

IOC - Indicator of Compromise (13)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (17)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (99)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1  | File | /.env | predictive | Low
2  | File | /category.php | predictive | High
3  | File | /cgi-bin/delete_CA | predictive | High
4  | File | /Config/SaveUploadedHotspotLogoFile | predictive | High
5  | File | /download | predictive | Medium
6  | File | /get_getnetworkconf.cgi | predictive | High
7  | File | /GponForm/device_Form?script/ | predictive | High
8  | File | /includes/rrdtool.inc.php | predictive | High
9  | File | /Main_AdmStatus_Content.asp | predictive | High
10 | File | /NAGErrors | predictive | Medium
11 | File | /RestAPI | predictive | Medium

References (2)

The following list contains external sources which discuss the actor and the associated activities: