Ozone RAT Analysis

IOB - Indicator of Behavior (45)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 46

Country

us: 40

Actors

Activities

Interest

Timeline

Type

Vendor

Product

Linux Kernel: 8
Apple iOS: 4
Apple iPadOS: 4
sjqzhang go-fastdfs: 2
Check_MK: 2

Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Oracle Middleware Common Libraries and Tools Third Party denial of service | 7.5 | 7.3 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00064 | 0.03 | CVE-2022-45688 |
| 2 | sjqzhang go-fastdfs File Upload uploa upload path traversal | 8.1 | 7.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00197 | 0.18 | CVE-2023-1800 |
| 3 | M-Files Server resource consumption | 6.5 | 6.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00073 | 0.00 | CVE-2023-0382 |
| 4 | Siemens Tecnomatix Plant Simulation SPP File out-of-bounds write | 7.0 | 6.9 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00099 | 0.03 | CVE-2023-24995 |
| 5 | SourceCodester Clinics Patient Management System update_user.php sql injection | 7.1 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00113 | 0.09 | CVE-2023-1035 |
| 6 | Vastal phpVID browse_videos.php cross site scripting | 4.3 | 4.1 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.01762 | 0.04 | CVE-2013-5312 |
| 7 | Check_MK Failed-Log Save race condition | 4.8 | 4.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.01510 | 0.00 | CVE-2017-14955 |
| 8 | Chris92de AdminServ adminserv.php cross site scripting | 4.4 | 4.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00073 | 0.18 | CVE-2020-36637 |
| 9 | Chris92de AdminServ adminserv.php cross site scripting | 4.4 | 4.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00073 | 0.23 | CVE-2020-36638 |
| 10 | tcpdump CFM Parser print-cfm.c cfm_print memory corruption | 8.0 | 7.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00853 | 0.00 | CVE-2017-13052 |
| 11 | Synology DiskStation Manager Webapi path traversal | 6.4 | 6.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00062 | 0.04 | CVE-2022-27610 |
| 12 | jserv cross site scripting | 4.3 | 4.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00000 | 0.00 | |
| 13 | Cisco AsyncOS ZIP Archive Spam input validation | 7.5 | 7.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00144 | 0.00 | CVE-2016-1438 |
| 14 | Microsoft Windows LPC Request denial of service | 7.8 | 7.0 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00000 | 0.02 | |
| 15 | Microsoft Windows Guest Account privileges management | 7.3 | 7.1 | $25k-$100k | $5k-$25k | Not Defined | Workaround | 0.00000 | 0.04 | |
| 16 | Apple iOS/iPadOS Audio information disclosure | 3.3 | 3.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00080 | 0.03 | CVE-2022-32825 |
| 17 | InterWorx SiteWorx httpd.php cross site scripting | 3.5 | 3.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00418 | 0.00 | CVE-2007-4588 |
| 18 | InterWorx SiteWorx ftp.php cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00418 | 0.00 | CVE-2007-4588 |
| 19 | phpHtmlLib NavTable.php privileges management | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.17507 | 0.00 | CVE-2006-4287 |
| 20 | Apple iOS/iPadOS WebRTC memory corruption | 7.5 | 7.4 | $25k-$100k | $5k-$25k | High | Official Fix | 0.01152 | 0.06 | CVE-2022-2294 |

IOC - Indicator of Compromise (12)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (5)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (22)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | /group1/uploa | predictive | High |
| 2 | File | /vicidial/AST_agent_time_sheet.php | predictive | High |
| 3 | File | arch/powerpc/mm/mmu_context_book3s64.c | predictive | High |
| 4 | File | xxxx/xxxxx/xxxxxx/xxxxx.x | predictive | High |
| 5 | File | xxxxxx_xxxxxx.xxx | predictive | High |
| 6 | File | xxxxxxx/xxx/xxx/xxxx/xxxx_xxx_xxxxxxx.x | predictive | High |
| 7 | File | xxx.xxx | predictive | Low |
| 8 | File | xxxxx.xxx | predictive | Medium |
| 9 | File | xxxxxx/xxxxxx.x | predictive | High |
| 10 | File | xxxxxxxx.xxx | predictive | Medium |
| 11 | File | xxxxx-xxx.x | predictive | Medium |
| 12 | File | xxxxxxxxx/xxxx/xxxxxxxxx.xxx | predictive | High |
| 13 | File | xxxxxx_xxxx.xxx | predictive | High |
| 14 | Library | xxxx/xxx/xxx/xxxx-xxxx.x | predictive | High |
| 15 | Library | xxx/xxx.x | predictive | Medium |
| 16 | Argument | xxxxx | predictive | Low |
| 17 | Argument | xxx | predictive | Low |
| 18 | Argument | xxxxx | predictive | Low |
| 19 | Argument | xxxx_xxxx | predictive | Medium |
| 20 | Argument | xxxxxxxxxx | predictive | Medium |
| 21 | Argument | xxxx | predictive | Low |
| 22 | Argument | xxxx_xx | predictive | Low |

References (2)

The following list contains external sources which discuss the actor and the associated activities: