MirrorFace Analysis

IOB - Indicator of Behavior (196)


Lang

en: 136
zh: 24
ru: 10
jp: 6
es: 6

Country

us: 82
cn: 62
ru: 32
jp: 8
es: 4


Activities


Product

Apache HTTP Server: 6
Traefik: 6
Apache Tomcat: 4
ThinkPHP: 4
Jeesite: 4

Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1 | Esoftpro Online Guestbook Pro ogp_show.php sql injection | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00108 | 0.25 | CVE-2009-4935
2 | Microsoft Edge PDF Reader memory corruption | 6.0 | 5.7 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.48288 | 0.00 | CVE-2020-1568
3 | nginx request smuggling | 6.9 | 6.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00241 | 1.82 | CVE-2020-12440
4 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.02016 | 0.00 | CVE-2007-1192
5 | Tiki Admin Password tiki-login.php improper authentication | 8.0 | 7.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00936 | 2.88 | CVE-2020-15906
6 | MGB OpenSource Guestbook email.php sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | High | Unavailable | 0.01302 | 0.72 | CVE-2007-0354
7 | Joomla CMS com_easyblog sql injection | 6.3 | 6.1 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00000 | 0.38 | 
8 | HP Router/Switch SNMP information disclosure | 3.7 | 3.4 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00285 | 0.05 | CVE-2012-3268
9 | Esoftpro Online Guestbook Pro ogp_show.php cross site scripting | 4.3 | 4.2 | $0-$5k | $0-$5k | High | Unavailable | 0.00209 | 0.06 | CVE-2009-2441
10 | vBulletin redirector.php | 6.6 | 6.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00106 | 0.21 | CVE-2018-6200
11 | OpenBB read.php sql injection | 7.3 | 7.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00248 | 0.05 | CVE-2005-1612
12 | Apache Struts ExceptionDelegator input validation | 8.8 | 8.4 | $5k-$25k | $0-$5k | High | Official Fix | 0.33127 | 0.04 | CVE-2012-0391
13 | Schneider Electric Vijeo Designer path traversal | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00251 | 0.00 | CVE-2021-22704
14 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00943 | 2.03 | CVE-2010-0966
15 | Hscripts PHP File Browser Script index.php path traversal | 5.9 | 5.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00151 | 0.00 | CVE-2018-16549
16 | Microsoft IIS IP/Domain Restriction access control | 6.5 | 5.7 | $25k-$100k | $0-$5k | Unproven | Official Fix | 0.00817 | 0.25 | CVE-2014-4078
17 | Phplinkdirectory PHP Link Directory conf_users_edit.php cross-site request forgery | 6.3 | 6.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00526 | 0.13 | CVE-2011-0643
18 | Microsoft Windows Win32k Privilege Escalation | 8.3 | 7.8 | $25k-$100k | $0-$5k | High | Official Fix | 0.00148 | 0.03 | CVE-2021-40449
19 | OneLogin Ruby-saml XML DOM improper authentication | 8.3 | 8.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.01056 | 0.00 | CVE-2017-11428
20 | Sphinx missing authentication | 7.4 | 7.3 | $0-$5k | $0-$5k | Not Defined | Workaround | 0.01038 | 0.03 | CVE-2019-14511

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • LiberalFace

IOC - Indicator of Compromise (5)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (15)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (98)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /+CSCOE+/logon.html | predictive | High
2 | File | /balance/service/list | predictive | High
3 | File | /cgi-bin/nas_sharing.cgi | predictive | High
4 | File | /index.php | predictive | Medium
5 | File | /members/view_member.php | predictive | High
6 | File | /mhds/clinic/view_details.php | predictive | High
7 | File | /owa/auth/logon.aspx | predictive | High
8 | File | /rest/api/latest/projectvalidate/key | predictive | High
9 | File | /secure/admin/InsightDefaultCustomFieldConfig.jspa | predictive | High
10 | File | /SSOPOST/metaAlias/%realm%/idpv2 | predictive | High
11 | File | /uncpath/ | predictive | Medium
12 | File | ActivityManagerService.java | predictive | High
12FileActivityManagerService.javapredictiveHigh
13Filexxxxxxx.xxxpredictiveMedium
14Filexxxxx.xxxxxxxxx.xxxpredictiveHigh
15Filexxxxx/xxxx_xxxxx_xxxx.xxxpredictiveHigh
16Filexxx/xxxxxxxxxx/xx/xxxxxxxxxxxxxxxx.xxxpredictiveHigh
17Filexxxxxxx.xxpredictiveMedium
18Filexxx/xxx.xxxpredictiveMedium
19Filexxx-xxx/xxxxxxx.xxpredictiveHigh
20Filexxxxx.xxxpredictiveMedium
21Filexxxx/xxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxx/xxx/xxxxxx.xxxxxxxxx.xxxpredictiveHigh
22Filexxxx/xxxxxxxxxxxxxxx.xxxpredictiveHigh
23Filexxxxxxxxx/xxxxxxxxxxxxxxxxxx.xxxpredictiveHigh
24Filexxxxx.xxxpredictiveMedium
25Filexxx/xxxx/xxxx.xpredictiveHigh
26Filexxxxxxxxxxx/xxxxxxxx/xxxxxxxxxx.xxxpredictiveHigh
27Filexxxxx.xxxxpredictiveMedium
28Filexxx/xxxxxx.xxxpredictiveHigh
29Filexxxxx.xxxpredictiveMedium
30Filexxxxxxxxx/xxxxxxxxxxxxxxxx/xxxxxxxxxxxx/predictiveHigh
31Filexxxxxxxx/xx/xxxx.xxpredictiveHigh
32Filexxxxxxx/xxxxx/xx/xxxxxx/xxxxx.xxxxx.xxxpredictiveHigh
33Filexxxx.xxxpredictiveMedium
34Filexxxxxx_xxxxxxxxx.xxpredictiveHigh
35Filexxx_xxxxx_xxxx.xpredictiveHigh
36Filexxx/xxxxxpredictiveMedium
37Filexxx_xxxx.xxxpredictiveMedium
38Filexxxxxxxxxxxxxxxxxxxxxxx.xxxxpredictiveHigh
39Filexxxxxx/?x=xxxxx/\xxxxx\xxx/xxxxxxxxxxxxxx&xxxxxxxx=xxxx_xxxx_xxxx_xxxxx&xxxx[x]=xxxxxx&xxxx[x][]predictiveHigh
40Filexxxx.xxxpredictiveMedium
41Filexxxxxxxxxx.xxxpredictiveHigh
42Filexxxxxxxx/xxxxx/xxxxxxxx?xxxxxxxxpredictiveHigh
43Filexxx/xxxx/xxxx/xxx.xxxxxxxx.xxxxxxx/xxxxxxx/xxx/xxxxxx.xxxxpredictiveHigh
44Filexxxx-xxxxx.xxxpredictiveHigh
45Filexxxx-xxxxxxxx.xxxpredictiveHigh
46Filexxx.xpredictiveLow
47Filexxxx_xxxxxxxx_xxxxxxx.xxxpredictiveHigh
48Filexxxxxxxxxx.xxxpredictiveHigh
49Filexxxx/xxxx_xxx_xxxxxx.xpredictiveHigh
50File~/xxxxxxxx/xxx-xxxxxxxxx/xxxxx/xxxxx-xxx-xxxxx-xxxxxxxx.xxxpredictiveHigh
51File~/xxxxx-xxxxxx/xxxxxx_xx.xxxpredictiveHigh
52Library/_xxx_xxx/xxxxx.xxxpredictiveHigh
53Libraryxxx/xxxxxx.xpredictiveMedium
54ArgumentxxxxxxxxpredictiveMedium
55ArgumentxxxxxxxxxxpredictiveMedium
56Argumentxx_xxxxx_xxxxxx_xxxpredictiveHigh
57ArgumentxxxxxxxxxpredictiveMedium
58ArgumentxxxxxxpredictiveLow
59Argumentxxxx_xxxxxpredictiveMedium
60ArgumentxxxxxxxxxxxxxxxxpredictiveHigh
61ArgumentxxxxpredictiveLow
62ArgumentxxxxxxxpredictiveLow
63ArgumentxxxxxpredictiveLow
64ArgumentxxxxpredictiveLow
65ArgumentxxxxxxxxpredictiveMedium
66Argumentxx_xxpredictiveLow
67Argumentxxxxxxxxx/xxxxxxpredictiveHigh
68ArgumentxxxxxxxxxpredictiveMedium
69ArgumentxxxxpredictiveLow
70ArgumentxxpredictiveLow
71ArgumentxxxxpredictiveLow
72ArgumentxxxpredictiveLow
73ArgumentxxxxpredictiveLow
74Argumentxxxxxx xxxxxxpredictiveHigh
75ArgumentxxxxxxxpredictiveLow
76ArgumentxxxxxxxxpredictiveMedium
77ArgumentxxxxpredictiveLow
78ArgumentxxxxxxxpredictiveLow
79Argumentxxxxx_xxxxxxpredictiveMedium
80ArgumentxxxxxxxxxxpredictiveMedium
81ArgumentxxxxxxpredictiveLow
82Argumentxxxxx/xxxxxxxpredictiveHigh
83ArgumentxxxxxxxxxxxpredictiveMedium
84ArgumentxxxxpredictiveLow
85ArgumentxxxpredictiveLow
86ArgumentxxxpredictiveLow
87ArgumentxxxpredictiveLow
88ArgumentxxxxpredictiveLow
89ArgumentxxxxxxxxpredictiveMedium
90ArgumentxxxxxpredictiveLow
91Argumentx-xxxxxxxxx-xxxxxxpredictiveHigh
92Input Value../predictiveLow
93Input Value.xxx?/../../xxxx.xxxpredictiveHigh
94Input Value/xxx/xxxxxxpredictiveMedium
95Input Valuexxxxx' xxx (xxxxxx xxxx xxxx (xxxxxx(xxxxx(x)))xxxx) xxx 'xxxx'='xxxx&xxxxxxxx=xxxxxxxxxxpredictiveHigh
96Input Valuex=xpredictiveLow
97Input ValuexxxxxxxxxxpredictiveMedium
98Network Portxxx/xxx (xxxx)predictiveHigh

References (2)

The following list contains external sources which discuss the actor and the associated activities:
