{
"type": "bundle",
"id": "bundle--58413594-c004-4860-8e70-46b9950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:13:09.000Z",
"modified": "2016-12-02T09:13:09.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58413594-c004-4860-8e70-46b9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:13:09.000Z",
"modified": "2016-12-02T09:13:09.000Z",
"name": "OSINT - A PBot (PHP + Perl Backdoor IRC Bot + Network Attack Tool) Infection on hegeman.com",
"published": "2016-12-02T21:54:44Z",
"object_refs": [
"observed-data--58413677-bf34-4123-abaf-412f950d210f",
"url--58413677-bf34-4123-abaf-412f950d210f",
"x-misp-attribute--584136a3-9dc4-4121-ae5f-46ba950d210f",
"indicator--584136d8-222c-4a76-af7b-51b1950d210f",
"indicator--584136d9-71bc-4d28-abb6-51b1950d210f",
"indicator--584136d9-a140-485f-a416-51b1950d210f",
"indicator--584136d9-1fc4-4381-bbed-51b1950d210f",
"indicator--584136d9-b114-4e57-8806-51b1950d210f",
"indicator--584136d9-65e8-4191-ae22-51b1950d210f",
"indicator--58413b0d-c384-4804-8d53-51b0950d210f",
"indicator--58413b0e-b418-4af9-8c3b-412d950d210f",
"indicator--58413b0e-b5cc-466d-a388-51b0950d210f",
"indicator--58413b0e-e1a0-43ca-b7ce-412d950d210f",
"indicator--58413b0e-f3cc-4215-b0b1-51b0950d210f",
"indicator--58413b0f-e870-4506-b587-412d950d210f",
"indicator--58413b0f-8a0c-4175-aaf4-51b0950d210f",
"indicator--58413b0f-77b0-4c58-aabf-412d950d210f",
"indicator--58413b0f-79f8-4692-938e-51b0950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58413677-bf34-4123-abaf-412f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:53:11.000Z",
"modified": "2016-12-02T08:53:11.000Z",
"first_observed": "2016-12-02T08:53:11Z",
"last_observed": "2016-12-02T08:53:11Z",
"number_observed": 1,
"object_refs": [
"url--58413677-bf34-4123-abaf-412f950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58413677-bf34-4123-abaf-412f950d210f",
"value": "http://blog.malwaremustdie.org/2013/01/a-pbot-php-perl-backdoor-irc-bot.html"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--584136a3-9dc4-4121-ae5f-46ba950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:53:55.000Z",
"modified": "2016-12-02T08:53:55.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "PBot is a remote IRC Protocol Bot usually used for taking over the infected machine into a network malicious tool for PortScanning, DoS + etc acts.\r\nIt has been a long time since analyzing an active PBot, our previous post about Pbot is here>>http://malwaremustdie.blogspot.jp/2012/09/cracking-of-strong-encrypted-phpirc-bot.html. This new one was just spotted accidentally in my watch this new year. I trailed back the infection started from before Christmas and noted its activities until yesterday. There's nothing special about this infection except the ignorance of the domain owner, whom I informed several times, without getting a response nor a removal act.\r\nThis PBot is a plain textual script, camouflaging its filename with a JPEG file extension, yes it contains some severe malicious functionalities of PBot which people should know about."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584136d8-222c-4a76-af7b-51b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:56:16.000Z",
"modified": "2016-12-02T08:56:16.000Z",
"description": "Infected/Injected URL",
"pattern": "[url:value = 'http://hegeman.com/configs.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584136d9-71bc-4d28-abb6-51b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:56:16.000Z",
"modified": "2016-12-02T08:56:16.000Z",
"description": "Infected/Injected URL",
"pattern": "[url:value = 'http://hegeman.com/images/configs.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584136d9-a140-485f-a416-51b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:56:16.000Z",
"modified": "2016-12-02T08:56:16.000Z",
"description": "Infected/Injected URL",
"pattern": "[file:name = 'http://hegeman.com/tmp/configs.jpg\u00ef\u00bc\u0178']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584136d9-1fc4-4381-bbed-51b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:56:16.000Z",
"modified": "2016-12-02T08:56:16.000Z",
"description": "Infected/Injected URL",
"pattern": "[url:value = 'http://www.hegeman.com/configs.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584136d9-b114-4e57-8806-51b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:56:16.000Z",
"modified": "2016-12-02T08:56:16.000Z",
"description": "Infected/Injected URL",
"pattern": "[url:value = 'http://www.hegeman.com/images/configs.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584136d9-65e8-4191-ae22-51b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:56:16.000Z",
"modified": "2016-12-02T08:56:16.000Z",
"description": "Infected/Injected URL",
"pattern": "[url:value = 'http://www.hegeman.com/tmp/configs.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58413b0d-c384-4804-8d53-51b0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:13:00.000Z",
"modified": "2016-12-02T09:13:00.000Z",
"description": "infected url",
"pattern": "[file:name = 'http://eskipazari.com/images/products/large/rabot.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T09:13:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58413b0e-b418-4af9-8c3b-412d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:13:09.000Z",
"modified": "2016-12-02T09:13:09.000Z",
"description": "infected url",
"pattern": "[file:name = 'http://www.bohmans.ru/netcat/modules/forum2/images/pbbb.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T09:13:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58413b0e-b5cc-466d-a388-51b0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:12:46.000Z",
"modified": "2016-12-02T09:12:46.000Z",
"description": "infected url",
"pattern": "[file:name = 'http://asiandogs.\u00e3\u0192\u00bbu/dog/crime/byroe.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T09:12:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58413b0e-e1a0-43ca-b7ce-412d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:12:46.000Z",
"modified": "2016-12-02T09:12:46.000Z",
"description": "infected url",
"pattern": "[file:name = 'http://agefocus\u00e3\u0192\u00bbnet/wp-includes/js/jcrop/six/star.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T09:12:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58413b0e-f3cc-4215-b0b1-51b0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:12:46.000Z",
"modified": "2016-12-02T09:12:46.000Z",
"description": "infected url",
"pattern": "[file:name = 'http://myghost.myqr\u00e3\u0192\u00bbsg/bbs/logs/rabot.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T09:12:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58413b0f-e870-4506-b587-412d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:12:47.000Z",
"modified": "2016-12-02T09:12:47.000Z",
"description": "infected url",
"pattern": "[file:name = 'http://www.nenskinder\u00e3\u0192\u00bbcom/wp-content/rabot.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T09:12:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58413b0f-8a0c-4175-aaf4-51b0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:12:47.000Z",
"modified": "2016-12-02T09:12:47.000Z",
"description": "infected url",
"pattern": "[file:name = 'http://www.airsoftpark\u00e3\u0192\u00bbcom/custompatchimg/pa.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T09:12:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58413b0f-77b0-4c58-aabf-412d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:12:47.000Z",
"modified": "2016-12-02T09:12:47.000Z",
"description": "infected url",
"pattern": "[file:name = 'http://neverbeentobali\u00e3\u0192\u00bbcom/wp-content/rabot.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T09:12:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58413b0f-79f8-4692-938e-51b0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:12:47.000Z",
"modified": "2016-12-02T09:12:47.000Z",
"description": "infected url",
"pattern": "[file:name = 'http://flickr.com.oyun-max\u00e3\u0192\u00bbcom/bot.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T09:12:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}