misp-circl-feed/feeds/circl/misp/58413594-c004-4860-8e70-46b9950d210f.json

220 lines
7.7 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
"Event": {
"analysis": "2",
"date": "2013-01-04",
"extends_uuid": "",
"info": "OSINT - A PBot (PHP + Perl Backdoor IRC Bot + Network Attack Tool) Infection on hegeman.com",
"publish_timestamp": "1480715684",
"published": true,
"threat_level_id": "3",
"timestamp": "1480669989",
"uuid": "58413594-c004-4860-8e70-46b9950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "tlp:white",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#00223b",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480668791",
"to_ids": false,
"type": "link",
"uuid": "58413677-bf34-4123-abaf-412f950d210f",
"value": "http://blog.malwaremustdie.org/2013/01/a-pbot-php-perl-backdoor-irc-bot.html"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480668835",
"to_ids": false,
"type": "comment",
"uuid": "584136a3-9dc4-4121-ae5f-46ba950d210f",
"value": "PBot is a remote IRC Protocol Bot for usually used for taking over the infected machine into network malicious tool for PortScanning, DoS + etc acts.\r\nIt has been a long time for analyzing an active PBot, our previous post abut Pbot are here>>http://malwaremustdie.blogspot.jp/2012/09/cracking-of-strong-encrypted-phpirc-bot.html. This new one just spotted accidentally in my watch this new year. I trailed back infection started from before Christmas and noted its activities until yesterday. There's nothing special about this infection instead the ignorance of the domain owner which I informed him by severeal times, without getting response nor removal act.\r\nThis PBot is a plain textual script, camouflage its filename with a JPEG file extension, yes it contains some severe malicious functionalities of PBot which people should know about."
},
{
"category": "Network activity",
"comment": "Infected/Injected URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480668976",
"to_ids": true,
"type": "url",
"uuid": "584136d8-222c-4a76-af7b-51b1950d210f",
"value": "http://hegeman.com/configs.jpg"
},
{
"category": "Network activity",
"comment": "Infected/Injected URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480668976",
"to_ids": true,
"type": "url",
"uuid": "584136d9-71bc-4d28-abb6-51b1950d210f",
"value": "http://hegeman.com/images/configs.jpg"
},
{
"category": "Payload delivery",
"comment": "Infected/Injected URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480668976",
"to_ids": true,
"type": "filename",
"uuid": "584136d9-a140-485f-a416-51b1950d210f",
"value": "http://hegeman.com/tmp/configs.jpg\u00ef\u00bc\u0178"
},
{
"category": "Network activity",
"comment": "Infected/Injected URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480668976",
"to_ids": true,
"type": "url",
"uuid": "584136d9-1fc4-4381-bbed-51b1950d210f",
"value": "http://www.hegeman.com/configs.jpg"
},
{
"category": "Network activity",
"comment": "Infected/Injected URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480668976",
"to_ids": true,
"type": "url",
"uuid": "584136d9-b114-4e57-8806-51b1950d210f",
"value": "http://www.hegeman.com/images/configs.jpg"
},
{
"category": "Network activity",
"comment": "Infected/Injected URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480668976",
"to_ids": true,
"type": "url",
"uuid": "584136d9-65e8-4191-ae22-51b1950d210f",
"value": "http://www.hegeman.com/tmp/configs.jpg"
},
{
"category": "Payload delivery",
"comment": "infected url",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480669980",
"to_ids": true,
"type": "filename",
"uuid": "58413b0d-c384-4804-8d53-51b0950d210f",
"value": "http://eskipazari.com/images/products/large/rabot.txt"
},
{
"category": "Payload delivery",
"comment": "infected url",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480669989",
"to_ids": true,
"type": "filename",
"uuid": "58413b0e-b418-4af9-8c3b-412d950d210f",
"value": "http://www.bohmans.ru/netcat/modules/forum2/images/pbbb.txt"
},
{
"category": "Payload delivery",
"comment": "infected url",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480669966",
"to_ids": true,
"type": "filename",
"uuid": "58413b0e-b5cc-466d-a388-51b0950d210f",
"value": "http://asiandogs.\u00e3\u0192\u00bbu/dog/crime/byroe.jpg"
},
{
"category": "Payload delivery",
"comment": "infected url",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480669966",
"to_ids": true,
"type": "filename",
"uuid": "58413b0e-e1a0-43ca-b7ce-412d950d210f",
"value": "http://agefocus\u00e3\u0192\u00bbnet/wp-includes/js/jcrop/six/star.jpg"
},
{
"category": "Payload delivery",
"comment": "infected url",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480669966",
"to_ids": true,
"type": "filename",
"uuid": "58413b0e-f3cc-4215-b0b1-51b0950d210f",
"value": "http://myghost.myqr\u00e3\u0192\u00bbsg/bbs/logs/rabot.txt"
},
{
"category": "Payload delivery",
"comment": "infected url",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480669967",
"to_ids": true,
"type": "filename",
"uuid": "58413b0f-e870-4506-b587-412d950d210f",
"value": "http://www.nenskinder\u00e3\u0192\u00bbcom/wp-content/rabot.txt"
},
{
"category": "Payload delivery",
"comment": "infected url",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480669967",
"to_ids": true,
"type": "filename",
"uuid": "58413b0f-8a0c-4175-aaf4-51b0950d210f",
"value": "http://www.airsoftpark\u00e3\u0192\u00bbcom/custompatchimg/pa.txt"
},
{
"category": "Payload delivery",
"comment": "infected url",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480669967",
"to_ids": true,
"type": "filename",
"uuid": "58413b0f-77b0-4c58-aabf-412d950d210f",
"value": "http://neverbeentobali\u00e3\u0192\u00bbcom/wp-content/rabot.txt"
},
{
"category": "Payload delivery",
"comment": "infected url",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480669967",
"to_ids": true,
"type": "filename",
"uuid": "58413b0f-79f8-4692-938e-51b0950d210f",
"value": "http://flickr.com.oyun-max\u00e3\u0192\u00bbcom/bot.txt"
}
]
}
}