2023-04-21 13:25:09 +00:00
{
"Event" : {
"analysis" : "2" ,
"date" : "2013-01-04" ,
"extends_uuid" : "" ,
"info" : "OSINT - A PBot (PHP + Perl Backdoor IRC Bot + Network Attack Tool) Infection on hegeman.com" ,
"publish_timestamp" : "1480715684" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1480669989" ,
"uuid" : "58413594-c004-4860-8e70-46b9950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#00223b" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1480668791" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "58413677-bf34-4123-abaf-412f950d210f" ,
"value" : "http://blog.malwaremustdie.org/2013/01/a-pbot-php-perl-backdoor-irc-bot.html"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1480668835" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "584136a3-9dc4-4121-ae5f-46ba950d210f" ,
"value" : "PBot is a remote IRC Protocol Bot for usually used for taking over the infected machine into network malicious tool for PortScanning, DoS + etc acts.\r\nIt has been a long time for analyzing an active PBot, our previous post abut Pbot are here>>http://malwaremustdie.blogspot.jp/2012/09/cracking-of-strong-encrypted-phpirc-bot.html. This new one just spotted accidentally in my watch this new year. I trailed back infection started from before Christmas and noted its activities until yesterday. There's nothing special about this infection instead the ignorance of the domain owner which I informed him by severeal times, without getting response nor removal act.\r\nThis PBot is a plain textual script, camouflage its filename with a JPEG file extension, yes it contains some severe malicious functionalities of PBot which people should know about."
} ,
{
"category" : "Network activity" ,
"comment" : "Infected/Injected URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1480668976" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "584136d8-222c-4a76-af7b-51b1950d210f" ,
"value" : "http://hegeman.com/configs.jpg"
} ,
{
"category" : "Network activity" ,
"comment" : "Infected/Injected URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1480668976" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "584136d9-71bc-4d28-abb6-51b1950d210f" ,
"value" : "http://hegeman.com/images/configs.jpg"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Infected/Injected URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1480668976" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "584136d9-a140-485f-a416-51b1950d210f" ,
"value" : "http://hegeman.com/tmp/configs.jpg\u00ef\u00bc\u0178"
} ,
{
"category" : "Network activity" ,
"comment" : "Infected/Injected URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1480668976" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "584136d9-1fc4-4381-bbed-51b1950d210f" ,
"value" : "http://www.hegeman.com/configs.jpg"
} ,
{
"category" : "Network activity" ,
"comment" : "Infected/Injected URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1480668976" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "584136d9-b114-4e57-8806-51b1950d210f" ,
"value" : "http://www.hegeman.com/images/configs.jpg"
} ,
{
"category" : "Network activity" ,
"comment" : "Infected/Injected URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1480668976" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "584136d9-65e8-4191-ae22-51b1950d210f" ,
"value" : "http://www.hegeman.com/tmp/configs.jpg"
} ,
{
"category" : "Payload delivery" ,
"comment" : "infected url" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1480669980" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "58413b0d-c384-4804-8d53-51b0950d210f" ,
"value" : "http://eskipazari.com/images/products/large/rabot.txt"
} ,
{
"category" : "Payload delivery" ,
"comment" : "infected url" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1480669989" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "58413b0e-b418-4af9-8c3b-412d950d210f" ,
"value" : "http://www.bohmans.ru/netcat/modules/forum2/images/pbbb.txt"
} ,
{
"category" : "Payload delivery" ,
"comment" : "infected url" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1480669966" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "58413b0e-b5cc-466d-a388-51b0950d210f" ,
"value" : "http://asiandogs.\u00e3\u0192\u00bbu/dog/crime/byroe.jpg"
} ,
{
"category" : "Payload delivery" ,
"comment" : "infected url" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1480669966" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "58413b0e-e1a0-43ca-b7ce-412d950d210f" ,
"value" : "http://agefocus\u00e3\u0192\u00bbnet/wp-includes/js/jcrop/six/star.jpg"
} ,
{
"category" : "Payload delivery" ,
"comment" : "infected url" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1480669966" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "58413b0e-f3cc-4215-b0b1-51b0950d210f" ,
"value" : "http://myghost.myqr\u00e3\u0192\u00bbsg/bbs/logs/rabot.txt"
} ,
{
"category" : "Payload delivery" ,
"comment" : "infected url" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1480669967" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "58413b0f-e870-4506-b587-412d950d210f" ,
"value" : "http://www.nenskinder\u00e3\u0192\u00bbcom/wp-content/rabot.txt"
} ,
{
"category" : "Payload delivery" ,
"comment" : "infected url" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1480669967" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "58413b0f-8a0c-4175-aaf4-51b0950d210f" ,
"value" : "http://www.airsoftpark\u00e3\u0192\u00bbcom/custompatchimg/pa.txt"
} ,
{
"category" : "Payload delivery" ,
"comment" : "infected url" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1480669967" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "58413b0f-77b0-4c58-aabf-412d950d210f" ,
"value" : "http://neverbeentobali\u00e3\u0192\u00bbcom/wp-content/rabot.txt"
} ,
{
"category" : "Payload delivery" ,
"comment" : "infected url" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1480669967" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "58413b0f-79f8-4692-938e-51b0950d210f" ,
"value" : "http://flickr.com.oyun-max\u00e3\u0192\u00bbcom/bot.txt"
}
]
}
}