adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/58413594-c004-4860-8e70-46b9950d210f.json

463 lines
No EOL
19 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--58413594-c004-4860-8e70-46b9950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:13:09.000Z",
"modified": "2016-12-02T09:13:09.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58413594-c004-4860-8e70-46b9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:13:09.000Z",
"modified": "2016-12-02T09:13:09.000Z",
"name": "OSINT - A PBot (PHP + Perl Backdoor IRC Bot + Network Attack Tool) Infection on hegeman.com",
"published": "2016-12-02T21:54:44Z",
"object_refs": [
"observed-data--58413677-bf34-4123-abaf-412f950d210f",
"url--58413677-bf34-4123-abaf-412f950d210f",
"x-misp-attribute--584136a3-9dc4-4121-ae5f-46ba950d210f",
"indicator--584136d8-222c-4a76-af7b-51b1950d210f",
"indicator--584136d9-71bc-4d28-abb6-51b1950d210f",
"indicator--584136d9-a140-485f-a416-51b1950d210f",
"indicator--584136d9-1fc4-4381-bbed-51b1950d210f",
"indicator--584136d9-b114-4e57-8806-51b1950d210f",
"indicator--584136d9-65e8-4191-ae22-51b1950d210f",
"indicator--58413b0d-c384-4804-8d53-51b0950d210f",
"indicator--58413b0e-b418-4af9-8c3b-412d950d210f",
"indicator--58413b0e-b5cc-466d-a388-51b0950d210f",
"indicator--58413b0e-e1a0-43ca-b7ce-412d950d210f",
"indicator--58413b0e-f3cc-4215-b0b1-51b0950d210f",
"indicator--58413b0f-e870-4506-b587-412d950d210f",
"indicator--58413b0f-8a0c-4175-aaf4-51b0950d210f",
"indicator--58413b0f-77b0-4c58-aabf-412d950d210f",
"indicator--58413b0f-79f8-4692-938e-51b0950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58413677-bf34-4123-abaf-412f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:53:11.000Z",
"modified": "2016-12-02T08:53:11.000Z",
"first_observed": "2016-12-02T08:53:11Z",
"last_observed": "2016-12-02T08:53:11Z",
"number_observed": 1,
"object_refs": [
"url--58413677-bf34-4123-abaf-412f950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58413677-bf34-4123-abaf-412f950d210f",
"value": "http://blog.malwaremustdie.org/2013/01/a-pbot-php-perl-backdoor-irc-bot.html"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--584136a3-9dc4-4121-ae5f-46ba950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:53:55.000Z",
"modified": "2016-12-02T08:53:55.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "PBot is a remote IRC Protocol Bot for usually used for taking over the infected machine into network malicious tool for PortScanning, DoS + etc acts.\r\nIt has been a long time for analyzing an active PBot, our previous post abut Pbot are here>>http://malwaremustdie.blogspot.jp/2012/09/cracking-of-strong-encrypted-phpirc-bot.html. This new one just spotted accidentally in my watch this new year. I trailed back infection started from before Christmas and noted its activities until yesterday. There's nothing special about this infection instead the ignorance of the domain owner which I informed him by severeal times, without getting response nor removal act.\r\nThis PBot is a plain textual script, camouflage its filename with a JPEG file extension, yes it contains some severe malicious functionalities of PBot which people should know about."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584136d8-222c-4a76-af7b-51b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:56:16.000Z",
"modified": "2016-12-02T08:56:16.000Z",
"description": "Infected/Injected URL",
"pattern": "[url:value = 'http://hegeman.com/configs.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584136d9-71bc-4d28-abb6-51b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:56:16.000Z",
"modified": "2016-12-02T08:56:16.000Z",
"description": "Infected/Injected URL",
"pattern": "[url:value = 'http://hegeman.com/images/configs.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584136d9-a140-485f-a416-51b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:56:16.000Z",
"modified": "2016-12-02T08:56:16.000Z",
"description": "Infected/Injected URL",
"pattern": "[file:name = 'http://hegeman.com/tmp/configs.jpg\u00ef\u00bc\u0178']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584136d9-1fc4-4381-bbed-51b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:56:16.000Z",
"modified": "2016-12-02T08:56:16.000Z",
"description": "Infected/Injected URL",
"pattern": "[url:value = 'http://www.hegeman.com/configs.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584136d9-b114-4e57-8806-51b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:56:16.000Z",
"modified": "2016-12-02T08:56:16.000Z",
"description": "Infected/Injected URL",
"pattern": "[url:value = 'http://www.hegeman.com/images/configs.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584136d9-65e8-4191-ae22-51b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:56:16.000Z",
"modified": "2016-12-02T08:56:16.000Z",
"description": "Infected/Injected URL",
"pattern": "[url:value = 'http://www.hegeman.com/tmp/configs.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58413b0d-c384-4804-8d53-51b0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:13:00.000Z",
"modified": "2016-12-02T09:13:00.000Z",
"description": "infected url",
"pattern": "[file:name = 'http://eskipazari.com/images/products/large/rabot.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T09:13:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58413b0e-b418-4af9-8c3b-412d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:13:09.000Z",
"modified": "2016-12-02T09:13:09.000Z",
"description": "infected url",
"pattern": "[file:name = 'http://www.bohmans.ru/netcat/modules/forum2/images/pbbb.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T09:13:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58413b0e-b5cc-466d-a388-51b0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:12:46.000Z",
"modified": "2016-12-02T09:12:46.000Z",
"description": "infected url",
"pattern": "[file:name = 'http://asiandogs.\u00e3\u0192\u00bbu/dog/crime/byroe.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T09:12:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58413b0e-e1a0-43ca-b7ce-412d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:12:46.000Z",
"modified": "2016-12-02T09:12:46.000Z",
"description": "infected url",
"pattern": "[file:name = 'http://agefocus\u00e3\u0192\u00bbnet/wp-includes/js/jcrop/six/star.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T09:12:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58413b0e-f3cc-4215-b0b1-51b0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:12:46.000Z",
"modified": "2016-12-02T09:12:46.000Z",
"description": "infected url",
"pattern": "[file:name = 'http://myghost.myqr\u00e3\u0192\u00bbsg/bbs/logs/rabot.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T09:12:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58413b0f-e870-4506-b587-412d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:12:47.000Z",
"modified": "2016-12-02T09:12:47.000Z",
"description": "infected url",
"pattern": "[file:name = 'http://www.nenskinder\u00e3\u0192\u00bbcom/wp-content/rabot.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T09:12:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58413b0f-8a0c-4175-aaf4-51b0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:12:47.000Z",
"modified": "2016-12-02T09:12:47.000Z",
"description": "infected url",
"pattern": "[file:name = 'http://www.airsoftpark\u00e3\u0192\u00bbcom/custompatchimg/pa.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T09:12:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58413b0f-77b0-4c58-aabf-412d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:12:47.000Z",
"modified": "2016-12-02T09:12:47.000Z",
"description": "infected url",
"pattern": "[file:name = 'http://neverbeentobali\u00e3\u0192\u00bbcom/wp-content/rabot.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T09:12:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58413b0f-79f8-4692-938e-51b0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T09:12:47.000Z",
"modified": "2016-12-02T09:12:47.000Z",
"description": "infected url",
"pattern": "[file:name = 'http://flickr.com.oyun-max\u00e3\u0192\u00bbcom/bot.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T09:12:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink