2023-04-21 13:25:09 +00:00
|
|
|
{
|
2023-06-14 17:31:25 +00:00
|
|
|
"type": "bundle",
|
|
|
|
"id": "bundle--58e743e1-3008-4198-a310-4c82950d210f",
|
|
|
|
"objects": [
|
|
|
|
{
|
|
|
|
"type": "identity",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:20:28.000Z",
|
|
|
|
"modified": "2017-04-07T10:20:28.000Z",
|
|
|
|
"name": "CIRCL",
|
|
|
|
"identity_class": "organization"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "report",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "report--58e743e1-3008-4198-a310-4c82950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:20:28.000Z",
|
|
|
|
"modified": "2017-04-07T10:20:28.000Z",
|
|
|
|
"name": "OSINT - Off-the-shelf Ransomware Used to Target the Healthcare Sector",
|
|
|
|
"published": "2017-04-07T10:20:47Z",
|
|
|
|
"object_refs": [
|
|
|
|
"observed-data--58e743f1-872c-4a07-bbfd-4cdd950d210f",
|
|
|
|
"url--58e743f1-872c-4a07-bbfd-4cdd950d210f",
|
|
|
|
"indicator--58e744b0-d9c8-434f-8e60-41ae950d210f",
|
|
|
|
"indicator--58e744b1-3374-4ccd-8bae-49d8950d210f",
|
|
|
|
"indicator--58e744b2-3a74-46e3-a772-4ab4950d210f",
|
|
|
|
"indicator--58e744b3-c92c-4f2c-b650-4242950d210f",
|
|
|
|
"indicator--58e744b4-8af0-4217-a0ea-49c1950d210f",
|
|
|
|
"indicator--58e76791-9968-48b8-a6fb-44bf02de0b81",
|
|
|
|
"indicator--58e76792-8910-4731-b851-427b02de0b81",
|
|
|
|
"observed-data--58e76793-77e8-406c-b283-409402de0b81",
|
|
|
|
"url--58e76793-77e8-406c-b283-409402de0b81",
|
|
|
|
"indicator--58e76794-df5c-430e-966c-467302de0b81",
|
|
|
|
"indicator--58e76795-6f78-481f-a454-4f9802de0b81",
|
|
|
|
"observed-data--58e76796-0eb0-4f71-8fd8-47fa02de0b81",
|
|
|
|
"url--58e76796-0eb0-4f71-8fd8-47fa02de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"Threat-Report",
|
|
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
|
|
"type:OSINT",
|
|
|
|
"malware_classification:malware-category=\"Ransomware\"",
|
|
|
|
"osint:source-type=\"blog-post\""
|
|
|
|
],
|
|
|
|
"object_marking_refs": [
|
|
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--58e743f1-872c-4a07-bbfd-4cdd950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:20:07.000Z",
|
|
|
|
"modified": "2017-04-07T10:20:07.000Z",
|
|
|
|
"first_observed": "2017-04-07T10:20:07Z",
|
|
|
|
"last_observed": "2017-04-07T10:20:07Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--58e743f1-872c-4a07-bbfd-4cdd950d210f"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\"",
|
|
|
|
"osint:source-type=\"blog-post\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--58e743f1-872c-4a07-bbfd-4cdd950d210f",
|
|
|
|
"value": "https://blogs.forcepoint.com/security-labs/shelf-ransomware-used-target-healthcare-sector"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e744b0-d9c8-434f-8e60-41ae950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:18:51.000Z",
|
|
|
|
"modified": "2017-04-07T10:18:51.000Z",
|
|
|
|
"description": "Download links",
|
|
|
|
"pattern": "[url:value = 'https://kaspersky.dattodrive.com/index.php/s/lhodbNAIcoNF6yb/download']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:18:51Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e744b1-3374-4ccd-8bae-49d8950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:18:51.000Z",
|
|
|
|
"modified": "2017-04-07T10:18:51.000Z",
|
|
|
|
"description": "Download links",
|
|
|
|
"pattern": "[url:value = 'http://87i03clk4zcw06uy1cv5.nl/mass/hospital/spam/payload/WINWORD.exe']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:18:51Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e744b2-3a74-46e3-a772-4ab4950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:18:51.000Z",
|
|
|
|
"modified": "2017-04-07T10:18:51.000Z",
|
|
|
|
"description": "Ransomware C2",
|
|
|
|
"pattern": "[url:value = 'http://87i03clk4zcw06uy1cv5.nl/mass/hospital/spam/index.php']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:18:51Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e744b3-c92c-4f2c-b650-4242950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:18:51.000Z",
|
|
|
|
"modified": "2017-04-07T10:18:51.000Z",
|
|
|
|
"description": "DOCX file",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '0e53d65ecd1d6ae5f77500c535b8916f43a1da04b59efde63c1ca593d8363483']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:18:51Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e744b4-8af0-4217-a0ea-49c1950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:18:51.000Z",
|
|
|
|
"modified": "2017-04-07T10:18:51.000Z",
|
|
|
|
"description": "Philadelphia",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3c']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:18:51Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"malware_classification:malware-category=\"Ransomware\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e76791-9968-48b8-a6fb-44bf02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:18:57.000Z",
|
|
|
|
"modified": "2017-04-07T10:18:57.000Z",
|
|
|
|
"description": "Philadelphia - Xchecked via VT: 2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3c",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '448c93e79bf0741798ed99bb3108d1ceb90b6901']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:18:57Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"malware_classification:malware-category=\"Ransomware\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e76792-8910-4731-b851-427b02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:18:58.000Z",
|
|
|
|
"modified": "2017-04-07T10:18:58.000Z",
|
|
|
|
"description": "Philadelphia - Xchecked via VT: 2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3c",
|
|
|
|
"pattern": "[file:hashes.MD5 = '0a380f789a882f7c4e11a1b4f87bb4fd']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:18:58Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\"",
|
|
|
|
"malware_classification:malware-category=\"Ransomware\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--58e76793-77e8-406c-b283-409402de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:18:59.000Z",
|
|
|
|
"modified": "2017-04-07T10:18:59.000Z",
|
|
|
|
"first_observed": "2017-04-07T10:18:59Z",
|
|
|
|
"last_observed": "2017-04-07T10:18:59Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--58e76793-77e8-406c-b283-409402de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\"",
|
|
|
|
"malware_classification:malware-category=\"Ransomware\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--58e76793-77e8-406c-b283-409402de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3c/analysis/1491192472/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e76794-df5c-430e-966c-467302de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:19:00.000Z",
|
|
|
|
"modified": "2017-04-07T10:19:00.000Z",
|
|
|
|
"description": "DOCX file - Xchecked via VT: 0e53d65ecd1d6ae5f77500c535b8916f43a1da04b59efde63c1ca593d8363483",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '7807eecce4b89564901caa1d3abd827f6438fcd5']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:19:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e76795-6f78-481f-a454-4f9802de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:19:01.000Z",
|
|
|
|
"modified": "2017-04-07T10:19:01.000Z",
|
|
|
|
"description": "DOCX file - Xchecked via VT: 0e53d65ecd1d6ae5f77500c535b8916f43a1da04b59efde63c1ca593d8363483",
|
|
|
|
"pattern": "[file:hashes.MD5 = '9f86684abeb100455295a9a3f86e0d99']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:19:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--58e76796-0eb0-4f71-8fd8-47fa02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:19:02.000Z",
|
|
|
|
"modified": "2017-04-07T10:19:02.000Z",
|
|
|
|
"first_observed": "2017-04-07T10:19:02Z",
|
|
|
|
"last_observed": "2017-04-07T10:19:02Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--58e76796-0eb0-4f71-8fd8-47fa02de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--58e76796-0eb0-4f71-8fd8-47fa02de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/0e53d65ecd1d6ae5f77500c535b8916f43a1da04b59efde63c1ca593d8363483/analysis/1491275798/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "marking-definition",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
|
|
"definition_type": "tlp",
|
|
|
|
"name": "TLP:WHITE",
|
|
|
|
"definition": {
|
|
|
|
"tlp": "white"
|
|
|
|
}
|
|
|
|
}
|
2023-04-21 13:25:09 +00:00
|
|
|
]
|
|
|
|
}
|