{ "type": "bundle", "id": "bundle--58e743e1-3008-4198-a310-4c82950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:20:28.000Z", "modified": "2017-04-07T10:20:28.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--58e743e1-3008-4198-a310-4c82950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:20:28.000Z", "modified": "2017-04-07T10:20:28.000Z", "name": "OSINT - Off-the-shelf Ransomware Used to Target the Healthcare Sector", "published": "2017-04-07T10:20:47Z", "object_refs": [ "observed-data--58e743f1-872c-4a07-bbfd-4cdd950d210f", "url--58e743f1-872c-4a07-bbfd-4cdd950d210f", "indicator--58e744b0-d9c8-434f-8e60-41ae950d210f", "indicator--58e744b1-3374-4ccd-8bae-49d8950d210f", "indicator--58e744b2-3a74-46e3-a772-4ab4950d210f", "indicator--58e744b3-c92c-4f2c-b650-4242950d210f", "indicator--58e744b4-8af0-4217-a0ea-49c1950d210f", "indicator--58e76791-9968-48b8-a6fb-44bf02de0b81", "indicator--58e76792-8910-4731-b851-427b02de0b81", "observed-data--58e76793-77e8-406c-b283-409402de0b81", "url--58e76793-77e8-406c-b283-409402de0b81", "indicator--58e76794-df5c-430e-966c-467302de0b81", "indicator--58e76795-6f78-481f-a454-4f9802de0b81", "observed-data--58e76796-0eb0-4f71-8fd8-47fa02de0b81", "url--58e76796-0eb0-4f71-8fd8-47fa02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "malware_classification:malware-category=\"Ransomware\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e743f1-872c-4a07-bbfd-4cdd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:20:07.000Z", "modified": "2017-04-07T10:20:07.000Z", "first_observed": "2017-04-07T10:20:07Z", "last_observed": "2017-04-07T10:20:07Z", "number_observed": 1, "object_refs": [ "url--58e743f1-872c-4a07-bbfd-4cdd950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e743f1-872c-4a07-bbfd-4cdd950d210f", "value": "https://blogs.forcepoint.com/security-labs/shelf-ransomware-used-target-healthcare-sector" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e744b0-d9c8-434f-8e60-41ae950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:18:51.000Z", "modified": "2017-04-07T10:18:51.000Z", "description": "Download links", "pattern": "[url:value = 'https://kaspersky.dattodrive.com/index.php/s/lhodbNAIcoNF6yb/download']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:18:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e744b1-3374-4ccd-8bae-49d8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:18:51.000Z", "modified": "2017-04-07T10:18:51.000Z", "description": "Download links", "pattern": "[url:value = 'http://87i03clk4zcw06uy1cv5.nl/mass/hospital/spam/payload/WINWORD.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:18:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e744b2-3a74-46e3-a772-4ab4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:18:51.000Z", "modified": "2017-04-07T10:18:51.000Z", "description": "Ransomware C2", "pattern": "[url:value = 'http://87i03clk4zcw06uy1cv5.nl/mass/hospital/spam/index.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:18:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e744b3-c92c-4f2c-b650-4242950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:18:51.000Z", "modified": "2017-04-07T10:18:51.000Z", "description": "DOCX file", "pattern": "[file:hashes.SHA256 = '0e53d65ecd1d6ae5f77500c535b8916f43a1da04b59efde63c1ca593d8363483']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:18:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e744b4-8af0-4217-a0ea-49c1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:18:51.000Z", "modified": "2017-04-07T10:18:51.000Z", "description": "Philadelphia", "pattern": "[file:hashes.SHA256 = '2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:18:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "malware_classification:malware-category=\"Ransomware\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e76791-9968-48b8-a6fb-44bf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:18:57.000Z", "modified": "2017-04-07T10:18:57.000Z", "description": "Philadelphia - Xchecked via VT: 2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3c", "pattern": "[file:hashes.SHA1 = '448c93e79bf0741798ed99bb3108d1ceb90b6901']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:18:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "malware_classification:malware-category=\"Ransomware\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e76792-8910-4731-b851-427b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:18:58.000Z", "modified": "2017-04-07T10:18:58.000Z", "description": "Philadelphia - Xchecked via VT: 2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3c", "pattern": "[file:hashes.MD5 = '0a380f789a882f7c4e11a1b4f87bb4fd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:18:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "malware_classification:malware-category=\"Ransomware\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e76793-77e8-406c-b283-409402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:18:59.000Z", "modified": "2017-04-07T10:18:59.000Z", "first_observed": "2017-04-07T10:18:59Z", "last_observed": "2017-04-07T10:18:59Z", "number_observed": 1, "object_refs": [ "url--58e76793-77e8-406c-b283-409402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "malware_classification:malware-category=\"Ransomware\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e76793-77e8-406c-b283-409402de0b81", "value": "https://www.virustotal.com/file/2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3c/analysis/1491192472/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e76794-df5c-430e-966c-467302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:19:00.000Z", "modified": "2017-04-07T10:19:00.000Z", "description": "DOCX file - Xchecked via VT: 0e53d65ecd1d6ae5f77500c535b8916f43a1da04b59efde63c1ca593d8363483", "pattern": "[file:hashes.SHA1 = '7807eecce4b89564901caa1d3abd827f6438fcd5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:19:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e76795-6f78-481f-a454-4f9802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:19:01.000Z", "modified": "2017-04-07T10:19:01.000Z", "description": "DOCX file - Xchecked via VT: 0e53d65ecd1d6ae5f77500c535b8916f43a1da04b59efde63c1ca593d8363483", "pattern": "[file:hashes.MD5 = '9f86684abeb100455295a9a3f86e0d99']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:19:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e76796-0eb0-4f71-8fd8-47fa02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:19:02.000Z", "modified": "2017-04-07T10:19:02.000Z", "first_observed": "2017-04-07T10:19:02Z", "last_observed": "2017-04-07T10:19:02Z", "number_observed": 1, "object_refs": [ "url--58e76796-0eb0-4f71-8fd8-47fa02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e76796-0eb0-4f71-8fd8-47fa02de0b81", "value": "https://www.virustotal.com/file/0e53d65ecd1d6ae5f77500c535b8916f43a1da04b59efde63c1ca593d8363483/analysis/1491275798/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }