292 lines
No EOL
13 KiB
JSON
292 lines
No EOL
13 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--59a66c11-6c14-4987-b79d-430e950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-30T12:01:51.000Z",
|
|
"modified": "2017-08-30T12:01:51.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "grouping",
|
|
"spec_version": "2.1",
|
|
"id": "grouping--59a66c11-6c14-4987-b79d-430e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-30T12:01:51.000Z",
|
|
"modified": "2017-08-30T12:01:51.000Z",
|
|
"name": "OSINT - Bit Paymer Ransomware Hits Scottish Hospitals",
|
|
"context": "suspicious-activity",
|
|
"object_refs": [
|
|
"indicator--59a66c26-1b6c-47ba-81a0-4d6f950d210f",
|
|
"indicator--59a66c26-7d34-4151-999f-4021950d210f",
|
|
"x-misp-attribute--59a66c4f-9ba8-4373-937e-4ecd950d210f",
|
|
"observed-data--59a66d55-2e34-4cf6-9da0-4a0a950d210f",
|
|
"url--59a66d55-2e34-4cf6-9da0-4a0a950d210f",
|
|
"indicator--59a6a90e-c544-4ea6-bb53-9e4c02de0b81",
|
|
"indicator--59a6a90e-3990-4232-8c38-9e4c02de0b81",
|
|
"observed-data--59a6a90e-1180-411c-a6c3-9e4c02de0b81",
|
|
"url--59a6a90e-1180-411c-a6c3-9e4c02de0b81",
|
|
"indicator--59a6a90e-f014-4064-9781-9e4c02de0b81",
|
|
"indicator--59a6a90e-3524-477e-b706-9e4c02de0b81",
|
|
"observed-data--59a6a90e-bf58-4d84-85bd-9e4c02de0b81",
|
|
"url--59a6a90e-bf58-4d84-85bd-9e4c02de0b81"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"type:OSINT",
|
|
"malware_classification:malware-category=\"Ransomware\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a66c26-1b6c-47ba-81a0-4d6f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-30T12:01:18.000Z",
|
|
"modified": "2017-08-30T12:01:18.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '1c0ffdaddec1eca9a9a5ef5192151dbce8ccd8e31a84c51d70f5a5c64f07a363']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-30T12:01:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a66c26-7d34-4151-999f-4021950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-30T12:01:18.000Z",
|
|
"modified": "2017-08-30T12:01:18.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'd693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-30T12:01:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--59a66c4f-9ba8-4373-937e-4ecd950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-30T12:01:18.000Z",
|
|
"modified": "2017-08-30T12:01:18.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "The Bit Paymer ransomware \u2014 sometimes also spelled as Bitpaymer \u2014 first came to Bleeping Computer's attention on July 11, when security researcher Michael Gillespie tweeted a link to a sample uploaded on VirusTotal, a web-based file scanning service.\r\n\r\nFellow researcher MalwareHunter told Bleeping Computer today in a private conversation that following the NHS Lanarkshire attacks, more samples were found on VirusTotal going back to June 21, 2017, hinting that more campaigns might have taken place before the NHS Lanarkshire incident.\r\n\r\nUnlike most ransomware we see today, Bit Paymer is well coded and appears to be the work of experienced programmers."
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59a66d55-2e34-4cf6-9da0-4a0a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-30T12:01:18.000Z",
|
|
"modified": "2017-08-30T12:01:18.000Z",
|
|
"first_observed": "2017-08-30T12:01:18Z",
|
|
"last_observed": "2017-08-30T12:01:18Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59a66d55-2e34-4cf6-9da0-4a0a950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59a66d55-2e34-4cf6-9da0-4a0a950d210f",
|
|
"value": "https://www.bleepingcomputer.com/news/security/bit-paymer-ransomware-hits-scottish-hospitals/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a6a90e-c544-4ea6-bb53-9e4c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-30T12:01:18.000Z",
|
|
"modified": "2017-08-30T12:01:18.000Z",
|
|
"description": "- Xchecked via VT: d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2",
|
|
"pattern": "[file:hashes.SHA1 = '5a2d799ac4cca8954fc117c7fb3e868f93c6f009']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-30T12:01:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a6a90e-3990-4232-8c38-9e4c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-30T12:01:18.000Z",
|
|
"modified": "2017-08-30T12:01:18.000Z",
|
|
"description": "- Xchecked via VT: d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2",
|
|
"pattern": "[file:hashes.MD5 = '998246bd0e51f9582b998ca514317c33']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-30T12:01:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59a6a90e-1180-411c-a6c3-9e4c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-30T12:01:18.000Z",
|
|
"modified": "2017-08-30T12:01:18.000Z",
|
|
"first_observed": "2017-08-30T12:01:18Z",
|
|
"last_observed": "2017-08-30T12:01:18Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59a6a90e-1180-411c-a6c3-9e4c02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59a6a90e-1180-411c-a6c3-9e4c02de0b81",
|
|
"value": "https://www.virustotal.com/file/d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2/analysis/1504008092/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a6a90e-f014-4064-9781-9e4c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-30T12:01:18.000Z",
|
|
"modified": "2017-08-30T12:01:18.000Z",
|
|
"description": "- Xchecked via VT: 1c0ffdaddec1eca9a9a5ef5192151dbce8ccd8e31a84c51d70f5a5c64f07a363",
|
|
"pattern": "[file:hashes.SHA1 = '9aa00d808a205495f24909e9f78ba414f08cdb15']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-30T12:01:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a6a90e-3524-477e-b706-9e4c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-30T12:01:18.000Z",
|
|
"modified": "2017-08-30T12:01:18.000Z",
|
|
"description": "- Xchecked via VT: 1c0ffdaddec1eca9a9a5ef5192151dbce8ccd8e31a84c51d70f5a5c64f07a363",
|
|
"pattern": "[file:hashes.MD5 = '0a19dd8fdd632f175f0ff0488e4cd8f2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-30T12:01:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59a6a90e-bf58-4d84-85bd-9e4c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-30T12:01:18.000Z",
|
|
"modified": "2017-08-30T12:01:18.000Z",
|
|
"first_observed": "2017-08-30T12:01:18Z",
|
|
"last_observed": "2017-08-30T12:01:18Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59a6a90e-bf58-4d84-85bd-9e4c02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59a6a90e-bf58-4d84-85bd-9e4c02de0b81",
|
|
"value": "https://www.virustotal.com/file/1c0ffdaddec1eca9a9a5ef5192151dbce8ccd8e31a84c51d70f5a5c64f07a363/analysis/1504008078/"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |