{
    "type": "bundle",
    "id": "bundle--ff0cae9c-90e4-4a24-aed0-f1a8d558cd29",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--59f99ee9-2b33-4e70-a488-4addc93d3d77",
            "created": "2023-03-08T12:51:43.018137Z",
            "modified": "2024-10-23T12:33:11.030915Z",
            "name": "Kaspersky",
            "identity_class": "organization"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--ccabb092-6df0-440e-8991-2eb9952a8e99",
            "hashes": {
                "MD5": "9c7c7149387a1c79679a87dd1ba755bc"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--f703d21d-79d6-446b-a504-31fe23066118",
            "hashes": {
                "MD5": "ac21c8ad899727137c4b94458d7aa8d8"
            }
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--206016f4-2ced-4ba5-9408-34256b023d0b",
            "created": "2026-06-24T17:26:57.601619Z",
            "modified": "2026-06-24T17:26:57.601619Z",
            "name": "YARA Rule",
            "pattern": "rule lazaruswannacry {\r\nmeta:\r\ndescription = \"Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta\"\r\ndate = \"2017-05-15\"\r\nreference = \"https://twitter.com/neelmehta/status/864164081116225536\"\r\nauthor = \"Kaspersky Lab\"\r\nversion = \"1.0\"\r\nhash = \"9c7c7149387a1c79679a87dd1ba755bc\"\r\nhash = \"ac21c8ad899727137c4b94458d7aa8d8\"\r\nstrings:\r\n$a1={\r\n51 53 55 8B 6C 24 10 56 57 6A 20 8B 45 00 8D 75\r\n04 24 01 0C 01 46 89 45 00 C6 46 FF 03 C6 06 01\r\n46 56 E8\r\n}\r\n$a2={\r\n03 00 04 00 05 00 06 00 08 00 09 00 0A 00 0D 00\r\n10 00 11 00 12 00 13 00 14 00 15 00 16 00 2F 00\r\n30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00\r\n38 00 39 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00\r\n44 00 45 00 46 00 62 00 63 00 64 00 66 00 67 00\r\n68 00 69 00 6A 00 6B 00 84 00 87 00 88 00 96 00\r\nFF 00 01 C0 02 C0 03 C0 04 C0 05 C0 06 C0 07 C0\r\n08 C0 09 C0 0A C0 0B C0 0C C0 0D C0 0E C0 0F C0\r\n10 C0 11 C0 12 C0 13 C0 14 C0 23 C0 24 C0 27 C0\r\n2B C0 2C C0 FF FE\r\n}\r\ncondition:\r\n((uint16(0) == 0x5A4D)) and (filesize < 15000000) and\r\nall of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2017-05-15T00:00:00Z"
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b",
            "created": "2026-06-24T17:26:57.605955Z",
            "modified": "2026-06-24T17:26:57.605955Z",
            "name": "Lazarus"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--d9324b72-53f5-4791-af34-19130c013bd7",
            "created_by_ref": "identity--59f99ee9-2b33-4e70-a488-4addc93d3d77",
            "created": "2026-06-24T17:26:57.607277Z",
            "modified": "2026-06-24T17:26:57.607277Z",
            "name": "WannaCry and Lazarus Group \u2013 the missing link?",
            "published": "2017-05-15T00:00:00Z",
            "object_refs": [
                "identity--59f99ee9-2b33-4e70-a488-4addc93d3d77",
                "file--ccabb092-6df0-440e-8991-2eb9952a8e99",
                "file--f703d21d-79d6-446b-a504-31fe23066118",
                "indicator--206016f4-2ced-4ba5-9408-34256b023d0b",
                "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://securelist.com/wannacry-and-lazarus-group-the-missing-link/78431/"
                }
            ]
        }
    ]
}