misp-circl-feed/feeds/circl/misp/28d7a5af-b0e2-40f0-8ead-6e140ff316d4.json

{
"Event": {
"analysis": "2",
"date": "2021-01-08",
"extends_uuid": "",
"info": "Leonardo S.p.A. Data Breach Analysis blog post from Reaqta",
"publish_timestamp": "1610465356",
"published": true,
"threat_level_id": "1",
"timestamp": "1610465345",
"uuid": "28d7a5af-b0e2-40f0-8ead-6e140ff316d4",
"Orgc": {
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#00223b",
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1610465299",
"to_ids": false,
"type": "link",
"uuid": "ad61e666-05a3-465c-8f17-b038a2f0d8d0",
"value": "https://reaqta.com/2021/01/fujinama-analysis-leonardo-spa"
},
{
"category": "Artifacts dropped",
"comment": "Reviewer note: most strings in this rule are generic (SQL keywords such as SELECT/RIGHT, the words HELP/WINDOWS/computername, the font name Tahoma, and a common MSIE 7.0 / .NET CLR 2.0.50727 user-agent); only the MZ header check combined with the all-of-them condition keeps it specific. Validate against a goodware corpus before using it for blocking rather than hunting. The $kaylog_* identifiers appear to be a typo for keylog but are preserved as published.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1610465318",
"to_ids": true,
"type": "yara",
"uuid": "07bab0af-270c-4ecb-a635-7c60e7966178",
"value": "rule Fujinama {\r\n meta:\r\n description = \"Fujinama RAT used by Leonardo SpA Insider Threat\"\r\n author = \"ReaQta Threat Intelligence Team\"\r\n ref1 = \"https://reaqta.com/2021/01/fujinama-analysis-leonardo-spa\"\r\n date = \"2021-01-07\"\r\n version = \"1\" \r\n strings:\r\n $kaylog_1 = \"SELECT\" wide ascii nocase\r\n $kaylog_2 = \"RIGHT\" wide ascii nocase\r\n $kaylog_3 = \"HELP\" wide ascii nocase\r\n $kaylog_4 = \"WINDOWS\" wide ascii nocase\r\n $computername = \"computername\" wide ascii nocase\r\n $useragent = \"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\" wide ascii nocase\r\n $pattern = \"'()*+,G-./0123456789:\" wide ascii nocase\r\n $function_1 = \"t_save\" wide ascii nocase\r\n $cftmon = \"cftmon\" wide ascii nocase\r\n $font = \"Tahoma\" wide ascii nocase\r\n condition:\r\n uint16(0) == 0x5a4d and all of them\r\n}"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1610465345",
"to_ids": true,
"type": "hostname",
"uuid": "b20d4cf1-df8f-4a11-beaf-f52aa2d241e9",
"value": "fujinama.altervista.org"
},
{
"category": "Network activity",
"comment": "Reviewer note: 000webhostapp.com appears to be a shared free-hosting platform; match on the full subdomain only. Do not block the parent domain or pivot to the resolved IP, which is likely shared with unrelated sites.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1610465345",
"to_ids": true,
"type": "hostname",
"uuid": "47f7d796-f6d9-42e6-94bf-508e06fbccff",
"value": "xhdyeggeeefeew.000webhostapp.com"
}
]
}
}