{
  "Event": {
    "analysis": "2",
    "date": "2021-01-08",
    "extends_uuid": "",
    "info": "Leonardo S.p.A. Data Breach Analysis blog post from Reaqta",
    "publish_timestamp": "1610465356",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1610465345",
    "uuid": "28d7a5af-b0e2-40f0-8ead-6e140ff316d4",
    "Orgc": {
      "name": "CthulhuSPRL.be",
      "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": "0",
        "name": "tlp:white",
        "relationship_type": ""
      },
      {
        "colour": "#00223b",
        "local": "0",
        "name": "osint:source-type=\"blog-post\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1610465299",
        "to_ids": false,
        "type": "link",
        "uuid": "ad61e666-05a3-465c-8f17-b038a2f0d8d0",
        "value": "https://reaqta.com/2021/01/fujinama-analysis-leonardo-spa"
      },
      {
        "category": "Artifacts dropped",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1610465318",
        "to_ids": true,
        "type": "yara",
        "uuid": "07bab0af-270c-4ecb-a635-7c60e7966178",
        "value": "rule Fujinama {\r\n    meta:\r\n        description = \"Fujinama RAT used by Leonardo SpA Insider Threat\"\r\n        author = \"ReaQta Threat Intelligence Team\"\r\n        ref1 = \"https://reaqta.com/2021/01/fujinama-analysis-leonardo-spa\"\r\n        date = \"2021-01-07\"\r\n        version = \"1\"   \r\n    strings:\r\n        $kaylog_1 = \"SELECT\" wide ascii nocase\r\n        $kaylog_2 = \"RIGHT\" wide ascii nocase\r\n        $kaylog_3 = \"HELP\" wide ascii nocase\r\n        $kaylog_4 = \"WINDOWS\" wide ascii nocase\r\n        $computername = \"computername\" wide ascii nocase\r\n        $useragent = \"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\" wide ascii nocase\r\n        $pattern = \"'()*+,G-./0123456789:\" wide ascii nocase\r\n        $function_1 = \"t_save\" wide ascii nocase\r\n        $cftmon = \"cftmon\" wide ascii nocase\r\n        $font = \"Tahoma\" wide ascii nocase\r\n    condition:\r\n        uint16(0) == 0x5a4d and all of them\r\n}"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1610465345",
        "to_ids": true,
        "type": "hostname",
        "uuid": "b20d4cf1-df8f-4a11-beaf-f52aa2d241e9",
        "value": "fujinama.altervista.org"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1610465345",
        "to_ids": true,
        "type": "hostname",
        "uuid": "47f7d796-f6d9-42e6-94bf-508e06fbccff",
        "value": "xhdyeggeeefeew.000webhostapp.com"
      }
    ]
  }
}