77 lines
No EOL
3 KiB
JSON
77 lines
No EOL
3 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2021-01-08",
|
|
"extends_uuid": "",
|
|
"info": "Leonardo S.p.A. Data Breach Analysis blog post from Reaqta",
|
|
"publish_timestamp": "1610465356",
|
|
"published": true,
|
|
"threat_level_id": "1",
|
|
"timestamp": "1610465345",
|
|
"uuid": "28d7a5af-b0e2-40f0-8ead-6e140ff316d4",
|
|
"Orgc": {
|
|
"name": "CthulhuSPRL.be",
|
|
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"local": false,
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1610465299",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "ad61e666-05a3-465c-8f17-b038a2f0d8d0",
|
|
"value": "https://reaqta.com/2021/01/fujinama-analysis-leonardo-spa"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1610465318",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "07bab0af-270c-4ecb-a635-7c60e7966178",
|
|
"value": "rule Fujinama {\r\n meta:\r\n description = \"Fujinama RAT used by Leonardo SpA Insider Threat\"\r\n author = \"ReaQta Threat Intelligence Team\"\r\n ref1 = \"https://reaqta.com/2021/01/fujinama-analysis-leonardo-spa\"\r\n date = \"2021-01-07\"\r\n version = \"1\" \r\n strings:\r\n $kaylog_1 = \"SELECT\" wide ascii nocase\r\n $kaylog_2 = \"RIGHT\" wide ascii nocase\r\n $kaylog_3 = \"HELP\" wide ascii nocase\r\n $kaylog_4 = \"WINDOWS\" wide ascii nocase\r\n $computername = \"computername\" wide ascii nocase\r\n $useragent = \"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\" wide ascii nocase\r\n $pattern = \"'()*+,G-./0123456789:\" wide ascii nocase\r\n $function_1 = \"t_save\" wide ascii nocase\r\n $cftmon = \"cftmon\" wide ascii nocase\r\n $font = \"Tahoma\" wide ascii nocase\r\n condition:\r\n uint16(0) == 0x5a4d and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1610465345",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "b20d4cf1-df8f-4a11-beaf-f52aa2d241e9",
|
|
"value": "fujinama.altervista.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1610465345",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "47f7d796-f6d9-42e6-94bf-508e06fbccff",
|
|
"value": "xhdyeggeeefeew.000webhostapp.com"
|
|
}
|
|
]
|
|
}
|
|
} |