Scanbox Watering Hole Targets Pakistani and Tibetan Government Website Visitors
Common Information
Type | Value |
---|---|
UUID | 454a030a-762a-4276-979a-4b9917bb9264 |
Fingerprint | d5ffd182d93d81604c9b8de0cca17e67fb48331de1e4b8a93ea40272673435d2 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | March 25, 2019, 11:53 a.m. |
Added to db | March 10, 2024, 12:50 a.m. |
Last updated | Aug. 30, 2024, 10:26 p.m. |
Headline | Scanbox Watering Hole Targets Pakistani and Tibetan Government Website Visitors |
Title | Scanbox Watering Hole Targets Pakistani and Tibetan Government Website Visitors |
Detected Hints/Tags/Attributes | 79/3/31 |
Source URLs
Redirection | Url |
---|---|
Source | https://go.recordedfuture.com/hubfs/reports/cta-2019-0326.pdf |
URL Provider
Attributes
Type | #Events | CTI | Value |
---|---|---|---|
Domain | 546 | | www.recordedfuture.com |
Domain | 1 | | dgip.gov.pk |
Domain | 3 | | tibct.net |
Domain | 2 | | oppo.ml |
Domain | 6 | | tibet.net |
Domain | 2 | | tibct.org |
Domain | 2 | | monlamlt.com |
Domain | 2 | | monlamit.com |
Domain | 2 | | mailshield.ga |
Domain | 2 | | photogram.ga |
Domain | 2 | | mail.mailshield.ga |
Domain | 2 | | tracking.dgip.gov.pk |
Domain | 9 | | urlquery.net |
Domain | 10 | | www.fidelissecurity.com |
Domain | 8 | | www.alienvault.com |
File | 364 | | console.log |
IPv4 | 3 | | 185.236.76.35 |
IPv4 | 2 | | 104.18.36.192 |
IPv4 | 2 | | 104.18.37.192 |
IPv4 | 2 | | 139.59.90.169 |
IPv4 | 2 | | 103.255.179.142 |
IPv4 | 2 | | 23.225.161.105 |
IPv6 | 2 | | 2606:4700:30::6812 |
Mandiant Temporary Group Assumption | 44 | | TEMP.PERISCOPE |
Threat Actor Identifier - APT | 143 | | APT40 |
Threat Actor Identifier - APT | 278 | | APT10 |
Threat Actor Identifier - APT | 78 | | APT3 |
Threat Actor Identifier by SecureWorks | 25 | | TG-3390 |
Url | 1 | | http://oppo.ml/i/?3 |
Url | 1 | | https://www.fidelissecurity.com/tradesecret |
Yara rule | 1 | | YARA_scanbox_framework_obfuscated |

Yara rule YARA_scanbox_framework_obfuscated:

```yara
rule YARA_scanbox_framework_obfuscated
{
    meta:
        ref = "https://www.fidelissecurity.com/TradeSecret"
    strings:
        $sa1 = /(var|new|return)\s[_\$]+\s?/
        $sa2 = "function"
        $sa3 = "toString"
        $sa4 = "toUpperCase"
        $sa5 = "arguments.length"
        $sa6 = "return"
        $sa7 = "while"
        $sa8 = "unescape("
        $sa9 = "365*10*24*60*60*1000"
        $sa10 = ">> 2"
        $sa11 = "& 3) << 4"
        $sa12 = "& 15) << 2"
        $sa13 = ">> 6) | 192"
        $sa14 = "& 63) | 128"
        $sa15 = ">> 12) | 224"
    condition:
        all of them
}
```