Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?
Common Information
Type Value
UUID b2a8b0df-22f0-4883-8746-33dd9685a4f5
Fingerprint 76d5380981f3a499
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 3, 2016, 9 a.m.
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 18, 2024, 1:38 a.m.
Headline Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?
Title Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?
Detected Hints/Tags/Attributes 80/2/146
Attributes
Details Type #Events CTI Value
Details Windows Registry Key 1
HKEY_CLASSES_ROOT\Shell.LocalServer\CheckCode
Details Windows Registry Key 1
HKEY_CLASSES_ROOT\Shell.LocalServer\CheckID
Details Windows Registry Key 1
HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters\ServiceDll
Details Windows Registry Key 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Syncmgr