2017-04-07 - IF USING CHROME: EITEST = HOEFLERTEXT POPUP - IF USING IE: EITEST = RIG EK

ASSOCIATED FILES:

  • 2017-04-07-1st-run-EITest-campaign-HoeflerText-popup-sends-Spora-ransomware.pcap   (263,663 bytes)
  • 2017-04-07-1st-run-EITest-campaign-Rig-EK-sends-Matrix-ransomware-variant.pcap   (659,016 bytes)
  • 2017-04-07-2nd-run-EITest-campaign-HoeflerText-popup-sends-Spora-ransomware.pcap   (203,114 bytes)
  • 2017-04-07-2nd-run-EITest-campaign-Rig-EK-sends-Matrix-ransomware-variant.pcap   (615,556 bytes)
  • 2017-04-07-3rd-run-EITest-campaign-HoeflerText-popup-sends-Spora-ransomware.pcap   (136,858 bytes)
  • 2017-04-07-3rd-run-EITest-campaign-Rig-EK-sends-Matrix-ransomware-variant.pcap   (528,656 bytes)
  • 2017-04-07-1st-run-EITest-HoeflerText-payload-Spora-ransomware.exe   (78,848 bytes)
  • 2017-04-07-1st-run-EITest-Rig-EK-payload-Matrix-ransomware-variant.exe   (411,136 bytes)
  • 2017-04-07-1st-run-Rig-EK-landing-page.txt   (117,786 bytes)
  • 2017-04-07-1st-run-page-from-trackingsharks.com-with-injected-EITest-script-for-HoeflerText.txt   (163,933 bytes)
  • 2017-04-07-1st-run-page-from-trackingsharks.com-with-injected-EITest-script-for-Rig-EK.txt   (75,579 bytes)
  • 2017-04-07-2nd-run-EITest-HoeflerText-payload-Spora-ransomware.exe   (65,536 bytes)
  • 2017-04-07-2nd-run-EITest-Rig-EK-payload-Matrix-ransomware-variant.exe   (377,344 bytes)
  • 2017-04-07-2nd-run-Rig-EK-landing-page.txt   (117,721 bytes)
  • 2017-04-07-2nd-run-page-from-everythingcebu.com-with-injected-EITest-script-for-HoeflerText.txt   (68,432 bytes)
  • 2017-04-07-2nd-run-page-from-everythingcebu.com-with-injected-EITest-script-for-Rig-EK.txt   (114,254 bytes)
  • 2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe   (78,848 bytes)
  • 2017-04-07-3rd-run-EITest-Rig-EK-payload-Matrix-ransomware-variant.exe   (377,344 bytes)
  • 2017-04-07-3rd-run-Rig-EK-landing-page.txt   (117,740 bytes)
  • 2017-04-07-3rd-run-page-from-mojdehstudio.ir-with-injected-EITest-script-for-HoeflerText.txt   (142,980 bytes)
  • 2017-04-07-3rd-run-page-from-mojdehstudio.ir-with-injected-EITest-script-for-Rig-EK.txt   (97,401 bytes)
  • 2017-04-07-Matrix-variant-decryption-instructions.hta   (3,231 bytes)
  • 2017-04-07-Matrix-variant-decryption-instructions.rtf   (5,684 bytes)
  • 2017-04-07-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2017-04-07-Rig-EK-flash-exploit.swf   (38,178 bytes)
  • 2017-04-07-Spora-decryption-instructions.html   (12,320 bytes)

BACKGROUND ON THE EITEST CAMPAIGN:

NOTES:


Shown above:  Flowchart for this infection traffic.
EITEST CAMPAIGN USING GOOGLE CHROME


Shown above:  If you use Google Chrome, the site has injected script that shows a HoeflerText font notification.

Shown above:  Clicking the download link sends a file named Chrome font.exe, with some non-ASCII characters in the file name.

Shown above:  Double-click the Chrome font.exe file, and you infect your Windows host with Spora ransomware.

Shown above:  Clicking on the link in the decryption instructions takes you to the Spora decryption service site.

Shown above:  Pcap of the infection traffic filtered in Wireshark.
EITEST CAMPAIGN USING INTERNET EXPLORER


Shown above:  Visit the same site using Internet Explorer, and you get different injected script leading to Rig EK.

Shown above:  Pcap of the traffic filtered in Wireshark.

Shown above:  Desktop of the infected Windows host.  When EITest used Rig EK, my hosts were infected with a Matrix ransomware variant.
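The two branches described above (Chrome gets a HoeflerText font lure that hands out a "Chrome font.exe" with non-ASCII characters in the name; Internet Explorer gets Rig EK with a Flash exploit followed by an executable payload) can be turned into a simple triage heuristic over HTTP transaction records. The code below is an added example written for this page, not part of the original post or of any tool the post mentions; the `HttpTx` record layout, the user-agent strings, the hostnames and the lure file name are constructed sample data, and the real campaign indicators are not on this page.

```python
# Added example (not from the original post): heuristic triage of HTTP
# transactions modelled on the Chrome vs. Internet Explorer branches of the
# EITest campaign described above. All field names and sample values are
# assumptions constructed for illustration.
from dataclasses import dataclass


@dataclass
class HttpTx:
    client_ua: str      # User-Agent header sent by the victim browser
    host: str           # Host header of the response's server
    content_type: str   # Content-Type of the server response
    filename: str       # file name from Content-Disposition or URI, "" if none


def has_non_ascii(text: str) -> bool:
    """True if any character is outside 7-bit ASCII (the lure's file name trick)."""
    return any(ord(ch) > 0x7F for ch in text)


def browser_family(ua: str) -> str:
    """Coarse browser classification; EITest keyed its injected script on this."""
    ua_l = ua.lower()
    if "trident" in ua_l or "msie" in ua_l:
        return "ie"
    if "chrome" in ua_l and "edge" not in ua_l:
        return "chrome"
    return "other"


def is_executable(tx: HttpTx) -> bool:
    return tx.filename.lower().endswith(".exe") or tx.content_type == "application/x-msdownload"


def classify(txs):
    """Return (host, filename, reason) alerts for the two lure patterns."""
    alerts = []
    flash_seen_for_ie = False  # Rig EK branch: Flash exploit precedes the payload
    for tx in txs:
        fam = browser_family(tx.client_ua)
        if fam == "chrome" and is_executable(tx) and "font" in tx.filename.lower():
            reason = "font-lure executable delivered to Chrome"
            if has_non_ascii(tx.filename):
                reason += " (non-ASCII characters in file name)"
            alerts.append((tx.host, tx.filename, reason))
        elif fam == "ie" and tx.content_type == "application/x-shockwave-flash":
            flash_seen_for_ie = True
        elif fam == "ie" and is_executable(tx) and flash_seen_for_ie:
            alerts.append((tx.host, tx.filename, "executable following Flash object to Internet Explorer"))
    return alerts


# Constructed sample traffic: hosts, UAs and file name are placeholders, not the
# campaign's real indicators.
CHROME_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
IE_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"

SAMPLE_TXS = [
    HttpTx(CHROME_UA, "compromised-site.example", "text/html", ""),
    HttpTx(CHROME_UA, "lure-host.example", "application/x-msdownload", "Chrome\u00a0font.exe"),
    HttpTx(IE_UA, "compromised-site.example", "text/html", ""),
    HttpTx(IE_UA, "ek-landing.example", "text/html", ""),
    HttpTx(IE_UA, "ek-landing.example", "application/x-shockwave-flash", ""),
    HttpTx(IE_UA, "ek-landing.example", "application/x-msdownload", ""),
]


def sample_alerts():
    return classify(SAMPLE_TXS)


if __name__ == "__main__":
    for host, fname, reason in sample_alerts():
        print(f"{host}\t{fname!r}\t{reason}")
```

The Chrome rule keys on the combination the post describes (a Chrome user-agent receiving an executable whose name mentions a font, with the non-ASCII file name noted as an aggravating detail), while the IE rule only fires once a Flash object has already been served to that browser family, which keeps ordinary executable downloads by Internet Explorer from matching.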
TRAFFIC

ASSOCIATED DOMAINS:
EMAIL ADDRESSES FROM THE MATRIX RANSOMWARE VARIANT DECRYPTION INSTRUCTIONS:
FILE HASHES

RIG EK FLASH EXPLOIT:

SPORA RANSOMWARE FROM EITEST HOEFLERTEXT POPUP:

MATRIX RANSOMWARE VARIANT FROM EITEST RIG EK:
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.