2017-04-16 - EITEST CAMPAIGN RIG EK / HOEFLERTEXT CHROME POPUP

ASSOCIATED FILES:

  • 2017-04-16-EITest-HoeflerText-popup-sends-Spora-ransomware.pcap   (201,890 bytes)
  • 2017-04-16-EITest-Rig-EK-traffic.pcap   (1,356,878 bytes)
  • 2017-04-16-EITest-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2017-04-16-EITest-Rig-EK-flash-exploit.swf   (19,110 bytes)
  • 2017-04-16-EITest-Rig-EK-landing-page.txt   (117,801 bytes)
  • 2017-04-16-EITest-Rig-EK-payload-i4rcqon9.exe   (237,568 bytes) -- I think this is Quant Loader
  • 2017-04-16-EITest-Rig-EK-post-infection-follow-up-malware.exe   (311,296 bytes)
  • 2017-04-16-Spora-ransomware-decryption-instructions.html   (12,326 bytes)
  • 2017-04-16-Spora-ransomware.exe   (79,872 bytes)
  • 2017-04-16-page-from-tanaakk.net-with-injected-EITest-script-for-HoeflerText.txt   (97,366 bytes)
  • 2017-04-16-page-from-tanaakk.net-with-injected-EITest-script-for-RigEK.txt   (51,084 bytes)

BACKGROUND ON THE EITEST CAMPAIGN:

NOTES:


Shown above:  Flowchart for this infection traffic.


TRAFFIC


Shown above:  EITest HoeflerText popup traffic when compromised site is viewed using Google Chrome.



Shown above:  EITest Rig EK traffic when compromised site is viewed using Internet Explorer.


ASSOCIATED DOMAINS:


FILE HASHES

SPORA RANSOMWARE FROM HOEFLERTEXT POPUP:

ARTIFACTS FROM RIG EK:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.