2017-04-18 - EITEST CAMPAIGN RIG EK / HOEFLERTEXT CHROME POPUP

ASSOCIATED FILES:

  • 2017-04-18-EITest-HoeflerText-popup-traffic.pcap   (287,204 bytes)
  • 2017-04-18-EITest-Rig-EK-traffic.pcap   (23,828,777 bytes)
  • 2017-04-18-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2017-04-18-Rig-EK-flash-exploit.swf   (19,249 bytes)
  • 2017-04-18-Rig-EK-landing-page.txt   (57,665 bytes)
  • 2017-04-18-Rig-EK-payload-Quant-Loader.exe   (303,104 bytes)
  • 2017-04-18-Rig-EK-post-infection-follow-up-malware-DELoader.exe   (327,680 bytes)
  • 2017-04-18-Spora-ransomware-decryption-instructions.html   (12,320 bytes)
  • 2017-04-18-Spora-ransomware-from-HoeflerText-popup.exe   (106,496 bytes)
  • 2017-04-18-page-from-serialeshqip.com-with-injected-EITest-script-for-HoeflerText-popup.txt   (137,760 bytes)
  • 2017-04-18-page-from-serialeshqip.com-with-injected-EITest-script-for-Rig-EK.txt   (91,761 bytes)

BACKGROUND ON THE EITEST CAMPAIGN:

NOTES:


[Image: Flowchart for this infection traffic.]

TRAFFIC

[Image: EITest HoeflerText popup traffic when the compromised site is viewed with Google Chrome.]

[Image: EITest Rig EK traffic when the compromised site is viewed with Internet Explorer.]

ASSOCIATED DOMAINS:


FILE HASHES

SPORA RANSOMWARE FROM HOEFLERTEXT POPUP:

ARTIFACTS FROM RIG EK:


IMAGES

[Image: When using Chrome, a HoeflerText popup appears on the compromised website.]

[Image: Clicking the download link from the HoeflerText popup.]

[Image: Spora decryption instructions.]

[Image: Spora decryption site.]

FINAL NOTES

Once again, the associated files are the ones listed at the top of this page.

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.