2017-04-20 - EITEST CAMPAIGN RIG EK / HOEFLERTEXT CHROME POPUP

ASSOCIATED FILES:

  • 2017-04-20-EITest-HoeflerText-popup-sends-Spora-ransomware.pcap   (229,225 bytes)
  • 2017-04-20-EITest-Rig-EK-sends-Quant-Loader.pcap   (826,888 bytes)
  • 2017-04-20-EITest-Rig-EK-payload-Quant-Loader.exe   (286,720 bytes)
  • 2017-04-20-EITest-Rig-EK-post-infection-follow-up-malware-ZLoader-DELoader.exe   (344,064 bytes)
  • 2017-04-20-EITest-Spora-ransomware-from-HoflerText-popup.exe   (114,688 bytes)
  • 2017-04-20-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2017-04-20-Rig-EK-flash-exploit.swf   (18,245 bytes)
  • 2017-04-20-Rig-EK-landing-page.txt   (1178,25 bytes)
  • 2017-04-20-Spora-ransomware-decryption-instructions.html   (12,321 bytes)
  • 2017-04-20-page-from-saywitzproperties.com-with-injected-EITest-script-for-HoeflerText-popup.txt   (104,439 bytes)
  • 2017-04-20-page-from-saywitzproperties.com-with-injected-EITest-script-for-Rig-EK.txt   (57,513 bytes)

BACKGROUND ON THE EITEST CAMPAIGN:

NOTES:


Shown above:  Flowchart for this infection traffic.

TRAFFIC


Shown above:  EITest HoeflerText popup traffic when the compromised site is viewed using Google Chrome.

Shown above:  EITest Rig EK traffic when the compromised site is viewed using Internet Explorer.

Shown above:  Post-infection traffic after Rig EK sends Quant Loader as its payload.

ASSOCIATED DOMAINS:

FILE HASHES

SPORA RANSOMWARE FROM HOEFLERTEXT POPUP:

ARTIFACTS FROM RIG EK:

IMAGES


Shown above:  When using Chrome, we see a HoeflerText popup from the compromised website.

Shown above:  Clicking the download link from the HoeflerText popup.

Shown above:  Spora decryption instructions.

Shown above:  Spora decryption site.

Shown above:  Injected script seen from the compromised site when viewed in Internet Explorer (leads to the Rig EK landing page).

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
