2017-02-15 - EITEST HOEFLERTEXT CHROME POPUP LEADS TO SPORA RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-02-15-EITest-HoeflerText-Chrome-popup-traffic-all-pcaps.zip   849 kB (849,358 bytes)
• ZIP archive of the malware:  2017-02-15-EITest-HoeflerText-Chrome-popup-artifacts-and-malware.zip   518 kB (517,567 bytes)

BACKGROUND ON EITEST HOEFLERTEXT CHROME POPUPS:

• 2017-01-17 - Kafeine at Proofpoint published a writeup about this campaign:  EITest Nabbing Chrome Users with a "Chrome Font" Social Engineering Scheme.

BACKGROUND ON SPORA RANSOMWARE:

• BleepingComputer published a good write-up on Spora shortly after it first appeared (link).

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

 

URLS GENERATED BY EITEST HOEFLERTEXT SCRIPT THAT SENT SPORA RANSOMWARE:

• 107.155.113.132 port 80 - www.ppsmralimmadrasah.edu.bd - POST /info.php
• 143.95.235.52 port 80 - liinc.bme.columbia.edu - POST /info.php
• 103.26.197.82 port 80 - bpa.ums.edu.my - POST /info.php
• 190.90.163.225 port 80 - calidad.udes.edu.co - POST /info.php
• 203.113.244.90 port 80 - fitzroynthps.vic.edu.au - POST /info.php
• 46.248.168.49 port 80 - demo.ore.edu.pl - POST /info.php

 

CHECKING THE SPORA RANSOMWARE DECRYPTION INSTRUCTIONS:

• 186.2.163.47 port 80 - spora.biz - POST /
• 186.2.163.47 port 443 - spora.biz - HTTPS/TLS/SSL encrypted traffic

 

FILE HASHES

DOWNLOADED SPORA RANSOMWARE:

• b402c8297ee5b05517a04f48eef6306711d8af2b91ef0adc70b4ee8036631cb6 - Chrome Font v1.16.exe
• 7eae21855ee12b17f1861acc128aa6789f181d600b55b18989ba8227d061d33b - Chrome Font v1.99.exe
• 5f14e1beafe9af59f15e3fd0e1a0140e077bed331ff74cde2d7fd4242e71db46 - Chrome Font v2.41.exe
• f6b2d3118d818b58af5ba8e1cb8d6e2753a45ff3ffd6470ec8ee956a7874e7c6 - Chrome Font v3.22.exe
• 99b837320b7fd776a85b3b605666319ddbf8a3a96ada437953688be3418f92ae - Chrome Font v4.74.exe
• 5677e9172f674ba578504b0862f3c98cdcb226dfac37883e3936dd1e2108deb6 - Chrome Font v8.16.exe
• 817c7c0d98e8a665aa21f41e2a7650485197971c94e43c1d7c618e60046ae005 - Chrome Font v8.71.exe
• df541424df22224e3e2fc9407e16a242a11f66a14d1384bfab15d748e6c224ea - Chrome Font v9.11.exe

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-02-15-EITest-HoeflerText-Chrome-popup-traffic-all-pcaps.zip   849 kB (849,358 bytes)
• ZIP archive of the malware:  2017-02-15-EITest-HoeflerText-Chrome-popup-artifacts-and-malware.zip   518 kB (517,567 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.