2017-02-15 - EITEST HOEFLERTEXT CHROME POPUP LEADS TO SPORA RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2017-02-15-EITest-HoeflerText-Chrome-popup-traffic-all-pcaps.zip 849 kB (849,358 bytes)
- ZIP archive of the malware: 2017-02-15-EITest-HoeflerText-Chrome-popup-artifacts-and-malware.zip 518 kB (517,567 bytes)
BACKGROUND ON EITEST HOEFLERTEXT CHROME POPUPS:
- 2017-01-17 - Kafeine at Proofpoint published a writeup about this campaign: EITest Nabbing Chrome Users with a "Chrome Font" Social Engineering Scheme.
BACKGROUND ON SPORA RANSOMWARE:
- BleepingComputer published a good write-up on Spora shortly after it first appeared.
Figure (not included here): flowchart for this infection traffic.
TRAFFIC
URLS GENERATED BY EITEST HOEFLERTEXT SCRIPT THAT SENT SPORA RANSOMWARE:
CHECKING THE SPORA RANSOMWARE DECRYPTION INSTRUCTIONS:
- 186.2.163.47 port 80 - spora.biz - POST /
- 186.2.163.47 port 443 - spora.biz - HTTPS/TLS/SSL encrypted traffic
FILE HASHES
DOWNLOADED SPORA RANSOMWARE:
FINAL NOTES
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.