2017-03-06 - EITEST HOEFLERTEXT CHROME POPUP LEADS TO SPORA RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2017-03-06-EITest-HoeflerText-Chrome-popup-traffic-all-pcaps.zip 833 kB (832,673 bytes)
- ZIP archive of the malware: 2017-03-06-EITest-HoeflerText-Chrome-popup-artifacts-and-malware.zip 529 kB (528,996 bytes)
BACKGROUND ON EITEST HOEFLERTEXT CHROME POPUPS:
- 2017-01-17 - Kafeine at Proofpoint published a writeup about this campaign: EITest Nabbing Chrome Users with a "Chrome Font" Social Engineering Scheme.
BACKGROUND ON SPORA RANSOMWARE:
- BleepingComputer published a good write-up on Spora shortly after it first appeared.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Start of injected script in a page from the compromised website.
Shown above: End of injected script in a page from the compromised website.
Shown above: Traffic from the 1st infection filtered in Wireshark.
Shown above: Traffic from the 2nd infection filtered in Wireshark.
Shown above: Traffic from the 3rd infection filtered in Wireshark (forgot to save this one for the pcap archive).
Shown above: Traffic from the 4th infection filtered in Wireshark.
Shown above: Traffic from the 5th infection filtered in Wireshark.
Shown above: Traffic from the 6th infection filtered in Wireshark.
Shown above: Traffic from the 7th infection filtered in Wireshark.
Shown above: Traffic from the 8th infection filtered in Wireshark.
URLS GENERATED BY EITEST HOEFLERTEXT SCRIPT THAT SENT SPORA RANSOMWARE:
CHECKING THE SPORA RANSOMWARE DECRYPTION INSTRUCTIONS:
- 186.2.163.47 port 80 - spora.store - POST /
- 186.2.163.47 port 443 - spora.store - HTTPS/TLS/SSL encrypted traffic
FILE HASHES
DOWNLOADED SPORA RANSOMWARE:
IMAGES
Shown above: HoeflerText popup from the compromised website.
Shown above: Clicking the download link from HoeflerText popup.
Shown above: Spora decryption instructions.
Shown above: Spora decryption site.
FINAL NOTES
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.