2017-05-17 - EITEST HOEFLERTEXT POPUPS SENS SPORA RANSOMWARE
ASSOCIATED FILES:
- Zip archive of the pcaps: 22017-05-17-EITest-HoeflerText-popup-sends-Spora-ransomware-pcaps.zip 407 kB (407,446 bytes)
- 2017-05-17-1st-run-EITest-HoeflerText-popup-sends-Spora-ransomware.pcap (371,305 bytes)
- 2017-05-17-2nd-run-EITest-HoeflerText-popup-sends-Spora-ransomware.pcap (347,065 bytes)
,- 2017-05-17-3rd-run-EITest-HoeflerText-popup-sends-Spora-ransomware.pcap (372,941 bytes)
- Zip archive of the malware and artifacts: 2017-05-17-EITest-HoeflerText-popups-send-Spora-ransomware-artifacts.zip 369 kB (369,485 bytes)
- 2017-05-17-1st-run-page-from-intothebluefishing.com-with-injected-EITest-script-for-HoeflerText-popup.txt (128,363 bytes)
- 2017-05-17-1st-run-Font_Chrome.exe (187,904 bytes)
- 2017-05-17-2nd-run-page-from-intothebluefishing.com-with-injected-EITest-script-for-HoeflerText-popup.txt (128,364 bytes)
- 2017-05-17-2nd-run-Font_Chrome.exe (184,320 bytes)
- 2017-05-17-3rd-run-page-from-intothebluefishing.com-with-injected-EITest-script-for-HoeflerText-popup.txt (128,337 bytes)
- 2017-05-17-3rd-run-Font_Chrome.exe (184,320 bytes)
- HELP_Xkj1VYCu.html.txt (68 bytes)
NOTES:
- My thanks to @malwrhunterteam for contacting me about the recent changes in Spora.
- My thanks to also @killamjr who tweeted about the compromised website used in this traffic (link).
Shown above: Not seeing any Rig EK from the EITest campaign, but we're still seeing HoeflerText popups.
TRAFFIC
- 173.255.128.189 port 80 - www.intothebluefishing.com - GET / [compromised website]
- 176.223.207.41 port 80 - clinicalpsychology.psiedu.ubbcluj.ro - GET /who.php [URL to download Spora ransomware]
- 190.115.19.190 port 80 - 190.115.19.190 - GET / [redirect from decryption instructions HTML file dropped to infected host]
- 190.115.19.190 port 80 - spora.biz - GET / [The domain to decrypt your encrypted files]
MALWARE
SPORA RANSOMWARE SAMPLE 1 OF 3:
- SHA256 hash: b4f085f6d2fcb419ed28bc6f4836c842bb251eb6c00cfa8099ebcef905e51a9c
File size: 187,904 bytes
File name: Font_Chrome.exe
SPORA RANSOMWARE SAMPLE 2 OF 3:
- SHA256 hash: e28dca64178f43907eda9f04823066769ab233bc1b0719aab9d7c90b7451dd7a
File size: 184,320 bytes
File name: Font_Chrome.exe
SPORA RANSOMWARE SAMPLE 3 OF 3:
- SHA256 hash: 5a58e4a4910fbbb8092af231cba2e7cf9f9c0acf6ec88ccb7e0566fcf7b03415
File size: 184,320 bytes
File name: Font_Chrome.exe
IMAGES
Shown above: HoflerText popup from compromised website when viewing in Chrome.
Shown above: Downloading Font_Chrome.exe (which is actually Spora ransomware).
Shown above: Here's some metadata on the Spora ransomware binary.
Shown above: The decryption instructions HELP_Xkj1VYCu.html only had one line that redirected to an IP address.
Shown above: The IP address redirects (or is) the Spora.biz decryptor site.
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: Initial Spora decryptor screen at Spora.biz.
Shown above: After you drag and drop an encrypted file to the previous screen, you'll get the Spora decryptor page.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcaps: 22017-05-17-EITest-HoeflerText-popup-sends-Spora-ransomware-pcaps.zip 407 kB (407,446 bytes)
- Zip archive of the malware and artifacts: 2017-05-17-EITest-HoeflerText-popups-send-Spora-ransomware-artifacts.zip 369 kB (369,485 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.