2017-05-17 - EITEST HOEFLERTEXT POPUPS SENS SPORA RANSOMWARE

ASSOCIATED FILES:

• Zip archive of the pcaps:  22017-05-17-EITest-HoeflerText-popup-sends-Spora-ransomware-pcaps.zip   407 kB (407,446 bytes)

• 2017-05-17-1st-run-EITest-HoeflerText-popup-sends-Spora-ransomware.pcap   (371,305 bytes)
• 2017-05-17-2nd-run-EITest-HoeflerText-popup-sends-Spora-ransomware.pcap   (347,065 bytes)
,
• 2017-05-17-3rd-run-EITest-HoeflerText-popup-sends-Spora-ransomware.pcap   (372,941 bytes)

• Zip archive of the malware and artifacts:  2017-05-17-EITest-HoeflerText-popups-send-Spora-ransomware-artifacts.zip   369 kB (369,485 bytes)

• 2017-05-17-1st-run-page-from-intothebluefishing.com-with-injected-EITest-script-for-HoeflerText-popup.txt   (128,363 bytes)
• 2017-05-17-1st-run-Font_Chrome.exe   (187,904 bytes)
• 2017-05-17-2nd-run-page-from-intothebluefishing.com-with-injected-EITest-script-for-HoeflerText-popup.txt   (128,364 bytes)
• 2017-05-17-2nd-run-Font_Chrome.exe   (184,320 bytes)
• 2017-05-17-3rd-run-page-from-intothebluefishing.com-with-injected-EITest-script-for-HoeflerText-popup.txt   (128,337 bytes)
• 2017-05-17-3rd-run-Font_Chrome.exe   (184,320 bytes)
• HELP_Xkj1VYCu.html.txt   (68 bytes)

NOTES:

• My thanks to @malwrhunterteam for contacting me about the recent changes in Spora.
• My thanks to also @killamjr who tweeted about the compromised website used in this traffic (link).

Shown above:  Not seeing any Rig EK from the EITest campaign, but we're still seeing HoeflerText popups.

 

TRAFFIC

• 173.255.128.189 port 80 - www.intothebluefishing.com - GET /     [compromised website]
• 176.223.207.41 port 80 - clinicalpsychology.psiedu.ubbcluj.ro - GET /who.php     [URL to download Spora ransomware]
• 190.115.19.190 port 80 - 190.115.19.190 - GET /     [redirect from decryption instructions HTML file dropped to infected host]
• 190.115.19.190 port 80 - spora.biz - GET /     [The domain to decrypt your encrypted files]

 

MALWARE

SPORA RANSOMWARE SAMPLE 1 OF 3:

• SHA256 hash:  b4f085f6d2fcb419ed28bc6f4836c842bb251eb6c00cfa8099ebcef905e51a9c
  File size:  187,904 bytes
  File name:  Font_Chrome.exe

SPORA RANSOMWARE SAMPLE 2 OF 3:

• SHA256 hash:  e28dca64178f43907eda9f04823066769ab233bc1b0719aab9d7c90b7451dd7a
  File size:  184,320 bytes
  File name:  Font_Chrome.exe

SPORA RANSOMWARE SAMPLE 3 OF 3:

• SHA256 hash:  5a58e4a4910fbbb8092af231cba2e7cf9f9c0acf6ec88ccb7e0566fcf7b03415
  File size:  184,320 bytes
  File name:  Font_Chrome.exe

 

IMAGES

Shown above:  HoflerText popup from compromised website when viewing in Chrome.

 

Shown above:  Downloading Font_Chrome.exe (which is actually Spora ransomware).

 

Shown above:  Here's some metadata on the Spora ransomware binary.

 

Shown above:  The decryption instructions HELP_Xkj1VYCu.html only had one line that redirected to an IP address.

 

Shown above:  The IP address redirects (or is) the Spora.biz decryptor site.

 

Shown above:  Traffic from the infection filtered in Wireshark.

 

Shown above:  Initial Spora decryptor screen at Spora.biz.

 

Shown above:  After you drag and drop an encrypted file to the previous screen, you'll get the Spora decryptor page.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcaps:  22017-05-17-EITest-HoeflerText-popup-sends-Spora-ransomware-pcaps.zip   407 kB (407,446 bytes)
• Zip archive of the malware and artifacts:  2017-05-17-EITest-HoeflerText-popups-send-Spora-ransomware-artifacts.zip   369 kB (369,485 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.