2017-02-22 - EITEST HOEFLERTEXT CHROME POPUP LEADS TO SPORA RANSOMWARE

ASSOCIATED FILES:

  • 2017-02-22-EITest-HoeflerText-Chrome-popup-after-expervision.com.pcap   (207,119 bytes)
  • 2017-02-22-EITest-HoeflerText-Chrome-popup-after-techydiary.com.pcap   (193,576 bytes)
  • 2017-02-22-page-from-expervision.com-with-injected-EITest-HoeflerText-script.txt   (82,380 bytes)
  • 2017-02-22-page-from-techydiary.com-with-injected-EITest-HoeflerText-script.txt   (99,821 bytes)
  • Chrome Font v8.17.exe   (86,016 bytes)
  • Chrome Font v8.72.exe   (86,016 bytes)

BACKGROUND ON EITEST HOEFLERTEXT CHROME POPUPS:

BACKGROUND ON SPORA RANSOMWARE:

OTHER NOTES:


Shown above:  Flowchart for this infection traffic.


TRAFFIC


Shown above:  Start of the injected EITest script on a page from the compromised site.



Shown above:  End of the injected EITest script on a page from the compromised site.



Shown above:  Popup associated with this campaign.



Shown above:  Clicking on the link downloads the malware (you still have to run it to get infected).



Shown above:  Pcap of the infection traffic filtered in Wireshark (1st run).



Shown above:  Pcap of the infection traffic filtered in Wireshark (2nd run).


ASSOCIATED DOMAINS:


FILE HASHES

SPORA RANSOMWARE - FIRST RUN:

SPORA RANSOMWARE - SECOND RUN:


IMAGES


Shown above:  Decryption instructions dropped as an HTML file to the infected host.



Shown above:  Checking the spora.biz site for further instructions.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
