2017-02-15 - EITEST HOEFLERTEXT CHROME POPUP LEADS TO SPORA RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-02-15-EITest-HoeflerText-Chrome-popup-traffic-6-pcaps.zip   850.3 kB (850,312 bytes)
• 2017-02-15-EITest-HoeflerText-artifacts-and-associated-malware.zip   519.6 kB (519,585 bytes)

BACKGROUND ON EITEST HOEFLERTEXT CHROME POPUPS:

• 2017-01-17 - Kafeine at Proofpoint published a writeup about this campaign:  EITest Nabbing Chrome Users with a "Chrome Font" Social Engineering Scheme.

BACKGROUND ON SPORA RANSOMWARE:

• BleepingComputer published a good write-up on Spora shortly after it first appeared (link).

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

 

URLS GENERATED BY EITEST HOEFLERTEXT SCRIPT THAT SENT SPORA RANSOMWARE:

• 107.155.113[.]132 port 80 - www.ppsmralimmadrasah[.]edu[.]bd - POST /info.php
• 143.95.235[.]52 port 80 - liinc.bme.columbia.edu - POST /info.php
• 103.26.197[.]82 port 80 - bpa.ums[.]edu[.]my - POST /info.php
• 190.90.163[.]225 port 80 - calidad.udes[.]edu[.]co - POST /info.php
• 203.113.244[.]90 port 80 - fitzroynthps.vic[.]edu[.]au - POST /info.php
• 46.248.168[.]49 port 80 - demo.ore[.]edu[.]pl - POST /info.php

 

CHECKING THE SPORA RANSOMWARE DECRYPTION INSTRUCTIONS:

• 186.2.163[.]47 port 80 - spora[.]biz - POST /
• 186.2.163[.]47 port 443 - spora[.]biz - HTTPS/TLS/SSL encrypted traffic

 

FILE HASHES

DOWNLOADED SPORA RANSOMWARE:

• b402c8297ee5b05517a04f48eef6306711d8af2b91ef0adc70b4ee8036631cb6 - Chrome Font v1.16.exe
• 7eae21855ee12b17f1861acc128aa6789f181d600b55b18989ba8227d061d33b - Chrome Font v1.99.exe
• 5f14e1beafe9af59f15e3fd0e1a0140e077bed331ff74cde2d7fd4242e71db46 - Chrome Font v2.41.exe
• f6b2d3118d818b58af5ba8e1cb8d6e2753a45ff3ffd6470ec8ee956a7874e7c6 - Chrome Font v3.22.exe
• 99b837320b7fd776a85b3b605666319ddbf8a3a96ada437953688be3418f92ae - Chrome Font v4.74.exe
• 5677e9172f674ba578504b0862f3c98cdcb226dfac37883e3936dd1e2108deb6 - Chrome Font v8.16.exe
• 817c7c0d98e8a665aa21f41e2a7650485197971c94e43c1d7c618e60046ae005 - Chrome Font v8.71.exe
• df541424df22224e3e2fc9407e16a242a11f66a14d1384bfab15d748e6c224ea - Chrome Font v9.11.exe

 

Click here to return to the main page.