EITest campaign Hoefler Text Pop-up delivers GandCrab Ransomware

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected", all lowercase.

PCAP file of the infection traffic:
2018-02-01-Hoefler-Text-GandCrab-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • big4accountingfirms.org – COMPROMISED SITE
  • 46.248.168.49 – demo.ore.edu.pl GET /index_3.php – GANDCRAB RANSOMWARE
  • 92.53.77.218 – POST /curl.php?token=1027 – RANSOMWARE CHECK-IN
  • 80.67.3.122 – gdcbghvjyqy7jclk.onion.top – RANSOMWARE PAYMENT

DOMAINS RESOLVING TO 92.53.77.218:

  • nomoreransom.bit
  • bleepingcomputer.bit
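As an added example (not part of this post or of the pcap), the indicators above turned into detection logic a defender can run over constructed proxy and DNS records. The pipe-delimited log format and the sample lines are assumptions; the IPs, hosts and URI pattern come from the traffic summary.

```python
import re
from typing import Dict, List
# Indicators from this post's traffic summary, keyed by destination IP and by host.
KNOWN_IPS: Dict[str, str] = {
    "46.248.168.49": "GandCrab payload download (demo.ore.edu.pl GET /index_3.php)",
    "92.53.77.218": "GandCrab check-in server (nomoreransom.bit / bleepingcomputer.bit)",
    "80.67.3.122": "ransom payment page (gdcbghvjyqy7jclk.onion.top)",
}
KNOWN_HOSTS: Dict[str, str] = {"big4accountingfirms.org": "compromised site (EITest injection)"}
# Behavioural patterns that outlive the exact IPs: Namecoin .bit lookups and a Tor2web host.
HOST_PATTERNS = [
    (re.compile(r"\.bit$", re.I), "Namecoin .bit domain (GandCrab check-in infrastructure)"),
    (re.compile(r"\.onion\.top$", re.I), "Tor2web proxy host (ransom payment page)"),
]
CHECKIN_URI = re.compile(r"^/curl\.php\?token=\d+$")  # the POST seen at check-in

def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'ts|kind|dst_ip|host|method|uri' record (constructed log format)."""
    ts, kind, dst_ip, host, method, uri = line.strip().split("|")
    return {"ts": ts, "kind": kind, "dst_ip": dst_ip, "host": host, "method": method, "uri": uri}

def match_event(ev: Dict[str, str]) -> List[str]:
    """Return every reason this event matches the GandCrab chain (empty if none)."""
    reasons = []
    for key, table in ((ev["dst_ip"], KNOWN_IPS), (ev["host"].lower(), KNOWN_HOSTS)):
        if key in table:
            reasons.append(table[key])
    reasons += [why for rx, why in HOST_PATTERNS if rx.search(ev["host"])]
    if ev["kind"] == "http" and ev["method"] == "POST" and CHECKIN_URI.match(ev["uri"]):
        reasons.append("GandCrab check-in POST (/curl.php?token=N)")
    return reasons

def scan(lines: List[str]) -> List[Dict[str, object]]:
    # One alert per matching record, in log order, carrying all matched reasons.
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = match_event(ev)
        if reasons:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "reasons": reasons})
    return alerts
# Constructed sample records following the chain's order (not taken from the pcap).
SAMPLE_LOG = [
    "2018-02-01T10:00:01|http|203.0.113.10|big4accountingfirms.org|GET|/",
    "2018-02-01T10:00:05|http|46.248.168.49|demo.ore.edu.pl|GET|/index_3.php",
    "2018-02-01T10:00:09|dns|-|nomoreransom.bit|-|-",
    "2018-02-01T10:00:10|http|92.53.77.218|nomoreransom.bit|POST|/curl.php?token=1027",
    "2018-02-01T10:02:00|http|80.67.3.122|gdcbghvjyqy7jclk.onion.top|GET|/",
    "2018-02-01T10:03:00|http|198.51.100.7|example.com|GET|/index.html",
]
```

The check-in record matches on three independent signals (known IP, .bit host, token URI), so the pattern matches still fire once the IPs rotate.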


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the EITest campaign and Hoefler Text pop-up leading to GandCrab ransomware


Shown above: GandCrab downloaded from demo.ore.edu.pl


Shown above: GandCrab encrypts files and appends .GDCB file extension


Shown above: Ransomware payment instruction


MALICIOUS PAYLOAD ASSOCIATED WITH EITEST CAMPAIGN: