Analyzing Trojan Fareit/Tepfer

Discussion on reverse-engineering and debugging.
Pave
Posts: 1
Joined: Wed Mar 22, 2017 9:23 pm

Analyzing Trojan Fareit/Tepfer

Post by Pave » Fri Apr 21, 2017 3:44 pm

Hi guys!
I am kind of new in the field of reverse engineering, so sorry if it is a silly question.

I am currently analyzing a trojan for a school thesis that has similarities with the trojans Fareit and Tepfer.
I already know that the main purpose of the malware is to steal user credentials and then send them to a C&C server via HTTP.

But there are two functionalities that I still don't understand:
- How is the malware encrypting the sent payload?
- Why is the malware creating a new CMD process? Does the malware maybe also function as a reverse shell?

Virustotal link: https://www.virustotal.com/de/file/8dc6 ... /analysis/
The malware sample is attached

Xylitol
Global Moderator
Posts: 1660
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Analyzing Trojan Fareit/Tepfer

Post by Xylitol » Mon May 15, 2017 7:43 am

Related to this sample: I've seen it on 14 Dec 2016 23:15:30 according to my system.
This one is also known as 'Pony 3 gates', usually delivered by Hancitor; here is a screenshot of one of their Pony panels: https://twitter.com/CyberCrimeWHQ/statu ... 0349409280
Related to your questions, I don't remember how Pony encryption works etc., but there are literally tons of white papers about Pony and you can even find the code, so it shouldn't be hard to find your answers.
And nope, Fareit/Tepfer doesn't do a reverse shell.

Antelox
Posts: 175
Joined: Sun Mar 21, 2010 10:38 pm

Re: Analyzing Trojan Fareit/Tepfer

Post by Antelox » Mon May 15, 2017 8:46 am

The encryption used is RC4. For the sample you linked the key is: 1RcpNUE12zpJ8uDaDqlygR70aZl2ogwes

And yes, this has been spread by Hancitor (AKA Chanitor) by the following URLs:
The campaign/build number for this is: 1412b

BR,

Antelox
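Since the post above names RC4 and gives the key, an analyst who has captured the HTTP POST body can decrypt the report offline. The following is an added example, not code from this thread or from the malware: it implements plain RC4 (KSA + PRGA) and assumes the key is applied directly as the RC4 key; the "captured" report is constructed by encrypting a sample string, not real traffic, and the page says nothing about the report's field layout.

```python
# Added example: RC4 keystream and symmetric encrypt/decrypt, as used to
# recover a Pony/Fareit credential report when the key is already known.
# KEY is the value posted in the thread; SAMPLE_REPORT is CONSTRUCTED.
from typing import Iterator

KEY = b"1RcpNUE12zpJ8uDaDqlygR70aZl2ogwes"  # key from Antelox's post


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes: key-scheduling, then generation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S with the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # PRGA: one byte per iteration
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream XOR: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Constructed stand-in for a stolen-credential report (NOT a real capture).
SAMPLE_REPORT = b"ftp|user@example.test|hunter2|ftp.example.test"
CAPTURED = rc4(KEY, SAMPLE_REPORT)  # what the POST body would look like


def decrypt_report(blob: bytes, key: bytes = KEY) -> bytes:
    """Recover the plaintext report from a captured, RC4-encrypted body."""
    return rc4(key, blob)


if __name__ == "__main__":
    print("captured (hex):", CAPTURED.hex())
    print("decrypted     :", decrypt_report(CAPTURED).decode())
```

Dropping the key into a Wireshark or mitmproxy script built on the same `rc4()` lets you decrypt a pcap of the C&C traffic without re-running the sample.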
