Analyzing Trojan Fareit/Tepfer

Postby Pave » Fri Apr 21, 2017 3:44 pm

Hi guys!
I am kind of new in the field of reverse engineering, so sorry if it is a silly question.

I am currently analyzing a trojan for a school thesis that has similarities with the trojans Fareit and Tepfer.
I already know that the main purpose of the malware is to steal user credentials and then send them to a C&C server via HTTP.

But there are two functionalities that I still don't understand:
- How is the malware encrypting the sent payload?
- Why is the malware creating a new CMD process? Does the malware maybe also function as a reverse shell?

Virustotal link: https://www.virustotal.com/de/file/8dc605df0657313ffdeee5ba7d5315e8d2be5e96d44cbcc58f71dd26e9abb76b/analysis/
The malware sample is attached
Pave

Re: Analyzing Trojan Fareit/Tepfer

Postby Xylitol » Mon May 15, 2017 7:43 am

Related to this sample: I've seen it on 14 Dec 2016 23:15:30 according to my system.
This one is also known as 'pony 3 gates', usually delivered by Hancitor. Here is a screenshot of one of their Pony panels: https://twitter.com/CyberCrimeWHQ/statu ... 0349409280
Related to your questions: I don't remember how Pony encryption works etc., but there are literally tons of white papers about Pony and you can even find the code, so it shouldn't be hard to find your answers.
And nope, Fareit/Tepfer doesn't do a reverse shell.
Xylitol

Re: Analyzing Trojan Fareit/Tepfer

Postby Antelox » Mon May 15, 2017 8:46 am

The encryption used is RC4. For the sample you linked the key is: 1RcpNUE12zpJ8uDaDqlygR70aZl2ogwes

And yes, this has been spread by Hancitor (AKA Chanitor) by the following URLs:



The campaign/build number for this is: 1412b

BR,

Antelox
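An added example, not code from the thread, the malware, or any public Pony source: a plain RC4 routine an analyst can use to decrypt a captured exfiltration body with the key Antelox quotes above. The "captured" POST body is constructed inline, and the printable-ratio check is an assumed analyst heuristic for confirming a key, not behaviour of the malware.

```python
# Added example: RC4 decryption of a captured Fareit/Pony exfiltration body.
PONY_KEY = b"1RcpNUE12zpJ8uDaDqlygR70aZl2ogwes"  # key reported in the reply above


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or common whitespace.
    Assumed heuristic: a correct key turns a credential dump into text-like output,
    a wrong key yields byte soup at roughly 38% printable."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def decrypt_capture(body: bytes, key: bytes = PONY_KEY) -> bytes:
    """Decrypt one captured HTTP POST body with the sample's key."""
    return rc4(key, body)


def key_looks_right(body: bytes, key: bytes, threshold: float = 0.9) -> bool:
    """True when decrypting with `key` gives mostly printable output."""
    return printable_ratio(rc4(key, body)) >= threshold


# Known-answer check from the public RC4 test vector (key "Key", plaintext "Plaintext").
assert rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"

# Constructed stand-in for a captured POST body: a fake credential record encrypted
# under the sample's key. Not real traffic; hosts use reserved example domains.
SAMPLE_PLAINTEXT = b"ftp://user:pass@ftp.example.test\r\nhttp://admin:pw@mail.example.test\r\n"
CAPTURED_BODY = rc4(PONY_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(decrypt_capture(CAPTURED_BODY).decode())
    print("key plausible:", key_looks_right(CAPTURED_BODY, PONY_KEY))
```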
