Join
H
@hawkeye
June 10, 2021

com.sport.vdvijenii

Traffic analysis video

Analysis

Traffic capturing showed the initial link and hop chain. In the traffic analyzer the chain of conversions looks like this:

Screenshot of the code using the initial link

The complete chain of transitions looks like this:

  1. https://mini-sport.pp.ua/sport_score_mini
  2. https://affpros.net/?serial=7101&creative_id=464&anid=_79_31gojrs68k1b
  3. https://td.prism.bet/?tid=pr_a16b21_AFF-Regtel.7-HQ&qtag=a1349_t7101_c464_s_79_31gojrs68k1b
  4. https://pmstats.com/api/Mirrors/NotAvailable?q=eyJzd2lkIjoiMjlhZWI5OTQtN2NhMy00MjRhLWIwNjUtZTA3MWFkNzhlOGQxIiwiaG9zdCI6Imh0dHBzOi8vcGFyaW1hdGNoLmNvbSIsInN3dmVyc2lvbiI6MC40LCJwcm9kdWN0IjoibXZwX3Byb2QiLCJzdGF0dXMiOjIwMH0
  5. https://en.parimatch.com/
  6. https://parimatch.com/

The initial link https://mini-sport.pp.ua/sport_score_mini was not found in the source code, so the Inspeckage utility was used to find it.

Inspeckage utility screenshot (Full size)
Source code screenshot (Full size)

Conclusion

The result of the analysis is YARA rules based on the links found and the strings unique to this type of application.

Yara rules: https://pastebin.com/PAuY7F5h

Password: zdkUWnH96K

@m0cn0
June 10, 2021, 13:00
0 views
0 reactions