December 30, 2021

FBC_CosmoStyle

This group of applications works on the same principle as the FBC_smartanimo_V3Scw2tF group.

Analysis

Traffic capture revealed the initial link and the hop chain. In the traffic analyzer the chain of redirects looks like this:

Traffic analyzer screenshot

The complete chain of transitions looks like this:

  1. https://firebaseremoteconfig.googleapis.com/v1/projects/499155919985/namespaces/firebase:fetch
  2. https://crazybones.store/?campa=&apees=1640767882917-929552962518192688&adeve=55f9ef49-c962-46bc-893a-a553f941172b&deep=null
  3. https://kit-store.website/jbVFtCLn?sub6=1640767882917-929552962518192688&sub7=55f9ef49-c962-46bc-893a-a553f941172b
  4. https://link-trk.com/click.php?key=wv1fbzehhas3y563wxpi&account=organic&app=com.zce.cre.bon&t_click=1640767882917-929552962518192688&adv_id=55f9ef49-c962-46bc-893a-a553f941172b
  5. https://wtfmwc.top/1on8?s1=4384a9lj6a296b&s2=46&s3=1640767882917-929552962518192688&s4=com.zce.cre.bon&s5=55f9ef49-c962-46bc-893a-a553f941172b&p=%2Fuser%2Fregistration%2F&s8=Unknown&appskip=1
  6. https://wtfmwc.top/s/1on8?s1=4384a9lj6a296b&s2=46&s3=1640767882917-929552962518192688&s4=com.zce.cre.bon&s5=55f9ef49-c962-46bc-893a-a553f941172b&p=%2Fuser%2Fregistration%2F&s8=Unknown&appskip=1&fp=00000000000000000000000000000000&tz=-180
  7. https://betwinner-ua.com/user/registration/?btag=d_19844m_332018c_bw_HCR8S8nYhz7A2VHvmchbci&appskip=1
  8. https://m.betwinner-ua.com/
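The hops above carry the same tracking identifiers from one tracker to the next under changing parameter names (the click timestamp, the advertising ID and the package name). The following script, added here as an example and not part of the original analysis, parses the captured chain and reports which values are relayed across hops and under which names; the thresholds `min_hops` and `min_len` are heuristics chosen for this chain, not part of any tool the page describes.

```python
from urllib.parse import urlparse, parse_qs

# The eight hops captured on the page, in order.
CHAIN = [
    "https://firebaseremoteconfig.googleapis.com/v1/projects/499155919985/namespaces/firebase:fetch",
    "https://crazybones.store/?campa=&apees=1640767882917-929552962518192688&adeve=55f9ef49-c962-46bc-893a-a553f941172b&deep=null",
    "https://kit-store.website/jbVFtCLn?sub6=1640767882917-929552962518192688&sub7=55f9ef49-c962-46bc-893a-a553f941172b",
    "https://link-trk.com/click.php?key=wv1fbzehhas3y563wxpi&account=organic&app=com.zce.cre.bon&t_click=1640767882917-929552962518192688&adv_id=55f9ef49-c962-46bc-893a-a553f941172b",
    "https://wtfmwc.top/1on8?s1=4384a9lj6a296b&s2=46&s3=1640767882917-929552962518192688&s4=com.zce.cre.bon&s5=55f9ef49-c962-46bc-893a-a553f941172b&p=%2Fuser%2Fregistration%2F&s8=Unknown&appskip=1",
    "https://wtfmwc.top/s/1on8?s1=4384a9lj6a296b&s2=46&s3=1640767882917-929552962518192688&s4=com.zce.cre.bon&s5=55f9ef49-c962-46bc-893a-a553f941172b&p=%2Fuser%2Fregistration%2F&s8=Unknown&appskip=1&fp=00000000000000000000000000000000&tz=-180",
    "https://betwinner-ua.com/user/registration/?btag=d_19844m_332018c_bw_HCR8S8nYhz7A2VHvmchbci&appskip=1",
    "https://m.betwinner-ua.com/",
]


def hop_params(url):
    """Split one hop into (host, path, {param: first value}). Blank values are kept
    and percent-encoding is decoded, so p=%2Fuser%2Fregistration%2F becomes a path."""
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    return parts.netloc, parts.path, {k: v[0] for k, v in query.items()}


def chain_hosts(urls):
    """Ordered list of hosts in the chain, one per hop."""
    return [hop_params(u)[0] for u in urls]


def carried_values(urls, min_hops=3, min_len=8):
    """Map each query value to the (hop number, parameter name) pairs that carry it,
    keeping only values seen in at least `min_hops` distinct hops that are at least
    `min_len` characters long (heuristic: drops flags such as appskip=1 or s2=46)."""
    seen = {}
    for hop, url in enumerate(urls, start=1):
        _, _, params = hop_params(url)
        for name, value in params.items():
            if len(value) < min_len:
                continue
            seen.setdefault(value, []).append((hop, name))
    return {
        value: hits
        for value, hits in seen.items()
        if len({hop for hop, _ in hits}) >= min_hops
    }


def describe(urls):
    """Human-readable summary: which identifiers are relayed and under which names."""
    lines = []
    for value, hits in carried_values(urls).items():
        hops = sorted({hop for hop, _ in hits})
        names = sorted({name for _, name in hits})
        lines.append(f"{value}: hops {hops}, parameter names {names}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(" -> ".join(chain_hosts(CHAIN)))
    print(describe(CHAIN))
```

Running it on the captured chain shows the click identifier and advertising ID travelling through hops 2 to 6 as `apees`/`sub6`/`t_click`/`s3` and `adeve`/`sub7`/`adv_id`/`s5` respectively, and the package name through hops 4 to 6 as `app`/`s4`; the same relayed-value check can be reused on a new capture to confirm it belongs to the same tracker chain.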

The initial link comes from the firebaseremoteconfig service.

The initial link creation source code

Definitions

This group of applications uses the firebaseremoteconfig service to retrieve traffic links and other data. The response from the firebaseremoteconfig service has a characteristic structure: the entries contain JSON data serialised as a string. The data has many values, but their number serves only to distract attention from the main parameters. In the JSON data, pay attention to parameters whose values look like links or like API keys for AppsFlyer, OneSignal, Facebook, etc. This is clearly visible in the example data:

{\"crazybones\":\"https://crazybones.store\",\"crazybones1\":\"885047032130519\",\"crazybones2\":\"2597645\",\"crazybones3\":\"5639379\",\"crazybones4\":\"47256\",\"crazybones5\":\"684784\",\"crazybones6\":\"7944528\",\"crazybones7\":\"6267455\"}

The data has 8 values, but you can see from the code that only two of them are used.
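To pick the meaningful parameters out of such a response, an analyst can unpack the string-encoded JSON and label each value by shape. The script below is an added example, not code from the original post: the `entries` wrapper is the one named above, while the parameter name `config` and the `state` field of the constructed sample response are assumptions. The inner escaped JSON string is the value quoted above.

```python
import json
import re

# Constructed sample of a firebaseremoteconfig fetch response. The "entries"
# wrapper is named on the page; the parameter name "config" and the "state"
# field are assumptions. The escaped JSON string is the value quoted on the page.
SAMPLE_RESPONSE = r'''{"entries": {"config": "{\"crazybones\":\"https://crazybones.store\",\"crazybones1\":\"885047032130519\",\"crazybones2\":\"2597645\",\"crazybones3\":\"5639379\",\"crazybones4\":\"47256\",\"crazybones5\":\"684784\",\"crazybones6\":\"7944528\",\"crazybones7\":\"6267455\"}"}, "state": "UPDATE"}'''

URL_RE = re.compile(r"^https?://", re.IGNORECASE)
NUMERIC_ID_RE = re.compile(r"^\d{4,}$")


def classify(value):
    """Coarse label for one config value: a link, a bare numeric identifier
    (the shape of app and ad-network IDs), or anything else."""
    if URL_RE.match(value):
        return "url"
    if NUMERIC_ID_RE.match(value):
        return "numeric_id"
    return "other"


def nested_json_entries(response_text):
    """Yield (entry_name, parsed_dict) for each Remote Config entry whose value
    is itself a JSON object serialised as a string; other entries are skipped."""
    entries = json.loads(response_text).get("entries", {})
    for name, raw in entries.items():
        if not isinstance(raw, str):
            continue
        try:
            inner = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(inner, dict):
            yield name, inner


def triage(response_text):
    """Group every value of the nested JSON by label so that links and ID-like
    values stand out from the filler entries."""
    report = {"url": [], "numeric_id": [], "other": []}
    for entry, inner in nested_json_entries(response_text):
        for key, value in inner.items():
            report[classify(str(value))].append((entry, key, str(value)))
    return report


if __name__ == "__main__":
    for label, hits in triage(SAMPLE_RESPONSE).items():
        print(label)
        for entry, key, value in hits:
            print(f"  {entry}.{key} = {value}")
```

On the sample above the single `url` hit is `crazybones` (the first hop of the chain) and the other seven values are bare numeric identifiers, which matches the observation that only two of the eight values are actually used by the code.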

The process of traffic analysis looks like this:

Traffic analysis video

Conclusion

The result of the analysis is a set of YARA rules based on the links found and on strings unique to this type of application.

YARA rules: https://pastebin.com/32KmuQ6U

Password: EZM0ER2Y08