pood.rozenariom.heroleg (FBC_luckyhuckyDrbest)
This application uses the same algorithm as the group of applications described earlier: https://teletype.in/@hawkeye/VF_YOtmqBwi
Analysis
The analysis is shown using the pood.rozenariom.heroleg application as an example.
Traffic capture revealed the initial link and the redirect (hop) chain. In the traffic analyzer the chain of redirects looks like this:
The complete chain of redirects looks like this:
- Checking for the presence of special keywords in https://firebaseremoteconfig.googleapis.com/v1/projects/427110093316/namespaces/firebase:fetch
- Getting deeplink from https://giveus.party/MY62K7WL?af_media_source=null&af_track_id=pood.rozenariom.heroleg__1623919190327-1447968839607863400__c01167bf-7a2f-4040-ab40-974196c0c32a
- https://trustmeplz.com/?stream_key=CtejdMI2L7&sub_id_1=gruzz&sub_id_3=pood.rozenariom.heroleg__1623919190327-1447968839607863400__c01167bf-7a2f-4040-ab40-974196c0c32a
- https://1partners.link/1casino-maxbonus/?refcode=c6d62234-6b7f-498c-9a05-e76c2a51d420&clickid=13958755fb214c09ed5a0ba27d3c8aae&subid=3052&subid2=gruzz&subid3={subid2}
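The hops above are tied together by one tracking value: the `af_track_id` that `giveus.party` assigns (package name plus a numeric pair plus a UUID) reappears as `sub_id_3` on the next hop. The script below is an added example, not part of the original write-up or its YARA rules: it takes the four captured URLs (embedded as constructed sample input), splits the tracking id into its fields and checks that one id propagates across the known hosts, which is the same correlation a detection analyst would do on proxy logs. The field names in `split_track_id` and the "known host" set are assumptions made for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample input: the hop chain listed above. The last hop still carries
# the unfilled "{subid2}" macro exactly as it appeared in the capture.
HOP_CHAIN = [
    "https://firebaseremoteconfig.googleapis.com/v1/projects/427110093316/namespaces/firebase:fetch",
    "https://giveus.party/MY62K7WL?af_media_source=null&af_track_id=pood.rozenariom.heroleg__1623919190327-1447968839607863400__c01167bf-7a2f-4040-ab40-974196c0c32a",
    "https://trustmeplz.com/?stream_key=CtejdMI2L7&sub_id_1=gruzz&sub_id_3=pood.rozenariom.heroleg__1623919190327-1447968839607863400__c01167bf-7a2f-4040-ab40-974196c0c32a",
    "https://1partners.link/1casino-maxbonus/?refcode=c6d62234-6b7f-498c-9a05-e76c2a51d420&clickid=13958755fb214c09ed5a0ba27d3c8aae&subid=3052&subid2=gruzz&subid3={subid2}",
]

# Hosts observed in this chain, used here as the "known infrastructure" set (assumption).
KNOWN_HOSTS = {"giveus.party", "trustmeplz.com", "1partners.link"}

# Query parameters that carry the per-install tracking id from hop to hop.
TRACK_ID_PARAMS = ("af_track_id", "sub_id_3", "subid3")


def parse_hop(url):
    """Return (host, {param: value}) for one hop; repeated params keep their first value."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return parsed.hostname, params


def split_track_id(value):
    """Split '<package>__<numbers>__<uuid>' into its three fields, or None if it
    does not have that shape (e.g. the unfilled '{subid2}' macro). Field names are
    an assumption: the middle field looks like a millisecond timestamp and a nonce."""
    parts = value.split("__")
    if len(parts) != 3:
        return None
    return {"package": parts[0], "session": parts[1], "install_uuid": parts[2]}


def correlate_chain(urls):
    """Walk the hops in order, collecting the hosts and every well-formed tracking id."""
    hosts = []
    track_ids = set()
    for url in urls:
        host, params = parse_hop(url)
        hosts.append(host)
        for name in TRACK_ID_PARAMS:
            if name in params and split_track_id(params[name]) is not None:
                track_ids.add(params[name])
    return {"hosts": hosts, "track_ids": sorted(track_ids)}


def classify_chain(urls):
    """'match' when at least two known hosts appear and exactly one tracking id
    propagates through them; anything else is 'no-match'."""
    info = correlate_chain(urls)
    hits = [h for h in info["hosts"] if h in KNOWN_HOSTS]
    if len(hits) >= 2 and len(info["track_ids"]) == 1:
        return "match"
    return "no-match"


if __name__ == "__main__":
    result = correlate_chain(HOP_CHAIN)
    print("hosts:", " -> ".join(result["hosts"]))
    for tid in result["track_ids"]:
        print("tracking id fields:", split_track_id(tid))
    print("verdict:", classify_chain(HOP_CHAIN))
```

Run stand-alone it prints the host sequence, the decoded tracking id (package `pood.rozenariom.heroleg`, the numeric session field, the install UUID) and the verdict `match`. Feeding it only the Firebase Remote Config fetch, or a chain whose hops carry different ids, yields `no-match`, which is the property that makes the package-name-in-tracking-id pattern useful for correlating installs across proxy logs.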
The process of traffic analysis looks like this:
With the initial link of the chain, https://giveus.party/, identified, you can move on to code analysis.
Conclusion
The result of the analysis is a set of YARA rules based on the links found and on strings unique to this type of application.
YARA rules: https://pastebin.com/zXdiWNXC
Password: 1p6V3Pni72
UPD(Mon, 21 Jun 2021 09:07:02 GMT)
Applications of the same type currently online:
- mob.developstats.rainsplendor
- moo.nasecrast.youngh
- nug.hydevb.gurubook
- sap.lopinast.gambinow
- vvt.harmweb.houseraa
- com.technominds.app
- dro.comander.billionairedom
- mgg.drenastick.thomassec
- dro.vovieles.secretcours
Offline:
nod.bodraziklop.luxuryxglob.goper77032mot.xstartymio.feustats.casumachineipp.tojsaod.irviesecretpos.rominad.mmonkeycom.frostyminer.bombaley