June 1, 2021

adspartners

Introduction

This group of applications uses the Chrisney enigma (Github) string encryption method. The same string encryption method is used by the appdev128 group.

Analysis

The analysis is shown using the co.pharaon630gold.bduki application as an example.

Traffic capture revealed the initial link and the chain of hops that follows it. In the traffic analyzer the chain of redirects looks like this:

Traffic analyzer screenshot

The process of traffic analysis looks like this:

Traffic analysis animation

The complete chain of redirects is:

  1. https://adspartners.net/v1/r/ads?appId=cGApouRASW&apps_f_id=1622545761603-4789362645043801192&hash=fd16101a9d4d0078
  2. https://fruktwalk.com/pWxLQSFc?apps_f_id=1622508806363-9156175753183662217&sub8=cherry
  3. https://bhufgtds.com/fruitwalk/uanwlnk?param=cherry&clickid=2h0u92hk8gu&lp=01
  4. https://huffsongpp.live/vulkanua/p18001/?atp=cherry&goto=sitereg&clickid=2h0u92hk8gu&plid=9561&bnid=24503
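The chain above is only four URLs, but it already shows what an analyst wants from a captured redirect sequence: which hop is the entry point the application itself requests, and which tracking identifiers survive from one hop to the next. The following Python script is an added example, not code from the original post; it takes the four URLs exactly as captured, checks the first hop against the host, path and parameter names of the initial adspartners.net link, and reports every parameter name and value that reappears in a later hop. The function names and the "entry point" pattern are this example's own; the post gives no code for this step.

```python
from urllib.parse import urlsplit, parse_qs

# The redirect chain captured in the post, in hop order (taken verbatim).
CHAIN = [
    "https://adspartners.net/v1/r/ads?appId=cGApouRASW&apps_f_id=1622545761603-4789362645043801192&hash=fd16101a9d4d0078",
    "https://fruktwalk.com/pWxLQSFc?apps_f_id=1622508806363-9156175753183662217&sub8=cherry",
    "https://bhufgtds.com/fruitwalk/uanwlnk?param=cherry&clickid=2h0u92hk8gu&lp=01",
    "https://huffsongpp.live/vulkanua/p18001/?atp=cherry&goto=sitereg&clickid=2h0u92hk8gu&plid=9561&bnid=24503",
]


def parse_hop(url):
    """Split one hop into host, path and a flat {name: value} dict of its query."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"host": parts.netloc, "path": parts.path, "params": params}


def is_adspartners_entry(url):
    """Match the shape of the initial link in the post: host adspartners.net,
    path /v1/r/ads and the three tracking parameters appId, apps_f_id, hash.
    This is the same kind of string signature the post's YARA rules are built on,
    applied here to a URL from a traffic capture (example pattern, not the post's rule)."""
    hop = parse_hop(url)
    return (hop["host"] == "adspartners.net"
            and hop["path"] == "/v1/r/ads"
            and {"appId", "apps_f_id", "hash"}.issubset(hop["params"]))


def carried_over(chain):
    """{param_name: [(hop_index, value), ...]} for every parameter name that
    appears in more than one hop, so the analyst sees which identifiers are
    passed along by name (e.g. clickid between hops 3 and 4)."""
    seen = {}
    for i, url in enumerate(chain, start=1):
        for name, value in parse_hop(url)["params"].items():
            seen.setdefault(name, []).append((i, value))
    return {name: hops for name, hops in seen.items() if len(hops) > 1}


def shared_values(chain):
    """{value: [(hop_index, param_name), ...]} for every parameter value that
    appears in more than one hop, catching identifiers that travel under a
    different name at each hop (e.g. "cherry" as sub8, param and atp)."""
    seen = {}
    for i, url in enumerate(chain, start=1):
        for name, value in parse_hop(url)["params"].items():
            seen.setdefault(value, []).append((i, name))
    return {value: hops for value, hops in seen.items() if len(hops) > 1}


def chain_summary(chain):
    """One line per hop: index, host + path, and the parameter names it carries."""
    return [f"{i}. {h['host']}{h['path']} params={sorted(h['params'])}"
            for i, h in enumerate(map(parse_hop, chain), start=1)]


if __name__ == "__main__":
    print("hop 1 matches the adspartners entry pattern:", is_adspartners_entry(CHAIN[0]))
    for line in chain_summary(CHAIN):
        print(line)
    print("parameters carried by name:", carried_over(CHAIN))
    print("values carried across hops:", shared_values(CHAIN))
```

Run as-is, the script reports that hop 1 matches the entry pattern, that `clickid` is passed unchanged from hop 3 to hop 4, and that the value `cherry` travels through hops 2 to 4 under the names `sub8`, `param` and `atp`. It also makes visible that `apps_f_id` appears in hops 1 and 2 with two different values, which a by-name check alone would not distinguish; that is why the example tracks names and values separately.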

Having identified the initial link in the chain (https://adspartners.net), we can move on to code analysis. The part of the code where the full link is used served as the basis for the YARA rules:

Screenshot of the code using the initial link

Conclusion

The result of the analysis is YARA rules based on the links found and the strings unique to this type of application.

YARA rules: https://pastebin.com/rEFmkU44

Password: 79t2t4hqWt