Traffic capture revealed the initial link and the redirect chain. In the traffic analyzer, the chain of redirects looks like this:

Traffic analyzer screenshot

The complete chain of transitions looks like this:

  1. https://nicoooff.com/Store/App1/Data.json
  2. https://gamespacepro.com/1xbet-registration/

The process of traffic analysis looks like this:

Traffic analysis video

With https://nicoooff.com/Store/App1/Data.json identified as the initial link in the chain, you can move on to code analysis.

Config source code
JSON data request source code


All links open in the browser rather than in the app. The app does not lead directly to the gambling sites, but it does everything it can to steer the user toward them. It shows a banner that cannot be closed once it has been opened. The banner leads to a site with instructions for registering on one of the gambling sites.

The result of the analysis is a set of YARA rules based on the links found and on strings unique to this type of application.

YARA rules: https://pastebin.com/2WfFrhW0

Password: CTxAMc3Knj
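
The link-based matching behind such rules, as an added example (not the author's YARA rules): a Python scan of an app package for the two links from the chain above, in ASCII and UTF-16LE. It assumes the package is a ZIP container, whose compressed members hide the strings from a scan of the raw file; the function names and the sample package are constructed for illustration.

```python
import io
import zipfile

# Link indicators taken from the redirect chain on this page.
INDICATORS = [
    "nicoooff.com/Store/App1/Data.json",
    "gamespacepro.com/1xbet-registration",
]


def _patterns(indicator):
    """Byte encodings a link may take inside a binary: ASCII and UTF-16LE."""
    low = indicator.lower()
    return [low.encode("ascii"), low.encode("utf-16-le")]


def scan_bytes(data):
    """Return the indicators found in one buffer (case-insensitive)."""
    low = data.lower()
    return [i for i in INDICATORS if any(p in low for p in _patterns(i))]


def scan_package(blob):
    """Scan each member of a ZIP-based package; return {member: [indicators]}.

    Input that is not a ZIP is scanned as one raw buffer under the key "<raw>".
    """
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        hits = scan_bytes(blob)
        return {"<raw>": hits} if hits else {}
    results = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hits = scan_bytes(zf.read(info))  # read() decompresses the member
            if hits:
                results[info.filename] = hits
    return results


def build_sample():
    """Constructed sample package (not a real app) with one embedded link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("code.bin", b"\x00cfg=https://NICOOOFF.com/Store/App1/Data.json\x00" * 20)
        zf.writestr("res/strings.bin", "https://example.invalid/help".encode("utf-16-le"))
    return buf.getvalue()
```

Scanning the raw package bytes with `scan_bytes` finds nothing in the sample, while `scan_package` reports the hit in `code.bin`; the same applies to YARA rules, which should be run against the unpacked files.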