May 21, 2021

FBC_luckyhuckyDrbest

Introduction

As of this writing, the list of "live" (still published) applications:

  • com.luckyhuckyDrbest.wildwesthtF

List of deleted applications:

  • com.roy_secberry.royalberry
  • com.w_Wild.lLadyRoul_ette
  • com.comin_Wild.comti_Joy
  • com.f_egipit.egyptianprincess
  • com.fru_oy.fruityjoker
  • com.hot_com.hotchilligame
  • com.volttqeen.treasuresqeen
  • com.sebasttett.goldenbastet
  • com.jgamejoy.dragonsjoy
  • com.winneogungame.neowincubes
  • com.freshgamettop.freshjewels
  • com.sipmlequestyj.bookoffortune
  • com.cityhitvegacity.hitvegacitypro
  • com.choGameChance.superfruitmoB
  • com.magicfruits.smartquestions

Analysis

The analysis is shown using the com.luckyhuckyDrbest.wildwesthtF application as an example.

Traffic capture showed both the initial link and the redirect chain that follows it. In the traffic analyzer the chain of redirects looks like this:

Screenshot: traffic analyzer view of the redirect chain

The complete chain of redirects, in order, is:

  1. https://firebaseremoteconfig.googleapis.com/v1/projects/996204902633/namespaces/firebase:fetch
  2. https://forbestresult.support/LuckyHuckyWild
  3. https://forbestresult.support/LuckyHuckyWild/
  4. https://trckweb.me/click.php?bundle=com.luckyhuckyDrbest.wildwesthtF&key=b27r6wgp5y8ovlipsk6a
  5. https://trckweb.me/click.php?key=b3pcx4x44t4pxiqqt0yp&utm_term={utm_term}&source=GAW&uid={uid}&whoseapp={whoseapp}&cid=2377ewhxrsy3yfdb&bundle={bundle}
  6. https://affpros.net/?serial=5565&creative_id=239&anid=f90f6whxrx9feddb_7_8
  7. https://td.prism.bet/bd82ff4?qtag=a661_t5565_c239_sf90f6whxrx9feddb_7_8

The initial link (hop 2) is not hard-coded in the application: it is delivered by Firebase Remote Config (hop 1), so the operator can change the landing page server-side without shipping an update. From there the chain passes through two tracking domains, trckweb.me (click.php with bundle, key and utm_term parameters) and affpros.net (serial, creative_id, anid), before landing on td.prism.bet.

Searching the application's source files for these strings locates the code that parses the Remote Config response:

Screenshot: source code that parses the data received from Firebase Remote Config
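As an added example (this is not the author's code or the application's own parser), the following Python script reconstructs the chain above offline: it extracts the landing URL from a Firebase Remote Config fetch response, walks the observed hops, collects the tracking identifiers they carry, and checks that the affpros.net serial/creative_id/anid values reappear inside the td.prism.bet qtag. The Remote Config response body is constructed here and the parameter name start_url is an assumption, since the post does not show which config key the app reads; the hop URLs are the ones listed in the chain.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Constructed Firebase Remote Config fetch response. The REST endpoint
# .../namespaces/firebase:fetch answers with {"entries": {...}, "state": ...};
# the parameter name "start_url" is an assumption, the post does not show
# which key the app reads.
REMOTE_CONFIG_RESPONSE = json.dumps({
    "entries": {"start_url": "https://forbestresult.support/LuckyHuckyWild"},
    "state": "UPDATE",
})

# Redirect hops after the Remote Config fetch, in the order seen in the capture.
HOPS = [
    "https://forbestresult.support/LuckyHuckyWild",
    "https://forbestresult.support/LuckyHuckyWild/",
    "https://trckweb.me/click.php?bundle=com.luckyhuckyDrbest.wildwesthtF&key=b27r6wgp5y8ovlipsk6a",
    "https://trckweb.me/click.php?key=b3pcx4x44t4pxiqqt0yp&utm_term={utm_term}&source=GAW"
    "&uid={uid}&whoseapp={whoseapp}&cid=2377ewhxrsy3yfdb&bundle={bundle}",
    "https://affpros.net/?serial=5565&creative_id=239&anid=f90f6whxrx9feddb_7_8",
    "https://td.prism.bet/bd82ff4?qtag=a661_t5565_c239_sf90f6whxrx9feddb_7_8",
]


def landing_url_from_remote_config(body, key="start_url"):
    """Return the landing URL carried in a Remote Config fetch response, or None.

    Only http(s) values are accepted, so a config entry cannot smuggle in a
    javascript:/intent: scheme that a WebView would happily open.
    """
    try:
        entries = json.loads(body).get("entries", {})
    except (ValueError, AttributeError):
        return None
    value = entries.get(key)
    if not isinstance(value, str) or not value.startswith(("http://", "https://")):
        return None
    return value


def is_macro(value):
    """Tracker placeholders that were never substituted look like {uid}."""
    return value.startswith("{") and value.endswith("}")


def parse_hop(url):
    """Split one hop into host, path and query parameters."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {"host": parts.hostname, "path": parts.path, "params": params}


def analyse_chain(config_body, hops):
    """Reconstruct the hop chain and pull out the tracking identifiers it carries."""
    start = landing_url_from_remote_config(config_body)
    if start is None or start != hops[0]:
        raise ValueError("Remote Config landing URL does not match the first observed hop")

    parsed = [parse_hop(h) for h in hops]

    hosts = []          # distinct hosts in visiting order
    ids = {}            # parameter name -> values seen (macros excluded)
    unresolved = set()  # parameters whose value is still an unsubstituted {macro}
    for hop in parsed:
        if not hosts or hosts[-1] != hop["host"]:
            hosts.append(hop["host"])
        for name, value in hop["params"].items():
            if is_macro(value):
                unresolved.add(name)
                continue
            values = ids.setdefault(name, [])
            if value not in values:
                values.append(value)

    # The affiliate network's serial/creative_id/anid reappear inside the
    # betting site's qtag as t<serial>_c<creative_id>_s<anid>.
    serial = ids.get("serial", [None])[0]
    creative = ids.get("creative_id", [None])[0]
    anid = ids.get("anid", [None])[0]
    carried = False
    if None not in (serial, creative, anid):
        needle = f"t{serial}_c{creative}_s{anid}"
        carried = any(needle in q for q in ids.get("qtag", []))

    return {
        "hosts": hosts,
        "final_host": hosts[-1],
        "ids": ids,
        "unresolved_macros": sorted(unresolved),
        "affiliate_ids_carried_to_landing": carried,
    }


if __name__ == "__main__":
    result = analyse_chain(REMOTE_CONFIG_RESPONSE, HOPS)
    print(" -> ".join(result["hosts"]))
    for name, values in result["ids"].items():
        print(f"{name}: {', '.join(values)}")
    print("unresolved macros:", result["unresolved_macros"])
    print("affiliate ids reach landing page:", result["affiliate_ids_carried_to_landing"])
```

The unresolved macros (utm_term, uid, whoseapp and the second bundle) in hop 5 are worth keeping separate from the real identifiers: they show the tracker template was emitted without substitution, which is itself a usable string for detection, while the two distinct key values and the serial/creative_id/anid triple that survives into the qtag tie the app to one affiliate campaign.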

Conclusion

The result of the analysis is a set of YARA rules based on the links found and on strings unique to this type of application.

Yara rules: https://pastebin.com/6Lp5xSs4

Password: 97a45aeq1q