May 21, 2021
FBC_luckyhuckyDrbest
Introduction
As of this writing, the list of "live" applications:
- com.luckyhuckyDrbest.wildwesthtF
list of deleted applications:
com.roy_secberry.royalberrycom.w_Wild.lLadyRoul_ettecom.comin_Wild.comti_Joycom.f_egipit.egyptianprincesscom.fru_oy.fruityjokercom.hot_com.hotchilligamecom.volttqeen.treasuresqeencom.sebasttett.goldenbastetcom.jgamejoy.dragonsjoycom.winneogungame.neowincubescom.freshgamettop.freshjewelscom.sipmlequestyj.bookoffortunecom.cityhitvegacity.hitvegacityprocom.choGameChance.superfruitmoBcom.magicfruits.smartquestions
Analysis
The analysis is shown using the com.luckyhuckyDrbest.wildwesthtF application as an example.
Traffic capturing showed the initial link and hop chain. In the traffic analyzer the chain of conversions looks like this:
The complete chain of transitions looks like this:
- https://firebaseremoteconfig.googleapis.com/v1/projects/996204902633/namespaces/firebase:fetch
- https://forbestresult.support/LuckyHuckyWild
- https://forbestresult.support/LuckyHuckyWild/
- https://trckweb.me/click.php?bundle=com.luckyhuckyDrbest.wildwesthtF&key=b27r6wgp5y8ovlipsk6a
- https://trckweb.me/click.php?key=b3pcx4x44t4pxiqqt0yp&utm_term={utm_term}&source=GAW&uid={uid}&whoseapp={whoseapp}&cid=2377ewhxrsy3yfdb&bundle={bundle}
- https://affpros.net/?serial=5565&creative_id=239&anid=f90f6whxrx9feddb_7_8
- https://td.prism.bet/bd82ff4?qtag=a661_t5565_c239_sf90f6whxrx9feddb_7_8
The initial link comes from the firebaseremoteconfig service.
The result of searching for this data in the source files:
Conclusion
The result of the analysis is YARA rules based on the links found and the strings unique to this type of application.
Yara rules: https://pastebin.com/6Lp5xSs4
Password: 97a45aeq1q