FBC_luckyhuckyDrbest

Introduction

As of this writing, the list of "live" applications:

• com.luckyhuckyDrbest.wildwesthtF

list of deleted applications:

• com.roy_secberry.royalberry
• com.w_Wild.lLadyRoul_ette
• com.comin_Wild.comti_Joy
• com.f_egipit.egyptianprincess
• com.fru_oy.fruityjoker
• com.hot_com.hotchilligame
• com.volttqeen.treasuresqeen
• com.sebasttett.goldenbastet
• com.jgamejoy.dragonsjoy
• com.winneogungame.neowincubes
• com.freshgamettop.freshjewels
• com.sipmlequestyj.bookoffortune
• com.cityhitvegacity.hitvegacitypro
• com.choGameChance.superfruitmoB
• com.magicfruits.smartquestions

Analysis

The analysis is shown using the com.luckyhuckyDrbest.wildwesthtF application as an example.

Traffic capturing showed the initial link and hop chain. In the traffic analyzer the chain of conversions looks like this:

The complete chain of transitions looks like this:

1. https://firebaseremoteconfig.googleapis.com/v1/projects/996204902633/namespaces/firebase:fetch
2. https://forbestresult.support/LuckyHuckyWild
3. https://forbestresult.support/LuckyHuckyWild/
4. https://trckweb.me/click.php?bundle=com.luckyhuckyDrbest.wildwesthtF&key=b27r6wgp5y8ovlipsk6a
5. https://trckweb.me/click.php?key=b3pcx4x44t4pxiqqt0yp&utm_term={utm_term}&source=GAW&uid={uid}&whoseapp={whoseapp}&cid=2377ewhxrsy3yfdb&bundle={bundle}
6. https://affpros.net/?serial=5565&creative_id=239&anid=f90f6whxrx9feddb_7_8
7. https://td.prism.bet/bd82ff4?qtag=a661_t5565_c239_sf90f6whxrx9feddb_7_8

The initial link comes from the firebaseremoteconfig service.

The result of searching for this data in the source files:

Conclusion

The result of the analysis is YARA rules based on the links found and the strings unique to this type of application.

Yara rules: https://pastebin.com/6Lp5xSs4

Password: 97a45aeq1q