February 24, 2021

Zver.app new signature

Introduction

An analysis of another type of application from this actor can be found at this link https://teletype.in/@hawkeye/tz2kx3E6P.

Here we will look at applications of a different type from this actor.

List of live applications:

  • com.old.king
  • com.love.correspondence
  • com.vik.cas
  • pirate.secrets.com

List of deleted applications:

  • com.big.chips
  • com.supergame.win

Analysis

The analysis will be demonstrated using the com.love.correspondence application as an example.

The traffic analysis shows the initial link and the chain of conversions.

[Screenshot: traffic analyzer output]

Based on the traffic analyzer, the chain of requests looks like this:

  1. https://lovecorrespondence.xyz/lander/com-love-correspondence/index.php?aid=1614177368284-2157373331582694884
  2. https://lovecorrespondence.xyz/lovecorrespondence?aid=1614177368284-2157373331582694884
  3. https://dating.statmyad.com/
  4. https://dating.statmyad.com/landing/dating_redirect/go.php?uniq=uniq&token=uuid_3rh0uc7h2f0q_3rh0uc7h2f0q603664603a0c41.39751549&country=UA
  5. https://dating.statmyad.com/?_lp=1&_token=uuid_3rh0uc7h2f0q_3rh0uc7h2f0q603664603a0c41.39751549&offer_id=675
  6. https://track.oneamour.com/click?pid=2810&offer_id=60&sub1={affiliate_id}&sub2=3rh0uc7h2f0q&sub3=com.love.correspondence
  7. https://oneamour.com/land/ba8efea17da0bea9b1f57f7a91299531dbc493b7?clickid=603664613ddd3d0001539784&partner=2810&pid={affiliate_id}&tid=3rh0uc7h2f0q&src=com.love.correspondence&offer_id=60&ip=46.252.220.153&geo=UA&sub4=&sub5=&device_ua=Mozilla%2F5.0+%28Linux%3B+Android+7.1.2%3B+ASUS_Z01QD+Build%2FN2G48H%3B+wv%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Version%2F4.0+Chrome%2F66.0.3359.158+Mobile+Safari%2F537.36&rand=fa218614-c8bb-48e6-828b-e9d4ef3185de&time=1614177377&city=Kiev
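To make the chain above easier to triage, here is a small Python helper that is an added example, not code from the original post. It takes the seven captured URLs exactly as listed, and answers the questions an analyst asks of such a chain: which hosts are involved (candidate network indicators), and which query values are handed from one hop to the next, so that stable identifiers (affiliate and offer ids, the installing app's package name) can be separated from per-install tokens that make poor static indicators. Function names and the summary layout are my own.

```python
"""Redirect-chain triage for the com.love.correspondence capture.

Added example (not part of the original post). Works offline on the URLs
copied from the traffic analyzer; nothing is fetched.
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# The seven hops exactly as captured in the traffic analyzer (from the post).
CHAIN = [
    "https://lovecorrespondence.xyz/lander/com-love-correspondence/index.php?aid=1614177368284-2157373331582694884",
    "https://lovecorrespondence.xyz/lovecorrespondence?aid=1614177368284-2157373331582694884",
    "https://dating.statmyad.com/",
    "https://dating.statmyad.com/landing/dating_redirect/go.php?uniq=uniq&token=uuid_3rh0uc7h2f0q_3rh0uc7h2f0q603664603a0c41.39751549&country=UA",
    "https://dating.statmyad.com/?_lp=1&_token=uuid_3rh0uc7h2f0q_3rh0uc7h2f0q603664603a0c41.39751549&offer_id=675",
    "https://track.oneamour.com/click?pid=2810&offer_id=60&sub1={affiliate_id}&sub2=3rh0uc7h2f0q&sub3=com.love.correspondence",
    "https://oneamour.com/land/ba8efea17da0bea9b1f57f7a91299531dbc493b7?clickid=603664613ddd3d0001539784&partner=2810&pid={affiliate_id}&tid=3rh0uc7h2f0q&src=com.love.correspondence&offer_id=60&ip=46.252.220.153&geo=UA&sub4=&sub5=&device_ua=Mozilla%2F5.0+%28Linux%3B+Android+7.1.2%3B+ASUS_Z01QD+Build%2FN2G48H%3B+wv%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Version%2F4.0+Chrome%2F66.0.3359.158+Mobile+Safari%2F537.36&rand=fa218614-c8bb-48e6-828b-e9d4ef3185de&time=1614177377&city=Kiev",
]


def parse_hop(url):
    """Split one hop into host, path and a dict of decoded query parameters."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {"host": parts.hostname, "path": parts.path, "params": params}


def hosts_in_order(urls):
    """Distinct hosts in first-seen order: the candidate network indicators."""
    seen = []
    for url in urls:
        host = urlsplit(url).hostname
        if host not in seen:
            seen.append(host)
    return seen


def params_carrying(urls, needle):
    """Return [(hop_number, param_name)] for every query parameter whose value
    contains `needle`, e.g. the package name. Shows at which hops the installing
    app's identity is passed on to the affiliate network."""
    hits = []
    for hop, url in enumerate(urls, start=1):
        for name, value in parse_hop(url)["params"].items():
            if needle in value:
                hits.append((hop, name))
    return hits


def shared_values(urls, min_hops=2):
    """Map each non-empty query value to the hops it appears on, keeping only
    values seen on at least `min_hops` hops. These are the identifiers that
    thread the chain together; the long per-install tokens among them are the
    ones to exclude when writing detection on the chain's URLs."""
    where = defaultdict(set)
    for hop, url in enumerate(urls, start=1):
        for value in parse_hop(url)["params"].values():
            if value:
                where[value].add(hop)
    return {v: sorted(h) for v, h in where.items() if len(h) >= min_hops}


if __name__ == "__main__":
    print("hosts:", ", ".join(hosts_in_order(CHAIN)))
    print("package name passed at:", params_carrying(CHAIN, "com.love.correspondence"))
    for value, hops in sorted(shared_values(CHAIN).items(), key=lambda kv: kv[1]):
        print(f"hops {hops}: {value}")
```

Run it as a script to get the summary, or import the functions and feed them a chain captured from another application in the list; the `aid`/`token` values change per run, while the offer and partner ids and the package-name parameters are the part of the chain worth keeping as indicators.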

Once you know the original link, you can start looking for it in the application code.

[Screenshot: section of the application code containing the link]

Further down in the code there is also the routine that uses this link.

[Screenshot: use of the link in the code]

There is also another variant of how the link is used in the code, shown here using the com.old.king application as an example.

[Screenshot: another example of the link being used in an application]

The two variants differ only slightly, but the differences matter. Both forms of the link usage will be used to create the YARA rule.

Conclusion

The result of analyzing applications of this type is a YARA rule that makes it possible to accurately identify applications belonging to this family.

Yara rule: https://pastebin.com/kkW3vz9n

Password: 4HScAiF2aM