June 22, 2021

com.popeenod.coinen

This application uses the same algorithm as the group of applications described earlier: https://teletype.in/@hawkeye/KClopJhJ_T1

Analysis

The analysis is shown using the com.popeenod.coinen application as an example.

Traffic capture revealed the initial link and the redirect chain that follows it. In the traffic analyzer the chain of redirects looks like this:

Traffic analyzer screenshot

The complete chain of transitions looks like this:

  1. Checking for the presence of special keywords in the Firebase Remote Config response fetched from https://firebaseremoteconfig.googleapis.com/v1/projects/176487251911/namespaces/firebase:fetch
  2. Getting a deep link from https://giveus.party/7tkj77mh?af_media_source=null&af_track_id=com.popeenod.coinen__1624329682003-8213896610057466324__c01167bf-7a2f-4040-ab40-974196c0c32a
  3. Opening the link obtained in step 2 and displaying it on the screen
Traffic analysis video
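The three steps above can be recovered mechanically from a capture. The script below is an added example written for this page, not the author's tooling: it walks a list of captured requests, confirms that a Firebase Remote Config fetch is followed by a request to the deep-link host, and splits the af_track_id parameter into its parts. The request list is constructed from the URLs quoted in the post (the final landing URL is a placeholder), and the af_track_id layout `<package>__<epoch ms>-<numeric id>__<uuid>` is inferred from that single sample, so treat the regular expression as an assumption to be widened as more samples are collected.

```python
# Added example (not from the original post): reconstruct the Firebase -> deep-link
# chain from captured requests and decompose the af_track_id parameter.
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample capture, (method, url) in the order the requests were seen.
# The first two URLs are the ones quoted in the post; the third is a placeholder
# for the page opened in step 3.
CAPTURED_REQUESTS = [
    ("POST", "https://firebaseremoteconfig.googleapis.com/v1/projects/176487251911/namespaces/firebase:fetch"),
    ("GET", "https://giveus.party/7tkj77mh?af_media_source=null"
            "&af_track_id=com.popeenod.coinen__1624329682003-8213896610057466324__c01167bf-7a2f-4040-ab40-974196c0c32a"),
    ("GET", "https://landing.example/offer"),  # hypothetical final landing page
]

FIREBASE_FETCH_RE = re.compile(
    r"^https://firebaseremoteconfig\.googleapis\.com/v1/projects/(?P<project>\d+)/namespaces/firebase:fetch$"
)
# Assumed shape, inferred from the one value in the post:
#   <package>__<13-digit epoch milliseconds>-<numeric id>__<uuid>
TRACK_ID_RE = re.compile(
    r"^(?P<package>[A-Za-z][\w.]*)__(?P<ts_ms>\d{13})-(?P<num>\d+)__"
    r"(?P<uuid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)


def parse_track_id(value):
    """Split an af_track_id into its fields; return None if it does not match the assumed shape."""
    m = TRACK_ID_RE.match(value)
    if not m:
        return None
    ts_ms = int(m.group("ts_ms"))
    return {
        "package": m.group("package"),
        "timestamp_ms": ts_ms,
        # The embedded timestamp dates the install/first run of the sample.
        "date_utc": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).date().isoformat(),
        "numeric_id": m.group("num"),
        "uuid": m.group("uuid"),
    }


def reconstruct_chain(requests, deep_link_host="giveus.party"):
    """Return the indicators of the chain (Firebase fetch, then deep link) or None if it is incomplete.

    The Firebase Remote Config fetch must precede the deep-link request, matching the
    order observed in the capture; an af_track_id that does not parse also yields None.
    """
    project = None
    for _method, url in requests:
        fb = FIREBASE_FETCH_RE.match(url)
        if fb and project is None:
            project = fb.group("project")
            continue
        parsed = urlparse(url)
        if project is not None and parsed.hostname == deep_link_host:
            qs = parse_qs(parsed.query)
            track = parse_track_id(qs.get("af_track_id", [""])[0])
            if track is None:
                return None
            return {
                "firebase_project": project,
                "deep_link_host": parsed.hostname,
                "deep_link_path": parsed.path,
                "media_source": qs.get("af_media_source", [None])[0],
                "track_id": track,
            }
    return None


if __name__ == "__main__":
    import json
    print(json.dumps(reconstruct_chain(CAPTURED_REQUESTS), indent=2))
```

The extracted Firebase project id, deep-link host and path are exactly the kind of link-derived strings that feed the YARA rules in the conclusion; the package name recovered from af_track_id can be cross-checked against the APK's manifest to confirm the capture belongs to the sample under analysis.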

With the initial link of the https://giveus.party/ chain identified, you can move on to code analysis.

Screenshot of the code that uses the initial link
Source code that parses the data from Firebase Remote Config

Conclusion

The result of the analysis is a set of YARA rules based on the links found and on the strings unique to this type of application.

Yara rules: https://pastebin.com/zXdiWNXC

Password: 1p6V3Pni72