net.samportines.premoves.halloed
This application is written with Apache Cordova and uses the Crypt File plugin. This article helped us.
Analysis
Traffic capture revealed the initial link and the hop chain. In the traffic analyzer the chain of hops looks like this:
The app itself did not show anything suspicious, but the traffic analyzer did catch a suspicious request whose request and response bodies were encrypted.
With the initial link, https://thumbdot.info/grapestylepackstaff.php, in hand, we can move on to code analysis.
To decrypt the Crypt File assets, the plugin's decryption method was rewritten so that it can be run easily on https://rextester.com/YNSGV33985.
After decrypting all the files, only affusions.js turned out to be obfuscated; https://lelinhtinh.github.io/de4js/ (Obfuscator.IO mode) is worth using to make the code readable.
After these steps, the initial link was found in affusions.js:
The full source code map looks like this:
The decryption code was rewritten in Node.js on rextester.com for convenience.
Request and response bodies decryptor link: https://pastebin.com/2y0MYUsj
Password: 9SFart9swr
After decoding the server responses, the parameter named link is missing, yet the source code checks for its presence. For further analysis, the request bodies need to be decrypted too.
The decoded request from the NOX emulator looks like this:
[{"H4KNLhMl1ov":"EaVPyATJd"},{"Ur0lY2P5":"drsqc"},{"5QFTfcbiM":"T3U42tA5a"},{"Vsz9VHZvYcVr":"BHS5M7Af2"},{"tviR":"b5TX5HfnJvn"},{"6sHC1jOd9bQ":"Tdt2h"},{"ByOnRMYO02EtU":"E7Ii0j"},{"QoArYPt":"SoeU"},{},{"91QX9dRGL":"tbwJFx"},{"Jyb4Fk":"c53VLZswbCRG"},{"J1uWZrKrFRhW":"dYv4j9b"},{"dbKduvyOEk":"AAHiRkPbPJmfP"},{"NfqCycA":"O6aKGOhjtFe"},{"96u":"oGkdEqKQW"},{"IKj2A":"LUXtP2onRdq8p"},{"riKUA9035nBtH":"gE4"},{"MNMmsjJq":"vhg6P"},{"R5qgnwTr":"MxJKjNpd"},{"6BG2bdbYbILuO":"2efJc0G"}]
The decoded request from the Memu emulator looks like this:
The full text:
[{"FGmEj5qf":"x8p9UAWrIda7k"},{"hhu79e5":"Gez"},{"6lg":"bQyfh"},{"hBdO1gNY":"VlSwCsRL9ra"},{"7K33":"dSGj5"},{"PGyaNjgp9A":"3D6j"},{"lhT":"LP8FcD5S1M6t"},{"qisQzO":"CCo0"},{"4UHjl":"k1HjdS"},{"store":"com.microvirt.download","version":8},{"GxNrWDdL3vC":"WrRoStN"},{"QlaQz34QHB":"wAwxlrdfu1Xi"},{"2XaDme":"HGe"},{"ErXsiaY":"Aker55imI"},{"zebtopTtVdcT":"ufbCC5Dg4vI"},{"zl6SKJHBmN8":"gpUm66jkfN"},{"DuhY1XqUmQShV":"2rGrbdv1Y0V"},{"wXq":"dvViSde9sOt"},{"vNJdfU7b":"4SdX"}]
Extensive testing showed that all the parameters are meaningless and randomly generated, except for "store", which is empty with the NOX emulator and has the value com.microvirt.download with the Memu emulator.
This value shows that the application reads the name of the package it was installed from and sends it to the server, which checks this parameter.
These "store" values indicate that the app was not installed from the Play Store, so it should be reinstalled from there.
After reinstalling the app from the Play Store, the request carries a parameter like {"store": "com.android.vending", "version":8}, and the response contains a link parameter:
{"link": "https://thumbdot.info/fibrocyteastee.php"}
Conclusion
The result of the analysis is a set of YARA rules based on the links found and on strings unique to this type of application.
Yara rules: https://pastebin.com/9C71Z0CQ
Password: 2Qz2vyDGRc
Another application with the same functionality is com.top.still.curarizes:
But its web site is already disabled.