April 30, 2021
Cordova pin620pong
Analysis
The analysis is shown using the co.pharaon630gold.bduki application as an example.
Traffic capture revealed the initial link and the hop chain. In the traffic analyzer the chain of transitions looks like this:
- The dns.google service is used to obtain the initial data. The query parameter is the application's package name with its first and last labels swapped: co.pharaon630gold.bduki becomes bduki.pharaon630gold.co.
- The service answers the request from the first step with a TXT record. Its "data" field holds the base64-encoded initialization data.
- The data is decoded from base64.
- Result: {"yamAppKey":"fc23e46f-100b-40a7-a826-e05f7620b03f","osAppId":"a91f1331-aad6-4893-8ff1-431b16bb5e7d","disableInit":false,"apiUrl":"\/arvzaiewxzacl"}
- The apiUrl parameter is used as the request path under bduki.pharaon630gold.co. The full link looks like this: https://bduki.pharaon630gold.co/arvzaiewxzacl
- A request is sent to that link.
- The response to this request is also base64-encoded.
- Decoded from base64 data looks like this: {"ct":"DDYoxKp3Ngz0M1aogqga6DS6y9IZgp7w\/SEZ\/k3vUJrZHYyiow9SG4kGstfgRxurLyXW8qFAehGIuFCnDskCNdjrhyWn70y9aHuW1NzUKjffuC9ZVenFbQ3eXoyigMavjjSA+8FL\/9xWo2+vj64IXD7Mah9zcfzXOWF2TakpN+MXTki3ZzLVswl2pXgDLITco3QZGN+pO5gSgA09wHlqXlyykP8nr8oesilkD7X4wgE8sY6mWinB8lS5y9TaQx0sCUQGPoZNCihSTUhLYgZOUul9+lkTGUjcZWHU5sIPAk3sa4grlOAyfMTdWZ7NnyzaU9WNW7fLSIbOd6pgfUyi9MPuH2jkLqe3Gq1ONmC6I3oxZqp78iP\/15vMOqqFyVAshlGcNFayky7zMZ0XoRm1vYrUTZxGe1PZTvh2OYXbkYUx7MCTPVThvno5pDBjcyyQWkMhoc19gsHMO8ab0ouzeYi9gBand8smKwhfnOJsGlmo7t7EusJCVqsHDvtKYOlKVb+RFEHGtDFoGu0A54ipJw==","iv":"b348ab4b42a7d38ec78ff67582f452ff","s":"99b69fcbc3331fc5"}
- The decoded data contains the fields "iv" and "s" next to "ct", which indicates AES encryption. Feed the base64-decoded data into an AES decoder with the application name co.pharaon630gold.bduki as the key parameter.
- Decoded from AES data looks like this: {"init":true,"first_init":true,"fb_event_name":"sentFriendRequest","fb_event_sum":0,"event_rec_timer":300,"fb_event_page_count":0,"fb_event_page_sum":0.05,"event_web_page_count":0,"event_web_change_timer":5,"af_event_content_view":false,"web_sec_redirect":1000,"url":"https:\/\/track.dragonhall.pro\/click?pid=352&offer_id=617&l=1611044811&ref_id=318nqkq3pdil4","fcm_os_empty":true,"c_id":"3896471"}
- The request then follows the link from the "url" parameter.
- That link redirects the request to https://clickpupbit.com/3gyte4nj/..., which in turn redirects to the final address https://greenmanua.pu020ev.com/?lang=uk....
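Added example (my own code, not part of the original analysis): a Python reconstruction of the first stages of this chain, run against a constructed dns.google answer that wraps the init blob quoted above. It assumes the "ct"/"iv"/"s" container is CryptoJS's JSON format, whose passphrase mode derives key and IV with OpenSSL's EVP_BytesToKey (MD5), so an analyst can confirm that the package name is the passphrase from the stored IV alone, before any decryption; the function names are mine.

```python
import base64
import hashlib
import json

# Constructed dns.google answer wrapping the init JSON quoted in the analysis. dns.google
# returns TXT data in quotes (long records as several quoted chunks); base64 never contains
# a quote, so stripping all of them is safe.
INIT_B64 = base64.b64encode(b'{"yamAppKey":"fc23e46f-100b-40a7-a826-e05f7620b03f","osAppId":'
    b'"a91f1331-aad6-4893-8ff1-431b16bb5e7d","disableInit":false,"apiUrl":"\\/arvzaiewxzacl"}').decode()
SAMPLE_DOH = json.dumps({"Status": 0, "Answer": [
    {"name": "bduki.pharaon630gold.co.", "type": 16, "data": f'"{INIT_B64}"'}]})
# "iv" and "s" fields of the second-stage container quoted in the analysis.
PAGE_CONTAINER = {"iv": "b348ab4b42a7d38ec78ff67582f452ff", "s": "99b69fcbc3331fc5"}


def dead_drop_name(package: str) -> str:
    """Swap the first and last labels of the package name (co.x.y -> y.x.co)."""
    labels = package.split(".")
    labels[0], labels[-1] = labels[-1], labels[0]
    return ".".join(labels)

def init_from_txt(doh_json: str) -> dict:
    """Take the base64 TXT payload out of a dns.google JSON answer and decode it."""
    txt = json.loads(doh_json)["Answer"][0]["data"].replace('"', "")
    return json.loads(base64.b64decode(txt))

def stage2_url(package: str, init: dict) -> str:
    """apiUrl from the init blob is a path under the swapped-name host."""
    return f"https://{dead_drop_name(package)}{init['apiUrl']}"

def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int = 32, iv_len: int = 16):
    """OpenSSL EVP_BytesToKey (MD5, one round): the KDF CryptoJS applies when
    AES.encrypt() is handed a passphrase rather than a raw key (assumed here)."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]

def passphrase_matches(container: dict, passphrase: str) -> bool:
    """The container stores the derived IV beside the salt, so a candidate
    passphrase can be confirmed from the KDF alone, before any decryption."""
    _, iv = evp_bytes_to_key(passphrase.encode(), bytes.fromhex(container["s"]))
    return iv == bytes.fromhex(container["iv"])

if __name__ == "__main__":
    print(stage2_url("co.pharaon630gold.bduki", init_from_txt(SAMPLE_DOH)))
    print("package name is the passphrase:", passphrase_matches(PAGE_CONTAINER, "co.pharaon630gold.bduki"))
```

If the IV check passes, the "ct" field can then be decrypted with AES-256-CBC using the derived key and IV; if it fails, the key is something other than the plain package name and decryption is not worth attempting.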
The complete chain of transitions looks like this:
- https://dns.google/resolve?name=bduki.pharaon630gold.co&type=txt&ct=application/x-javascript
- https://bduki.pharaon630gold.co/arvzaiewxzacl
- https://track.dragonhall.pro/click?pid=352&offer_id=617&l=1611044811&ref_id=318nqkq3pdil4
- https://clickpupbit.com/3gyte4nj/?subId1=608bc0672a3df20001869cce&subId2=352&subId5=
- https://greenmanua.pu020ev.com/?lang=uk&st=3gyte4nj&s1=608bc0672a3df20001869cce&s2=352&s3=&s4=&s5=&pc=30&form_phone={form_phone}&form_email={form_email}&trId=c25s0q1ct2hbv8haeor0&source=
Conclusion
The result of the analysis is a set of YARA rules based on the links found and on strings unique to this type of application.
YARA rules: https://pastebin.com/BVRX6Czw