April 30, 2021

Cordova pin620pong

Analysis

The analysis uses the co.pharaon630gold.bduki application as an example.

Traffic capture revealed the initial link and the hop chain. In the traffic analyzer the chain of redirects looks like this:

[Screenshot: traffic analyzer view of the redirect chain]
  1. The dns.google service is used to obtain the initial data. The query parameter is the application name with its first and last labels swapped: co.pharaon630gold.bduki becomes bduki.pharaon630gold.co.
  2. The service answers the request from step 1. The "data" field of the response holds base64-encoded initialization data.
  3. The data is decoded from base64.
  4. Result: {"yamAppKey":"fc23e46f-100b-40a7-a826-e05f7620b03f","osAppId":"a91f1331-aad6-4893-8ff1-431b16bb5e7d","disableInit":false,"apiUrl":"\/arvzaiewxzacl"}
  5. The apiUrl value is used as the request path on bduki.pharaon630gold.co. The full link looks like this: https://bduki.pharaon630gold.co/arvzaiewxzacl
  6. A request is sent to that link.
  7. The response to the request is also base64-encoded.
  8. After base64 decoding, the data looks like this: {"ct":"DDYoxKp3Ngz0M1aogqga6DS6y9IZgp7w\/SEZ\/k3vUJrZHYyiow9SG4kGstfgRxurLyXW8qFAehGIuFCnDskCNdjrhyWn70y9aHuW1NzUKjffuC9ZVenFbQ3eXoyigMavjjSA+8FL\/9xWo2+vj64IXD7Mah9zcfzXOWF2TakpN+MXTki3ZzLVswl2pXgDLITco3QZGN+pO5gSgA09wHlqXlyykP8nr8oesilkD7X4wgE8sY6mWinB8lS5y9TaQx0sCUQGPoZNCihSTUhLYgZOUul9+lkTGUjcZWHU5sIPAk3sa4grlOAyfMTdWZ7NnyzaU9WNW7fLSIbOd6pgfUyi9MPuH2jkLqe3Gq1ONmC6I3oxZqp78iP\/15vMOqqFyVAshlGcNFayky7zMZ0XoRm1vYrUTZxGe1PZTvh2OYXbkYUx7MCTPVThvno5pDBjcyyQWkMhoc19gsHMO8ab0ouzeYi9gBand8smKwhfnOJsGlmo7t7EusJCVqsHDvtKYOlKVb+RFEHGtDFoGu0A54ipJw==","iv":"b348ab4b42a7d38ec78ff67582f452ff","s":"99b69fcbc3331fc5"}
  9. The decoded data contains the "iv" and "s" parameters, which indicate AES encryption. The base64-decoded data is fed into an AES decoder with the application name co.pharaon630gold.bduki as the key.
  10. The AES-decrypted data looks like this: {"init":true,"first_init":true,"fb_event_name":"sentFriendRequest","fb_event_sum":0,"event_rec_timer":300,"fb_event_page_count":0,"fb_event_page_sum":0.05,"event_web_page_count":0,"event_web_change_timer":5,"af_event_content_view":false,"web_sec_redirect":1000,"url":"https:\/\/track.dragonhall.pro\/click?pid=352&offer_id=617&l=1611044811&ref_id=318nqkq3pdil4","fcm_os_empty":true,"c_id":"3896471"}
  11. The "url" parameter holds the next link.
  12. That link redirects the request to https://clickpupbit.com/3gyte4nj/..., which in turn redirects to the final address https://greenmanua.pu020ev.com/?lang=uk....

The complete chain of transitions looks like this:

  1. https://dns.google/resolve?name=bduki.pharaon630gold.co&type=txt&ct=application/x-javascript
  2. https://bduki.pharaon630gold.co/arvzaiewxzacl
  3. https://track.dragonhall.pro/click?pid=352&offer_id=617&l=1611044811&ref_id=318nqkq3pdil4
  4. https://clickpupbit.com/3gyte4nj/?subId1=608bc0672a3df20001869cce&subId2=352&subId5=
  5. https://greenmanua.pu020ev.com/?lang=uk&st=3gyte4nj&s1=608bc0672a3df20001869cce&s2=352&s3=&s4=&s5=&pc=30&form_phone={form_phone}&form_email={form_email}&trId=c25s0q1ct2hbv8haeor0&source=
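The twelve steps above, reproduced end to end as an added Python example (this is not code from the original write-up or from the application). It assumes that the {ct, iv, s} envelope follows the CryptoJS JSON layout, i.e. AES-256-CBC with key and iv derived from the passphrase (the package name) and the salt "s" via OpenSSL's EVP_BytesToKey with MD5; the dns.google answer body is constructed here because the write-up only shows the decoded blob, and the AES step needs the third-party cryptography package while everything else is standard library.

```python
import base64
import hashlib
import json

try:  # third-party; only the AES step needs it, the rest of the chain is standard library
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    AES_AVAILABLE = True
except ImportError:
    AES_AVAILABLE = False

PACKAGE = "co.pharaon630gold.bduki"

# Constructed sample: the step-4 initialization JSON, base64-encoded at runtime and wrapped
# in a dns.google-style JSON answer (TXT data arrives double-quoted there) so the parser
# runs offline. The real DoH answer body is not reproduced in the write-up.
INIT_JSON = {"yamAppKey": "fc23e46f-100b-40a7-a826-e05f7620b03f",
             "osAppId": "a91f1331-aad6-4893-8ff1-431b16bb5e7d",
             "disableInit": False, "apiUrl": "/arvzaiewxzacl"}
SAMPLE_DNS_RESPONSE = json.dumps({"Status": 0, "Answer": [{
    "name": "bduki.pharaon630gold.co.", "type": 16, "TTL": 300,
    "data": '"' + base64.b64encode(json.dumps(INIT_JSON).encode()).decode() + '"'}]})

# The step-8 envelope exactly as printed in the write-up (raw string: the JSON escapes "/" as "\/").
PAGE_ENVELOPE = r'{"ct":"DDYoxKp3Ngz0M1aogqga6DS6y9IZgp7w\/SEZ\/k3vUJrZHYyiow9SG4kGstfgRxurLyXW8qFAehGIuFCnDskCNdjrhyWn70y9aHuW1NzUKjffuC9ZVenFbQ3eXoyigMavjjSA+8FL\/9xWo2+vj64IXD7Mah9zcfzXOWF2TakpN+MXTki3ZzLVswl2pXgDLITco3QZGN+pO5gSgA09wHlqXlyykP8nr8oesilkD7X4wgE8sY6mWinB8lS5y9TaQx0sCUQGPoZNCihSTUhLYgZOUul9+lkTGUjcZWHU5sIPAk3sa4grlOAyfMTdWZ7NnyzaU9WNW7fLSIbOd6pgfUyi9MPuH2jkLqe3Gq1ONmC6I3oxZqp78iP\/15vMOqqFyVAshlGcNFayky7zMZ0XoRm1vYrUTZxGe1PZTvh2OYXbkYUx7MCTPVThvno5pDBjcyyQWkMhoc19gsHMO8ab0ouzeYi9gBand8smKwhfnOJsGlmo7t7EusJCVqsHDvtKYOlKVb+RFEHGtDFoGu0A54ipJw==","iv":"b348ab4b42a7d38ec78ff67582f452ff","s":"99b69fcbc3331fc5"}'


def bootstrap_domain(package_name):
    """Step 1: the bootstrap host is the package name with first and last labels swapped."""
    labels = package_name.split(".")
    labels[0], labels[-1] = labels[-1], labels[0]
    return ".".join(labels)


def parse_bootstrap(dns_json):
    """Steps 2-4: take the first TXT answer (type 16), strip the quoting, base64-decode, parse."""
    txt = [a for a in json.loads(dns_json).get("Answer", []) if a.get("type") == 16]
    if not txt:
        raise ValueError("no TXT record in DoH answer")
    return json.loads(base64.b64decode(txt[0]["data"].strip('"')))


def trace_bootstrap(package_name, dns_json):
    """Steps 1-5 end to end: package name -> DoH query URL -> init blob -> config URL."""
    domain = bootstrap_domain(package_name)
    init = parse_bootstrap(dns_json)
    return {"domain": domain,
            "query_url": f"https://dns.google/resolve?name={domain}&type=txt&ct=application/x-javascript",
            "init": init,
            "config_url": f"https://{domain}{init['apiUrl']}"}


def evp_bytes_to_key(passphrase, salt, key_len=32, iv_len=16):
    """OpenSSL EVP_BytesToKey (MD5, one iteration), the derivation CryptoJS uses for passphrase
    AES with a {ct, iv, s} envelope. Assumption: the app's decoder follows the same scheme."""
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def parse_envelope(envelope_json):
    """Step 8: ct is base64, iv and s are hex; a 16-byte iv and 8-byte salt match the CryptoJS layout."""
    env = json.loads(envelope_json)
    parsed = {"ct": base64.b64decode(env["ct"]), "iv": bytes.fromhex(env["iv"]), "s": bytes.fromhex(env["s"])}
    if len(parsed["iv"]) != 16 or len(parsed["s"]) != 8:
        raise ValueError("unexpected iv/salt length for a CryptoJS-style AES envelope")
    return parsed


def decrypt_envelope(envelope_json, passphrase):
    """Steps 9-10: AES-256-CBC, key from EVP_BytesToKey(passphrase, s), PKCS#7 padding removed."""
    env = parse_envelope(envelope_json)
    key, _ = evp_bytes_to_key(passphrase.encode(), env["s"])  # the derived iv equals env["iv"]
    dec = Cipher(algorithms.AES(key), modes.CBC(env["iv"])).decryptor()
    padded = dec.update(env["ct"]) + dec.finalize()
    pad = padded[-1] if padded else 0
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong passphrase or corrupted ciphertext")
    return json.loads(padded[:-pad])


def encrypt_envelope(obj, passphrase, salt):
    """Inverse of decrypt_envelope; used only to build fixtures for checking the decoder offline."""
    key, iv = evp_bytes_to_key(passphrase.encode(), salt)
    data = json.dumps(obj).encode()
    pad = 16 - len(data) % 16
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    ct = enc.update(data + bytes([pad]) * pad) + enc.finalize()
    return json.dumps({"ct": base64.b64encode(ct).decode(), "iv": iv.hex(), "s": salt.hex()})


if __name__ == "__main__":
    print(json.dumps(trace_bootstrap(PACKAGE, SAMPLE_DNS_RESPONSE), indent=2))
    if AES_AVAILABLE:
        print(decrypt_envelope(PAGE_ENVELOPE, PACKAGE).get("url"))  # step 11: the next hop
```

Running the script prints the step-5 config URL for the sample answer and, if the envelope assumption holds, the step-11 "url" value decrypted from the write-up's own ct/iv/s blob. A wrong passphrase is caught by the PKCS#7 check rather than producing silent garbage, which is the check to keep when applying the decoder to other samples of this family.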

Conclusion

The result of the analysis is a set of YARA rules based on the links found and on strings unique to this type of application.

YARA rules: https://pastebin.com/BVRX6Czw

Password: tADffRD7qn
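The YARA rules behind the link above match the application on disk. As an added network-side complement (not part of the original write-up, and not the author's rules), the following Python example flags the bootstrap pattern from step 1 in web-proxy logs: a DoH TXT lookup on dns.google whose queried name is then contacted directly by the same client, a queried name whose label-swapped form matches an installed package, and contact with the hosts from the redirect chain. The log lines, their format, and the installed-package inventory are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed web-proxy log lines: "<timestamp> <client> <url>". The first client replays the
# bootstrap seen in this write-up; the second makes an ordinary DoH A-record lookup.
SAMPLE_LOG = """\
2021-04-30T10:00:01Z 10.0.0.5 https://dns.google/resolve?name=bduki.pharaon630gold.co&type=txt&ct=application/x-javascript
2021-04-30T10:00:02Z 10.0.0.5 https://bduki.pharaon630gold.co/arvzaiewxzacl
2021-04-30T10:00:04Z 10.0.0.5 https://track.dragonhall.pro/click?pid=352&offer_id=617
2021-04-30T10:00:09Z 10.0.0.7 https://dns.google/resolve?name=example.com&type=a
2021-04-30T10:00:10Z 10.0.0.7 https://www.example.com/
"""

# Hosts taken from the redirect chain documented above (steps 11-12 and the chain list).
IOC_HOSTS = {"track.dragonhall.pro", "clickpupbit.com", "greenmanua.pu020ev.com"}
DOH_RESOLVERS = {"dns.google"}


def label_swap(name):
    """Undo the step-1 transform: swap first and last DNS labels to recover a package name."""
    labels = name.rstrip(".").split(".")
    labels[0], labels[-1] = labels[-1], labels[0]
    return ".".join(labels)


def parse_line(line):
    """Split one constructed log line into timestamp, client, host, path and query fields."""
    ts, client, url = line.split(" ", 2)
    parts = urlsplit(url)
    return {"ts": ts, "client": client, "host": parts.hostname or "", "path": parts.path,
            "query": {k: v[0] for k, v in parse_qs(parts.query).items()}}


def detect(lines, known_packages=()):
    """Return findings for (a) DoH TXT names whose label-swapped form is an installed package,
    (b) hosts contacted right after being fetched as a DoH TXT record, (c) known IoC hosts."""
    known = set(known_packages)
    pending = {}  # client -> names that client fetched as DoH TXT records
    findings = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        is_doh_txt = (ev["host"] in DOH_RESOLVERS and ev["path"] == "/resolve"
                      and ev["query"].get("type", "").lower() == "txt")
        if is_doh_txt:
            name = ev["query"].get("name", "").rstrip(".")
            pending.setdefault(ev["client"], set()).add(name)
            if label_swap(name) in known:
                findings.append({"ts": ev["ts"], "client": ev["client"], "rule": "doh_txt_package_bootstrap",
                                 "detail": f"TXT lookup {name} maps to installed package {label_swap(name)}"})
        elif ev["host"] in pending.get(ev["client"], ()):
            findings.append({"ts": ev["ts"], "client": ev["client"], "rule": "doh_txt_then_contact",
                             "detail": f"host {ev['host']} was first fetched as a DoH TXT record"})
        if ev["host"] in IOC_HOSTS:
            findings.append({"ts": ev["ts"], "client": ev["client"], "rule": "known_ioc_host",
                             "detail": ev["host"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines(), known_packages={"co.pharaon630gold.bduki"}):
        print(f["ts"], f["client"], f["rule"], f["detail"])
```

The package-inventory check is the strongest of the three signals and needs an installed-app list (for example from an MDM export); the "TXT lookup, then contact the looked-up name" heuristic works without one, at the cost of some noise from legitimate DoH clients, and the IoC match only catches the exact hosts observed in this chain.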