About Teletype
Join
H
@hawkeye
June 15, 2021

com.yeknom.yzarc

Analysis

The analysis is shown using the com.yeknom.yzarc application is an example.

Traffic capturing showed the initial link and hop chain. In the traffic analyzer the chain of conversions looks like this:

Traffic analyzer screenshot

The complete chain of transitions looks like this:

  1. Post request at https://silpo.fun/
  2. https://dialleads.ru/7q217Ddg?app=159-android-sasha&view_id=5587436&stream=deffy
  3. https://sol-iynvvzbaie.com/c7fbebcaa?ctag=2djdn57110vdd&btag=159-android-sasha
  4. https://sol-media1.com/c7fbebcaa?ctag=2djdn57110vdd&btag=159-android-sasha
  5. https://zzfftt.rxsfree.com/solprtapp/?btag=159-android-sasha&ctag=2djdn57110vdd&r=u9Wa0Fmc0NXanVmc&stag=177692_60c8bd1b73984b4dbaba1310

The process of traffic analysis looks like this:

Traffic analysis video

With an initial link in the https://silpo.fun/ chain, you can move on to code analysis.

Screenshot of the code using the initial link

Conclusion

The result of the analysis is YARA rules based on the links found and the strings unique to this type of application.

Yara rules: https://pastebin.com/iLvCH7jE

Password: wtbAMz5aEn

@m0cn0
June 15, 2021, 14:57
0 reactions
0 views