bok.booknils.ofnile (FBC_luckyhuckyDrbest)

This application uses the same algorithm as the group of applications described earlier: https://teletype.in/@hawkeye/VF_YOtmqBwi

Analysis

The analysis is shown using the bok.booknils.ofnile application as an example.

Traffic capturing showed the initial link and hop chain. In the traffic analyzer the chain of conversions looks like this:

The complete chain of transitions looks like this:

1. https://firebaseremoteconfig.googleapis.com/v1/projects/257989247899/namespaces/firebase:fetch
2. https://brontamiventbattcomp.tk/SB7SGwMt?&subid=1624317439138-1734672484446304287&advertising_id=c01167bf-7a2f-4040-ab40-974196c0c32a
3. http://185.233.37.63/fdHjMhyC?sub1=&sub2={sub2}&sub3={sub3}&sub4={sub4}&sub5={sub5}&sub6=1624317439138-1734672484446304287&sub7=c01167bf-7a2f-4040-ab40-974196c0c32a&sub9={sub9}

The application did not show anything suspicious in the video, just a white screen, but the traffic analyzer showed requests to the developers' servers. This means that traffic is completely controlled by the developers' server.

This is easily proven using the standard Charles traffic analyzer functionality. First you need to change the response status code to 302, this is the status code responsible for redirection. After replacing the status code you need to add a response header of this form: Location: http://google.com, where Location is the name of the header, from it, is taken a link for redirection.

Such redirection to the desired link can occur at any stage of the chain of conversions. For example, request for link brontamiventbattcomp.tk could redirect response not to 185.233.37.63 but to any other necessary site.

The initial link comes from the firebaseremoteconfig service.

The result of searching for this data in the source files:

Conclusion

The result of the analysis is YARA rules based on the links found and the strings unique to this type of application.

Yara rules: https://pastebin.com/fwvCF1CN

Password: Qbx7k6XydG