June 24, 2021

com.sumappgame.vnight io.cherry.golden

Introduction

Previous report: https://teletype.in/@hawkeye/NGovaUm7LAk

We used a Ukrainian IP address to obtain these results.

Traffic analysis video

Analysis

Both applications have the same algorithm and the same chain of redirects:

Traffic analyzer screenshot

The complete chain of transitions looks like this:

  1. https://adspartners.net/v1/r/ads?appId=.....
  2. https://fruktwalk.ru/......
  3. https://ahufgtds.com/fruitwalk/vlknlndua?param={atp}&clickid=.....
  4. https://huffsongpp.live/vulkanua/p18001/?atp=%7Batp%7D&goto=....

Starting from the initial https://adspartners.net link in the chain, we can move on to code analysis. The part of the code where the full link is used served as the basis for the YARA rules:

Screenshot of the code using the initial link (Full size)

Both applications have methods named "startWeb", which were used to write the YARA rules.
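The following rule is an added illustration of how the two indicators above (the initial adspartners.net link embedded in the code and the shared "startWeb" method name) combine into a YARA rule; it is not the author's published rule set from the Pastebin link. It assumes it is run on an extracted classes.dex, and the rule name and metadata are made up.

```yara
// Added example, not the author's published rules.
// Target: an extracted classes.dex. APKs are zip archives, so these strings
// sit compressed inside the APK and will not match the archive itself.
rule Suspect_Redirect_App_adspartners_startWeb
{
    meta:
        description = "Android app embedding the adspartners.net redirect entry point together with a startWeb method (constructed example)"
        date        = "2021-06-24"

    strings:
        // Initial link of the redirect chain as it appears in the app code.
        // Only the prefix is used: the appId value differs per app, and the
        // later hops (fruktwalk.ru, ahufgtds.com, huffsongpp.live) are
        // server-side redirects that never appear inside the APK.
        $entry_url = "https://adspartners.net/v1/r/ads?appId=" ascii

        // Method name shared by both samples. On its own it is far too
        // generic, so it only counts in combination with the URL.
        $method    = "startWeb" ascii

    condition:
        // DEX magic "dex\n" read as a little-endian uint32 keeps the rule
        // off unrelated files (HTML, logs) that merely mention the domain.
        uint32(0) == 0x0a786564
        and $entry_url
        and $method
}
```

Because both strings live in the DEX string table, the rule still fires on repackaged builds as long as the initial link and the method name are not renamed or obfuscated.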

Conclusion

The result of the analysis is YARA rules based on the links found and the strings unique to this type of application.

YARA rules: https://pastebin.com/rEFmkU44

Password: 79t2t4hqWt