Checking the behavioural information extracted by Cogito, we noticed that these samples are very aggressive about ad display: fullscreen ads are shown each time. One of the two applications also contained suspicious code that auto-clicks ads served by Facebook.
All the files are hosted on the same Amazon S3 bucket. Unfortunately, some interesting files and folders (e.g. program, tmp) are not accessible, but all of the folders related to the file are, so we were able to collect all the packages that rely on the CDN for the privacy link.
Comparing the and files byte by byte, it is easy to see that only the first 2048 bytes of the file are encoded.
To be precise, a single-byte XOR encoding with key = 0xFF is applied to the first 2048 bytes of
After decoding, we can see that is equal to and the content is just a single file.
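The prefix-only XOR encoding described above, as an added example that is not part of the original post: a decoder for the first 2048 bytes, plus the byte-by-byte comparison step that recovers the key and the encoded-prefix length from an encoded file and its plain counterpart. The sample bytes are constructed; the real package files are not reproduced here.

```python
# Added example (not the original post's code). Decodes a file whose first
# PREFIX_LEN bytes are single-byte-XOR encoded, and recovers key and prefix
# length by diffing an encoded file against its plain version.

PREFIX_LEN = 2048   # encoded prefix length observed in the analysis
KEY = 0xFF          # single-byte XOR key observed in the analysis


def decode_prefix(data: bytes, key: int = KEY, prefix_len: int = PREFIX_LEN) -> bytes:
    """XOR only the first prefix_len bytes with key; the remainder is copied
    unchanged. Files shorter than prefix_len are decoded in full."""
    head = bytes(b ^ key for b in data[:prefix_len])
    return head + data[prefix_len:]


def recover_key_and_length(encoded: bytes, plain: bytes) -> tuple[int, int]:
    """Byte-by-byte comparison of an encoded file with its plain version.

    Returns (key, prefix_len). Raises ValueError if the files differ in a way
    that is not a single-byte XOR applied to a contiguous prefix."""
    if len(encoded) != len(plain):
        raise ValueError("encoded and plain files differ in length")
    diffs = [i for i, (e, p) in enumerate(zip(encoded, plain)) if e != p]
    if not diffs:
        return 0, 0                       # identical: nothing is encoded
    end = diffs[-1] + 1
    # With a non-zero key every byte of the prefix changes, so the differing
    # offsets must form the contiguous range 0 .. end-1.
    if diffs != list(range(end)):
        raise ValueError("differences are not confined to a contiguous prefix")
    keys = {e ^ p for e, p in zip(encoded[:end], plain[:end])}
    if len(keys) != 1:
        raise ValueError("prefix is not single-byte XOR encoded")
    return keys.pop(), end


# Constructed sample standing in for the package: 2564 bytes of plain data,
# with the first 2048 XOR-encoded exactly as the analysis describes.
SAMPLE_PLAIN = b"PK\x03\x04" + bytes(range(256)) * 10
SAMPLE_ENCODED = bytes(b ^ KEY for b in SAMPLE_PLAIN[:PREFIX_LEN]) + SAMPLE_PLAIN[PREFIX_LEN:]

if __name__ == "__main__":
    key, length = recover_key_and_length(SAMPLE_ENCODED, SAMPLE_PLAIN)
    print(f"key=0x{key:02X} encoded_prefix={length} bytes")
    print("decoded matches plain:", decode_prefix(SAMPLE_ENCODED) == SAMPLE_PLAIN)
```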
The code is slightly obfuscated with meaningless class/field names and encoded strings.
During the analysis we checked the configuration URL to understand why it was down, and we noticed that Kaspersky Lab had found a piece of code connecting to the same domain (under a different sub-domain): c.phaishey.com/ft/.