Infostealer MySayad Operation Saffron Rose Malware Analysis
I received a sample of Operation Saffron Rose malware and analyzed it. Here are the details:
CRC32: 99CC79B7
MD5: A7813001063A23627404887B43616386
SHA-1: 1C52B749403D3F229636F07B0040EB17BEBA28E4
This sample is a packed cabinet (CAB) file that acts as a self-extractor. Simply extracting it with WinRAR yields two files:
~8f60957b3689075fa093b047242c0255.exe
MD5: 72641DEDB31280B78BF6A0F184EF29B6
SHA-1: 69FD05CA3A7514EA79480D1DBB358FAB391E738D
~8f60957b3689075fa093b047242c0255.exe.config
MD5: C7CFEECEC1E049D65F5238B949913A78
SHA-1: 863CBD3E9C0B779C4FC0E418535BCB4258B4A261
You can see the config file here; it is not important at all. The binary is compiled against .NET Framework 2. Here is the file description as written by the authors:
In the .NET resources of this file we see two large byte array entries, identified as Client_2 and Client_4 in the resource file, which are Base64 encoded. There is no encryption or obfuscation; simply decoding the Base64 yields two new .NET DLL modules.
Client_2:
MD5: 432A79F8F1402CB2622B27E26E900D55
SHA-1: 8521EEFBF7336DF5C275C3DA4B61C94062FAFDDA
Client_4:
MD5: D15211D8E67EE7D88F7B26AEEA6ADF5E
SHA-1: 6401486B4E1CD5D7C6B8472D8F88DA9D20329C1C
Both of these files are also written in C# and compiled against .NET Framework 2 as .NET DLL modules. Both have an export table entry named "78121"; Sayad passes this entry point as an argument to RunDLL32.exe.
I should also mention that, as far as I've seen, both DLLs are identical, except that client_2 is compiled against .NET Framework 2 and client_4 against .NET Framework 4.
These two DLL modules also have some Base64-encoded strings in their resource file:
cnVuZGxsMzIuZXhl ==> rundll32.exe
U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu ==> SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The module also has a hidden (not really) config file appended to the end of its original file:
ExecutableConfigInfo executableConfigInfo = Program.ReadExtraDataFromEndOfbuffer(File.ReadAllBytes(Assembly.GetExecutingAssembly().Location));
Using the code above, it reads a Unicode XML file from the end of its own file; here is a copy of it.
Its publickey entry decodes to "http://0o0o0o0o0.com/sqlite3.dll", which we can guess is the C&C server.
The PostURL entry decodes to "http://0o0o0o0o0.com/soft.php", which is probably the PHP interface that receives files from the malware. You can see the whois information here.
ScreenShotCount decodes to 2 and interval decodes to 15. The startupScreenShot entry decodes to True, meaning it takes a screenshot at startup and then uploads 2 screenshots every 15 minutes.
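The two decoding steps described above (Base64-wrapped strings in the DLL resources, and a Base64-valued XML config read back from the end of the executable) as an added Python triage example. This is not code from the original post or from the malware: the XML layout, the ExecutableConfigInfo root element name and the sample bytes are constructed here, since the post does not reproduce the config file, and it assumes plain Base64 values and UTF-16LE (what .NET calls "Unicode") for the appended text.

```python
"""Triage helpers for the two decoding steps in the write-up:
Base64 strings inside a .NET resource blob, and a Base64-valued XML
config appended to the end of the executable.

Added example, not code from the post or the malware. Assumptions:
constructed XML layout with root <ExecutableConfigInfo>, plain Base64
values, UTF-16LE for the appended text.
"""
import base64
import re
import xml.etree.ElementTree as ET


def _printable(text: str) -> bool:
    """True when decoded text looks like a string rather than binary junk."""
    return text.strip() != "" and all(c.isprintable() or c in "\r\n\t" for c in text)


def find_base64_strings(data: bytes, min_len: int = 12):
    """Scan raw bytes (e.g. a dumped .resources blob) for Base64 runs that
    decode to printable UTF-8 text. Returns (token, decoded) pairs."""
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    found = []
    for match in pattern.finditer(data):
        token = match.group(0)
        if len(token) % 4:  # padded Base64 length is always a multiple of 4
            continue
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if _printable(text):
            found.append((token.decode("ascii"), text))
    return found


def extract_trailing_xml(file_bytes: bytes, root_tag: str = "ExecutableConfigInfo"):
    """Return the XML text appended after the PE image, or None if absent.
    Assumption: UTF-16LE text starting at the last '<root_tag' and running to EOF."""
    marker = ("<" + root_tag).encode("utf-16-le")
    pos = file_bytes.rfind(marker)
    if pos == -1:
        return None
    return file_bytes[pos:].decode("utf-16-le", errors="ignore")


def _coerce(value: str):
    """Map decoded text to bool/int where it clearly is one (True, 2, 15)."""
    if value in ("True", "False"):
        return value == "True"
    if value.isdigit():
        return int(value)
    return value


def decode_config(xml_text: str) -> dict:
    """Base64-decode every child element of the config root into a dict."""
    root = ET.fromstring(xml_text)
    config = {}
    for elem in root:
        raw = base64.b64decode((elem.text or "").strip()).decode("utf-8")
        config[elem.tag] = _coerce(raw)
    return config


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample: junk bytes around the two Base64 strings the post
# lists from the DLL resources.
SAMPLE_RESOURCE = (
    b"\x00\x00MZ\x90\x00"
    + b"cnVuZGxsMzIuZXhl\x00"
    + b"U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu\x00"
    + b"\xff\xfe not base64 \x00"
)

# Constructed sample config using the entry names and decoded values the
# post reports; the real file's layout is not shown there.
SAMPLE_CONFIG_XML = (
    "<ExecutableConfigInfo>"
    f"<publickey>{_b64('http://0o0o0o0o0.com/sqlite3.dll')}</publickey>"
    f"<PostURL>{_b64('http://0o0o0o0o0.com/soft.php')}</PostURL>"
    f"<ScreenShotCount>{_b64('2')}</ScreenShotCount>"
    f"<interval>{_b64('15')}</interval>"
    f"<startupScreenShot>{_b64('True')}</startupScreenShot>"
    "</ExecutableConfigInfo>"
)

# Constructed stand-in for the executable: fake header bytes, then the
# UTF-16LE config appended at the end, where the dropper reads it from.
SAMPLE_FILE = b"MZ\x90\x00" + b"\x00" * 16 + SAMPLE_CONFIG_XML.encode("utf-16-le")


if __name__ == "__main__":
    for token, text in find_base64_strings(SAMPLE_RESOURCE):
        print(f"{token} ==> {text}")
    for key, value in decode_config(extract_trailing_xml(SAMPLE_FILE)).items():
        print(f"{key} = {value!r}")
```

Running the script prints the two resource strings decoded as in the post and the five config entries with their typed values; pointing `find_base64_strings` at a real dumped resource blob is the same call with different bytes, and `extract_trailing_xml` returns None when nothing is appended.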
Basically the initial module is just a dropper: it extracts both resource files (client_2 or client_4), runs them with RunDLL32.exe and terminates.
Initial look at Saffron client module classes:
This malware is written in .NET and doesn't have anything special; I've decompiled all of its source code. You can download the entire source code of all Sayad modules here.