Ragnarok Ransomware


Tactical report of Ransomware Ragnarok
Identification

Vendor
Detection
ESET-NOD32
A Variant Of Win32/Filecoder.Ragnarok.A
TrendMicro
Ransom.Win32.RAGNAROK.A
ALYac
Trojan.Ransom.Ragnarok

The following table contains list of artifacts that had been analyzed within this document.



PE
Time stamp
MD
Size in bytes
Filename
Description
Monday 03 February 2020, 05.03.52
48452DD2506831D0B340E45B08799623
210.00 KB (215040 bytes)
since1969.exe
Main malicious



Summary
Ragnarok is a piece of malicious software, classified as ransomware. Its discovery is credited to Karsten Hahn. It operates by encrypting the data of infected devices, for the purpose of making ransom demands for the decryption. As Ragnarok ransomware encrypts, all affected files are appended with the ".ragnarok_cry" extension. To elaborate on how files would appear following encryption, then a file titled something like "1.jpg" would appear as "1.jpg.ragnarok_cry". After this process is complete, a text file - "How_To_Decrypt_My_Files.txt" is created on the desktop.



Technical details
Ransomware starts to resolve apis and libraries based on specific value as shown in figure (1).

It resolves libraries like kernel32.dll, Advapi32.dll, Mpr.dll

Figure (1)

Mutex
Ransomware Resolve api called CreateMutexA from library called kernel32.dll and creates new mutex called name. To make sure that there is only one version of ranowamre is running, if the mutex already exists so ranomware will terminate as shown in figure (2).


Figure (2)



It resolves api called RegOpenKeyExA and RegQueryValueExA then try get current language of machine by check registry path SYSTEM\CurrentControlSet\Control\Nls\Language as shown in figure (3).

Figure (3)
It checks if operating system is 32 or 64 so in case of 32 bits it will create new process as shown in figure (4) and in case of operating system is 64 it will create process as shown in table and figure (5)

Figure (4)
First Case (32 bit)
Command
cmd_shadow
Process name
cmd.exe /c vssadmin delete shadows /all /quiet
Purpose
To delete the Shadow Volume Copies


Second case (64 bit)
It deletes volume shadow copies and disables recovery of firewall as shown in figure (5) and tables below.


Figure (5)

Command
cmd_shadow
Process name
cmd.exe /c vssadmin delete shadows /all /quiet
Purpose
To delete the Shadow Volume Copies


lpCommandLine
cmd.exe /c bcdedit /set {current} recoveryenabled no
lpCommandLine
cmd.exe /c bcdedit /set {current} recoveryenabled no
lpApplicationName
cmd_firewall



It generates new AES key as shown in figure (6)

Figure (6)
Aes_key_rand 
  • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.

It gets computer name as shown in figure (7).

Figure (7)

Malware trying to get public and private ip address of machine as shown in figure (8).

Figure (8)
It resolves apies to search for files and detect all drives in pc as shown in figure (9).

Figure (9)
I collected most of configurations of ransomware as shown in two figures (10) and (11) below.

Figure (10)

Figure (11)

It adds extension ragnaroks at every file that encrypted.
After encryption finished it displays readme message at the end as shown in figure (12).


Figure (12)
Yara Rule

/*
  Yara Rule Set
  Author: Mahmoud Elmenshawy
  Date:2019-11-17
  Identifier:  BitPaymer Ransomware
*/
private rule IsPE
{condition:
     // MZ signature at offset 0 and ...
     uint16(0) == 0x5A4D and
     // ... PE signature at offset stored in MZ header at 0x3C
     uint32(uint32(0x3C)) == 0x00004550}
rule RagrokRansomware{
     meta:
                                  Author = "Mahmoud Elmenshawy"
                                  Description = "  Ragrok Ransomware Rule for detecting Main file"
                                  MD5 = "48452DD2506831D0B340E45B08799623" 
                strings:
                                  $x1 ="!!ReadMe_To_Decrypt_My_Files.txt".
                                  $x2 ="cmd.exe /c bcdedit /set {current} recoveryenabled no".
                                  $x3 =" cmd.exe /c bcdedit /set {current} bootstatuspolicy   ignoreallfailures".
                               
                condition:
                All of them  and  IsPE



If you wanna learn malware analysis you can check my YouTube channel I'm trying publish analysis of malware and some methods to analysis malwares.
Please don't forgot subscribe my channel Than you ♥  
YouTube channel 
https://www.youtube.com/channel/UCParXHaBXBmqRdHuVUg21pA



Malware analyst : Mahmoud El Menshawy.
Contact Me : mahmoudmorsy372@gmail.com.
linkedin profile : https://www.linkedin.com/in/mahmoudmorsy1/.






Comments

Post a Comment

Popular posts from this blog

IOCs 7_8_2021

Image
  (1) File Name Netflix Checker AutoProxy.rar Created process Qsbb.exe Connected (Ip/Dns) Fhruhceio[.]eu5[.]org MD5 54407258f1e20055897fe7dad504a5dc SHA256 4c54592475d4636eb0fe0555dbe44813332059d787c755571797484b87983a50 Family njRAT   (2) File Name Start.exe Created process yGYkD7gHOX.exe Connected (Ip/Dns) Telete[.]in MD5 e123bd2a5d074027510e792b92bce913 SHA256 245c87b29983815f1bad519d8490e4fae064ec3f4788781f3944cbe4ad7e8e8b Family Raccoon   (3) File Name Banco do Brasil_eDeclaração_SMX_046_6-08-2021_SWIFT.COPY.exe Created process Banco do Brasil_eDeclaração_SMX_046_6-08-2021_SWIFT.COPY.exe Connected (Ip/Dns) www[.]transinta[.]com MD5 c5
Read more

Phishing Attacks 23_4_2022

Image
  If you wanna learn how to detect phishing emails  only by your eye , you can check my udemy course here  . My udemy course   (1) Sender ip 180.214.238.82 From "Dang Thi Thu Hien<hiendang@panpacific.co.kr>" Subject "RE: [SSC CS] F22 03/09 Buy Shipping request_04062022" Attachment "SEALOGISTICS DEBIT NOTE.zip" MD5 add8e964a595d7af30f02783943c3a00 SHA256 24f6485539bc5d700d17ec8d629827ea80dfae2eb2189e872f4b8ae0e7f1d66f Family AgentTesla   If you wanna know how to analysis AgentTesla Malware you can      check my analysis in YouTube   AgentTesla .         (2) Sender ip 138.197.200.182 From "Nguyen Thi Quy <nguyen@47.fximnii.sbs>" Subject "RE: Purchase Inquiry: KPC/PU-231(MECH)NBI/20-22"
Read more

Phishing Attacks 15_2_2021

Image
  If you wanna learn how to detect phishing emails  only by your eye , you can check my udemy course here  . My udemy course (1) Sender ip 137.184.90.200 From "<zita@anthonybirch.ml>" Subject "Attached our formal P/O : 4501226854." Attachment "PO - 4501226854,pdf (1).iso" MD5 9addd85060db79af3b0ac0e3011c69c1 SHA256 b0b0135c292340ab5993a9f2bea6f3f6e6478fb5883fe2e1ef67c60cf3dd0944 Family Formbook   (2) Sender ip 143.198.41.151 From "Gilbert Anderson <info@digimaincheckshower.com>" Subject "Please accept my applicant " Attachment "Approvald-32134.doc" MD5 40582aacc0f7f8a0946a64249dae4767 SHA256 1b97ac97a845c9f63cf7308e3f6f983
Read more