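///////////////////////////////////////////////////////
////////////////////// RAGNAROK ///////////////////////
///////////////////////////////////////////////////////

/*
 * Detection rule for the Ragnarok ransomware payload (x86 PE).
 *
 * String anchors: "rg_path" and "rsa_pub_E" are key names of the embedded
 * configuration (see the recovered config below); "START_" is short and
 * generic on its own, which is why the condition asks for 3 of 5 rather
 * than relying on any single string.
 *
 * Hex anchors: two wildcarded function bodies. Both open with the classic
 * x86 frame setup 55 8b ec (push ebp / mov ebp,esp); $crypt_func closes with
 * 5e 5d c3 (pop esi / pop ebp / ret). $call_prologue reserves a 0x1ac-byte
 * frame (81 ec ac 01 00 00) and then does a1 ?? ?? ?? ?? 33 c5, which looks
 * like the MSVC stack-cookie setup (mov eax,[cookie] / xor eax,ebp) — treat
 * that reading as an assumption, not as something the rule depends on.
 *
 * Fixes vs. the original: "Ransomwaare" typo in description; the meta block
 * carried a second 'description' key with the value "white", which reads as
 * a TLP marking and is stored under 'tlp' so the two entries no longer
 * collide.
 */
rule crime_win32_ransom_ragnarok_1
{
    meta:
        description = "Detects Ragnarok Ransomware Payload"
        author      = "@VK_Intel"
        reference   = "twitter"
        tlp         = "white"   // original rule repeated the 'description' key here
        date        = "2020-05-02"

    strings:
        // configuration key names carried in the payload
        $str1 = "rg_path"
        $str2 = "START_"
        $str3 = "rsa_pub_E"

        // wildcarded x86 function bodies (addresses/immediates masked with ??)
        $crypt_func = {55 8b ec 56 8b ?? ?? 68 90 01 00 00 6a 00 8d ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 8d ?? ?? c7 ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 83 c4 10 83 fa 14 7d ?? 8d ?? ?? 8d ?? ?? 8d ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 83 fa 14 7d ?? 8d ?? ?? 8d ?? ?? 8d ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 5e 5d c3}
        $call_prologue = {55 8b ec 81 ec ac 01 00 00 a1 ?? ?? ?? ?? 33 c5 89 ?? ?? 53 8b ?? ?? 56 57 68 80 94 42 00 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 68 88 94 42 00 ff ?? ?? ?? ?? ?? 8b ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 8d ?? ?? ?? ?? ?? 50 68 02 02 00 00 ff ?? ?? ?? ?? ?? 6a 00 6a 01 6a 02 ff ?? ?? ?? ?? ?? 6a 10 8d ?? ?? 89 ?? ?? ?? ?? ?? 51 50 c7 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 56 89 ?? ?? ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 66 ?? ?? ?? 8d ?? ?? 6a 10 50 57 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 68 00 08 00 00 e8 ?? ?? ?? ?? 68 00 08 00 00 8b f0 6a 00 56 89 ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 10 8d ?? ?? 8a ?? ?? 8d ?? ?? 84 c0 75 ?? a1 ?? ?? ?? ?? 89 ?? 66 ?? ?? ?? ?? ?? 66 ?? ?? ?? 85 db 74 ?? 8b d3}

    condition:
        // uint16(0) == 0x5a4d is the "MZ" DOS header: on a PE file any 3 of
        // the 5 anchors suffice; without the MZ check (memory dumps, carved
        // data) all 5 must be present.
        ( uint16(0) == 0x5a4d and ( 3 of them ) ) or ( all of them )
}

///////////////////////////////////////////////////////
////////////////////// RAGNAROK CFG ///////////////////
///////////////////////////////////////////////////////

// Configuration recovered from the sample, reproduced as-is (one top-level
// key per line; the "rsa_pub..." entry is truncated in the source and left
// untouched). Defender-relevant fields: dst_ip/dst_port (C2 endpoint),
// readme_name/ext (on-disk artefacts), reg_key/reg_value (Defender and
// HomeGroup policy keys the sample touches), and the cmd_* strings
// (shadow-copy, boot-policy, recovery and firewall commands) which are
// good process-creation detection content.
{"calc_ext":[".doc",".txt",".xls",".ppt",".sql",".pdf"],
"file_ext":[".exe",".dll",".sys",".ragnarok"],
"proc":["sql","note","powerpnt","winword","excel"],
"dst_ip":"198.44.227.126",
"dst_port":81,
"rg_path":"C:\\Users\\public\\veryhotfix",
"readme_name":"How_To_Decrypt_My_Files.txt",
"ext":".ragnarok",
"readme_content":"#what happend? Unfortunately your files are encrypted, To decrypt your files follow the instructions 1. you need a decrypt tool so that you can decrypt all of your files 2. contact with us for our btc address if you want decrypt your files or you can do nothing just wait your files gona be deleted 3. you can provide a file which size less than 3M for us to prove that we can decrypt your files after you paid 4. it is wise to pay in the first time it wont cause you more losses you can send your DEVICE ID to mail address below ragnarok_master@protonmail.com ragnarok@rape.lol yawkyawkyawk@cock.li DEVICE ID: ",
"aes_key_rand":"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
"reg_key":["SYSTEM\\CurrentControlSet\\Control\\Nls\\Language","SOFTWARE\\Policies\\Microsoft\\Windows\\HomeGroup","SOFTWARE\\Policies\\Microsoft\\Windows Defender","SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"],
"reg_value":["DisableHomeGroup","DisableAntiSpyware","DisableRealtimeMonitoring","DisableBehaviorMonitoring","DisableOnAccessProtection","InstallLanguage"],
"except_language":["0419","1049","2052","0480","1152","0478","1144","0451","1105","040a","1034","042b","1067","042c","1068","082c","2092","0423","1059","0819","2073","043f","1087","0440","0428","1064","0443","1091","0442","1090","0422","1058","040d","1037","0804"],
"except_path":["content.ie5","\\temporary internet files","\\local settings\\temp","\\appdata\\local\\temp","\\program files","\\windows","\\programdata","$"],
"no_name1":"\\*.*",
"no_name2":"%s\\%s",
"no_name3":"%s\\*.*",
"no_name4":"/proc",
"no_name5":"/proc/%s/status",
"no_name6":"%*s %s",
"no_name7":"%s%s/",
"no_name8":"/tmp/crypt.txt",
"no_name9":"/proc/%s",
"rsa_pub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rsa_pub_E":"010001",
"rand_path":"/dev/random",
"home_path":"/home/",
"sys64_path":"C:\\Windows\\SysWOW64",
"cmd_shadow":"cmd.exe /c vssadmin delete shadows /all /quiet",
"cmd_boot":"cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures",
"cmd_recovery":"cmd.exe /c bcdedit /set {current} recoveryenabled no",
"cmd_firewall":"cmd.exe /c netsh advfirewall set allprofiles state off",
"dll":["kernel32.dll","Advapi32.dll","Mpr.dll"],
"api":["Wow64DisableWow64FsRedirection","Wow64RevertWow64FsRedirection","RegOpenKeyExA","RegQueryValueExA","WNetOpenEnumA","GlobalAlloc","WNetEnumResourceA","FindFirstFileA","FindNextFileA","GlobalFree","WNetCloseEnum","RegCloseKey","CloseHandle","GetVersionExA","CreateProcessA","CryptAcquireContextA","CryptGenRandom","CryptReleaseContext","CreateFileA","GetFileSizeEx","GetLogicalDriveStringsA","Process32Next","Process32First","TerminateProcess","CreateToolhelp32Snapshot","OpenProcess","FreeSid","AllocateAndInitializeSid","CheckTokenMembership","CreateMutexA","WaitForSingleObject","ReleaseMutex","RegCreateKeyA","RegSetValueExA","GetComputerNameA","GetDriveTypeA"],
"rsa_rand":"rsa_encrypt"}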