Deep Analysis - Ragnar Locker Ransomware | Threat: CRITICAL
File Identity
| SHA256 | 041fd213326dd5c10a16caf88ff076bb98c68c052284430fba5f601023d39a14 |
|---|---|
| Size | 817,764 bytes (PE32 GUI x86, 6 sections) |
| Entropy | 7.973 (packed / obfuscated) |
---RAGNAR SECRET---: Identity Confirmation
RAGNAR LOCKER: the "---RAGNAR SECRET---" string inside the binary identifies the sample as Ragnar Locker ransomware.
---RAGNAR SECRET---

-- Ragnar Locker: ransomware group active 2019-2023 (Europol takedown in 2023)
-- PE32 GUI x86: main encryption engine
-- Entropy 7.97: entire payload encrypted/packed
-- Targets: corporate networks, critical infrastructure, 12+ countries
File Encryption Capability
CryptAcquireContextW
CryptEncrypt
CryptDestroyKey
CryptGenRandom
CryptReleaseContext
GetDriveTypeW
FindFirstFileW
FindNextFileW
SetFileAttributesW
CopyFileW

-- CryptAcquireContextW: acquire a Windows CryptoAPI provider context to start encryption
-- CryptGenRandom: generate random key material
-- CryptEncrypt: encrypt file contents
-- CryptDestroyKey / CryptReleaseContext: release the key and provider handles when done
-- GetDriveTypeW: scan fixed, removable and network drives
-- FindFirstFileW / FindNextFileW: enumerate every file for encryption
-- SetFileAttributesW: hide encrypted files / change their attributes
Token Manipulation (Privilege Escalation)
OpenProcessToken
SetTokenInformation
DuplicateTokenEx

-- OpenProcessToken: open the current process's access token
-- DuplicateTokenEx: duplicate a token (impersonation)
-- SetTokenInformation: modify token settings
-- Purpose: access and encrypt all files with SYSTEM privileges
-- Note: these three imports are also common in legitimate software; treat them as supporting evidence alongside the marker string and the CryptoAPI imports, not as a standalone indicator
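The import groups in the File Encryption Capability and Token Manipulation sections above lend themselves to a static triage check. The following is an added example, not code from the original page and not Ragnar Locker or any vendor's tooling: it hashes a file's bytes, measures Shannon entropy, searches for the ---RAGNAR SECRET--- marker and for the listed API names, and returns a verdict. The entropy threshold, the verdict rules, the build_demo_sample() stand-in bytes and all function names are this example's own assumptions.

```python
"""Static triage of a suspected Ragnar Locker sample.

Added example (not Ragnar Locker code and not any vendor's tooling): hashes the
bytes, measures Shannon entropy, looks for the family marker string and for the
API names the profile lists, and returns a verdict. Works on raw bytes, so it
runs offline against any file or a constructed stand-in.
"""
import hashlib
import math
from collections import Counter

# From the profile above.
KNOWN_SHA256 = "041fd213326dd5c10a16caf88ff076bb98c68c052284430fba5f601023d39a14"
MARKER = b"---RAGNAR SECRET---"

# API names listed in the profile, grouped by the capability they indicate.
API_GROUPS = {
    "encryption": [b"CryptAcquireContextW", b"CryptEncrypt", b"CryptGenRandom"],
    "enumeration": [b"GetDriveTypeW", b"FindFirstFileW", b"FindNextFileW"],
    "token": [b"OpenProcessToken", b"DuplicateTokenEx", b"SetTokenInformation"],
}

# Assumption of this example: entropy at or above this is treated as packed.
PACKED_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_apis(data: bytes) -> dict:
    """Plaintext API names found in the bytes. This only sees names the outer
    (stub) import table exposes; a packed payload's imports stay hidden until
    the sample is unpacked or dumped from memory."""
    return {group: [name.decode() for name in names if name in data]
            for group, names in API_GROUPS.items()}


def classify(marker: bool, known_ioc: bool, apis: dict) -> str:
    """Verdict rules are this example's assumption, not a published signature."""
    if marker and (known_ioc or (apis["encryption"] and apis["enumeration"])):
        return "ragnar_locker"
    if apis["encryption"] and apis["enumeration"] and apis["token"]:
        # Token APIs alone are common in legitimate software; require all three groups.
        return "suspicious_ransomware_toolkit"
    return "no_indicators"


def triage(data: bytes) -> dict:
    digest = hashlib.sha256(data).hexdigest()
    entropy = shannon_entropy(data)
    apis = find_apis(data)
    marker = MARKER in data
    known = digest == KNOWN_SHA256
    return {
        "sha256": digest,
        "known_ioc": known,
        "entropy": round(entropy, 3),
        "packed": entropy >= PACKED_ENTROPY,
        "marker": marker,
        "apis": apis,
        "verdict": classify(marker, known, apis),
    }


def build_demo_sample() -> bytes:
    """Constructed stand-in, NOT the real sample's bytes: high-entropy filler
    (mimicking a packed body) followed by the marker and the API names in
    plaintext, as they would appear in an import table."""
    filler = b"".join(hashlib.sha256(bytes([i, j])).digest()
                      for i in range(32) for j in range(32))
    names = b"\0".join(n for group in API_GROUPS.values() for n in group)
    return b"MZ" + filler + MARKER + b"\0" + names


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_demo_sample()), indent=2))
    print(json.dumps(triage(b"MZ" + b"benign text " * 50), indent=2))
```

Run it against a real file with `triage(open(path, "rb").read())`. Because the profiled sample is packed (entropy 7.97), the CryptoAPI and token names will only be visible if the packer stub's import table still carries them; otherwise unpack the sample or dump the process from memory before trusting the API groups.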
IOC
| SHA256 | 041fd213326dd5c10a16caf88ff076bb98c68c052284430fba5f601023d39a14 |
|---|---|
| Signature | ---RAGNAR SECRET--- (string inside the binary) |
| Encryption | CryptAcquireContextW + CryptEncrypt |
| Privilege | OpenProcessToken + DuplicateTokenEx |
| Drive enum | GetDriveTypeW + FindFirstFileW/FindNextFileW |
RagnarLocker — Malware Profile
Ragnar Locker is a ransomware group active 2019-2023 whose infrastructure was taken down by Europol in 2023. The sample is a PE32 GUI x86 binary; the "---RAGNAR SECRET---" string inside it confirms the family. It imports CryptAcquireContextW and CryptEncrypt for file encryption, GetDriveTypeW with FindFirstFileW/FindNextFileW for drive and file enumeration, and OpenProcessToken with DuplicateTokenEx for token manipulation aimed at SYSTEM-level file access. Targets corporate networks across 12+ countries.
Malware Type
Ransomware
Programming Language
C
C2 Protocol
—
Target Systems
Windows
Capabilities & Behavior
File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)
IOC List (1 indicator)
IOC — RagnarLocker
# SHA256
041fd213326dd5c10a16caf88ff076bb98c68c052284430fba5f601023d39a14
| Type | Value | Note |
|---|---|---|
| sha256 | 041fd213326dd5c10a16caf88ff076bb98c68c052284430fba5f601023d39a14 | Sample analyzed above (PE32 GUI x86, 817,764 bytes) |