Symbol: win.pandora
Common name: Pandora

Pandora ransomware was obtained by vx-underground on 2022-03-14.

References
2022-06-23 | Secureworks | Counter Threat Unit Research Team
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
Related: ATOMSILO, Cobalt Strike, HUI Loader, LockFile, NightSky, Pandora, PlugX, Quasar RAT, Rook, SodaMaster, BRONZE STARLIGHT

2022-05-12 | Cloudsek | Anandeshwar Unnikrishnan
Technical Analysis of Emerging, Sophisticated Pandora Ransomware Group
Related: Pandora

2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Related: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT

2022-05-09 | Microsoft Security | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Related: Griffon, BazarBackdoor, BlackCat, BlackMatter, Blister, Gozi, LockBit, Pandora, Rook, SystemBC, TrickBot

2022-04-19 | Fortinet | Gergely Revay
Using Emulation Against Anti-Reverse Engineering Techniques
Related: Pandora

2022-04-07 | Fortinet | Gergely Revay, Shunichi Imano
Looking Inside Pandora's Box
Related: Pandora

2022-03-21 | VinCSS | m4n0w4r, Tran Trung Kien
[QuickNote] Analysis of Pandora ransomware
Related: Pandora

2022-03-16 | Dissecting Malware | Marius Genheimer
Quick revs: Pandora Ransomware - The Box has been open for a while...
Related: Pandora

2022-03-15 | Cyble | Cyble
Deep Dive Analysis - Pandora Ransomware
Related: Pandora, Rook
Yara Rules
[TLP:WHITE] win_pandora_auto (20230808 | Detects win.pandora.)
rule win_pandora_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.pandora."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 48ffcb 48899d60020000 48ffc6 c60300 4c8bc6 488d8d60020000 }
            // n = 6, score = 100
            //   48ffcb               | lea                 eax, [ebx + 0x180]
            //   48899d60020000       | dec                 eax
            //   48ffc6               | lea                 ecx, [eax + 0xf]
            //   c60300               | dec                 eax
            //   4c8bc6               | sub                 ebp, eax
            //   488d8d60020000       | jae                 0x1149

        $sequence_1 = { 458bce 41c1c90b 4433c9 44895d40 418bce 458bc3 c1c906 }
            // n = 7, score = 100
            //   458bce               | dec                 eax
            //   41c1c90b             | mov                 eax, ebx
            //   4433c9               | dec                 eax
            //   44895d40             | rol                 eax, 0x19
            //   418bce               | dec                 eax
            //   458bc3               | xor                 edx, eax
            //   c1c906               | dec                 esp

        $sequence_2 = { 4885c0 750a b880eeffff e9???????? 4d8bcf 48896c2420 4c8d442430 }
            // n = 7, score = 100
            //   4885c0               | jne                 0x765
            //   750a                 | movzx               eax, byte ptr [edx + 0x1a]
            //   b880eeffff           | movzx               ecx, byte ptr [edx + 0x1b]
            //   e9????????           |                     
            //   4d8bcf               | shl                 ecx, 8
            //   48896c2420           | or                  ecx, eax
            //   4c8d442430           | movzx               eax, byte ptr [edx + 0x19]

        $sequence_3 = { 488d1d43ef0200 4885c0 7404 488d5820 8bcf e8???????? 8903 }
            // n = 7, score = 100
            //   488d1d43ef0200       | shr                 eax, 0x10
            //   4885c0               | inc                 edx
            //   7404                 | movzx               esi, byte ptr [ecx + ebp + 0x61940]
            //   488d5820             | movzx               ecx, al
            //   8bcf                 | shl                 esi, 8
            //   e8????????           |                     
            //   8903                 | inc                 edx

        $sequence_4 = { 4c8d7c2430 4c2bff 4c8dab80010000 0f1f4000 0f1f840000000000 488bd5 498d4d0f }
            // n = 7, score = 100
            //   4c8d7c2430           | lea                 ecx, [0x10f1b]
            //   4c2bff               | jmp                 0x1028
            //   4c8dab80010000       | dec                 eax
            //   0f1f4000             | lea                 edx, [0x352a8]
            //   0f1f840000000000     | dec                 eax
            //   488bd5               | lea                 ecx, [ebp - 0x11]
            //   498d4d0f             | test                eax, eax

        $sequence_5 = { 418bf8 488bea 488bf1 4d85c9 7423 498b4128 }
            // n = 6, score = 100
            //   418bf8               | cmp                 ecx, esi
            //   488bea               | dec                 eax
            //   488bf1               | mov                 edi, edx
            //   4d85c9               | dec                 eax
            //   7423                 | mov                 ebx, ecx
            //   498b4128             | inc                 esp

        $sequence_6 = { 4533b48db0050700 418bcb 44337014 c1e908 0fb6d1 8bcb }
            // n = 6, score = 100
            //   4533b48db0050700     | mov                 byte ptr [edi + 0x2e], al
            //   418bcb               | movzx               eax, byte ptr [ebx + 0x38]
            //   44337014             | mov                 byte ptr [edi + 0x2f], al
            //   c1e908               | cmp                 dword ptr [ebx + 0xd0], 0
            //   0fb6d1               | jne                 0x27a
            //   8bcb                 | mov                 byte ptr [edi + 0x2f], al

        $sequence_7 = { 452bf8 c1ed08 452be0 8d4147 41c1ef08 41c1ec08 458d48e6 }
            // n = 7, score = 100
            //   452bf8               | mov                 cl, 0x1f
            //   c1ed08               | dec                 esp
            //   452be0               | mov                 eax, edi
            //   8d4147               | dec                 eax
            //   41c1ef08             | mov                 edx, esi
            //   41c1ec08             | dec                 eax
            //   458d48e6             | mov                 ecx, ebx

        $sequence_8 = { 4403d1 418bc9 4181c139a093fc 41c1c20a 4403d2 f7d1 410bca }
            // n = 7, score = 100
            //   4403d1               | dec                 esp
            //   418bc9               | cmp                 dword ptr [ecx], ebp
            //   4181c139a093fc       | jne                 0x529
            //   41c1c20a             | dec                 ecx
            //   4403d2               | mov                 eax, dword ptr [edi + 0x10]
            //   f7d1                 | dec                 ecx
            //   410bca               | mov                 ecx, esp

        $sequence_9 = { 79da 85db 0f8538020000 4c8d45cf 498bd7 488d4db7 e8???????? }
            // n = 7, score = 100
            //   79da                 | movzx               eax, byte ptr [edx + 0x39]
            //   85db                 | movzx               eax, byte ptr [edx + 0x3a]
            //   0f8538020000         | shl                 ecx, 8
            //   4c8d45cf             | or                  ecx, eax
            //   498bd7               | movzx               eax, byte ptr [edx + 0x3b]
            //   488d4db7             | shl                 ecx, 8
            //   e8????????           |                     

    condition:
        7 of them and filesize < 1032192
}