win.pandora

Pandora


Pandora ransomware was obtained by vx-underground on 2022-03-14.

References
2022-06-23 | Secureworks | Counter Threat Unit ResearchTeam
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
@online{researchteam:20220623:bronze:8bccd74, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}}, date = {2022-06-23}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader}, language = {English}, urldate = {2022-06-27} }
Families: ATOMSILO, Cobalt Strike, HUI Loader, LockFile, NightSky, Pandora, Rook
2022-05-12 | Cloudsek | Anandeshwar Unnikrishnan
Technical Analysis of Emerging, Sophisticated Pandora Ransomware Group
@online{unnikrishnan:20220512:technical:87d0cbd, author = {Anandeshwar Unnikrishnan}, title = {{Technical Analysis of Emerging, Sophisticated Pandora Ransomware Group}}, date = {2022-05-12}, organization = {Cloudsek}, url = {https://cloudsek.com/technical-analysis-of-emerging-sophisticated-pandora-ransomware-group/}, language = {English}, urldate = {2022-05-17} }
Families: Pandora
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} }
Families: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker
2022-05-09 | Microsoft Security | Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
@online{center:20220509:ransomwareasaservice:3dac44d, author = {Microsoft Threat Intelligence Center and Microsoft 365 Defender Threat Intelligence Team}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/}, language = {English}, urldate = {2022-06-02} }
Families: Griffon, BazarBackdoor, BlackCat, BlackMatter, Blister, Gozi, LockBit, Pandora, Rook, SystemBC, TrickBot
2022-04-19 | Fortinet | Gergely Revay
Using Emulation Against Anti-Reverse Engineering Techniques
@online{revay:20220419:using:51d31d5, author = {Gergely Revay}, title = {{Using Emulation Against Anti-Reverse Engineering Techniques}}, date = {2022-04-19}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/Using-emulation-against-anti-reverse-engineering-techniques}, language = {English}, urldate = {2022-04-25} }
Families: Pandora
2022-04-07 | Fortinet | Gergely Revay, Shunichi Imano
Looking Inside Pandora’s Box
@online{revay:20220407:looking:d148b0f, author = {Gergely Revay and Shunichi Imano}, title = {{Looking Inside Pandora’s Box}}, date = {2022-04-07}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/looking-inside-pandoras-box}, language = {English}, urldate = {2022-04-08} }
Families: Pandora
2022-03-25 | GOV.UA | State Service of Special Communication and Information Protection of Ukraine (CIP)
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
@online{cip:20220325:who:e75f0ac, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}}, date = {2022-03-25}, organization = {GOV.UA}, url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya}, language = {English}, urldate = {2022-03-28} }
Families: Xloader, Agent Tesla, CaddyWiper, Cobalt Strike, DoubleZero, GraphSteel, GrimPlant, HeaderTip, HermeticWiper, IsaacWiper, MicroBackdoor, Pandora
2022-03-21 | VinCSS | Tran Trung Kien, m4n0w4r
[QuickNote] Analysis of Pandora ransomware
@online{kien:20220321:quicknote:4be36f8, author = {Tran Trung Kien and m4n0w4r}, title = {{[QuickNote] Analysis of Pandora ransomware}}, date = {2022-03-21}, organization = {VinCSS}, url = {https://kienmanowar.wordpress.com/2022/03/21/quicknote-analysis-of-pandora-ransomware/}, language = {English}, urldate = {2022-03-22} }
Families: Pandora
2022-03-16 | Dissecting Malware | Marius Genheimer
Quick revs: Pandora Ransomware - The Box has been open for a while...
@online{genheimer:20220316:quick:f97769c, author = {Marius Genheimer}, title = {{Quick revs: Pandora Ransomware - The Box has been open for a while...}}, date = {2022-03-16}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/blog/pandora/}, language = {English}, urldate = {2022-03-17} }
Families: Pandora
Yara Rules
[TLP:WHITE] win_pandora_auto (20220516 | Detects win.pandora.)
rule win_pandora_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.pandora."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488d4c2468 0faf4580 85c0 7e4b 488d5580 e8???????? 488d4c2468 }
            // n = 7, score = 100
            //   488d4c2468           | mov                 eax, dword ptr [edi + 0x60]
            //   0faf4580             | dec                 eax
            //   85c0                 | test                eax, eax
            //   7e4b                 | je                  0x563
            //   488d5580             | dec                 eax
            //   e8????????           |                     
            //   488d4c2468           | cmp                 dword ptr [edi + 0x78], 0

        $sequence_1 = { 894d60 83f80a 0f8f2a030000 8bf2 8bc6 ffc6 83f80a }
            // n = 7, score = 100
            //   894d60               | inc                 ecx
            //   83f80a               | add                 eax, ebx
            //   0f8f2a030000         | inc                 esp
            //   8bf2                 | mov                 ebx, dword ptr [esp + 0x24]
            //   8bc6                 | inc                 esp
            //   ffc6                 | xor                 ebx, dword ptr [esp + 0x54]
            //   83f80a               | add                 esi, eax

        $sequence_2 = { 488d158b0f0100 488d0d540f0100 e8???????? 85c0 740a b8ff000000 e9???????? }
            // n = 7, score = 100
            //   488d158b0f0100       | inc                 esp
            //   488d0d540f0100       | add                 eax, edx
            //   e8????????           |                     
            //   85c0                 | inc                 ecx
            //   740a                 | mov                 eax, esi
            //   b8ff000000           | add                 ecx, 0xe9b6c7aa
            //   e9????????           |                     

        $sequence_3 = { 48c7477004000000 48898790000000 c7878000000001000000 48c7878800000001000000 488b5710 4885d2 744e }
            // n = 7, score = 100
            //   48c7477004000000     | inc                 ecx
            //   48898790000000       | movups              xmm2, xmmword ptr [esp + 0x58]
            //   c7878000000001000000     | inc    ecx
            //   48c7878800000001000000     | movups    xmm3, xmmword ptr [esp + 0x68]
            //   488b5710             | inc                 ecx
            //   4885d2               | movups              xmmword ptr [esp + 0x58], xmm0
            //   744e                 | test                edi, edi

        $sequence_4 = { 75f2 ebc8 4c8b28 4c8b7808 410fb6410c 3be8 75b8 }
            // n = 7, score = 100
            //   75f2                 | mov                 ecx, eax
            //   ebc8                 | test                eax, eax
            //   4c8b28               | jne                 0x326
            //   4c8b7808             | mov                 dword ptr [ebx], edi
            //   410fb6410c           | test                ecx, ecx
            //   3be8                 | mov                 ecx, eax
            //   75b8                 | test                eax, eax

        $sequence_5 = { 750a bf80b3ffff e9???????? 488d15a8520300 488d4def e8???????? 85c0 }
            // n = 7, score = 100
            //   750a                 | inc                 esp
            //   bf80b3ffff           | mov                 eax, ebp
            //   e9????????           |                     
            //   488d15a8520300       | inc                 ecx
            //   488d4def             | mov                 byte ptr [esp], 0
            //   e8????????           |                     
            //   85c0                 | dec                 ebp

        $sequence_6 = { 85db 0f858d020000 488b4710 48b98564def933f304b5 49394c04f8 72b5 488b5528 }
            // n = 7, score = 100
            //   85db                 | mov                 ebx, dword ptr [esp + 0x50]
            //   0f858d020000         | dec                 eax
            //   488b4710             | mov                 dword ptr [esi + ebx*8], eax
            //   48b98564def933f304b5     | dec    eax
            //   49394c04f8           | mov                 edx, dword ptr [esp + 0x50]
            //   72b5                 | call                ebp
            //   488b5528             | dec                 eax

        $sequence_7 = { 488d457f c745df01000000 4533ff 488945ef 488d55df 4c897d7f }
            // n = 6, score = 100
            //   488d457f             | not                 edx
            //   c745df01000000       | inc                 ecx
            //   4533ff               | or                  edx, ecx
            //   488945ef             | inc                 ecx
            //   488d55df             | xor                 edx, eax
            //   4c897d7f             | add                 edx, dword ptr [esp + 0x30]

        $sequence_8 = { 41c1e208 420fb68c2280f30600 4433d1 400fb6cf 41c1e208 420fb68c2180f30600 4433d1 }
            // n = 7, score = 100
            //   41c1e208             | mov                 ecx, ebx
            //   420fb68c2280f30600     | dec    ecx
            //   4433d1               | mov                 ebp, ecx
            //   400fb6cf             | setne               dl
            //   41c1e208             | dec                 ebp
            //   420fb68c2180f30600     | mov    esi, eax
            //   4433d1               | dec                 eax

        $sequence_9 = { 41d1c3 0bc8 41c1ca02 4103cb 44895c2440 03cb 8bf7 }
            // n = 7, score = 100
            //   41d1c3               | test                eax, eax
            //   0bc8                 | dec                 eax
            //   41c1ca02             | mov                 ecx, esi
            //   4103cb               | dec                 eax
            //   44895c2440           | mov                 edi, eax
            //   03cb                 | dec                 eax
            //   8bf7                 | cmp                 eax, 0x8b

    condition:
        7 of them and filesize < 1032192
}