win.pandora

Pandora


Pandora ransomware was obtained by vx-underground on 2022-03-14.

References
2022-06-23 | Secureworks | Counter Threat Unit Research Team
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader (accessed 2022-09-20)
Families: ATOMSILO, Cobalt Strike, HUI Loader, LockFile, NightSky, Pandora, PlugX, Quasar RAT, Rook, SodaMaster

2022-05-12 | Cloudsek | Anandeshwar Unnikrishnan
Technical Analysis of Emerging, Sophisticated Pandora Ransomware Group
https://cloudsek.com/technical-analysis-of-emerging-sophisticated-pandora-ransomware-group/ (accessed 2022-05-17)
Families: Pandora

2022-05-09 | Microsoft Security | Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ (accessed 2022-06-02)
Families: Griffon, BazarBackdoor, BlackCat, BlackMatter, Blister, Gozi, LockBit, Pandora, Rook, SystemBC, TrickBot

2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself (accessed 2022-05-17)
Families: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker; actor: BRONZE STARLIGHT

2022-04-19 | Fortinet | Gergely Revay
Using Emulation Against Anti-Reverse Engineering Techniques
https://www.fortinet.com/blog/threat-research/Using-emulation-against-anti-reverse-engineering-techniques (accessed 2022-04-25)
Families: Pandora

2022-04-07 | Fortinet | Gergely Revay, Shunichi Imano
Looking Inside Pandora’s Box
https://www.fortinet.com/blog/threat-research/looking-inside-pandoras-box (accessed 2022-04-08)
Families: Pandora

2022-03-21 | VinCSS | Tran Trung Kien, m4n0w4r
[QuickNote] Analysis of Pandora ransomware
https://kienmanowar.wordpress.com/2022/03/21/quicknote-analysis-of-pandora-ransomware/ (accessed 2022-03-22)
Families: Pandora

2022-03-16 | Dissecting Malware | Marius Genheimer
Quick revs: Pandora Ransomware - The Box has been open for a while...
https://dissectingmalwa.re/blog/pandora/ (accessed 2022-03-17)
Families: Pandora

2022-03-15 | Cyble | Cyble
Deep Dive Analysis - Pandora Ransomware
https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/ (accessed 2022-09-19)
Families: Pandora, Rook
Yara Rules
[TLP:WHITE] win_pandora_auto (20230715 | Detects win.pandora.)
rule win_pandora_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.pandora."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4c894c2420 4d8bc8 4d8bf8 4c8bf2 }
            // n = 4, score = 100
            //   4c894c2420           | dec                 esp
            //   4d8bc8               | mov                 eax, dword ptr [esp + 0x78]
            //   4d8bf8               | dec                 eax
            //   4c8bf2               | test                esi, esi

        $sequence_1 = { 09c0 744a 8b5f04 488d8c30dcb10700 4801f3 4883c708 ff15???????? }
            // n = 7, score = 100
            //   09c0                 | dec                 esp
            //   744a                 | mov                 edi, dword ptr [esp + 0x90]
            //   8b5f04               | xor                 eax, eax
            //   488d8c30dcb10700     | inc                 ebp
            //   4801f3               | lea                 ecx, [eax - 0x61]
            //   4883c708             | inc                 ecx
            //   ff15????????         |                     

        $sequence_2 = { 41c1ec08 8975f0 4133bc92b0f90600 4133bc8ab00d0700 418bcf 337804 c1e918 }
            // n = 7, score = 100
            //   41c1ec08             | mov                 edi, eax
            //   8975f0               | mov                 eax, dword ptr [esp + 0x38]
            //   4133bc92b0f90600     | test                edi, edi
            //   4133bc8ab00d0700     | cmove               eax, ebx
            //   418bcf               | dec                 eax
            //   337804               | lea                 edx, [esp + 0x40]
            //   c1e918               | dec                 eax

        $sequence_3 = { 488b8c2480000000 4803ca 483bcf 740d b89ac4ffff 4883c460 5f }
            // n = 7, score = 100
            //   488b8c2480000000     | mov                 edi, dword ptr [esp + 0x68]
            //   4803ca               | mov                 ebx, 1
            //   483bcf               | dec                 esp
            //   740d                 | cmp                 edi, ebx
            //   b89ac4ffff           | jbe                 0x3df
            //   4883c460             | test                eax, eax
            //   5f                   | je                  0x3e2

        $sequence_4 = { 4157 488d6c24a8 4881ec58010000 4c8bf2 c745d801000000 488bf9 48c745e001000000 }
            // n = 7, score = 100
            //   4157                 | test                eax, eax
            //   488d6c24a8           | jne                 0xb0f
            //   4881ec58010000       | xor                 dl, dl
            //   4c8bf2               | dec                 eax
            //   c745d801000000       | mov                 ecx, ebx
            //   488bf9               | mov                 esi, eax
            //   48c745e001000000     | test                eax, eax

        $sequence_5 = { 0bd7 418bcf 23d3 4133cc 4123ca 4133cf }
            // n = 6, score = 100
            //   0bd7                 | dec                 ecx
            //   418bcf               | mov                 eax, ecx
            //   23d3                 | dec                 esi
            //   4133cc               | lea                 esi, [edx + eax]
            //   4123ca               | dec                 eax
            //   4133cf               | ror                 eax, 0x12

        $sequence_6 = { 488d05f3210300 48894730 488d05b8fd0200 c7472001000000 48c7472806000000 48894748 488d05c63a0300 }
            // n = 7, score = 100
            //   488d05f3210300       | mov                 byte ptr [edi + 0x2a], al
            //   48894730             | movzx               eax, byte ptr [ebx + 0x3c]
            //   488d05b8fd0200       | mov                 byte ptr [edi + 0x2b], al
            //   c7472001000000       | movzx               eax, byte ptr [ebx + 0x3b]
            //   48c7472806000000     | mov                 byte ptr [edi + 0x2a], al
            //   48894748             | movzx               eax, byte ptr [ebx + 0x3c]
            //   488d05c63a0300       | mov                 byte ptr [edi + 0x2b], al

        $sequence_7 = { 4233541bfc 418953fc 4883ee01 0f8575ffffff 488b5c2410 488b6c2418 488b742420 }
            // n = 7, score = 100
            //   4233541bfc           | xor                 edx, eax
            //   418953fc             | rol                 ecx, 0xf
            //   4883ee01             | inc                 ecx
            //   0f8575ffffff         | mov                 eax, eax
            //   488b5c2410           | dec                 eax
            //   488b6c2418           | lea                 edi, [ebp - 0x70]
            //   488b742420           | je                  0x916

        $sequence_8 = { 41be01000000 48f7d9 0f1f440000 488d0419 4883f801 0f8c6afdffff 48ffcb }
            // n = 7, score = 100
            //   41be01000000         | dec                 eax
            //   48f7d9               | lea                 eax, [eax + 4]
            //   0f1f440000           | dec                 eax
            //   488d0419             | sub                 edx, 1
            //   4883f801             | jne                 0x11a1
            //   0f8c6afdffff         | inc                 esp
            //   48ffcb               | lea                 eax, [edx + 0x40]

        $sequence_9 = { 488d3dabd0fcff 44334a04 498bd8 448b11 418bc1 443312 }
            // n = 6, score = 100
            //   488d3dabd0fcff       | mov                 eax, edx
            //   44334a04             | add                 eax, esi
            //   498bd8               | inc                 ebp
            //   448b11               | xor                 eax, ebx
            //   418bc1               | inc                 esp
            //   443312               | add                 eax, eax

    condition:
        7 of them and filesize < 1032192
}