Pandora ransomware was obtained by vx-underground on 2022-03-14.
rule win_pandora_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.pandora."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // NOTE(review): every $sequence_N below is a raw hex byte sequence; the
        // hex bytes are what YARA matches. The "bytes | mnemonic" comments are
        // tool-generated and do not line up with the bytes on the same line
        // (e.g. 4d8bc8 is annotated as "mov eax, dword ptr [esp + 0x78]"), and
        // the leading 0x41/0x48/0x4c bytes rendered as inc/dec are REX prefixes
        // on 64-bit code decoded in 32-bit mode. Treat the comments as
        // informational only; do not edit the hex on the strength of them.
        // "n" is the number of instructions in the sequence; "score" is the
        // generator's ranking value and is not used by the condition.

        $sequence_0 = { 4c894c2420 4d8bc8 4d8bf8 4c8bf2 }
            // n = 4, score = 100
            //   4c894c2420           | dec esp
            //   4d8bc8               | mov eax, dword ptr [esp + 0x78]
            //   4d8bf8               | dec eax
            //   4c8bf2               | test esi, esi

        // The ???????? wildcard masks the 4-byte displacement of the indirect
        // call (ff15), so the sequence matches regardless of the import slot
        // address it resolves to.
        $sequence_1 = { 09c0 744a 8b5f04 488d8c30dcb10700 4801f3 4883c708 ff15???????? }
            // n = 7, score = 100
            //   09c0                 | dec esp
            //   744a                 | mov edi, dword ptr [esp + 0x90]
            //   8b5f04               | xor eax, eax
            //   488d8c30dcb10700     | inc ebp
            //   4801f3               | lea ecx, [eax - 0x61]
            //   4883c708             | inc ecx
            //   ff15????????         |

        $sequence_2 = { 41c1ec08 8975f0 4133bc92b0f90600 4133bc8ab00d0700 418bcf 337804 c1e918 }
            // n = 7, score = 100
            //   41c1ec08             | mov edi, eax
            //   8975f0               | mov eax, dword ptr [esp + 0x38]
            //   4133bc92b0f90600     | test edi, edi
            //   4133bc8ab00d0700     | cmove eax, ebx
            //   418bcf               | dec eax
            //   337804               | lea edx, [esp + 0x40]
            //   c1e918               | dec eax

        $sequence_3 = { 488b8c2480000000 4803ca 483bcf 740d b89ac4ffff 4883c460 5f }
            // n = 7, score = 100
            //   488b8c2480000000     | mov edi, dword ptr [esp + 0x68]
            //   4803ca               | mov ebx, 1
            //   483bcf               | dec esp
            //   740d                 | cmp edi, ebx
            //   b89ac4ffff           | jbe 0x3df
            //   4883c460             | test eax, eax
            //   5f                   | je 0x3e2

        $sequence_4 = { 4157 488d6c24a8 4881ec58010000 4c8bf2 c745d801000000 488bf9 48c745e001000000 }
            // n = 7, score = 100
            //   4157                 | test eax, eax
            //   488d6c24a8           | jne 0xb0f
            //   4881ec58010000       | xor dl, dl
            //   4c8bf2               | dec eax
            //   c745d801000000       | mov ecx, ebx
            //   488bf9               | mov esi, eax
            //   48c745e001000000     | test eax, eax

        $sequence_5 = { 0bd7 418bcf 23d3 4133cc 4123ca 4133cf }
            // n = 6, score = 100
            //   0bd7                 | dec ecx
            //   418bcf               | mov eax, ecx
            //   23d3                 | dec esi
            //   4133cc               | lea esi, [edx + eax]
            //   4123ca               | dec eax
            //   4133cf               | ror eax, 0x12

        $sequence_6 = { 488d05f3210300 48894730 488d05b8fd0200 c7472001000000 48c7472806000000 48894748 488d05c63a0300 }
            // n = 7, score = 100
            //   488d05f3210300       | mov byte ptr [edi + 0x2a], al
            //   48894730             | movzx eax, byte ptr [ebx + 0x3c]
            //   488d05b8fd0200       | mov byte ptr [edi + 0x2b], al
            //   c7472001000000       | movzx eax, byte ptr [ebx + 0x3b]
            //   48c7472806000000     | mov byte ptr [edi + 0x2a], al
            //   48894748             | movzx eax, byte ptr [ebx + 0x3c]
            //   488d05c63a0300       | mov byte ptr [edi + 0x2b], al

        $sequence_7 = { 4233541bfc 418953fc 4883ee01 0f8575ffffff 488b5c2410 488b6c2418 488b742420 }
            // n = 7, score = 100
            //   4233541bfc           | xor edx, eax
            //   418953fc             | rol ecx, 0xf
            //   4883ee01             | inc ecx
            //   0f8575ffffff         | mov eax, eax
            //   488b5c2410           | dec eax
            //   488b6c2418           | lea edi, [ebp - 0x70]
            //   488b742420           | je 0x916

        $sequence_8 = { 41be01000000 48f7d9 0f1f440000 488d0419 4883f801 0f8c6afdffff 48ffcb }
            // n = 7, score = 100
            //   41be01000000         | dec eax
            //   48f7d9               | lea eax, [eax + 4]
            //   0f1f440000           | dec eax
            //   488d0419             | sub edx, 1
            //   4883f801             | jne 0x11a1
            //   0f8c6afdffff         | inc esp
            //   48ffcb               | lea eax, [edx + 0x40]

        $sequence_9 = { 488d3dabd0fcff 44334a04 498bd8 448b11 418bc1 443312 }
            // n = 6, score = 100
            //   488d3dabd0fcff       | mov eax, edx
            //   44334a04             | add eax, esi
            //   498bd8               | inc ebp
            //   448b11               | xor eax, ebx
            //   418bc1               | inc esp
            //   443312               | add eax, eax

    condition:
        // Requires any 7 of the 10 code sequences, so a single mutated or
        // recompiled function does not by itself defeat the rule. The size cap
        // (1032192 bytes = 1008 KiB) keeps the rule off large containers;
        // presumably it was derived from the documented sample's size, so a
        // packed or embedded copy above that size will not match — confirm
        // against the sample set before relying on it for hunting.
        7 of them and filesize < 1032192
}