win.pandora

Pandora


Pandora ransomware was obtained by vx-underground on 2022-03-14.

References
2022-06-23 | Secureworks | Counter Threat Unit Research Team
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
@online{researchteam:20220623:bronze:8bccd74, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}}, date = {2022-06-23}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader}, language = {English}, urldate = {2022-09-20} }
Tags: ATOMSILO, Cobalt Strike, HUI Loader, LockFile, NightSky, Pandora, PlugX, Quasar RAT, Rook, SodaMaster

2022-05-12 | Cloudsek | Anandeshwar Unnikrishnan
Technical Analysis of Emerging, Sophisticated Pandora Ransomware Group
@online{unnikrishnan:20220512:technical:87d0cbd, author = {Anandeshwar Unnikrishnan}, title = {{Technical Analysis of Emerging, Sophisticated Pandora Ransomware Group}}, date = {2022-05-12}, organization = {Cloudsek}, url = {https://cloudsek.com/technical-analysis-of-emerging-sophisticated-pandora-ransomware-group/}, language = {English}, urldate = {2022-05-17} }
Tags: Pandora

2022-05-09 | Microsoft Security | Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
@online{center:20220509:ransomwareasaservice:3dac44d, author = {Microsoft Threat Intelligence Center and Microsoft 365 Defender Threat Intelligence Team}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/}, language = {English}, urldate = {2022-06-02} }
Tags: Griffon, BazarBackdoor, BlackCat, BlackMatter, Blister, Gozi, LockBit, Pandora, Rook, SystemBC, TrickBot

2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} }
Tags: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT

2022-04-19 | Fortinet | Gergely Revay
Using Emulation Against Anti-Reverse Engineering Techniques
@online{revay:20220419:using:51d31d5, author = {Gergely Revay}, title = {{Using Emulation Against Anti-Reverse Engineering Techniques}}, date = {2022-04-19}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/Using-emulation-against-anti-reverse-engineering-techniques}, language = {English}, urldate = {2022-04-25} }
Tags: Pandora

2022-04-07 | Fortinet | Gergely Revay, Shunichi Imano
Looking Inside Pandora’s Box
@online{revay:20220407:looking:d148b0f, author = {Gergely Revay and Shunichi Imano}, title = {{Looking Inside Pandora’s Box}}, date = {2022-04-07}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/looking-inside-pandoras-box}, language = {English}, urldate = {2022-04-08} }
Tags: Pandora

2022-03-21 | VinCSS | Tran Trung Kien, m4n0w4r
[QuickNote] Analysis of Pandora ransomware
@online{kien:20220321:quicknote:4be36f8, author = {Tran Trung Kien and m4n0w4r}, title = {{[QuickNote] Analysis of Pandora ransomware}}, date = {2022-03-21}, organization = {VinCSS}, url = {https://kienmanowar.wordpress.com/2022/03/21/quicknote-analysis-of-pandora-ransomware/}, language = {English}, urldate = {2022-03-22} }
Tags: Pandora

2022-03-16 | Dissecting Malware | Marius Genheimer
Quick revs: Pandora Ransomware - The Box has been open for a while...
@online{genheimer:20220316:quick:f97769c, author = {Marius Genheimer}, title = {{Quick revs: Pandora Ransomware - The Box has been open for a while...}}, date = {2022-03-16}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/blog/pandora/}, language = {English}, urldate = {2022-03-17} }
Tags: Pandora

2022-03-15 | Cyble | Cyble
Deep Dive Analysis - Pandora Ransomware
@online{cyble:20220315:deep:6e5c8b7, author = {Cyble}, title = {{Deep Dive Analysis - Pandora Ransomware}}, date = {2022-03-15}, organization = {cyble}, url = {https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/}, language = {English}, urldate = {2022-09-19} }
Tags: Pandora, Rook
Yara Rules
[TLP:WHITE] win_pandora_auto (20221125 | Detects win.pandora.)
rule win_pandora_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.pandora."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 23c7 4403c1 8bcf f7d1 41c1c009 4123cf 4503c1 }
            // n = 7, score = 100
            //   23c7                 | ror                 eax, 0xd
            //   4403c1               | inc                 esp
            //   8bcf                 | xor                 eax, eax
            //   f7d1                 | inc                 esp
            //   41c1c009             | mov                 dword ptr [esp + 0x20], edx
            //   4123cf               | inc                 ebp
            //   4503c1               | add                 edx, ecx

        $sequence_1 = { e8???????? 8bf8 85c0 7539 895def eb38 4c8d45ef }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bf8                 | dec                 esp
            //   85c0                 | mov                 dword ptr [esp + 0x128], esp
            //   7539                 | mov                 ecx, edx
            //   895def               | dec                 esp
            //   eb38                 | mov                 esp, dword ptr [ebp + 0xa0]
            //   4c8d45ef             | dec                 eax

        $sequence_2 = { 33d2 4c8d45af 488d4de7 e8???????? 8bd8 85c0 0f850e010000 }
            // n = 7, score = 100
            //   33d2                 | jle                 0x1ce5
            //   4c8d45af             | dec                 eax
            //   488d4de7             | lea                 edx, [ebp - 0x68]
            //   e8????????           |                     
            //   8bd8                 | dec                 eax
            //   85c0                 | lea                 ecx, [ebp - 0x50]
            //   0f850e010000         | test                eax, eax

        $sequence_3 = { 488b05???????? 33d2 ffd0 488b4c2440 e8???????? 8bc3 4c8d5c2450 }
            // n = 7, score = 100
            //   488b05????????       |                     
            //   33d2                 | dec                 esp
            //   ffd0                 | sub                 edi, edi
            //   488b4c2440           | dec                 esp
            //   e8????????           |                     
            //   8bc3                 | lea                 ebp, [ebx + 0x180]
            //   4c8d5c2450           | nop                 dword ptr [eax]

        $sequence_4 = { 8bf0 8b442450 85f6 410f44c7 448bf8 89442430 89442450 }
            // n = 7, score = 100
            //   8bf0                 | shl                 eax, 6
            //   8b442450             | dec                 esp
            //   85f6                 | sub                 eax, ecx
            //   410f44c7             | inc                 ecx
            //   448bf8               | mov                 eax, ecx
            //   89442430             | jmp                 0xed
            //   89442450             | mov                 dword ptr [eax + ecx*8], esi

        $sequence_5 = { 660f1f840000000000 488b4e10 488bd3 48c1ea03 4c8d04d1 0fb6142b }
            // n = 6, score = 100
            //   660f1f840000000000     | shl    esi, 8
            //   488b4e10             | movzx               ebx, byte ptr [edx + 0x3b]
            //   488bd3               | inc                 esp
            //   48c1ea03             | or                  edi, eax
            //   4c8d04d1             | movzx               eax, byte ptr [edx + 0x3a]
            //   0fb6142b             | movzx               esi, byte ptr [edx + 0x3f]

        $sequence_6 = { c1c105 33fb d1c7 418bee 448b742450 4133ee d1c6 }
            // n = 7, score = 100
            //   c1c105               | mov                 ecx, dword ptr [ebp - 0x18]
            //   33fb                 | dec                 eax
            //   d1c7                 | mov                 ecx, dword ptr [ebp]
            //   418bee               | dec                 eax
            //   448b742450           | test                ecx, ecx
            //   4133ee               | je                  0x144
            //   d1c6                 | call                eax

        $sequence_7 = { 4c8b6c2470 4c8bf1 33c9 4d8bd8 4c8bd2 4d85ed 750e }
            // n = 7, score = 100
            //   4c8b6c2470           | lea                 eax, [ebp - 0xc]
            //   4c8bf1               | dec                 eax
            //   33c9                 | add                 esp, 0x158
            //   4d8bd8               | inc                 ecx
            //   4c8bd2               | pop                 edi
            //   4d85ed               | inc                 ecx
            //   750e                 | pop                 esi

        $sequence_8 = { 488b9540070000 4c8d05d0a80000 498bce e8???????? 85c0 7442 e9???????? }
            // n = 7, score = 100
            //   488b9540070000       | dec                 esp
            //   4c8d05d0a80000       | mov                 edi, dword ptr [esp + 0x70]
            //   498bce               | dec                 esp
            //   e8????????           |                     
            //   85c0                 | mov                 esp, dword ptr [esp + 0x80]
            //   7442                 | dec                 eax
            //   e9????????           |                     

        $sequence_9 = { 48634610 85c0 7805 488bd8 eb14 488b5e18 4883fb30 }
            // n = 7, score = 100
            //   48634610             | mov                 dword ptr [esp + 0x78], eax
            //   85c0                 | dec                 eax
            //   7805                 | mov                 eax, dword ptr [esp + 0x78]
            //   488bd8               | dec                 eax
            //   eb14                 | lea                 eax, [esp + 0x40]
            //   488b5e18             | dec                 eax
            //   4883fb30             | mov                 dword ptr [esp + 0x80], eax

    condition:
        7 of them and filesize < 1032192
}