win.pandora

Pandora

Pandora ransomware was obtained by vx-underground on 2022-03-14.

References
2022-06-23 | Secureworks | Counter Threat Unit Research Team
@online{researchteam:20220623:bronze:8bccd74, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}}, date = {2022-06-23}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader}, language = {English}, urldate = {2022-09-20} }
Families: ATOMSILO, Cobalt Strike, HUI Loader, LockFile, NightSky, Pandora, PlugX, Quasar RAT, Rook, SodaMaster

2022-05-12 | Cloudsek | Anandeshwar Unnikrishnan
@online{unnikrishnan:20220512:technical:87d0cbd, author = {Anandeshwar Unnikrishnan}, title = {{Technical Analysis of Emerging, Sophisticated Pandora Ransomware Group}}, date = {2022-05-12}, organization = {Cloudsek}, url = {https://cloudsek.com/technical-analysis-of-emerging-sophisticated-pandora-ransomware-group/}, language = {English}, urldate = {2022-05-17} }
Families: Pandora

2022-05-09 | Microsoft Security | Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team
@online{center:20220509:ransomwareasaservice:3dac44d, author = {Microsoft Threat Intelligence Center and Microsoft 365 Defender Threat Intelligence Team}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/}, language = {English}, urldate = {2022-06-02} }
Families: Griffon, BazarBackdoor, BlackCat, BlackMatter, Blister, Gozi, LockBit, Pandora, Rook, SystemBC, TrickBot

2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} }
Families: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT

2022-04-19 | Fortinet | Gergely Revay
@online{revay:20220419:using:51d31d5, author = {Gergely Revay}, title = {{Using Emulation Against Anti-Reverse Engineering Techniques}}, date = {2022-04-19}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/Using-emulation-against-anti-reverse-engineering-techniques}, language = {English}, urldate = {2022-04-25} }
Families: Pandora

2022-04-07 | Fortinet | Gergely Revay, Shunichi Imano
@online{revay:20220407:looking:d148b0f, author = {Gergely Revay and Shunichi Imano}, title = {{Looking Inside Pandora’s Box}}, date = {2022-04-07}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/looking-inside-pandoras-box}, language = {English}, urldate = {2022-04-08} }
Families: Pandora

2022-03-21 | VinCSS | Tran Trung Kien, m4n0w4r
@online{kien:20220321:quicknote:4be36f8, author = {Tran Trung Kien and m4n0w4r}, title = {{[QuickNote] Analysis of Pandora ransomware}}, date = {2022-03-21}, organization = {VinCSS}, url = {https://kienmanowar.wordpress.com/2022/03/21/quicknote-analysis-of-pandora-ransomware/}, language = {English}, urldate = {2022-03-22} }
Families: Pandora

2022-03-16 | Dissecting Malware | Marius Genheimer
@online{genheimer:20220316:quick:f97769c, author = {Marius Genheimer}, title = {{Quick revs: Pandora Ransomware - The Box has been open for a while...}}, date = {2022-03-16}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/blog/pandora/}, language = {English}, urldate = {2022-03-17} }
Families: Pandora

2022-03-15 | cyble | Cyble
@online{cyble:20220315:deep:6e5c8b7, author = {Cyble}, title = {{Deep Dive Analysis - Pandora Ransomware}}, date = {2022-03-15}, organization = {cyble}, url = {https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/}, language = {English}, urldate = {2022-09-19} }
Families: Pandora, Rook
Yara Rules
[TLP:WHITE] win_pandora_auto (20230125 | Detects win.pandora.)
rule win_pandora_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.pandora."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fb6c8 41c1e108 420fb68411401b0600 4433c8 41c1e108 418bc6 c1e808 }
            // n = 7, score = 100
            //   0fb6c8               | lea                 eax, [ebp - 0x29]
            //   41c1e108             | dec                 eax
            //   420fb68411401b0600     | lea    eax, [ebp - 0x29]
            //   4433c8               | dec                 ebp
            //   41c1e108             | mov                 ecx, esi
            //   418bc6               | dec                 eax
            //   c1e808               | mov                 ecx, dword ptr [ebp + 0x67]

        $sequence_1 = { 440bd0 410fb6410d 41c1e208 440bd0 410fb6410c 41c1e208 440bd0 }
            // n = 7, score = 100
            //   440bd0               | test                eax, eax
            //   410fb6410d           | jne                 0xa9e
            //   41c1e208             | pop                 esi
            //   440bd0               | dec                 eax
            //   410fb6410c           | sub                 esp, 0x28
            //   41c1e208             | dec                 eax
            //   440bd0               | lea                 edi, [esi + 0x78000]

        $sequence_2 = { bf94ffffff 8bc7 85c0 0f883c010000 488bcb 482bce 4883f901 }
            // n = 7, score = 100
            //   bf94ffffff           | mov                 dword ptr [edi + eax*4], edx
            //   8bc7                 | dec                 eax
            //   85c0                 | lea                 ecx, [ecx + 0x10]
            //   0f883c010000         | mov                 edx, dword ptr [ecx]
            //   488bcb               | inc                 ecx
            //   482bce               | mov                 eax, edi
            //   4883f901             | dec                 eax

        $sequence_3 = { 498db578100600 0f11442430 4903f1 4c8d542444 498bfb 0f1f00 443836 }
            // n = 7, score = 100
            //   498db578100600       | inc                 esp
            //   0f11442430           | add                 ebx, eax
            //   4903f1               | add                 ebx, edi
            //   4c8d542444           | inc                 ecx
            //   498bfb               | rol                 eax, 9
            //   0f1f00               | inc                 esp
            //   443836               | add                 eax, edi

        $sequence_4 = { 7ccf 418bd2 4c8d05c5c20500 41b90a000000 8bc2 418910 2480 }
            // n = 7, score = 100
            //   7ccf                 | dec                 eax
            //   418bd2               | sub                 esp, 0x48
            //   4c8d05c5c20500       | test                byte ptr [ecx + 0xa4], 0x10
            //   41b90a000000         | dec                 ebp
            //   8bc2                 | mov                 esp, ecx
            //   418910               | inc                 eax
            //   2480                 | push                ebx

        $sequence_5 = { 488d1df3fa0200 eb07 488d1dd2fa0200 4883a4249800000000 4084f6 740b b903000000 }
            // n = 7, score = 100
            //   488d1df3fa0200       | dec                 esp
            //   eb07                 | mov                 dword ptr [eax], esi
            //   488d1dd2fa0200       | dec                 ebp
            //   4883a4249800000000     | test    esi, esi
            //   4084f6               | jne                 0x2009
            //   740b                 | xor                 eax, eax
            //   b903000000           | ret                 

        $sequence_6 = { 4863c2 418911 4d8d4904 44890484 0fb6c2 02c0 0fb6c8 }
            // n = 7, score = 100
            //   4863c2               | js                  0x14ab
            //   418911               | nop                 dword ptr [eax + eax]
            //   4d8d4904             | dec                 esp
            //   44890484             | mov                 eax, edi
            //   0fb6c2               | dec                 eax
            //   02c0                 | lea                 edx, [ebp - 0x19]
            //   0fb6c8               | dec                 eax

        $sequence_7 = { 4133cb 41c1c802 03c3 8b5c2438 03c8 4403d1 8bca }
            // n = 7, score = 100
            //   4133cb               | test                ebx, ebx
            //   41c1c802             | jne                 0x1c9e
            //   03c3                 | dec                 eax
            //   8b5c2438             | lea                 ecx, [ebp - 0x31]
            //   03c8                 | mov                 ebx, eax
            //   4403d1               | test                eax, eax
            //   8bca                 | jne                 0x1a76

        $sequence_8 = { 41b801000000 498d542458 498d4c2458 e8???????? 8bd8 85c0 0f85d9010000 }
            // n = 7, score = 100
            //   41b801000000         | dec                 esp
            //   498d542458           | mov                 dword ptr [eax - 0x20], esi
            //   498d4c2458           | dec                 esp
            //   e8????????           |                     
            //   8bd8                 | mov                 esi, ecx
            //   85c0                 | dec                 esp
            //   0f85d9010000         | mov                 dword ptr [eax - 0x28], edi

        $sequence_9 = { 488d2d90150300 488d4d30 4533c0 baa00f0000 e8???????? 488b05???????? }
            // n = 6, score = 100
            //   488d2d90150300       | mov                 ebx, eax
            //   488d4d30             | jne                 0x44e
            //   4533c0               | dec                 eax
            //   baa00f0000           | lea                 ecx, [edi + 8]
            //   e8????????           |                     
            //   488b05????????       |                     

    condition:
        7 of them and filesize < 1032192
}