Quick revs: Pandora Ransomware - The Box has been open for a while...
Tags
attack-pattern: | Data Hardware - T1592.001 Malware - T1587.001 Malware - T1588.001 Tool - T1588.002 |
Common Information
Type | Value |
---|---|
UUID | 144e5ff6-ae4f-4250-9b82-24e04f75123a |
Fingerprint | 3c0798b21d958293 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | March 16, 2022, midnight |
Added to db | Sept. 11, 2022, 12:33 p.m. |
Last updated | Nov. 17, 2024, 5:58 p.m. |
Headline | UNKNOWN |
Title | Quick revs: Pandora Ransomware - The Box has been open for a while... |
Detected Hints/Tags/Attributes | 39/1/26 |
Source URLs
Details | Redirection | Url |
---|---|---|
Details | Source | https://dissectingmalwa.re/blog/pandora |
Details | Source | https://dissectingmalwa.re/blog/pandora/ |
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 4 | | dissectingmalwa.re |
Details | | 2 | | hello@dissectingmalwa.re |
Details | File | 1 | | 1vfrk1jrt.dll |
Details | File | 1 | | m3do2.exe |
Details | File | 1 | | 7nm2j.txt |
Details | File | 229 | | advapi32.dll |
Details | File | 748 | | kernel32.dll |
Details | File | 45 | | mpr.dll |
Details | File | 185 | | shell32.dll |
Details | File | 69 | | shlwapi.dll |
Details | File | 291 | | user32.dll |
Details | md5 | 4 | | 0c4a84b66832a08dccc42b478d9d5e1b |
Details | md5 | 1 | | 511501033ca23754113686ac70f629db |
Details | md5 | 2 | | bec9b3480934ce3d30c25e1272f60d02 |
Details | md5 | 1 | | afdf739eb186e2ec8088b008797d1f6d |
Details | md5 | 1 | | 51a8b4c9f41b0c0ca57db63e21505b0d |
Details | sha1 | 3 | | 160320b920a5ef22ac17b48146152ffbef60461f |
Details | sha1 | 1 | | 26a02a149aca6a8a43e2dca5c75a6360cfe54c50 |
Details | sha1 | 2 | | 104d9e31e34ba8517f701552594f1fc167550964 |
Details | sha1 | 1 | | f611c2976ebb080214eddd905d30628230f2280d |
Details | sha256 | 2 | | 5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b |
Details | sha256 | 1 | | 2c940a35025dd3847f7c954a282f65e9c2312d2ada28686f9d1dc73d1c500224 |
Details | sha256 | 2 | | f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789 |
Details | sha256 | 1 | | ebfdee6e5fe2aa5699280248a5e7b714ca18e5bfd284cac0ba4fb88ccbcec5b6 |
Details | Url | 1 | | https://dissectingmalwa.re/blog/pandora |
Details | Yara rule | 1 | | upx_packer_modified_pandora (rule text below) |

The Yara rule attribute, reflowed from the single-line record into its original multi-line form:

```yara
import "pe"

rule upx_packer_modified_pandora : Packer
{
    meta:
        author = "Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>"
        description = "Detects modified UPX packer used by Pandora Ransomware"
        reference = "https://dissectingmalwa.re/blog/pandora/"
        date = "2022-03-16"
        tlp = "WHITE"
        hash = "5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b"

    strings:
        // UPX version string "3.00", a NUL byte, then the "UPX!" magic
        $header = { 33 2E 30 30 00 55 50 58 21 }

    condition:
        // MZ header, the import hash seen in the Pandora sample, and the UPX header bytes
        uint16(0) == 0x5a4d and
        pe.imphash() == "51a8b4c9f41b0c0ca57db63e21505b0d" and
        $header and
        // the modified packer renames the UPX sections to adjacent "pppp" / "cccc" sections
        for any i in (0 .. pe.number_of_sections) : (
            pe.sections[i].name == "pppp" and
            pe.sections[i + 1].name == "cccc"
        ) and
        filesize > 112KB and filesize < 1MB
}
```