Cyble – Deep Dive Analysis – Pandora Ransomware

Cyble’s deep-dive into Pandora ransomware unveils its encryption behavior, links to ROOK-like TTPs, and notable anti-analysis and cleanup techniques. The analysis details a UPX-packed, C++-compiled payload that uses mutexes, privilege escalation, ETW/AMSI evasion, shadow-copy deletion, and multithreaded file encryption, with indications Pandora may be a ROOK re-brand and a double-extortion actor. #PandoraRansomware #ROOKRansomware #DataLeakSite #DoubleExtortion #UPXPacker #ETW #AMSI

Key points

  • Pandora ransomware encrypts the victim’s files and drops a ransom note named Restore_My_Files.txt in each folder, renaming encrypted files with the .Pandora extension.
  • The sample is UPX-packed and written in Visual C++, with encrypted strings and code structure designed to hinder debugging.
  • It uses a mutex (ThisIsMutexa) to ensure a single instance and elevates privileges via NtSetInformationProcess to mark the process as critical.
  • ETW is disabled and AMSI is bypassed to evade detection, aiding stealth during execution.
  • Cleanup routines include reducing process priority, emptying the recycle bin, and deleting shadow copies via vssadmin, to hinder recovery.
  • Pandora targets specific files and folders, excludes many system and application directories, and uses FindFirstFileW/FindNextFileW to locate targets, with multi-threaded encryption for speed.
  • There are indications Pandora may be a ROOK re-brand, sharing similar TTPs and a contested link to a large automotive technology provider.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Uses Windows API calls (FindFirstFileW and FindNextFileW) to enumerate files before encryption. “Finally, the ransomware searches for files using FindFirstFileW() and FindNextFileW() APIs and then proceeds to encrypt them.”
  • [T1548] Abuse Elevation Control Mechanism – Elevates privilege via NtSetInformationProcess to mark the malware as a critical process. “loads ntdll.dll and calls the NtSetInformationProcess() API, which changes the privilege level and sets the malware file as a critical process.”
  • [T1134] Access Token Manipulation – Combined with T1548, enabling privilege changes described above.
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Disables ETW by patching EtwEventWrite() and bypasses AMSI to evade antivirus detection. “patching the EtwEventWrite() function and further bypasses AMSI to evade detection by Anti-Virus products.”
  • [T1027] Obfuscated/Encrypted Files or Information – Encrypted strings and obfuscated control flow to hinder analysis. “encrypted strings and several jumps and calls that can make debugging difficult.”
  • [T1082] System Information Discovery – Collects volume details via GetDriveTypeW, FindFirstVolumeW, FindNextVolumeW, GetVolumePathNamesForVolumeNameW, GetLogicalDrives. “Before obtaining volume details by calling the APIs such as GetDriveTypeW…”
  • [T1083] File and Directory Discovery – Enumerates target files using FindFirstFileW and FindNextFileW before encryption. “FindFirstFileW() and FindNextFileW()…”
  • [T1490] Inhibit System Recovery – Deletes shadow copies with vssadmin to defeat recovery. “Deletes shadow copies using vssadmin using ShellExecuteW() API.”
  • [T1486] Data Encrypted for Impact – Encrypts files and displays the ransom note; files are renamed with .Pandora extension. “The ransomware encrypts the victim’s system and drops the ransom note… After encryption, the file is renamed with the extension ‘.Pandora’.”

Indicators of Compromise

  • [MD5] Executable binary – 0c4a84b66832a08dccc42b478d9d5e1b
  • [SHA-1] Executable binary – 160320b920a5ef22ac17b48146152ffbef60461f
  • [SHA-256] Executable binary – 5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b
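The following is an added example written for this summary, not code from Cyble or from the report. It turns the indicators above into two defender-side checks: a hash comparison against the three published digests, and a line classifier for the behavioural markers the report names (vssadmin shadow-copy deletion for T1490; the Restore_My_Files.txt note and the .Pandora extension for T1486). The event lines are constructed, Sysmon-style key=value text; the field names (EventID, Image, CommandLine, TargetFilename) are an assumed layout, not a format the report documents.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional

# File-hash IoCs for the Pandora executable, as listed in the Cyble report.
PANDORA_IOCS: Dict[str, str] = {
    "md5": "0c4a84b66832a08dccc42b478d9d5e1b",
    "sha1": "160320b920a5ef22ac17b48146152ffbef60461f",
    "sha256": "5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b",
}

# Behavioural markers from the report: vssadmin shadow-copy deletion (T1490),
# the ransom note file name and the .Pandora extension (T1486).
VSSADMIN_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
RANSOM_NOTE = "restore_my_files.txt"
PANDORA_EXT_RE = re.compile(r"\.pandora(?=[\s\"']|$)", re.IGNORECASE)


def _new_hashers():
    return {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 of in-memory data in one pass."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file through all three hashers so large binaries are not read whole."""
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_digests(digests: Dict[str, str]) -> List[str]:
    """Return the algorithms whose digest equals the published Pandora IoC."""
    return sorted(
        alg for alg, ioc in PANDORA_IOCS.items() if digests.get(alg, "").lower() == ioc
    )


def classify_event(line: str) -> Optional[str]:
    """Map one event line to a MITRE-tagged detection, or None if nothing matches."""
    if VSSADMIN_RE.search(line):
        return "T1490:shadow_copy_deletion"
    lowered = line.lower()
    if RANSOM_NOTE in lowered:
        return "T1486:ransom_note_dropped"
    if PANDORA_EXT_RE.search(line):
        return "T1486:pandora_extension"
    return None


def summarize_events(lines: Iterable[str]) -> Dict[str, int]:
    """Count detections per tag; a host showing all three tags in a short window warrants triage."""
    counts: Dict[str, int] = {}
    for line in lines:
        tag = classify_event(line)
        if tag:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


# Constructed sample events (assumed Sysmon-like layout, not taken from the report).
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c vssadmin delete shadows /all /quiet"',
    r'EventID=11 Image=C:\Users\alice\Downloads\update.exe TargetFilename=C:\Users\alice\Documents\Restore_My_Files.txt',
    r'EventID=11 Image=C:\Users\alice\Downloads\update.exe TargetFilename=C:\Users\alice\Documents\report.docx.Pandora',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe notes.txt"',
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(classify_event(line), "<-", line[:70])
    print(summarize_events(SAMPLE_EVENTS))
    # Hash-check a file on disk and compare with the IoCs (path is a placeholder).
    # print(match_digests(hash_file("C:/path/to/suspect.exe")))
```

The hash check is exact-match only, so it catches the analysed sample but not a repacked build; the behavioural classifier is what carries over to variants, and the vssadmin pattern in particular is worth alerting on regardless of which family issues it.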

Read more: https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/