[QuickNote] Analysis of Pandora ransomware

Posted: March 21, 2022 in My Tutorials, [QuickNote] Analysis of Pandora ransomware
Tags: , , , , , ,


  • Pandora’s code looks very weird and obfuscate complicated, so this analysis does not cover all its functions.
  • I’m not a crypto expert, so I won’t dive into Pandora’s function like generating encryption key, process of creating threads to do its main task of encrypting files, writing file footer,..
  • During malware code analysis, I found that Pandora and Rook ransomware (https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware) shared a lot of similarities.

1. Pandora sample

The analyzed sample is a 64-bit executable: 0c4a84b66832a08dccc42b478d9d5e1b

2. Manual unpacking

Quick check the sample with some tools like ExeInfo PE, DiE, all results show that this sample is packed by UPX.

Checking more information about sections shows that the names of sections have been changed, not UPX0, UPX1, it changed to pppp and cccc.

Additionally, the information behind the 3.00 UPX! strings were stripped by the attacker:

Therefore, we can not use the upx -d command to auto unpack this sample:

For manually unpacking, I used x64dbg to find OEP and Scylla to dump the file and fix the IAT:

Here is the unpacked file that can run normally: 1497ac198a13de8c4e6d1a1e73eaa50f

3. Pandora Code Obfuscation

Pandora developer makes it very difficult for static analysis, its code uses indirect calls through registers rax, rdx, rbp, etc. Important strings such as Mutex name, Dll Name, PUBLIC KEY info, Ransom note, are already encrypted and decrypted when the malicious code executes.

Related to indirect calls, it can be seen as follows:

  • The calls to the decrypt string function will take the rdx and rcx registers as parameters. The rdx register will point to the memory area containing the encrypted string. The rcx register will point to the memory area containing the decoded string.
  • The calls to the API functions or Pandora’s function should look like this:

Besides, Pandora also applies control flow obfuscation technique. For example, the pseudo-code of function that decrypt the string is as follows:

4. Analyze some of the main functions of Pandora

To be able to analyze, I use IDA in combination with Bochs debugger.

4.1. Create Mutex
  • First, Pandora decrypts the mutex name is “ThisIsMutexa”, then call the OpenMutexA function to check the existence of this mutex.
  • If the mutex has not been created, call the CreateMutexA function to create the mutex to ensure that only one instance of the malware is running in the system.

4.2. Call NtSetInformationProcess

Pandora decrypts the string “NtSetInformationProcess“, calls the GetProcAddress function to retrieve the address. Then call the function NtSetInformationProcess with the ProcessInformationClass parameter passed as “ProcessInstrumentationCallback”:

I still do not know the purpose of using this function of Pandora.

4.3. Patching EtwEventWrite function

To disable ETW logging, Pandora decrypts the string “EtwEventWrite” and uses GetProcAddress to get the address of the function. Then use WriteProcessMemory to replace the first byte of the EtwEventWrite function with the opcode 0xC3 for the purpose to return immediately stopping the user-mode loggers.

4.4. Defeat AmsiScanBuffer function

Pandora decrypts the string “amsi.dll” and calls the GetModuleHandleA function to get the amsi handle.

Decrypts the string “AmsiScanBuffer” and get the address of the function. Then use VirtualProtectEx to change the protection at the AmsiScanBuffer.

4.5. Generate RSA key

Pandora decrypts the string “fast_test“, then uses the CryptAcquireContext, CryptGenRandom functions to generate a random bytes buffer:

Pandora calls the function to decrypt the RSA public key. Then call the mbedtls_pk_parse_public_key function to parse this public key:

The decrypted content of the Public key is as follows:


Use the RegCreateKeyExW function to open the “Software” subkey in the HKEY_CURRENT_USER branch.

Then call the RegQueryValueExW function to check if the registry value “Public” exists in there:

If it does not, the malware generates a public-private key pair for the victim.

4.6. Update shutdown priority

Pandora calls the SetProcessShutdownParameters function to sets a shutdown order:

4.7. Empty all Recycle Bins on all drives

For empty all recycle bins, Pandora calls the function SHEmptyRecycleBinA:

4.8. Deleting Shadow Copies

By calling IsWow64Process, Pandora checks if its process is running under a 64-bit system. If it is, then it calls Wow64DisableWow64FsRedirection to disable file system redirection for its process. Finally, it calls ShellExecuteW to launch a command for deleting all shadow copies:

The command is:

cmd.exe "/c vssadmin.exe delete shadows /all /quiet"

4.9. Manually mount drives

Pandora provides a built-in list of drive letters:

The complete list is as follows:

UPX1:0000000140047712     str_Q:
UPX1:0000000140047712             text "UTF-16LE", 'Q:\',0
UPX1:000000014004771A     str_W:
UPX1:000000014004771A             text "UTF-16LE", 'W:\',0
UPX1:0000000140047722     str_E:
UPX1:0000000140047722             text "UTF-16LE", 'E:\',0
UPX1:000000014004772A     str_R:
UPX1:000000014004772A             text "UTF-16LE", 'R:\',0
UPX1:0000000140047732     str_T:
UPX1:0000000140047732             text "UTF-16LE", 'T:\',0
UPX1:000000014004773A     str_Y:
UPX1:000000014004773A             text "UTF-16LE", 'Y:\',0
UPX1:0000000140047742     str_U:
UPX1:0000000140047742             text "UTF-16LE", 'U:\',0
UPX1:000000014004774A     str_I:
UPX1:000000014004774A             text "UTF-16LE", 'I:\',0
UPX1:0000000140047752     str_O_0:
UPX1:0000000140047752             text "UTF-16LE", 'O:\',0
UPX1:000000014004775A     str_P_0:
UPX1:000000014004775A             text "UTF-16LE", 'P:\',0
UPX1:0000000140047762     str_A:
UPX1:0000000140047762             text "UTF-16LE", 'A:\',0
UPX1:000000014004776A     str_S:
UPX1:000000014004776A             text "UTF-16LE", 'S:\',0
UPX1:0000000140047772     str_D:
UPX1:0000000140047772             text "UTF-16LE", 'D:\',0
UPX1:000000014004777A     str_F:
UPX1:000000014004777A             text "UTF-16LE", 'F:\',0
UPX1:0000000140047782     str_G:
UPX1:0000000140047782             text "UTF-16LE", 'G:\',0
UPX1:000000014004778A     str_H:
UPX1:000000014004778A             text "UTF-16LE", 'H:\',0
UPX1:0000000140047792     str_J:
UPX1:0000000140047792             text "UTF-16LE", 'J:\',0
UPX1:000000014004779A     str_K:
UPX1:000000014004779A             text "UTF-16LE", 'K:\',0
UPX1:00000001400477A2     str_L_0:
UPX1:00000001400477A2             text "UTF-16LE", 'L:\',0
UPX1:00000001400477AA     str_Z:
UPX1:00000001400477AA             text "UTF-16LE", 'Z:\',0
UPX1:00000001400477B2     str_X:
UPX1:00000001400477B2             text "UTF-16LE", 'X:\',0
UPX1:00000001400477BA     str_C_0:
UPX1:00000001400477BA             text "UTF-16LE", 'C:\',0
UPX1:00000001400477C2     str_V:
UPX1:00000001400477C2             text "UTF-16LE", 'V:\',0
UPX1:00000001400477CA     str_B:
UPX1:00000001400477CA             text "UTF-16LE", 'B:\',0
UPX1:00000001400477D2     str_N:
UPX1:00000001400477D2             text "UTF-16LE", 'N:\',0
UPX1:00000001400477DA     str_M_0:
UPX1:00000001400477DA             text "UTF-16LE", 'M:\',0

Then it uses the function GetDriveTypeW to find drives with type DRIVE_NO_ROOT_DIR.

Next Pandora calls the FindFirstVolumeW, GetVolumePathNamesForVolumeNameW, SetVolumeMountPointW, FindNextVolumeW functions to mount the drives.

4.10. Drop ransom note

Pandora decrypts the ransom note, then writes it to a file named Restore_My_Files.txt:

The full content of Ransom note is as follows:

### What happened?
#### !!!Your files are encrypted!!!
*All your files are protected by strong encryption with RSA-2048.*
*There is no public decryption software.*
*We have successfully stolen your confidential document data, finances, emails, employee information, customers, research and development products...*
#### What is the price?
*The price depends on how fast you can write to us.*
*After payment, we will send you the decryption tool which will decrypt all your files.*
#### What should I do?

*There is only one way to get your files back -->>Contact us, pay and get decryption software.*
*If you decline payment, we will share your data files with the world.*
*You can browse your data breach here: http://vbfqeh5nugm6r2u2qvghsdxm3fotf5wbxb5ltv6vw77vus5frdpuaiid.onion*
(you should download and install TOR browser first hxxps://torproject.org)
#### !!!Decryption Guaranteed!!!
*Free decryption As a guarantee, you can send us up to 3 free decrypted files before payment.*
#### !!!Contact us!!!
#### !!!Warning!!!
*Do not attempt to decrypt your data using third-party software, this may result in permanent data loss.*
*Decrypting your files with the help of a third party may result in a price increase (they charge us a fee), or you may fall victim to a scam.*
*Don't try to delete programs or run antivirus tools. It won't work.*
*Attempting to self-decrypt the file will result in the loss of your data.*

4.11. List of file extension and directories to avoid

Before performing encryption, Pandora will check if the filename is not in the list of files and directories to avoid.

Here is the complete avoid list:

UPX1:000000014004828C 2E 00 68 00 74 00 61 00+        text "UTF-16LE", '.hta',0
UPX1:0000000140048296                         str_exe:
UPX1:0000000140048296 2E 00 65 00 78 00 65 00+        text "UTF-16LE", '.exe',0
UPX1:00000001400482A0                         str_dll:
UPX1:00000001400482A0 2E 00 64 00 6C 00 6C 00+        text "UTF-16LE", '.dll',0
UPX1:00000001400482AA                         str_cpl:
UPX1:00000001400482AA 2E 00 63 00 70 00 6C 00+        text "UTF-16LE", '.cpl',0
UPX1:00000001400482B4                         str_ini:
UPX1:00000001400482B4 2E 00 69 00 6E 00 69 00+        text "UTF-16LE", '.ini',0
UPX1:00000001400482BE                         str_cab:
UPX1:00000001400482BE 2E 00 63 00 61 00 62 00+        text "UTF-16LE", '.cab',0
UPX1:00000001400482C8                         str_cur:
UPX1:00000001400482C8 2E 00 63 00 75 00 72 00+        text "UTF-16LE", '.cur',0
UPX1:00000001400482D2                         str_drv:
UPX1:00000001400482D2 2E 00 64 00 72 00 76 00+        text "UTF-16LE", '.drv',0
UPX1:00000001400482DC                         str_hlp:
UPX1:00000001400482DC 2E 00 68 00 6C 00 70 00+        text "UTF-16LE", '.hlp',0
UPX1:00000001400482E6                         str_icl:
UPX1:00000001400482E6 2E 00 69 00 63 00 6C 00+        text "UTF-16LE", '.icl',0
UPX1:00000001400482F0                         str_icns:
UPX1:00000001400482F0 2E 00 69 00 63 00 6E 00+        text "UTF-16LE", '.icns',0
UPX1:00000001400482FC                         str_ico:
UPX1:00000001400482FC 2E 00 69 00 63 00 6F 00+        text "UTF-16LE", '.ico',0
UPX1:0000000140048306                         str_idx:
UPX1:0000000140048306 2E 00 69 00 64 00 78 00+        text "UTF-16LE", '.idx',0
UPX1:0000000140048310                         str_sys:
UPX1:0000000140048310 2E 00 73 00 79 00 73 00+        text "UTF-16LE", '.sys',0
UPX1:000000014004831A                         str_spl:
UPX1:000000014004831A 2E 00 73 00 70 00 6C 00+        text "UTF-16LE", '.spl',0
UPX1:0000000140048324                         str_ocx:
UPX1:0000000140048324 2E 00 6F 00 63 00 78 00+        text "UTF-16LE", '.ocx',0

UPX1:0000000140048334                         str_AppData:
UPX1:0000000140048334 41 00 70 00 70 00 44 00+        text "UTF-16LE", 'AppData',0
UPX1:0000000140048344                         str_Boot:
UPX1:0000000140048344 42 00 6F 00 6F 00 74 00+        text "UTF-16LE", 'Boot',0
UPX1:000000014004834E                         str_Windows:
UPX1:000000014004834E 57 00 69 00 6E 00 64 00+        text "UTF-16LE", 'Windows',0
UPX1:000000014004835E                         str_Windowsold:
UPX1:000000014004835E 57 00 69 00 6E 00 64 00+        text "UTF-16LE", 'Windows.old',0
UPX1:0000000140048376                         str_TorBrowser:
UPX1:0000000140048376 54 00 6F 00 72 00 20 00+        text "UTF-16LE", 'Tor Browser',0
UPX1:000000014004838E                         str_InternetExplorer:
UPX1:000000014004838E 49 00 6E 00 74 00 65 00+        text "UTF-16LE", 'Internet Explorer',0
UPX1:00000001400483B2                         str_Google:
UPX1:00000001400483B2 47 00 6F 00 6F 00 67 00+        text "UTF-16LE", 'Google',0
UPX1:00000001400483C0                         str_Opera:
UPX1:00000001400483C0 4F 00 70 00 65 00 72 00+        text "UTF-16LE", 'Opera',0
UPX1:00000001400483CC                         str_OperaSoftware:
UPX1:00000001400483CC 4F 00 70 00 65 00 72 00+        text "UTF-16LE", 'Opera Software',0
UPX1:00000001400483EA                         str_Mozilla:
UPX1:00000001400483EA 4D 00 6F 00 7A 00 69 00+        text "UTF-16LE", 'Mozilla',0
UPX1:00000001400483FA                         str_MozillaFirefox:
UPX1:00000001400483FA 4D 00 6F 00 7A 00 69 00+        text "UTF-16LE", 'Mozilla Firefox',0
UPX1:000000014004841A                         str_RecycleBin:
UPX1:000000014004841A 24 00 52 00 65 00 63 00+        text "UTF-16LE", '$Recycle.Bin',0
UPX1:0000000140048434                         str_ProgramData:
UPX1:0000000140048434 50 00 72 00 6F 00 67 00+        text "UTF-16LE", 'ProgramData',0
UPX1:000000014004844C                         str_AllUsers:
UPX1:000000014004844C 41 00 6C 00 6C 00 20 00+        text "UTF-16LE", 'All Users',0
UPX1:0000000140048460                         str_autoruninf:
UPX1:0000000140048460 61 00 75 00 74 00 6F 00+        text "UTF-16LE", 'autorun.inf',0
UPX1:0000000140048478                         str_bootini:
UPX1:0000000140048478 62 00 6F 00 6F 00 74 00+        text "UTF-16LE", 'boot.ini',0
UPX1:000000014004848A                         str_bootfontbin:
UPX1:000000014004848A 62 00 6F 00 6F 00 74 00+        text "UTF-16LE", 'bootfont.bin',0
UPX1:00000001400484A4                         str_bootsectbak:
UPX1:00000001400484A4 62 00 6F 00 6F 00 74 00+        text "UTF-16LE", 'bootsect.bak',0
UPX1:00000001400484BE                         str_bootmgr:
UPX1:00000001400484BE 62 00 6F 00 6F 00 74 00+        text "UTF-16LE", 'bootmgr',0
UPX1:00000001400484CE                         str_bootmgrefi:
UPX1:00000001400484CE 62 00 6F 00 6F 00 74 00+        text "UTF-16LE", 'bootmgr.efi',0
UPX1:00000001400484E6                         str_bootmgfwefi:
UPX1:00000001400484E6 62 00 6F 00 6F 00 74 00+        text "UTF-16LE", 'bootmgfw.efi',0
UPX1:0000000140048500                         str_desktopini:
UPX1:0000000140048500 64 00 65 00 73 00 6B 00+        text "UTF-16LE", 'desktop.ini',0
UPX1:0000000140048518                         str_iconcachedb:
UPX1:0000000140048518 69 00 63 00 6F 00 6E 00+        text "UTF-16LE", 'iconcache.db',0
UPX1:0000000140048532                         str_ntldr:
UPX1:0000000140048532 6E 00 74 00 6C 00 64 00+        text "UTF-16LE", 'ntldr',0
UPX1:000000014004853E                         str_ntuserdat:
UPX1:000000014004853E 6E 00 74 00 75 00 73 00+        text "UTF-16LE", 'ntuser.dat',0
UPX1:0000000140048554                         str_ntuserdatlog:
UPX1:0000000140048554 6E 00 74 00 75 00 73 00+        text "UTF-16LE", 'ntuser.dat.log',0
UPX1:0000000140048572                         str_ntuserini:
UPX1:0000000140048572 6E 00 74 00 75 00 73 00+        text "UTF-16LE", 'ntuser.ini',0
UPX1:0000000140048588                         str_thumbsdb:
UPX1:0000000140048588 74 00 68 00 75 00 6D 00+        text "UTF-16LE", 'thumbs.db',0
UPX1:000000014004859C                         str_ProgramFiles:
UPX1:000000014004859C 50 00 72 00 6F 00 67 00+        text "UTF-16LE", 'Program Files',0
UPX1:00000001400485B8                         str_ProgramFilesx86:
UPX1:00000001400485B8 50 00 72 00 6F 00 67 00+        text "UTF-16LE", 'Program Files (x86)',0
UPX1:00000001400485E0                         str_recycle:
UPX1:00000001400485E0 23 00 72 00 65 00 63 00+        text "UTF-16LE", '#recycle',0
UPX1:00000001400485F2 2E 00 2E 00 00 00               text "UTF-16LE", '..',0
UPX1:00000001400485F8 2E 00 00 00                     text "UTF-16LE", '.',0
Source: vx-underground (@vxunderground)



  1. […] 0day in {REA_TEAM}[QuickNote] Analysis of Pandora ransomware […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.