# [QuickNote] Analysis of Pandora ransomware

[kienmanowar.wordpress.com/2022/03/21/quicknote-analysis-of-pandora-ransomware/](https://kienmanowar.wordpress.com/2022/03/21/quicknote-analysis-of-pandora-ransomware/)

March 21, 2022

## FOREWORD

Pandora's code looks very weird and is obfuscated in a complicated way, so this analysis does not cover all of its functions. I'm not a crypto expert, so I won't dive into Pandora's functions for generating the encryption key, creating the threads that do the main work of encrypting files, writing the file footer, and so on.

During the code analysis, I found that Pandora and Rook ransomware (https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware) share a lot of similarities.

## 1. Pandora sample

The analyzed sample is a 64-bit executable: `0c4a84b66832a08dccc42b478d9d5e1b`

## 2. Manual unpacking

A quick check of the sample with tools such as ExeInfo PE and DiE shows that it is packed with UPX. Looking more closely at the sections shows that their names have been changed: instead of UPX0 and UPX1 they are now pppp and cccc. Additionally, the information behind the "3.00" and "UPX!" strings was stripped by the attacker:

Therefore, we cannot use the `upx -d` command to unpack this sample automatically:

For manual unpacking, I used x64dbg to find the OEP and Scylla to dump the file and fix the IAT:

Here is the unpacked file, which runs normally: `1497ac198a13de8c4e6d1a1e73eaa50f`

## 3. Pandora code obfuscation

Pandora's developer makes static analysis very difficult: the code uses indirect calls through registers (rax, rdx, rbp, etc.), and important strings such as the mutex name, DLL names, public key data and the ransom note are stored encrypted and are only decrypted when the malicious code executes.

The indirect calls can be seen as follows. Calls to the string-decryption function take the rdx and rcx registers as parameters: the rdx register points to the memory area containing the encrypted string, and the rcx register points to the memory area that receives the decrypted string.

Calls to API functions or to Pandora's own functions look like this:

Besides that, Pandora also applies a control-flow obfuscation technique. For example, the pseudocode of the function that decrypts strings looks as follows:

## 4. Analysis of some of Pandora's main functions

To analyze it, I used IDA in combination with the Bochs debugger.

### 4.1. Create mutex

First, Pandora decrypts the mutex name "ThisIsMutexa", then calls OpenMutexA to check whether this mutex already exists.

If the mutex has not been created yet, it calls CreateMutexA to create it, ensuring that only one instance of the malware runs on the system.

### 4.2. Call NtSetInformationProcess

Pandora decrypts the string "NtSetInformationProcess" and calls GetProcAddress to retrieve its address. It then calls NtSetInformationProcess with the ProcessInformationClass parameter set to ProcessInstrumentationCallback:

I still do not know the purpose of Pandora using this function.

### 4.3. Patching the EtwEventWrite function

To disable ETW logging, Pandora decrypts the string "EtwEventWrite" and uses GetProcAddress to get the function's address. It then uses WriteProcessMemory to replace the first byte of EtwEventWrite with the opcode 0xC3 (ret), so that the function returns immediately and user-mode logging through it stops.

### 4.4. Defeat the AmsiScanBuffer function

Pandora decrypts the string "amsi.dll" and calls GetModuleHandleA to get a handle to AMSI.

It then decrypts the string "AmsiScanBuffer", gets the function's address, and uses VirtualProtectEx to change the memory protection at AmsiScanBuffer.
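As an added illustration (not from the original post), here is a defender-side check for the two patches described in sections 4.3 and 4.4: a pure function that judges a function's first bytes as read from process memory, and a Windows-only reader that fetches those bytes for EtwEventWrite and AmsiScanBuffer in the current process. The sample prologue bytes are constructed, not copied from a real ntdll; the module and export names are the ones the post names.

```python
import sys
import ctypes
from typing import Optional

# Exports the post says Pandora tampers with (sections 4.3 and 4.4).
WATCHED_EXPORTS = (("ntdll.dll", "EtwEventWrite"), ("amsi.dll", "AmsiScanBuffer"))

def classify_prologue(live: bytes, reference: Optional[bytes] = None) -> dict:
    """Judge the first bytes of a function as read from process memory.

    `live` is what the function starts with in memory. `reference`, when given,
    is the same function's untampered bytes (e.g. from the DLL on disk or a clean
    host); without it only the 0xC3 first-byte patch from section 4.3 is visible.
    """
    verdict = {"ret_patch": live[:1] == b"\xc3", "first_diff": None}
    if reference is not None:
        n = min(len(live), len(reference))
        verdict["first_diff"] = next((i for i in range(n) if live[i] != reference[i]), None)
    verdict["tampered"] = verdict["ret_patch"] or verdict["first_diff"] is not None
    return verdict

def read_export_prologue(module: str, export: str, length: int = 8) -> bytes:
    """Windows only: read the first bytes of an export inside the current process."""
    if sys.platform != "win32":
        raise OSError("live read needs a Windows process")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.LoadLibraryA.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    addr = k32.GetProcAddress(k32.LoadLibraryA(module.encode()), export.encode())
    if not addr:
        raise OSError(f"{module}!{export} not found (error {ctypes.get_last_error()})")
    return ctypes.string_at(addr, length)

def audit_current_process() -> list:
    """Report every watched export whose prologue looks tampered with in this process."""
    findings = []
    for module, export in WATCHED_EXPORTS:
        verdict = classify_prologue(read_export_prologue(module, export))
        if verdict["tampered"]:
            findings.append((module, export, verdict))
    return findings

# Constructed sample bytes (not taken from a real ntdll): a stand-in clean prologue
# and the same prologue after its first byte was overwritten with 0xC3 as in section 4.3.
CLEAN_PROLOGUE = bytes.fromhex("4c8bdc4883ec58")
RET_PATCHED = b"\xc3" + CLEAN_PROLOGUE[1:]
```

Running `audit_current_process()` on a Windows host returns an empty list when neither export has been touched; a reference copy of each prologue is needed to catch patches that do not start with a plain ret.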
### 4.5. Generate RSA key

Pandora decrypts the string "fast_test", then uses the CryptAcquireContext and CryptGenRandom functions to generate a buffer of random bytes:

Pandora calls the function that decrypts the RSA public key, then calls mbedtls_pk_parse_public_key to parse it:

The decrypted content of the public key is as follows:

```
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtOGL76JTNo3yXAbjtopL
brBpAUvxyCd40aYBq9xWKpHHBHxOC+adOFKIAjJVSu/Bm5JdA9v7efN/RkfFbhKa
N7ZOn1ueEqUz5cVU52ptduO12YlxnRobq0EMjA0CBpS94j/qkURFlTRktyQNOfJF
kSPd497k2xqkq5fXqJYftwXky7nJeXyji+mIyhMFQFS9Uq2mI7plnRAVJIE1LASH
D1tAg9SNIA0SsyuazkWwHRefWo0z3YBBxP1r+7E/gQqMFVX8odLyq+yTIXFY0P9b
V7WnBRrBimY5KMcPRgKusLzXPTO0xA+RDxWbFkUcPmpnp498MYcfH9wBu83mHpWW
1wIDAQAB
-----END PUBLIC KEY-----
```

Pandora uses RegCreateKeyExW to open the "Software" subkey under HKEY_CURRENT_USER, then calls RegQueryValueExW to check whether the registry value "Public" exists there. If it does not, the malware generates a public/private key pair for the victim.

### 4.6. Update shutdown priority

Pandora calls SetProcessShutdownParameters to set its shutdown order:

### 4.7. Empty all Recycle Bins on all drives

To empty all recycle bins, Pandora calls SHEmptyRecycleBinA:

### 4.8. Deleting shadow copies

By calling IsWow64Process, Pandora checks whether its process is running under a 64-bit system. If so, it calls Wow64DisableWow64FsRedirection to disable file system redirection for its process. Finally, it calls ShellExecuteW to launch a command that deletes all shadow copies. The command is:

```
cmd.exe /c vssadmin.exe delete shadows /all /quiet
```
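Returning to the public key recovered in section 4.5: the following Python, added here as an example and not part of the original post or of mbedtls, decodes that PEM with the standard library alone and walks its DER structure to confirm the key type and size (the ransom note claims RSA-2048). The PEM string is the one from section 4.5; the parser is my own.

```python
import base64
import re

# The public key Pandora decrypts at runtime, exactly as recovered in section 4.5.
PANDORA_PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtOGL76JTNo3yXAbjtopL
brBpAUvxyCd40aYBq9xWKpHHBHxOC+adOFKIAjJVSu/Bm5JdA9v7efN/RkfFbhKa
N7ZOn1ueEqUz5cVU52ptduO12YlxnRobq0EMjA0CBpS94j/qkURFlTRktyQNOfJF
kSPd497k2xqkq5fXqJYftwXky7nJeXyji+mIyhMFQFS9Uq2mI7plnRAVJIE1LASH
D1tAg9SNIA0SsyuazkWwHRefWo0z3YBBxP1r+7E/gQqMFVX8odLyq+yTIXFY0P9b
V7WnBRrBimY5KMcPRgKusLzXPTO0xA+RDxWbFkUcPmpnp498MYcfH9wBu83mHpWW
1wIDAQAB
-----END PUBLIC KEY-----"""

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def _tlv(buf, pos):
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_rsa_spki(pem: str) -> dict:
    """Parse a PEM SubjectPublicKeyInfo and return the RSA modulus, exponent and bit size."""
    body = re.sub(r"-----[^-]+-----|\s", "", pem)
    der = base64.b64decode(body, validate=True)
    tag, p, end = _tlv(der, 0)                      # SubjectPublicKeyInfo ::= SEQUENCE
    assert tag == 0x30 and end == len(der), "not a DER SEQUENCE"
    tag, a, a_end = _tlv(der, p)                    #   algorithm AlgorithmIdentifier (SEQUENCE)
    tag, o, o_end = _tlv(der, a)                    #     algorithm OID
    assert tag == 0x06 and der[o:o_end] == RSA_OID, "not rsaEncryption"
    tag, b, b_end = _tlv(der, a_end)                #   subjectPublicKey BIT STRING
    assert tag == 0x03 and der[b] == 0, "unexpected BIT STRING padding"
    tag, k, _ = _tlv(der, b + 1)                    #     RSAPublicKey ::= SEQUENCE
    assert tag == 0x30, "RSAPublicKey is not a SEQUENCE"
    tag, n0, n1 = _tlv(der, k)                      #       modulus INTEGER
    tag2, e0, e1 = _tlv(der, n1)                    #       publicExponent INTEGER
    assert tag == 0x02 and tag2 == 0x02, "modulus/exponent are not INTEGERs"
    n = int.from_bytes(der[n0:n1], "big")
    e = int.from_bytes(der[e0:e1], "big")
    return {"bits": n.bit_length(), "e": e, "n": n}
```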
### 4.9. Manually mount drives

Pandora carries a built-in list of drive letters. The complete list is as follows:

```
UPX1:0000000140047712 str_Q:    text "UTF-16LE", 'Q:\',0
UPX1:000000014004771A str_W:    text "UTF-16LE", 'W:\',0
UPX1:0000000140047722 str_E:    text "UTF-16LE", 'E:\',0
UPX1:000000014004772A str_R:    text "UTF-16LE", 'R:\',0
UPX1:0000000140047732 str_T:    text "UTF-16LE", 'T:\',0
UPX1:000000014004773A str_Y:    text "UTF-16LE", 'Y:\',0
UPX1:0000000140047742 str_U:    text "UTF-16LE", 'U:\',0
UPX1:000000014004774A str_I:    text "UTF-16LE", 'I:\',0
UPX1:0000000140047752 str_O_0:  text "UTF-16LE", 'O:\',0
UPX1:000000014004775A str_P_0:  text "UTF-16LE", 'P:\',0
UPX1:0000000140047762 str_A:    text "UTF-16LE", 'A:\',0
UPX1:000000014004776A str_S:    text "UTF-16LE", 'S:\',0
UPX1:0000000140047772 str_D:    text "UTF-16LE", 'D:\',0
UPX1:000000014004777A str_F:    text "UTF-16LE", 'F:\',0
UPX1:0000000140047782 str_G:    text "UTF-16LE", 'G:\',0
UPX1:000000014004778A str_H:    text "UTF-16LE", 'H:\',0
UPX1:0000000140047792 str_J:    text "UTF-16LE", 'J:\',0
UPX1:000000014004779A str_K:    text "UTF-16LE", 'K:\',0
UPX1:00000001400477A2 str_L_0:  text "UTF-16LE", 'L:\',0
UPX1:00000001400477AA str_Z:    text "UTF-16LE", 'Z:\',0
UPX1:00000001400477B2 str_X:    text "UTF-16LE", 'X:\',0
UPX1:00000001400477BA str_C_0:  text "UTF-16LE", 'C:\',0
UPX1:00000001400477C2 str_V:    text "UTF-16LE", 'V:\',0
UPX1:00000001400477CA str_B:    text "UTF-16LE", 'B:\',0
UPX1:00000001400477D2 str_N:    text "UTF-16LE", 'N:\',0
UPX1:00000001400477DA str_M_0:  text "UTF-16LE", 'M:\',0
```

Then it uses GetDriveTypeW to find drives of type DRIVE_NO_ROOT_DIR.

Next, Pandora calls the FindFirstVolumeW, GetVolumePathNamesForVolumeNameW, SetVolumeMountPointW and FindNextVolumeW functions to mount the drives.

### 4.10. Drop ransom note

Pandora decrypts the ransom note, then writes it to a file named Restore_My_Files.txt. The full content of the ransom note is as follows:

```
### What happened?
#### !!!Your files are encrypted!!!
*All your files are protected by strong encryption with RSA-2048.*
*There is no public decryption software.*
*We have successfully stolen your confidential document data, finances, emails, employee information, customers, research and development products...*
#### What is the price?
*The price depends on how fast you can write to us.*
*After payment, we will send you the decryption tool which will decrypt all your files.*
#### What should I do?
*There is only one way to get your files back -->>Contact us, pay and get decryption software.*
*If you decline payment, we will share your data files with the world.*
*You can browse your data breach here: http://vbfqeh5nugm6r2u2qvghsdxm3fotf5wbxb5ltv6vw77vus5frdpuaiid.onion* (you should download and install TOR browser first hxxps://torproject.org)
#### !!!Decryption Guaranteed!!!
*Free decryption As a guarantee, you can send us up to 3 free decrypted files before payment.*
#### !!!Contact us!!!
email: contact@pandoraxyz.xyz
#### !!!Warning!!!
*Do not attempt to decrypt your data using third-party software, this may result in permanent data loss.*
*Decrypting your files with the help of a third party may result in a price increase (they charge us a fee), or you may fall victim to a scam.*
*Don't try to delete programs or run antivirus tools. It won't work.*
*Attempting to self-decrypt the file will result in the loss of your data.*
```

### 4.11. List of file extensions and directories to avoid

Before performing encryption, Pandora checks that the file name is not in its list of file extensions and directories to avoid. Here is the complete avoid list:

```
UPX1:000000014004828C                      text "UTF-16LE", '.hta',0
UPX1:0000000140048296 str_exe:             text "UTF-16LE", '.exe',0
UPX1:00000001400482A0 str_dll:             text "UTF-16LE", '.dll',0
UPX1:00000001400482AA str_cpl:             text "UTF-16LE", '.cpl',0
UPX1:00000001400482B4 str_ini:             text "UTF-16LE", '.ini',0
UPX1:00000001400482BE str_cab:             text "UTF-16LE", '.cab',0
UPX1:00000001400482C8 str_cur:             text "UTF-16LE", '.cur',0
UPX1:00000001400482D2 str_drv:             text "UTF-16LE", '.drv',0
UPX1:00000001400482DC str_hlp:             text "UTF-16LE", '.hlp',0
UPX1:00000001400482E6 str_icl:             text "UTF-16LE", '.icl',0
UPX1:00000001400482F0 str_icns:            text "UTF-16LE", '.icns',0
UPX1:00000001400482FC str_ico:             text "UTF-16LE", '.ico',0
UPX1:0000000140048306 str_idx:             text "UTF-16LE", '.idx',0
UPX1:0000000140048310 str_sys:             text "UTF-16LE", '.sys',0
UPX1:000000014004831A str_spl:             text "UTF-16LE", '.spl',0
UPX1:0000000140048324 str_ocx:             text "UTF-16LE", '.ocx',0
UPX1:0000000140048334 str_AppData:         text "UTF-16LE", 'AppData',0
UPX1:0000000140048344 str_Boot:            text "UTF-16LE", 'Boot',0
UPX1:000000014004834E str_Windows:         text "UTF-16LE", 'Windows',0
UPX1:000000014004835E str_Windowsold:      text "UTF-16LE", 'Windows.old',0
UPX1:0000000140048376 str_TorBrowser:      text "UTF-16LE", 'Tor Browser',0
UPX1:000000014004838E str_InternetExplorer: text "UTF-16LE", 'Internet Explorer',0
UPX1:00000001400483B2 str_Google:          text "UTF-16LE", 'Google',0
UPX1:00000001400483C0 str_Opera:           text "UTF-16LE", 'Opera',0
UPX1:00000001400483CC str_OperaSoftware:   text "UTF-16LE", 'Opera Software',0
UPX1:00000001400483EA str_Mozilla:         text "UTF-16LE", 'Mozilla',0
UPX1:00000001400483FA str_MozillaFirefox:  text "UTF-16LE", 'Mozilla Firefox',0
UPX1:000000014004841A str_RecycleBin:      text "UTF-16LE", '$Recycle.Bin',0
UPX1:0000000140048434 str_ProgramData:     text "UTF-16LE", 'ProgramData',0
UPX1:000000014004844C str_AllUsers:        text "UTF-16LE", 'All Users',0
UPX1:0000000140048460 str_autoruninf:      text "UTF-16LE", 'autorun.inf',0
UPX1:0000000140048478 str_bootini:         text "UTF-16LE", 'boot.ini',0
UPX1:000000014004848A str_bootfontbin:     text "UTF-16LE", 'bootfont.bin',0
UPX1:00000001400484A4 str_bootsectbak:     text "UTF-16LE", 'bootsect.bak',0
UPX1:00000001400484BE str_bootmgr:         text "UTF-16LE", 'bootmgr',0
UPX1:00000001400484CE str_bootmgrefi:      text "UTF-16LE", 'bootmgr.efi',0
UPX1:00000001400484E6 str_bootmgfwefi:     text "UTF-16LE", 'bootmgfw.efi',0
UPX1:0000000140048500 str_desktopini:      text "UTF-16LE", 'desktop.ini',0
UPX1:0000000140048518 str_iconcachedb:     text "UTF-16LE", 'iconcache.db',0
UPX1:0000000140048532 str_ntldr:           text "UTF-16LE", 'ntldr',0
UPX1:000000014004853E str_ntuserdat:       text "UTF-16LE", 'ntuser.dat',0
UPX1:0000000140048554 str_ntuserdatlog:    text "UTF-16LE", 'ntuser.dat.log',0
UPX1:0000000140048572 str_ntuserini:       text "UTF-16LE", 'ntuser.ini',0
UPX1:0000000140048588 str_thumbsdb:        text "UTF-16LE", 'thumbs.db',0
UPX1:000000014004859C str_ProgramFiles:    text "UTF-16LE", 'Program Files',0
UPX1:00000001400485B8 str_ProgramFilesx86: text "UTF-16LE", 'Program Files (x86)',0
UPX1:00000001400485E0 str_recycle:         text "UTF-16LE", '#recycle',0
UPX1:00000001400485F2                      text "UTF-16LE", '..',0
UPX1:00000001400485F8                      text "UTF-16LE", '.',0
```

Source: vx underground (@vxunderground)

End.

m4n0w4r