The Pandora rule is a YARA rule for the Pandora Remote Access Trojan (per its metadata) and detects potential adversary behavior involving suspicious file execution or network communication that may indicate initial compromise or lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats before they escalate.
YARA Rule
rule Pandora
{
    meta:
        author = " Kevin Breen <[email protected]>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/Pandora"
        maltype = "Remote Access Trojan"
        filetype = "exe"

    strings:
        $a = "Can't get the Windows version"
        $b = "=M=Q=U=Y=]=a=e=i=m=q=u=y=}="
        $c = "JPEG error #%d" wide
        $d = "Cannot assign a %s to a %s" wide
        $g = "%s, ProgID:"
        $h = "clave"
        $i = "Shell_TrayWnd"
        $j = "melt.bat"
        $k = "\\StubPath"
        $l = "\\logs.dat"
        $m = "1027|Operation has been canceled!"
        $n = "466|You need to plug-in! Double click to install... |"
        $0 = "33|[Keylogger Not Activated!]"

    condition:
        all of them
}
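The following is an added example, not code from the page or from the rule's author: the rule's string table re-implemented in plain Python so that the `wide` modifier (UTF-16LE encoding) and the `all of them` condition can be seen working on constructed sample buffers. The sample buffers, the `build_sample` helper and the `\x00` filler are assumptions made for the demonstration; production scanning should use yara or yara-python, this is only a teaching model of the matching logic.

```python
# Added example (not from the page or the rule's author): a pure-Python model of
# the Pandora rule's string matching. Shows (1) that a `wide` string matches the
# UTF-16LE form, not the ASCII form, and (2) that `all of them` fails when even
# one of the 13 strings is absent.

from typing import Dict, List

# (identifier, pattern, wide?) copied from the rule. YARA's "\\StubPath" is the
# literal bytes \StubPath, which is what the Python string literal below yields.
PANDORA_STRINGS = [
    ("$a", "Can't get the Windows version", False),
    ("$b", "=M=Q=U=Y=]=a=e=i=m=q=u=y=}=", False),
    ("$c", "JPEG error #%d", True),
    ("$d", "Cannot assign a %s to a %s", True),
    ("$g", "%s, ProgID:", False),
    ("$h", "clave", False),
    ("$i", "Shell_TrayWnd", False),
    ("$j", "melt.bat", False),
    ("$k", "\\StubPath", False),
    ("$l", "\\logs.dat", False),
    ("$m", "1027|Operation has been canceled!", False),
    ("$n", "466|You need to plug-in! Double click to install... |", False),
    ("$0", "33|[Keylogger Not Activated!]", False),
]


def encode_pattern(text: str, wide: bool) -> bytes:
    """A plain YARA text string matches its ASCII bytes; with `wide` it matches
    the UTF-16LE form (each character followed by a NUL byte) instead."""
    return text.encode("utf-16-le") if wide else text.encode("ascii")


def match_strings(data: bytes) -> Dict[str, bool]:
    """Per-identifier hit table, the analogue of YARA's string matches."""
    return {ident: encode_pattern(pat, wide) in data
            for ident, pat, wide in PANDORA_STRINGS}


def missing_strings(data: bytes) -> List[str]:
    """Identifiers that did not hit; useful when triaging a near-miss sample."""
    return [ident for ident, hit in match_strings(data).items() if not hit]


def rule_matches(data: bytes) -> bool:
    """`condition: all of them`: every one of the 13 strings must be present."""
    return not missing_strings(data)


def build_sample(skip: str = "") -> bytes:
    """Constructed test buffer (assumption, not a real sample): every pattern in
    its correct encoding separated by NUL filler, optionally leaving one out."""
    chunks = [b"MZ\x90\x00"]  # constructed filler, not a real PE header
    for ident, pat, wide in PANDORA_STRINGS:
        if ident != skip:
            chunks.append(encode_pattern(pat, wide))
        chunks.append(b"\x00" * 4)
    return b"".join(chunks)


SAMPLE_FULL = build_sample()
SAMPLE_WITHOUT_MELT = build_sample(skip="$j")
# $c present only as ASCII: the rule asks for `wide`, so this must not count.
SAMPLE_ASCII_JPEG = build_sample(skip="$c") + b"JPEG error #%d"

if __name__ == "__main__":
    print("full sample matches:", rule_matches(SAMPLE_FULL))
    print("missing melt.bat   ->", missing_strings(SAMPLE_WITHOUT_MELT))
    print("ascii-only $c      ->", missing_strings(SAMPLE_ASCII_JPEG))
```

The `missing_strings` helper is the practical part: because the condition is `all of them`, a packed or partially rebuilt Pandora binary that drops a single string (for example the `melt.bat` reference) silently falls out of detection, so when hunting it is worth also reporting samples that hit most of the strings rather than only exact rule matches.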
This rule contains 13 string patterns in its detection logic.

This YARA rule can be deployed in the following contexts. Each scenario names benign activity that can resemble a hit and the command-line or process attributes to check when tuning:

Scenario: Scheduled system maintenance or patching using Ansible or Chef
    ansible or chef in the command line, or filter by process parent process (e.g., systemd or cron)

Scenario: Regular logrotate job execution
    logrotate or check for presence of /etc/logrotate.conf in the command line

Scenario: PowerShell script running as part of a routine system cleanup task
    powershell.exe and check for known cleanup scripts or paths like C:\Windows\System32\ or C:\Program Files\

Scenario: Windows Task Scheduler running a legitimate administrative script
    schtasks.exe or check for task names that match known administrative tasks (e.g., DailyDiskCleanup)

Scenario: Docker container lifecycle management (e.g., docker stop, docker rm)
    docker in the command line or check for presence of container IDs or names in the process context