HelloKitty (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.hellokitty (Back to overview)

HelloKitty

aka: KittyCrypt

VTCollection

Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. The malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or .kitty file extensions for encrypted files. Some newer samples make use of a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions.

References

2023-12-13 ⋅ cocomelonc ⋅ cocomelonc
Malware in the wild book
AsyncRAT Babuk BlackCat BlackLotus Carbanak HelloKitty Paradise Stealc WinDealer

2023-02-14 ⋅ Intrinsec ⋅ CTI Intrinsec, Intrinsec
Vice-Society spreads its own ransomware
HelloKitty PolyVice Zeppelin

2023-01-04 ⋅ cocomelonc
Malware development tricks: part 26. Mutex. C++ example.
AsyncRAT Conti HelloKitty

2022-09-20 ⋅ vmware ⋅ Dana Behling
Threat Report: Illuminating Volume Shadow Deletion
Conti HelloKitty

2022-09-06 ⋅ CISA ⋅ CISA, FBI, MS-ISAC, US-CERT
Alert (AA22-249A) #StopRansomware: Vice Society
Cobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin

2022-05-20 ⋅ AdvIntel ⋅ Marley Smith, Vitali Kremez, Yelisey Boguslavskiy
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-05-01 ⋅ BushidoToken ⋅ BushidoToken
Gamer Cheater Hacker Spy
Egregor HelloKitty NetfilterRootkit RagnarLocker Winnti

2022-04-25 ⋅ Medium proferosec-osm ⋅ Brenton Morris
Static unpacker and decoder for Hello Kitty Packer
HelloKitty

2022-04-18 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy
Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive Karakurt

2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID

2021-11-02 ⋅ SpearTip ⋅ Chris Swagler
FBI Warning: HelloKitty Ransomware Add DDoS to Extortion Arsenal
HelloKitty

2021-10-28 ⋅ FBI ⋅ FBI
CU-000154-MW: Tactics, Techniques, and Indicators of Compromise Associated with Hello Kitty/FiveHands Ransomware
HelloKitty

2021-08-24 ⋅ Palo Alto Networks Unit 42 ⋅ Doel Santos, Ruchna Nigam
Ransomware Groups to Watch: Emerging Threats
HelloKitty AvosLocker HelloKitty Hive LockBit

2021-07-17 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
HelloKitty ransomware is targeting vulnerable SonicWall devices
HelloKitty

2021-06-28 ⋅ CrowdStrike ⋅ Alexandru Ghita
New Ransomware Variant Uses Golang Packer
FiveHands HelloKitty

2021-05-31 ⋅ DataBreaches.net ⋅ Dissent
Babuk re-organizes as Payload Bin, offers its first leak
Babuk HelloKitty

2021-04-29 ⋅ FireEye ⋅ Justin Moore, Raymond Leong, Tyler McLellan
UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
Cobalt Strike FiveHands HelloKitty

2021-03-18 ⋅ Malwarebytes ⋅ Jovi Umawing
HelloKitty: When Cyberpunk met cy-purr-crime
HelloKitty

2021-03-08 ⋅ Sentinel LABS ⋅ Jim Walter
HelloKitty Ransomware Lacks Stealth, But Still Strikes Home
HelloKitty

2021-02-10 ⋅ Cado Security ⋅ Christopher Doman
Punk Kitty Ransom - Analysing HelloKitty Ransomware Attacks
HelloKitty

2021-02-09 ⋅ Twitter (@fwosar) ⋅ Fabian Wosar
Tweet on CD PROJEKT RED targeted by HelloKitty ransomware group
HelloKitty

2020-11-13 ⋅ ID Ransomware ⋅ Andrew Ivanov
HelloKitty Ransomware
HelloKitty

Yara Rules

[TLP:WHITE] win_hellokitty_auto (20241030 | Detects win.hellokitty.)

rule win_hellokitty_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.hellokitty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b45c8 0bf1 3345dc 33de 2345d0 33fa 3345c8 }
            // n = 7, score = 100
            //   8b45c8               | mov                 eax, dword ptr [ebp - 0x38]
            //   0bf1                 | or                  esi, ecx
            //   3345dc               | xor                 eax, dword ptr [ebp - 0x24]
            //   33de                 | xor                 ebx, esi
            //   2345d0               | and                 eax, dword ptr [ebp - 0x30]
            //   33fa                 | xor                 edi, edx
            //   3345c8               | xor                 eax, dword ptr [ebp - 0x38]

        $sequence_1 = { 66d3e0 0fb7c0 0bf0 8875fe 84f6 0f856effffff }
            // n = 6, score = 100
            //   66d3e0               | shl                 ax, cl
            //   0fb7c0               | movzx               eax, ax
            //   0bf0                 | or                  esi, eax
            //   8875fe               | mov                 byte ptr [ebp - 2], dh
            //   84f6                 | test                dh, dh
            //   0f856effffff         | jne                 0xffffff74

        $sequence_2 = { 8bcb c1c90b 33c8 8975c4 8bc3 89b560ffffff }
            // n = 6, score = 100
            //   8bcb                 | mov                 ecx, ebx
            //   c1c90b               | ror                 ecx, 0xb
            //   33c8                 | xor                 ecx, eax
            //   8975c4               | mov                 dword ptr [ebp - 0x3c], esi
            //   8bc3                 | mov                 eax, ebx
            //   89b560ffffff         | mov                 dword ptr [ebp - 0xa0], esi

        $sequence_3 = { 03f3 8b5df4 33d0 8bc1 03de c1c802 33d0 }
            // n = 7, score = 100
            //   03f3                 | add                 esi, ebx
            //   8b5df4               | mov                 ebx, dword ptr [ebp - 0xc]
            //   33d0                 | xor                 edx, eax
            //   8bc1                 | mov                 eax, ecx
            //   03de                 | add                 ebx, esi
            //   c1c802               | ror                 eax, 2
            //   33d0                 | xor                 edx, eax

        $sequence_4 = { c1c802 33d0 8b75b8 8bc1 03da c1c807 8bd1 }
            // n = 7, score = 100
            //   c1c802               | ror                 eax, 2
            //   33d0                 | xor                 edx, eax
            //   8b75b8               | mov                 esi, dword ptr [ebp - 0x48]
            //   8bc1                 | mov                 eax, ecx
            //   03da                 | add                 ebx, edx
            //   c1c807               | ror                 eax, 7
            //   8bd1                 | mov                 edx, ecx

        $sequence_5 = { 894df8 894de0 8955f4 0fb688303b4200 8b45e8 c1e818 0fb680303b4200 }
            // n = 7, score = 100
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   0fb688303b4200       | movzx               ecx, byte ptr [eax + 0x423b30]
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   c1e818               | shr                 eax, 0x18
            //   0fb680303b4200       | movzx               eax, byte ptr [eax + 0x423b30]

        $sequence_6 = { 50 56 8d4dd8 e8???????? 8b5de0 8b75dc }
            // n = 6, score = 100
            //   50                   | push                eax
            //   56                   | push                esi
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     
            //   8b5de0               | mov                 ebx, dword ptr [ebp - 0x20]
            //   8b75dc               | mov                 esi, dword ptr [ebp - 0x24]

        $sequence_7 = { 8988a4000000 0fb6c9 0fb699303b4200 0fb688a7000000 c1e308 0fb689303b4200 33d9 }
            // n = 7, score = 100
            //   8988a4000000         | mov                 dword ptr [eax + 0xa4], ecx
            //   0fb6c9               | movzx               ecx, cl
            //   0fb699303b4200       | movzx               ebx, byte ptr [ecx + 0x423b30]
            //   0fb688a7000000       | movzx               ecx, byte ptr [eax + 0xa7]
            //   c1e308               | shl                 ebx, 8
            //   0fb689303b4200       | movzx               ecx, byte ptr [ecx + 0x423b30]
            //   33d9                 | xor                 ebx, ecx

        $sequence_8 = { ffd3 68???????? 8945e4 ffd3 8b55f8 8d75f0 56 }
            // n = 7, score = 100
            //   ffd3                 | call                ebx
            //   68????????           |                     
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   ffd3                 | call                ebx
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8d75f0               | lea                 esi, [ebp - 0x10]
            //   56                   | push                esi

        $sequence_9 = { 33d2 6689544802 eb11 6a28 c645fc00 ff75fc }
            // n = 6, score = 100
            //   33d2                 | xor                 edx, edx
            //   6689544802           | mov                 word ptr [eax + ecx*2 + 2], dx
            //   eb11                 | jmp                 0x13
            //   6a28                 | push                0x28
            //   c645fc00             | mov                 byte ptr [ebp - 4], 0
            //   ff75fc               | push                dword ptr [ebp - 4]

    condition:
        7 of them and filesize < 319488
}

Download all Yara Rules

HelloKitty Propose Change

References

Yara Rules

HelloKitty