SYMBOLCOMMON_NAMEaka. SYNONYMS
win.hellokitty (Back to overview)

HelloKitty

aka: KittyCrypt

Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. The malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or .kitty file extensions for encrypted files. Some newer samples make use of a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions.

References
2023-02-14IntrinsecIntrinsec, CTI Intrinsec
@online{intrinsec:20230214:vicesociety:2dffe2e, author = {Intrinsec and CTI Intrinsec}, title = {{Vice-Society spreads its own ransomware}}, date = {2023-02-14}, organization = {Intrinsec}, url = {https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/}, language = {English}, urldate = {2023-02-15} } Vice-Society spreads its own ransomware
HelloKitty PolyVice Zeppelin
2023-01-04cocomelonc
@online{cocomelonc:20230104:malware:7653c80, author = {cocomelonc}, title = {{Malware development tricks: part 26. Mutex. C++ example.}}, date = {2023-01-04}, url = {https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html}, language = {English}, urldate = {2023-01-10} } Malware development tricks: part 26. Mutex. C++ example.
AsyncRAT Conti HelloKitty
2022-09-20vmwareDana Behling
@online{behling:20220920:threat:099a73a, author = {Dana Behling}, title = {{Threat Report: Illuminating Volume Shadow Deletion}}, date = {2022-09-20}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html}, language = {English}, urldate = {2022-09-26} } Threat Report: Illuminating Volume Shadow Deletion
Conti HelloKitty
2022-09-06CISAUS-CERT, FBI, CISA, MS-ISAC
@online{uscert:20220906:alert:4058a6d, author = {US-CERT and FBI and CISA and MS-ISAC}, title = {{Alert (AA22-249A) #StopRansomware: Vice Society}}, date = {2022-09-06}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-249a}, language = {English}, urldate = {2022-09-16} } Alert (AA22-249A) #StopRansomware: Vice Society
Cobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin
2022-05-20AdvIntelYelisey Boguslavskiy, Vitali Kremez, Marley Smith
@online{boguslavskiy:20220520:discontinued:de13f97, author = {Yelisey Boguslavskiy and Vitali Kremez and Marley Smith}, title = {{DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape}}, date = {2022-05-20}, organization = {AdvIntel}, url = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape}, language = {English}, urldate = {2022-05-25} } DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-01BushidoTokenBushidoToken
@online{bushidotoken:20220501:gamer:0acfc22, author = {BushidoToken}, title = {{Gamer Cheater Hacker Spy}}, date = {2022-05-01}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html}, language = {English}, urldate = {2022-05-03} } Gamer Cheater Hacker Spy
Egregor HelloKitty NetfilterRootkit RagnarLocker Winnti
2022-04-25Medium proferosec-osmBrenton Morris
@online{morris:20220425:static:ae1f9c2, author = {Brenton Morris}, title = {{Static unpacker and decoder for Hello Kitty Packer}}, date = {2022-04-25}, organization = {Medium proferosec-osm}, url = {https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7}, language = {English}, urldate = {2022-04-29} } Static unpacker and decoder for Hello Kitty Packer
HelloKitty
2022-04-18AdvIntelVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220418:enter:2f9b689, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}}, date = {2022-04-18}, organization = {AdvIntel}, url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group}, language = {English}, urldate = {2022-05-17} } Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive
2022-03-21eSentireeSentire Threat Response Unit (TRU)
@online{tru:20220321:conti:507fdf9, author = {eSentire Threat Response Unit (TRU)}, title = {{Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered}}, date = {2022-03-21}, organization = {eSentire}, url = {https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire}, language = {English}, urldate = {2022-05-23} } Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID
2021-11-02SpearTipChris Swagler
@online{swagler:20211102:fbi:6fe349f, author = {Chris Swagler}, title = {{FBI Warning: HelloKitty Ransomware Add DDoS to Extortion Arsenal}}, date = {2021-11-02}, organization = {SpearTip}, url = {https://www.speartip.com/resources/fbi-hellokitty-ransomware-adds-ddos-to-extortion-arsenal/}, language = {English}, urldate = {2021-11-03} } FBI Warning: HelloKitty Ransomware Add DDoS to Extortion Arsenal
HelloKitty
2021-10-28FBIFBI
@techreport{fbi:20211028:cu000154mw:086d032, author = {FBI}, title = {{CU-000154-MW: Tactics, Techniques, and Indicators of Compromise Associated with Hello Kitty/FiveHands Ransomware}}, date = {2021-10-28}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/211029.pdf}, language = {English}, urldate = {2021-11-03} } CU-000154-MW: Tactics, Techniques, and Indicators of Compromise Associated with Hello Kitty/FiveHands Ransomware
HelloKitty
2021-08-24Palo Alto Networks Unit 42Ruchna Nigam, Doel Santos
@online{nigam:20210824:ransomware:dfd3e4b, author = {Ruchna Nigam and Doel Santos}, title = {{Ransomware Groups to Watch: Emerging Threats}}, date = {2021-08-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emerging-ransomware-groups/}, language = {English}, urldate = {2021-08-24} } Ransomware Groups to Watch: Emerging Threats
HelloKitty AvosLocker HelloKitty Hive LockBit
2021-07-17Bleeping ComputerSergiu Gatlan
@online{gatlan:20210717:hellokitty:96a6fe5, author = {Sergiu Gatlan}, title = {{HelloKitty ransomware is targeting vulnerable SonicWall devices}}, date = {2021-07-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/}, language = {English}, urldate = {2021-07-20} } HelloKitty ransomware is targeting vulnerable SonicWall devices
HelloKitty
2021-06-28CrowdStrikeAlexandru Ghita
@online{ghita:20210628:new:85c558c, author = {Alexandru Ghita}, title = {{New Ransomware Variant Uses Golang Packer}}, date = {2021-06-28}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/}, language = {English}, urldate = {2021-06-29} } New Ransomware Variant Uses Golang Packer
FiveHands HelloKitty
2021-05-31DataBreaches.netDissent
@online{dissent:20210531:babuk:4915c4b, author = {Dissent}, title = {{Babuk re-organizes as Payload Bin, offers its first leak}}, date = {2021-05-31}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/}, language = {English}, urldate = {2021-06-04} } Babuk re-organizes as Payload Bin, offers its first leak
Babuk HelloKitty
2021-04-29FireEyeTyler McLellan, Justin Moore, Raymond Leong
@online{mclellan:20210429:unc2447:2ad0d96, author = {Tyler McLellan and Justin Moore and Raymond Leong}, title = {{UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat}}, date = {2021-04-29}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html}, language = {English}, urldate = {2022-03-07} } UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
Cobalt Strike FiveHands HelloKitty
2021-03-18MalwarebytesJovi Umawing
@online{umawing:20210318:hellokitty:1527547, author = {Jovi Umawing}, title = {{HelloKitty: When Cyberpunk met cy-purr-crime}}, date = {2021-03-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/}, language = {English}, urldate = {2021-03-19} } HelloKitty: When Cyberpunk met cy-purr-crime
HelloKitty
2021-03-08Sentinel LABSJim Walter
@online{walter:20210308:hellokitty:e063f92, author = {Jim Walter}, title = {{HelloKitty Ransomware Lacks Stealth, But Still Strikes Home}}, date = {2021-03-08}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/}, language = {English}, urldate = {2021-03-11} } HelloKitty Ransomware Lacks Stealth, But Still Strikes Home
HelloKitty
2021-02-10Cado SecurityChristopher Doman
@online{doman:20210210:punk:dd2c142, author = {Christopher Doman}, title = {{Punk Kitty Ransom - Analysing HelloKitty Ransomware Attacks}}, date = {2021-02-10}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks}, language = {English}, urldate = {2021-02-17} } Punk Kitty Ransom - Analysing HelloKitty Ransomware Attacks
HelloKitty
2021-02-09Twitter (@fwosar)Fabian Wosar
@online{wosar:20210209:cd:5b066a6, author = {Fabian Wosar}, title = {{Tweet on CD PROJEKT RED targeted by HelloKitty ransomware group}}, date = {2021-02-09}, organization = {Twitter (@fwosar)}, url = {https://twitter.com/fwosar/status/1359167108727332868}, language = {English}, urldate = {2021-02-17} } Tweet on CD PROJEKT RED targeted by HelloKitty ransomware group
HelloKitty
2020-11-13ID RansomwareAndrew Ivanov
@online{ivanov:20201113:hellokitty:d65136d, author = {Andrew Ivanov}, title = {{HelloKitty Ransomware}}, date = {2020-11-13}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html}, language = {English}, urldate = {2021-02-10} } HelloKitty Ransomware
HelloKitty
Yara Rules
[TLP:WHITE] win_hellokitty_auto (20230715 | Detects win.hellokitty.)
rule win_hellokitty_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.hellokitty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33d0 03fe 03fa 8b55b4 8bca 897dfc c1c10f }
            // n = 7, score = 100
            //   33d0                 | xor                 edx, eax
            //   03fe                 | add                 edi, esi
            //   03fa                 | add                 edi, edx
            //   8b55b4               | mov                 edx, dword ptr [ebp - 0x4c]
            //   8bca                 | mov                 ecx, edx
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   c1c10f               | rol                 ecx, 0xf

        $sequence_1 = { 8945d8 8b412c 8945fc 8b4130 8945c4 8b4134 8945f8 }
            // n = 7, score = 100
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   8b412c               | mov                 eax, dword ptr [ecx + 0x2c]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4130               | mov                 eax, dword ptr [ecx + 0x30]
            //   8945c4               | mov                 dword ptr [ebp - 0x3c], eax
            //   8b4134               | mov                 eax, dword ptr [ecx + 0x34]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        $sequence_2 = { 8b04b2 c1e808 8841fe 8a04b2 46 }
            // n = 5, score = 100
            //   8b04b2               | mov                 eax, dword ptr [edx + esi*4]
            //   c1e808               | shr                 eax, 8
            //   8841fe               | mov                 byte ptr [ecx - 2], al
            //   8a04b2               | mov                 al, byte ptr [edx + esi*4]
            //   46                   | inc                 esi

        $sequence_3 = { 234de4 0bc1 03c6 03c2 8b55d8 8945ec }
            // n = 6, score = 100
            //   234de4               | and                 ecx, dword ptr [ebp - 0x1c]
            //   0bc1                 | or                  eax, ecx
            //   03c6                 | add                 eax, esi
            //   03c2                 | add                 eax, edx
            //   8b55d8               | mov                 edx, dword ptr [ebp - 0x28]
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax

        $sequence_4 = { 7518 395df8 7413 53 6a01 ff75fc ff15???????? }
            // n = 7, score = 100
            //   7518                 | jne                 0x1a
            //   395df8               | cmp                 dword ptr [ebp - 8], ebx
            //   7413                 | je                  0x15
            //   53                   | push                ebx
            //   6a01                 | push                1
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     

        $sequence_5 = { 3355b0 3355d4 3355c0 c1c802 8bc8 }
            // n = 5, score = 100
            //   3355b0               | xor                 edx, dword ptr [ebp - 0x50]
            //   3355d4               | xor                 edx, dword ptr [ebp - 0x2c]
            //   3355c0               | xor                 edx, dword ptr [ebp - 0x40]
            //   c1c802               | ror                 eax, 2
            //   8bc8                 | mov                 ecx, eax

        $sequence_6 = { 334dbc 334da8 d1c1 894de4 8bcf 0bc8 c1c205 }
            // n = 7, score = 100
            //   334dbc               | xor                 ecx, dword ptr [ebp - 0x44]
            //   334da8               | xor                 ecx, dword ptr [ebp - 0x58]
            //   d1c1                 | rol                 ecx, 1
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   8bcf                 | mov                 ecx, edi
            //   0bc8                 | or                  ecx, eax
            //   c1c205               | rol                 edx, 5

        $sequence_7 = { 0fb74712 83c40c 03f0 807f2502 }
            // n = 4, score = 100
            //   0fb74712             | movzx               eax, word ptr [edi + 0x12]
            //   83c40c               | add                 esp, 0xc
            //   03f0                 | add                 esi, eax
            //   807f2502             | cmp                 byte ptr [edi + 0x25], 2

        $sequence_8 = { 8bc8 894f70 85c9 7507 be21020000 eb63 0fb703 }
            // n = 7, score = 100
            //   8bc8                 | mov                 ecx, eax
            //   894f70               | mov                 dword ptr [edi + 0x70], ecx
            //   85c9                 | test                ecx, ecx
            //   7507                 | jne                 9
            //   be21020000           | mov                 esi, 0x221
            //   eb63                 | jmp                 0x65
            //   0fb703               | movzx               eax, word ptr [ebx]

        $sequence_9 = { 59 50 8d4c2458 e8???????? 8d4c2470 e8???????? 8d8c2488000000 }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   50                   | push                eax
            //   8d4c2458             | lea                 ecx, [esp + 0x58]
            //   e8????????           |                     
            //   8d4c2470             | lea                 ecx, [esp + 0x70]
            //   e8????????           |                     
            //   8d8c2488000000       | lea                 ecx, [esp + 0x88]

    condition:
        7 of them and filesize < 319488
}
Download all Yara Rules