HelloKitty (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.hellokitty (Back to overview)

HelloKitty

aka: KittyCrypt

VTCollection

Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. The malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or .kitty file extensions for encrypted files. Some newer samples make use of a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions.

References

2023-12-13 ⋅ cocomelonc ⋅ cocomelonc
Malware in the wild book
AsyncRAT Babuk BlackCat BlackLotus Carbanak HelloKitty Paradise Stealc WinDealer

2023-02-14 ⋅ Intrinsec ⋅ CTI Intrinsec, Intrinsec
Vice-Society spreads its own ransomware
HelloKitty PolyVice Zeppelin

2023-01-04 ⋅ cocomelonc
Malware development tricks: part 26. Mutex. C++ example.
AsyncRAT Conti HelloKitty

2022-09-20 ⋅ vmware ⋅ Dana Behling
Threat Report: Illuminating Volume Shadow Deletion
Conti HelloKitty

2022-09-06 ⋅ CISA ⋅ CISA, FBI, MS-ISAC, US-CERT
Alert (AA22-249A) #StopRansomware: Vice Society
Cobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin

2022-05-20 ⋅ AdvIntel ⋅ Marley Smith, Vitali Kremez, Yelisey Boguslavskiy
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-05-01 ⋅ BushidoToken ⋅ BushidoToken
Gamer Cheater Hacker Spy
Egregor HelloKitty NetfilterRootkit RagnarLocker Winnti

2022-04-25 ⋅ Medium proferosec-osm ⋅ Brenton Morris
Static unpacker and decoder for Hello Kitty Packer
HelloKitty

2022-04-18 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy
Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive Karakurt

2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID

2021-11-02 ⋅ SpearTip ⋅ Chris Swagler
FBI Warning: HelloKitty Ransomware Add DDoS to Extortion Arsenal
HelloKitty

2021-10-28 ⋅ FBI ⋅ FBI
CU-000154-MW: Tactics, Techniques, and Indicators of Compromise Associated with Hello Kitty/FiveHands Ransomware
HelloKitty

2021-08-24 ⋅ Palo Alto Networks Unit 42 ⋅ Doel Santos, Ruchna Nigam
Ransomware Groups to Watch: Emerging Threats
HelloKitty AvosLocker HelloKitty Hive LockBit

2021-07-17 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
HelloKitty ransomware is targeting vulnerable SonicWall devices
HelloKitty

2021-06-28 ⋅ CrowdStrike ⋅ Alexandru Ghita
New Ransomware Variant Uses Golang Packer
FiveHands HelloKitty

2021-05-31 ⋅ DataBreaches.net ⋅ Dissent
Babuk re-organizes as Payload Bin, offers its first leak
Babuk HelloKitty

2021-04-29 ⋅ FireEye ⋅ Justin Moore, Raymond Leong, Tyler McLellan
UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
Cobalt Strike FiveHands HelloKitty

2021-03-18 ⋅ Malwarebytes ⋅ Jovi Umawing
HelloKitty: When Cyberpunk met cy-purr-crime
HelloKitty

2021-03-08 ⋅ Sentinel LABS ⋅ Jim Walter
HelloKitty Ransomware Lacks Stealth, But Still Strikes Home
HelloKitty

2021-02-10 ⋅ Cado Security ⋅ Christopher Doman
Punk Kitty Ransom - Analysing HelloKitty Ransomware Attacks
HelloKitty

2021-02-09 ⋅ Twitter (@fwosar) ⋅ Fabian Wosar
Tweet on CD PROJEKT RED targeted by HelloKitty ransomware group
HelloKitty

2020-11-13 ⋅ ID Ransomware ⋅ Andrew Ivanov
HelloKitty Ransomware
HelloKitty

Yara Rules

[TLP:WHITE] win_hellokitty_auto (20230808 | Detects win.hellokitty.)

rule win_hellokitty_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.hellokitty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8975fc 8d4e08 c706???????? e8???????? 6818010000 8d86d0030000 6a00 }
            // n = 7, score = 100
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   8d4e08               | lea                 ecx, [esi + 8]
            //   c706????????         |                     
            //   e8????????           |                     
            //   6818010000           | push                0x118
            //   8d86d0030000         | lea                 eax, [esi + 0x3d0]
            //   6a00                 | push                0

        $sequence_1 = { 23df 234df0 8bc7 c1c802 0bd9 33d0 03de }
            // n = 7, score = 100
            //   23df                 | and                 ebx, edi
            //   234df0               | and                 ecx, dword ptr [ebp - 0x10]
            //   8bc7                 | mov                 eax, edi
            //   c1c802               | ror                 eax, 2
            //   0bd9                 | or                  ebx, ecx
            //   33d0                 | xor                 edx, eax
            //   03de                 | add                 ebx, esi

        $sequence_2 = { 7509 0fb64702 3a4604 7411 83c32c 41 83c72c }
            // n = 7, score = 100
            //   7509                 | jne                 0xb
            //   0fb64702             | movzx               eax, byte ptr [edi + 2]
            //   3a4604               | cmp                 al, byte ptr [esi + 4]
            //   7411                 | je                  0x13
            //   83c32c               | add                 ebx, 0x2c
            //   41                   | inc                 ecx
            //   83c72c               | add                 edi, 0x2c

        $sequence_3 = { 33d2 8b45ec 8bf1 0fa4c11e c1ee02 0bd1 c1e01e }
            // n = 7, score = 100
            //   33d2                 | xor                 edx, edx
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   8bf1                 | mov                 esi, ecx
            //   0fa4c11e             | shld                ecx, eax, 0x1e
            //   c1ee02               | shr                 esi, 2
            //   0bd1                 | or                  edx, ecx
            //   c1e01e               | shl                 eax, 0x1e

        $sequence_4 = { 8b048520364200 56 8b7508 57 8b4c0818 8b4514 832600 }
            // n = 7, score = 100
            //   8b048520364200       | mov                 eax, dword ptr [eax*4 + 0x423620]
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   8b4c0818             | mov                 ecx, dword ptr [eax + ecx + 0x18]
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   832600               | and                 dword ptr [esi], 0

        $sequence_5 = { 33ca 8bd1 894dec 8988a8000000 33d3 }
            // n = 5, score = 100
            //   33ca                 | xor                 ecx, edx
            //   8bd1                 | mov                 edx, ecx
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   8988a8000000         | mov                 dword ptr [eax + 0xa8], ecx
            //   33d3                 | xor                 edx, ebx

        $sequence_6 = { 8b759c 03c2 8bd1 8945f8 8bc1 c1c807 c1c20e }
            // n = 7, score = 100
            //   8b759c               | mov                 esi, dword ptr [ebp - 0x64]
            //   03c2                 | add                 eax, edx
            //   8bd1                 | mov                 edx, ecx
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8bc1                 | mov                 eax, ecx
            //   c1c807               | ror                 eax, 7
            //   c1c20e               | rol                 edx, 0xe

        $sequence_7 = { 8b45c0 3175c4 8bf0 0facc81c c1e604 0bd0 c1e91c }
            // n = 7, score = 100
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   3175c4               | xor                 dword ptr [ebp - 0x3c], esi
            //   8bf0                 | mov                 esi, eax
            //   0facc81c             | shrd                eax, ecx, 0x1c
            //   c1e604               | shl                 esi, 4
            //   0bd0                 | or                  edx, eax
            //   c1e91c               | shr                 ecx, 0x1c

        $sequence_8 = { 8bf8 83c020 59 f3a5 8b7508 83ee20 89450c }
            // n = 7, score = 100
            //   8bf8                 | mov                 edi, eax
            //   83c020               | add                 eax, 0x20
            //   59                   | pop                 ecx
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   83ee20               | sub                 esi, 0x20
            //   89450c               | mov                 dword ptr [ebp + 0xc], eax

        $sequence_9 = { c1ce02 8b45d0 03cf 3345ec 3345c4 3345f0 8b7df4 }
            // n = 7, score = 100
            //   c1ce02               | ror                 esi, 2
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   03cf                 | add                 ecx, edi
            //   3345ec               | xor                 eax, dword ptr [ebp - 0x14]
            //   3345c4               | xor                 eax, dword ptr [ebp - 0x3c]
            //   3345f0               | xor                 eax, dword ptr [ebp - 0x10]
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]

    condition:
        7 of them and filesize < 319488
}

Download all Yara Rules

HelloKitty Propose Change

References

Yara Rules

HelloKitty