SYMBOLCOMMON_NAMEaka. SYNONYMS
win.hellokitty (Back to overview)

HelloKitty

aka: KittyCrypt

There is no description at this point.

References
2021-08-24Palo Alto Networks Unit 42Ruchna Nigam, Doel Santos
@online{nigam:20210824:ransomware:dfd3e4b, author = {Ruchna Nigam and Doel Santos}, title = {{Ransomware Groups to Watch: Emerging Threats}}, date = {2021-08-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emerging-ransomware-groups/}, language = {English}, urldate = {2021-08-24} } Ransomware Groups to Watch: Emerging Threats
HelloKitty AvosLocker HelloKitty hive LockBit
2021-07-17Bleeping ComputerSergiu Gatlan
@online{gatlan:20210717:hellokitty:96a6fe5, author = {Sergiu Gatlan}, title = {{HelloKitty ransomware is targeting vulnerable SonicWall devices}}, date = {2021-07-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/}, language = {English}, urldate = {2021-07-20} } HelloKitty ransomware is targeting vulnerable SonicWall devices
HelloKitty
2021-06-28CrowdStrikeAlexandru Ghita
@online{ghita:20210628:new:85c558c, author = {Alexandru Ghita}, title = {{New Ransomware Variant Uses Golang Packer}}, date = {2021-06-28}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/}, language = {English}, urldate = {2021-06-29} } New Ransomware Variant Uses Golang Packer
FiveHands HelloKitty
2021-05-31DataBreaches.netDissent
@online{dissent:20210531:babuk:4915c4b, author = {Dissent}, title = {{Babuk re-organizes as Payload Bin, offers its first leak}}, date = {2021-05-31}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/}, language = {English}, urldate = {2021-06-04} } Babuk re-organizes as Payload Bin, offers its first leak
Babuk HelloKitty
2021-04-29FireEyeTyler McLellan, Justin Moore, Raymond Leong
@online{mclellan:20210429:unc2447:2ad0d96, author = {Tyler McLellan and Justin Moore and Raymond Leong}, title = {{UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat}}, date = {2021-04-29}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html}, language = {English}, urldate = {2021-09-09} } UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
FiveHands HelloKitty
2021-03-18MalwarebytesJovi Umawing
@online{umawing:20210318:hellokitty:1527547, author = {Jovi Umawing}, title = {{HelloKitty: When Cyberpunk met cy-purr-crime}}, date = {2021-03-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/}, language = {English}, urldate = {2021-03-19} } HelloKitty: When Cyberpunk met cy-purr-crime
HelloKitty
2021-03-08Sentinel LABSJim Walter
@online{walter:20210308:hellokitty:e063f92, author = {Jim Walter}, title = {{HelloKitty Ransomware Lacks Stealth, But Still Strikes Home}}, date = {2021-03-08}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/}, language = {English}, urldate = {2021-03-11} } HelloKitty Ransomware Lacks Stealth, But Still Strikes Home
HelloKitty
2021-02-10Cado SecurityChristopher Doman
@online{doman:20210210:punk:dd2c142, author = {Christopher Doman}, title = {{Punk Kitty Ransom - Analysing HelloKitty Ransomware Attacks}}, date = {2021-02-10}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks}, language = {English}, urldate = {2021-02-17} } Punk Kitty Ransom - Analysing HelloKitty Ransomware Attacks
HelloKitty
2021-02-09Twitter (@fwosar)Fabian Wosar
@online{wosar:20210209:cd:5b066a6, author = {Fabian Wosar}, title = {{Tweet on CD PROJEKT RED targeted by HelloKitty ransomware group}}, date = {2021-02-09}, organization = {Twitter (@fwosar)}, url = {https://twitter.com/fwosar/status/1359167108727332868}, language = {English}, urldate = {2021-02-17} } Tweet on CD PROJEKT RED targeted by HelloKitty ransomware group
HelloKitty
2020-11-13ID RansomwareAndrew Ivanov
@online{ivanov:20201113:hellokitty:d65136d, author = {Andrew Ivanov}, title = {{HelloKitty Ransomware}}, date = {2020-11-13}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html}, language = {English}, urldate = {2021-02-10} } HelloKitty Ransomware
HelloKitty
Yara Rules
[TLP:WHITE] win_hellokitty_auto (20211008 | Detects win.hellokitty.)
rule win_hellokitty_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.hellokitty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8955f8 895028 8bcb c1e918 89582c }
            // n = 5, score = 100
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   895028               | mov                 dword ptr [eax + 0x28], edx
            //   8bcb                 | mov                 ecx, ebx
            //   c1e918               | shr                 ecx, 0x18
            //   89582c               | mov                 dword ptr [eax + 0x2c], ebx

        $sequence_1 = { 8b4048 f00fc118 4b 7515 8b45fc 817848c0044200 7409 }
            // n = 7, score = 100
            //   8b4048               | mov                 eax, dword ptr [eax + 0x48]
            //   f00fc118             | lock xadd           dword ptr [eax], ebx
            //   4b                   | dec                 ebx
            //   7515                 | jne                 0x17
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   817848c0044200       | cmp                 dword ptr [eax + 0x48], 0x4204c0
            //   7409                 | je                  0xb

        $sequence_2 = { 8b500c 0fb6ca 8b7004 8b7808 0fb699303b4200 8bca c1e918 }
            // n = 7, score = 100
            //   8b500c               | mov                 edx, dword ptr [eax + 0xc]
            //   0fb6ca               | movzx               ecx, dl
            //   8b7004               | mov                 esi, dword ptr [eax + 4]
            //   8b7808               | mov                 edi, dword ptr [eax + 8]
            //   0fb699303b4200       | movzx               ebx, byte ptr [ecx + 0x423b30]
            //   8bca                 | mov                 ecx, edx
            //   c1e918               | shr                 ecx, 0x18

        $sequence_3 = { 331c8560414200 8b45f0 0fb6c0 331c8560554200 331a 83c204 }
            // n = 6, score = 100
            //   331c8560414200       | xor                 ebx, dword ptr [eax*4 + 0x424160]
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   0fb6c0               | movzx               eax, al
            //   331c8560554200       | xor                 ebx, dword ptr [eax*4 + 0x425560]
            //   331a                 | xor                 ebx, dword ptr [edx]
            //   83c204               | add                 edx, 4

        $sequence_4 = { 8d44241c 57 50 e8???????? 83c40c 8d7b08 8d542418 }
            // n = 7, score = 100
            //   8d44241c             | lea                 eax, dword ptr [esp + 0x1c]
            //   57                   | push                edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d7b08               | lea                 edi, dword ptr [ebx + 8]
            //   8d542418             | lea                 edx, dword ptr [esp + 0x18]

        $sequence_5 = { 59 c60600 83c202 83ef01 75e4 5f 5e }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   c60600               | mov                 byte ptr [esi], 0
            //   83c202               | add                 edx, 2
            //   83ef01               | sub                 edi, 1
            //   75e4                 | jne                 0xffffffe6
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_6 = { 56 33db 894df4 8b30 a1???????? 57 3b8604000000 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   33db                 | xor                 ebx, ebx
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8b30                 | mov                 esi, dword ptr [eax]
            //   a1????????           |                     
            //   57                   | push                edi
            //   3b8604000000         | cmp                 eax, dword ptr [esi + 4]

        $sequence_7 = { 85f6 0f84f3000000 832000 6a78 e8???????? 8bf8 59 }
            // n = 7, score = 100
            //   85f6                 | test                esi, esi
            //   0f84f3000000         | je                  0xf9
            //   832000               | and                 dword ptr [eax], 0
            //   6a78                 | push                0x78
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   59                   | pop                 ecx

        $sequence_8 = { 3345c0 3345f8 d1c0 8945c8 89856cffffff 8bc7 }
            // n = 6, score = 100
            //   3345c0               | xor                 eax, dword ptr [ebp - 0x40]
            //   3345f8               | xor                 eax, dword ptr [ebp - 8]
            //   d1c0                 | rol                 eax, 1
            //   8945c8               | mov                 dword ptr [ebp - 0x38], eax
            //   89856cffffff         | mov                 dword ptr [ebp - 0x94], eax
            //   8bc7                 | mov                 eax, edi

        $sequence_9 = { 8bc3 3345e8 03f1 8b4dec 23c2 33c3 8bd1 }
            // n = 7, score = 100
            //   8bc3                 | mov                 eax, ebx
            //   3345e8               | xor                 eax, dword ptr [ebp - 0x18]
            //   03f1                 | add                 esi, ecx
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   23c2                 | and                 eax, edx
            //   33c3                 | xor                 eax, ebx
            //   8bd1                 | mov                 edx, ecx

    condition:
        7 of them and filesize < 319488
}
Download all Yara Rules