Sponsored by Hudson Rock – Use Hudson Rock's free cybercrime intelligence tools to learn how Infostealer infections are leading to ransomware attacks
APT_UNC2447_MAL_RANSOM_HelloKitty_May21_2.yarrule APT_UNC2447_MAL_RANSOM_HelloKitty_May21_2
{
meta:
description = "Detects HelloKitty Ransomware samples from UNC2447 campaign"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
date = "2021-05-01"
hash1 = "10887d13dba1f83ef34e047455a04416d25a83079a7f3798ce3483e0526e3768"
hash2 = "3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9"
hash3 = "501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe"
hash4 = "9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0"
id = "82aaabc6-102a-512e-8c2a-4d6fda864c68"
strings:
$xop1 = { 50 8d 45 f8 50 ff 75 fc ff 15 ?? ?? 42 00 3d ea 00 00 00 75 18 83 7d f8 00 }
$s1 = "HelloKittyMutex" wide
$s2 = "%s\\read_me_lkd.txt" wide fullword
$s3 = "/C ping 127.0.0.1 & del %s" wide fullword
$s4 = "(%d) [%d] %s: STOP DOUBLE PROCESS RUN" ascii fullword
$sop1 = { 6a 00 6a 01 ff 75 fc ff 15 ?? ?? 42 00 85 c0 0f 94 c3 ff 75 fc ff 15 ?? ?? 42 00 }
$sop2 = { 74 12 6a 00 6a 01 ff 75 fc ff 15 ?? ?? 42 00 85 c0 0f 94 c3 ff 75 fc }
condition:
uint16( 0 ) == 0x5a4d and filesize < 600KB and 1 of ( $x* ) or 2 of them
}