{
	"id": "7548db07-2fac-4a4a-9e2b-39155c83f7ca",
	"created_at": "2026-04-06T00:06:41.89978Z",
	"updated_at": "2026-04-10T13:11:22.403816Z",
	"deleted_at": null,
	"sha1_hash": "5e6d03bd1ffa16c52edd544293aaca483274c47b",
	"title": "Static unpacker and decoder for Hello Kitty Packer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 627401,
	"plain_text": "Static unpacker and decoder for Hello Kitty Packer\r\nBy Brenton Morris\r\nPublished: 2022-04-25 · Archived: 2026-04-05 17:56:57 UTC\r\nDuring a recent incident response engagement, the Profero IR team observed a sample of Hello Kitty ransomware. The sample is intriguing because it is packed with a packer written in Go. The packer decrypts the final Hello Kitty payload, which is written in C++, and then executes it in memory. Hello Kitty itself is written as a simple tool that an attacker uses to encrypt data on the victim’s machine, not as full-fledged malware with persistence mechanisms of its own. The malware has been covered in depth by previous researchers, but there is much less information about the packer used by this ransomware gang. For that reason we are releasing this report along with a tool that unpacks the payload contained within the Go packer.\r\nAnalysis\r\nOverview\r\nThe Go packer makes the binary harder for reverse engineers to analyze and helps the malware evade antivirus and other detection systems. This is due to the low detection rate on Go binaries and to the nature of packers themselves: they encrypt the final malicious payload to defeat signature-based detection.\r\nBelow is an example of the ransom note used by HelloKitty (extracted using the https://hatching.io/ sandbox):\r\nRansom note used in this attack\r\nWhen analyzing the unpacked payload, we can see that the ransomware is not written to install itself on a machine; rather, it is written as a command-line tool that attackers run after gaining access to target machines. 
The unpacked tool even provides a command-line help message, shown in the screenshot below.\r\nCommand help message\r\nPacker Decryption\r\nThe packer’s decryption process is as follows:\r\nThe packed binary is executed with a 16-byte decryption key passed as a command-line parameter; the packer uses this key to decrypt the payload.\r\nThe encrypted blob is located in the overlay of the packed binary. Its position in the file is obtained by parsing the PE header of the binary:\r\nParsing PE headers\r\nThe encrypted blob is then decrypted with AES-128-CBC, using an IV that is passed as a string embedded in the binary, as shown in the image below:\r\nLocating the IV\r\nThe packer then resolves the entry point of the decrypted payload and passes execution to it:\r\nFinding and jumping to the entry point of the packed binary\r\nUnpacking Tool\r\nTo assist in the analysis, the Profero team has developed a tool that unpacks the binary and does the following:\r\nChecks whether the packed binary is a Hello Kitty binary\r\nExtracts the RSA key, the C2 server used, the IV, etc.\r\nUnpacks the packed file\r\nThe tool can be executed as follows:\r\n./HelloKittyUnpacker.exe [input] [key] [dump]\r\nWe hope that this tool will assist in speeding up analysis in any future incidents involving this malware. 
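As an added illustration (this is not code from the post or from the HelloKittyUnpacker repository), the following Go program implements the static unpacking steps described above: it locates the overlay by parsing the PE section table, carves the blob that follows the last section, and decrypts it with AES-128-CBC using a 16-byte key and a 16-byte IV supplied by the caller. The packed sample is constructed inside the program (a minimal PE32+ stub with an AES-CBC blob appended as its overlay); the key, IV and payload bytes are made-up values, and PKCS#7 padding of the payload is an assumption, since the post does not describe the padding scheme. The function and variable names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"debug/pe"
	"encoding/binary"
	"errors"
	"fmt"
)

// findOverlayOffset walks the section table and returns the file offset where the overlay starts.
func findOverlayOffset(image []byte) (int, error) {
	f, err := pe.NewFile(bytes.NewReader(image))
	if err != nil {
		return 0, fmt.Errorf("not a parseable PE file: %w", err)
	}
	end := 0
	for _, s := range f.Sections { // s.Offset and s.Size are PointerToRawData and SizeOfRawData
		if e := int(s.Offset) + int(s.Size); e > end {
			end = e // the overlay begins after the section that ends furthest into the file
		}
	}
	if end == 0 || end > len(image) {
		return 0, fmt.Errorf("section table claims data ending at %#x in a %d-byte file", end, len(image))
	}
	return end, nil
}

// unpackPayload carves the overlay and decrypts it with AES-128-CBC using the 16-byte command-line
// key and the embedded IV. PKCS#7 padding is an assumption of this example, not taken from the post.
func unpackPayload(image, key, iv []byte) ([]byte, error) {
	if len(key) != 16 || len(iv) != aes.BlockSize {
		return nil, errors.New("key and IV must both be 16 bytes (AES-128-CBC)")
	}
	off, err := findOverlayOffset(image)
	if err != nil {
		return nil, err
	}
	blob := image[off:]
	if len(blob) == 0 || len(blob)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("overlay at %#x is missing or not block-aligned (%d bytes)", off, len(blob))
	}
	block, _ := aes.NewCipher(key) // key length validated above
	plain := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, blob)
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize || bytes.Count(plain[len(plain)-pad:], []byte{byte(pad)}) != pad {
		return nil, errors.New("invalid PKCS#7 padding (wrong key?)")
	}
	plain = plain[:len(plain)-pad]
	if !bytes.HasPrefix(plain, []byte("MZ")) { // the payload is itself a PE; a wrong IV only garbles block 0
		return nil, errors.New("decrypted data is not a PE image (wrong key or IV?)")
	}
	return plain, nil
}

// packPayload mirrors the packer side: PKCS#7-pad, AES-128-CBC encrypt, append as the overlay.
func packPayload(stub, payload, key, iv []byte) []byte {
	block, _ := aes.NewCipher(key) // callers pass a 16-byte key
	pad := aes.BlockSize - len(payload)%aes.BlockSize
	padded := append(append([]byte{}, payload...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	enc := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(enc, padded)
	return append(append([]byte{}, stub...), enc...)
}

// buildStubPE constructs a minimal PE32+ image (one 0x200-byte .text section at file offset 0x200) that stands in for the packed Go binary; it is not a real executable.
func buildStubPE() []byte {
	const align = 0x200
	var buf bytes.Buffer
	dos := make([]byte, 64)
	copy(dos, "MZ")
	binary.LittleEndian.PutUint32(dos[0x3c:], 64) // e_lfanew: the PE signature follows the DOS header
	buf.Write(dos)
	buf.WriteString("PE\x00\x00")
	binary.Write(&buf, binary.LittleEndian, pe.FileHeader{Machine: pe.IMAGE_FILE_MACHINE_AMD64,
		NumberOfSections: 1, SizeOfOptionalHeader: uint16(binary.Size(pe.OptionalHeader64{})),
		Characteristics: 0x22}) // EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
	binary.Write(&buf, binary.LittleEndian, pe.OptionalHeader64{Magic: 0x20b, ImageBase: 0x140000000,
		SectionAlignment: 0x1000, FileAlignment: align, SizeOfHeaders: align, NumberOfRvaAndSizes: 16})
	sh := pe.SectionHeader32{VirtualSize: align, VirtualAddress: 0x1000, SizeOfRawData: align,
		PointerToRawData: align, Characteristics: 0x60000020} // CODE | EXECUTE | READ
	copy(sh.Name[:], ".text")
	binary.Write(&buf, binary.LittleEndian, sh)
	buf.Write(make([]byte, align-buf.Len()))      // pad the headers out to FileAlignment
	buf.Write(bytes.Repeat([]byte{0xC3}, align)) // section body: a page of RET instructions
	return buf.Bytes()
}

func main() {
	key := []byte("0123456789abcdef") // stands in for the 16-byte key passed on the command line
	iv := []byte("fedcba9876543210")  // stands in for the IV string embedded in the packer
	payload := append([]byte("MZ"), bytes.Repeat([]byte{0x90}, 100)...) // constructed stand-in payload
	packed := packPayload(buildStubPE(), payload, key, iv)
	out, err := unpackPayload(packed, key, iv)
	fmt.Printf("recovered %d-byte payload, err=%v\n", len(out), err)
}
```

On a real sample the key is the command-line argument the packer was launched with and the IV is the string the post shows being located in the binary; the two sanity checks at the end are worth keeping in any such tool, because with CBC a wrong IV corrupts only the first block, so the padding still validates and only the missing MZ signature reveals the mistake. The post's tool additionally extracts the RSA key and C2 server from the payload, which this example does not attempt.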
In\r\naddition, we wanted to open source the code so it can be used as a blueprint for similar malware.\r\nIt can be found on GitHub:\r\nhttps://github.com/proferosec/HelloKittyUnpacker\r\nSource: https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7"
	],
	"report_names": [
		"static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7"
	],
	"threat_actors": [],
	"ts_created_at": 1775434001,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e6d03bd1ffa16c52edd544293aaca483274c47b.pdf",
		"text": "https://archive.orkl.eu/5e6d03bd1ffa16c52edd544293aaca483274c47b.txt",
		"img": "https://archive.orkl.eu/5e6d03bd1ffa16c52edd544293aaca483274c47b.jpg"
	}
}