Technical Analysis & Remediation
The malware operates as a standalone executable compiled via PyInstaller, meaning the host does not require Python to be natively installed. Upon execution, it leverages threading to launch multiple concurrent data collection modules.
MITRE ATT&CK Mapping
T1082 (System Information Discovery)
Executes SYSTEMINFO.EXE and WHOAMI.EXE to fingerprint the host.
T1555.003 (Credentials from Password Stores)
Targets SQLite databases in Chromium and Gecko-based browsers, extracting the master encryption key from the Chromium 'Local State' file to decrypt AES-GCM secured passwords.
T1202 (Indirect Command Execution)
Heavy reliance on LOLBins (Living-Off-the-Land Binaries) such as TASKKILL.EXE, used to terminate browser processes and release the lock on their database files.
T1053.005 (Scheduled Task)
Uses schtasks /sc onlogon to establish persistence.
T1567.002 (Exfiltration to Cloud Storage)
Archives stolen data and uploads it to GoFile, forwarding the download link via Discord Webhooks or Telegram Bot APIs.
CVE Profile
N/A [CISA KEV Status: Inactive].
This threat relies on user execution and operational abuse of native tools, not on exploitation of a software vulnerability.
Telemetry
Hashes
MD5: 598adf7491ff46f6b88d83841609b5cc
SHA256: f56afcdfd07386ecc127aa237c1a045332e4cc5822a9bcc77994d8882f074dd1
File Paths
Creates a staging directory at %LOCALAPPDATA%\Temp named "KIRK_administrator".
Registry/Processes
Executes Add-MpPreference -ExclusionPath via PowerShell to add Microsoft Defender exclusions if elevated privileges are obtained.
Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)
GOVERN (GV) – Crisis Management & Oversight
Initiate incident response protocols for credential compromise and session hijacking; notify legal and compliance teams if exposed data included customer PII or proprietary source code.
DETECT (DE) – Monitoring & Analysis
Hunt Event ID 4688 (Process Creation) logs for TASKKILL.EXE targeting multiple browser processes in rapid succession (the "Include command line in process creation events" audit policy must be enabled for the command line to be recorded in 4688).
Monitor SIEM for an abnormal volume of file access events within the %LOCALAPPDATA%\Temp directory followed by archive creation.
Alert on outbound HTTPS connections to GoFile APIs and to unsanctioned Discord Webhook or Telegram Bot endpoints.
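The first hunt above, worked as an added example that is not part of the original report: a small Python detector that reads 4688-style process creation records, keeps only TASKKILL.EXE launches aimed at browser images, and flags a host where several distinct browsers are killed within a short window. The event records are constructed sample data, and the browser image list and 30-second window are assumptions to tune per environment.

```python
from datetime import datetime, timedelta
import re

# Browser images whose locked credential databases a stealer must free (assumed list; extend as needed).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
IM_RE = re.compile(r'/im\s+"?([\w.-]+)"?', re.IGNORECASE)  # taskkill /IM <image>

# Constructed sample Event ID 4688 records (not real telemetry): one per process creation.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:01", "host": "WS01", "image": r"C:\Windows\System32\taskkill.exe", "cmd": "taskkill /f /im chrome.exe"},
    {"ts": "2024-05-01T10:00:02", "host": "WS01", "image": r"C:\Windows\System32\taskkill.exe", "cmd": "taskkill /F /IM msedge.exe"},
    {"ts": "2024-05-01T10:00:03", "host": "WS01", "image": r"C:\Windows\System32\taskkill.exe", "cmd": "taskkill /f /im firefox.exe"},
    {"ts": "2024-05-01T10:00:04", "host": "WS01", "image": r"C:\Windows\System32\whoami.exe", "cmd": "whoami"},
    {"ts": "2024-05-01T11:30:00", "host": "WS02", "image": r"C:\Windows\System32\taskkill.exe", "cmd": "taskkill /im chrome.exe"},
    {"ts": "2024-05-01T12:45:00", "host": "WS02", "image": r"C:\Windows\System32\taskkill.exe", "cmd": "taskkill /im msedge.exe"},
]

def browser_target(event):
    """Return the browser image a taskkill event targets, or None for anything else."""
    if not event["image"].lower().endswith("\\taskkill.exe"):
        return None
    m = IM_RE.search(event["cmd"])
    if m and m.group(1).lower() in BROWSER_IMAGES:
        return m.group(1).lower()
    return None

def find_browser_kill_bursts(events, window=timedelta(seconds=30), min_targets=2):
    """Flag hosts where taskkill hit at least min_targets distinct browsers within one window."""
    per_host = {}
    for ev in events:
        target = browser_target(ev)
        if target:
            per_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), target))
    findings = []
    for host, hits in per_host.items():
        hits.sort()  # chronological, so each hit can open a sliding window
        for i, (start, _) in enumerate(hits):
            in_window = {t for ts, t in hits[i:] if ts - start <= window}
            if len(in_window) >= min_targets:
                findings.append({"host": host, "start": start.isoformat(), "targets": sorted(in_window)})
                break  # one finding per host is enough for triage
    return findings

if __name__ == "__main__":
    for f in find_browser_kill_bursts(SAMPLE_EVENTS):
        print(f"ALERT {f['host']} @ {f['start']}: taskkill against {', '.join(f['targets'])}")
```

WS02 in the sample kills two browsers more than an hour apart and is deliberately not flagged, which is the kind of ordinary user or admin activity the window is meant to exclude.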
RESPOND (RS) – Mitigation & Containment
Isolate the affected endpoint(s) from the corporate network immediately.
Kill unauthorized Python or PowerShell interpreter processes and delete the "KIRK_administrator" staging directory.
RECOVER (RC) – Restoration & Trust
Force immediate credential rotation and MFA token revocation for all identities associated with the compromised host (including VPN, Email, and Cloud environments).
Validate the clean state by verifying the removal of malicious logon Scheduled Tasks.
IDENTIFY & PROTECT (ID/PR) – The Feedback Loop
Implement Windows Defender Application Control (WDAC) or AppLocker to explicitly restrict the execution of unsigned binaries originating from %TEMP%, %APPDATA%, and %LOCALAPPDATA%.
Enable Microsoft Defender Attack Surface Reduction (ASR) rules to block Office applications or unrecognized scripts from spawning child processes.
Remediation - THE HOME USER TRACK (Safety Focus)
Priority 1: Safety
Disconnect from the internet immediately. (This severs the malware's ability to exfiltrate the generated ZIP archive to the attacker's cloud hosting.)
Do not log into banking or email until the device is verified clean.
Priority 2: Identity
Reset passwords/MFA using a known clean device (e.g., your smartphone connected to 5G cellular data). Ensure you specifically rotate credentials for Discord, Steam, Minecraft, and all accounts saved in your web browsers, as these are actively targeted by this payload.
Priority 3: Persistence
Check Scheduled Tasks (taskschd.msc) for any abnormal tasks set to run at user logon.
Verify Microsoft Defender exclusion lists (Settings > Privacy & Security > Windows Security > Virus & threat protection settings > Exclusions) and remove any unauthorized paths.
Hardening & References
Baseline
CIS Microsoft Windows 11 Benchmark (v3.0.0) - Focus on disabling unnecessary administrative utilities for standard users.
Framework
NIST CSF 2.0 / SP 800-61r3.
Style
Zero-Trust architecture applied to locally stored session tokens. Disable native browser password storage where a password manager with hardware-backed encryption can be used instead.
Source
CYFIRMA Threat Intelligence Report