# S0396 EvilBunny
EvilBunny is a C++ malware sample observed since 2011 that was designed to be an execution platform for Lua scripts.[1]
| Item | Value |
|---|---|
| ID | S0396 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 28 June 2019 |
| Last Modified | 02 April 2021 |
## Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | EvilBunny has executed C2 commands directly via HTTP.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | EvilBunny has created Registry keys for persistence in [HKLM |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | EvilBunny has an integrated scripting engine to download and execute Lua scripts.[1] |
| enterprise | T1203 | Exploitation for Client Execution | EvilBunny has exploited CVE-2011-4369, a vulnerability in the PRC component in Adobe Reader.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | EvilBunny has deleted the initial dropper after running through the environment checks.[1] |
| enterprise | T1105 | Ingress Tool Transfer | EvilBunny has downloaded additional Lua scripts from the C2.[1] |
| enterprise | T1106 | Native API | EvilBunny has used various API calls as part of its checks to see if the malware is running in a sandbox.[1] |
| enterprise | T1057 | Process Discovery | EvilBunny has used EnumProcesses() to identify how many processes are running in the environment.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | EvilBunny has executed commands via scheduled tasks.[1] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | EvilBunny has been observed querying installed antivirus software.[1] |
| enterprise | T1124 | System Time Discovery | EvilBunny has used the API calls NtQuerySystemTime, GetSystemTimeAsFileTime, and GetTickCount to gather time metrics as part of its checks to see if the malware is running in a sandbox.[1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | EvilBunny's dropper has checked the number of processes and the length and strings of its own file name to identify if the malware is in a sandbox environment.[1] |
| enterprise | T1497.003 | Time Based Evasion | EvilBunny has used time measurements from 3 different APIs before and after performing sleep operations to check and abort if the malware is running in a sandbox.[1] |
| enterprise | T1047 | Windows Management Instrumentation | EvilBunny has used WMI to gather information about the system.[1] |