Skip to content

S0396 EvilBunny

EvilBunny is a C++ malware sample observed since 2011 that was designed to be a execution platform for Lua scripts.1

Item Value
ID S0396
Associated Names
Version 1.2
Created 28 June 2019
Last Modified 02 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols EvilBunny has executed C2 commands directly via HTTP.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder EvilBunny has created Registry keys for persistence in [HKLM
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell EvilBunny has an integrated scripting engine to download and execute Lua scripts.1
enterprise T1203 Exploitation for Client Execution EvilBunny has exploited CVE-2011-4369, a vulnerability in the PRC component in Adobe Reader.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion EvilBunny has deleted the initial dropper after running through the environment checks.1
enterprise T1105 Ingress Tool Transfer EvilBunny has downloaded additional Lua scripts from the C2.1
enterprise T1106 Native API EvilBunny has used various API calls as part of its checks to see if the malware is running in a sandbox.1
enterprise T1057 Process Discovery EvilBunny has used EnumProcesses() to identify how many process are running in the environment.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task EvilBunny has executed commands via scheduled tasks.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery EvilBunny has been observed querying installed antivirus software.1
enterprise T1124 System Time Discovery EvilBunny has used the API calls NtQuerySystemTime, GetSystemTimeAsFileTime, and GetTickCount to gather time metrics as part of its checks to see if the malware is running in a sandbox.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks EvilBunny‘s dropper has checked the number of processes and the length and strings of its own file name to identify if the malware is in a sandbox environment.1
enterprise T1497.003 Time Based Evasion EvilBunny has used time measurements from 3 different APIs before and after performing sleep operations to check and abort if the malware is running in a sandbox.1
enterprise T1047 Windows Management Instrumentation EvilBunny has used WMI to gather information about the system.1