EvilBunny
EvilBunny is a C++ malware sample observed since 2011 that was designed to be a execution platform for Lua scripts.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
EvilBunny has created Registry keys for persistence in |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
EvilBunny has an integrated scripting engine to download and execute Lua scripts.[1] |
| Enterprise | T1203 | Exploitation for Client Execution |
EvilBunny has exploited CVE-2011-4369, a vulnerability in the PRC component in Adobe Reader.[1] |
|
| Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
EvilBunny has deleted the initial dropper after running through the environment checks.[1] |
| Enterprise | T1105 | Ingress Tool Transfer |
EvilBunny has downloaded additional Lua scripts from the C2.[1] |
|
| Enterprise | T1057 | Process Discovery |
EvilBunny has used EnumProcesses() to identify how many process are running in the environment.[1] |
|
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task | |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
EvilBunny has been observed querying installed antivirus software.[1] |
| Enterprise | T1124 | System Time Discovery |
EvilBunny has used the API calls NtQuerySystemTime, GetSystemTimeAsFileTime, and GetTickCount to check to see if the malware is running in a sandbox.[1] |
|
| Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
EvilBunny for a number of specific processes and the length of its own name to identify if the malware is in a sandbox environment.[1] |
| Enterprise | T1047 | Windows Management Instrumentation |
EvilBunny has used WMI to gather information about the system.[1] |
|