EvilBunny

EvilBunny is a C++ malware sample observed since 2011 that was designed to be an execution platform for Lua scripts.[1]

ID: S0396
Type: MALWARE
Platforms: Windows
Contributors: ESET
Version: 1.3
Created: 28 June 2019
Last Modified: 05 August 2024

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

EvilBunny has used WMI to gather information about the system.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

EvilBunny has created Registry keys for persistence in [HKLM|HKCU]\…\CurrentVersion\Run.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

EvilBunny has an integrated scripting engine to download and execute Lua scripts.[1]

.011 Command and Scripting Interpreter: Lua

EvilBunny has used Lua scripts to execute payloads.[2]

Enterprise T1203 Exploitation for Client Execution

EvilBunny has exploited CVE-2011-4369, a vulnerability in the PRC component in Adobe Reader.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

EvilBunny has executed C2 commands directly via HTTP.[1]

Enterprise T1106 Native API

EvilBunny has used various API calls as part of its checks to see if the malware is running in a sandbox.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

EvilBunny has deleted the initial dropper after running through the environment checks.[1]

Enterprise T1124 System Time Discovery

EvilBunny has used the API calls NtQuerySystemTime, GetSystemTimeAsFileTime, and GetTickCount to gather time metrics as part of its checks to see if the malware is running in a sandbox.[1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

EvilBunny's dropper has checked the number of processes and the length and strings of its own file name to identify if the malware is in a sandbox environment.[1]

.003 Virtualization/Sandbox Evasion: Time Based Evasion

EvilBunny has used time measurements from 3 different APIs before and after performing sleep operations to check and abort if the malware is running in a sandbox.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

EvilBunny has been observed querying installed antivirus software.[1]

Enterprise T1105 Ingress Tool Transfer

EvilBunny has downloaded additional Lua scripts from the C2.[1]

Enterprise T1057 Process Discovery

EvilBunny has used EnumProcesses() to identify how many processes are running in the environment.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

EvilBunny has executed commands via scheduled tasks.[1]

References