The sub-techniques beta is now live! Read the release blog post for more info.


EvilBunny is a C++ malware sample observed since 2011 that was designed to be a execution platform for Lua scripts.[1]

ID: S0396
Platforms: Windows
Contributors: ESET
Version: 1.0
Created: 28 June 2019
Last Modified: 01 July 2019

Techniques Used

Domain ID Name Use
Enterprise T1203 Exploitation for Client Execution

EvilBunny has exploited CVE-2011-4369, a vulnerability in the PRC component in Adobe Reader.[1]

Enterprise T1107 File Deletion

EvilBunny has deleted the initial dropper after running through the environment checks.[1]

Enterprise T1057 Process Discovery

EvilBunny has used EnumProcesses() to identify how many process are running in the environment.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

EvilBunny has created Registry keys for persistence in [HKLM|HKCU]\…\CurrentVersion\Run. [1]

Enterprise T1105 Remote File Copy

EvilBunny has downloaded additional Lua scripts from the C2.[1]

Enterprise T1053 Scheduled Task

EvilBunny has executed commands via scheduled tasks.[1]

Enterprise T1064 Scripting

EvilBunny has an integrated scripting engine to download and execute Lua scripts.[1]

Enterprise T1063 Security Software Discovery

EvilBunny has been observed querying installed antivirus software.[1]

Enterprise T1071 Standard Application Layer Protocol

EvilBunny has executed C2 commands directly via HTTP.[1]

Enterprise T1124 System Time Discovery

EvilBunny has used the API calls NtQuerySystemTime, GetSystemTimeAsFileTime, and GetTickCount to check to see if the malware is running in a sandbox.[1]

Enterprise T1497 Virtualization/Sandbox Evasion

EvilBunny has checks in place to identify if the malware is in a sandbox environment. [1]

Enterprise T1047 Windows Management Instrumentation

EvilBunny has used WMI to gather information about the system.[1]