
EvilBunny

EvilBunny is a C++ malware sample observed since 2011 that was designed to be an execution platform for Lua scripts.[1]

ID: S0396
Type: MALWARE
Platforms: Windows
Contributors: ESET
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1203 | Exploitation for Client Execution | EvilBunny has exploited CVE-2011-4369, a vulnerability in the PRC component in Adobe Reader. [1] |
| Enterprise | T1107 | File Deletion | EvilBunny has deleted the initial dropper after running through the environment checks. [1] |
| Enterprise | T1057 | Process Discovery | EvilBunny has used EnumProcesses() to identify how many processes are running in the environment. [1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | EvilBunny has created Registry keys for persistence in [HKLM\|HKCU]\…\CurrentVersion\Run. [1] |
| Enterprise | T1105 | Remote File Copy | EvilBunny has downloaded additional Lua scripts from the C2. [1] |
| Enterprise | T1053 | Scheduled Task | EvilBunny has executed commands via scheduled tasks. [1] |
| Enterprise | T1064 | Scripting | EvilBunny has an integrated scripting engine to download and execute Lua scripts. [1] |
| Enterprise | T1063 | Security Software Discovery | EvilBunny has been observed querying installed antivirus software. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | EvilBunny has executed C2 commands directly via HTTP. [1] |
| Enterprise | T1124 | System Time Discovery | EvilBunny has used the API calls NtQuerySystemTime, GetSystemTimeAsFileTime, and GetTickCount to check whether the malware is running in a sandbox. [1] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | EvilBunny has checks in place to identify whether the malware is in a sandbox environment. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | EvilBunny has used WMI to gather information about the system. [1] |

References