EvilBunny is a C++ malware sample observed since 2011 that was designed to be a execution platform for Lua scripts.[1]

ID: S0396
Platforms: Windows
Contributors: ESET
Version: 1.1
Created: 28 June 2019
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

EvilBunny has executed C2 commands directly via HTTP.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

EvilBunny has created Registry keys for persistence in [HKLM|HKCU]\…\CurrentVersion\Run.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

EvilBunny has an integrated scripting engine to download and execute Lua scripts.[1]

Enterprise T1203 Exploitation for Client Execution

EvilBunny has exploited CVE-2011-4369, a vulnerability in the PRC component in Adobe Reader.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

EvilBunny has deleted the initial dropper after running through the environment checks.[1]

Enterprise T1105 Ingress Tool Transfer

EvilBunny has downloaded additional Lua scripts from the C2.[1]

Enterprise T1057 Process Discovery

EvilBunny has used EnumProcesses() to identify how many process are running in the environment.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

EvilBunny has executed commands via scheduled tasks.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

EvilBunny has been observed querying installed antivirus software.[1]

Enterprise T1124 System Time Discovery

EvilBunny has used the API calls NtQuerySystemTime, GetSystemTimeAsFileTime, and GetTickCount to check to see if the malware is running in a sandbox.[1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

EvilBunny for a number of specific processes and the length of its own name to identify if the malware is in a sandbox environment.[1]

Enterprise T1047 Windows Management Instrumentation

EvilBunny has used WMI to gather information about the system.[1]