EvilBunny
December 21, 2023
| ID | X0036 |
| Type | Bot/Botnet |
| Aliases | None |
| Platforms | Windows |
| Year | 2011 |
| Associated ATT&CK Software | EvilBunny |
EvilBunny
The malware is written in C++ and designed to be an execution platform for Lua scripts.
ATT&CK Techniques
See ATT&CK: EvilBunny - Techniques Used.
Enhanced ATT&CK Techniques
| Name | Use |
|---|---|
| Execution::Command and Scripting Interpreter (E1059) | EvilBunny executes Lua scripts. [1] |
| Command and Control::C2 Communication (B0030) | EvilBunny communicates with C2 via HTTP. [1] |
MBC Behaviors
| Name | Use |
|---|---|
| Anti-Behavioral Analysis::Sandbox Detection (B0007) | EvilBunny hooks time retrieval APIs and calls each API twice to calculate a delta. Execution aborts depending on the delta value. [1] |
| Defense Evasion::Polymorphic Code (B0029) | EvilBunny utilizes Lua scripts to exhibit polymorphism. [1] |
Indicators of Compromise
SHA256 Hashes
- be14d781b85125a6074724964622ab05f89f41e6bacbda398bc7709d1d98a2ef
References
[1] https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/