Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

EvilBunny

EvilBunny is a C++ malware sample observed since 2011 that was designed to be a execution platform for Lua scripts.(Citation: Cyphort EvilBunny Dec 2014)
ID: S0396
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 28 Jun 2019
Last Modified: 05 Aug 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

EvilBunny has executed C2 commands directly via HTTP.(Citation: Cyphort EvilBunny Dec 2014)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

EvilBunny has created Registry keys for persistence in [HKLM|HKCU]\…\CurrentVersion\Run.(Citation: Cyphort EvilBunny Dec 2014)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

EvilBunny has an integrated scripting engine to download and execute Lua scripts.(Citation: Cyphort EvilBunny Dec 2014)

.011 Command and Scripting Interpreter: Lua

EvilBunny has used Lua scripts to execute payloads.(Citation: Cyphort EvilBunny)

Enterprise T1070 .004 Indicator Removal: File Deletion

EvilBunny has deleted the initial dropper after running through the environment checks.(Citation: Cyphort EvilBunny Dec 2014)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

EvilBunny has executed commands via scheduled tasks.(Citation: Cyphort EvilBunny Dec 2014)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

EvilBunny has been observed querying installed antivirus software.(Citation: Cyphort EvilBunny Dec 2014)

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

EvilBunny's dropper has checked the number of processes and the length and strings of its own file name to identify if the malware is in a sandbox environment.(Citation: Cyphort EvilBunny Dec 2014)

.003 Virtualization/Sandbox Evasion: Time Based Evasion

EvilBunny has used time measurements from 3 different APIs before and after performing sleep operations to check and abort if the malware is running in a sandbox.(Citation: Cyphort EvilBunny Dec 2014)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.