{
  "description": "Enterprise techniques used by EvilBunny, ATT&CK software S0396 (v1.3)",
  "name": "EvilBunny (S0396)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[EvilBunny](https://attack.mitre.org/software/S0396) has executed C2 commands directly via HTTP.(Citation: Cyphort EvilBunny Dec 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[EvilBunny](https://attack.mitre.org/software/S0396) has created Registry keys for persistence in [HKLM|HKCU]\\\u2026\\CurrentVersion\\Run.(Citation: Cyphort EvilBunny Dec 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[EvilBunny](https://attack.mitre.org/software/S0396) has an integrated scripting engine to download and execute Lua scripts.(Citation: Cyphort EvilBunny Dec 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.011", "comment": "[EvilBunny](https://attack.mitre.org/software/S0396) has used Lua scripts to execute payloads.(Citation: Cyphort EvilBunny)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1203", "comment": "[EvilBunny](https://attack.mitre.org/software/S0396) has exploited CVE-2011-4369, a vulnerability in the PRC component in Adobe Reader.(Citation: Cyphort EvilBunny Dec 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[EvilBunny](https://attack.mitre.org/software/S0396) has deleted the initial dropper after running through the environment checks.(Citation: Cyphort EvilBunny Dec 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[EvilBunny](https://attack.mitre.org/software/S0396) has downloaded additional Lua scripts from the C2.(Citation: Cyphort EvilBunny Dec 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[EvilBunny](https://attack.mitre.org/software/S0396) has used various API calls as part of its checks to see if the malware is running in a sandbox.(Citation: Cyphort EvilBunny Dec 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1057", "comment": "[EvilBunny](https://attack.mitre.org/software/S0396) has used EnumProcesses() to identify how many processes are running in the environment.(Citation: Cyphort EvilBunny Dec 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[EvilBunny](https://attack.mitre.org/software/S0396) has executed commands via scheduled tasks.(Citation: Cyphort EvilBunny Dec 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1518", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[EvilBunny](https://attack.mitre.org/software/S0396) has been observed querying installed antivirus software.(Citation: Cyphort EvilBunny Dec 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1124", "comment": "[EvilBunny](https://attack.mitre.org/software/S0396) has used the API calls NtQuerySystemTime, GetSystemTimeAsFileTime, and GetTickCount to gather time metrics as part of its checks to see if the malware is running in a sandbox.(Citation: Cyphort EvilBunny Dec 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1497", "showSubtechniques": true},
    {"techniqueID": "T1497.001", "comment": "[EvilBunny](https://attack.mitre.org/software/S0396)'s dropper has checked the number of processes and the length and strings of its own file name to identify if the malware is in a sandbox environment.(Citation: Cyphort EvilBunny Dec 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497.003", "comment": "[EvilBunny](https://attack.mitre.org/software/S0396) has used time measurements from 3 different APIs before and after performing sleep operations to check and abort if the malware is running in a sandbox.(Citation: Cyphort EvilBunny Dec 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1047", "comment": "[EvilBunny](https://attack.mitre.org/software/S0396) has used WMI to gather information about the system.(Citation: Cyphort EvilBunny Dec 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by EvilBunny", "color": "#66b1ff"}]
}
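The sleep-timing sandbox check that the T1124 and T1497.003 entries describe (sample three time sources, sleep, sample again, abort on a discrepancy), as an added example that is not EvilBunny's code and not part of the ATT&CK layer. Python's `time.time`, `time.monotonic` and `time.perf_counter` stand in for the three Windows APIs named in the layer (NtQuerySystemTime, GetSystemTimeAsFileTime, GetTickCount), `SkippingSandbox` is a constructed stand-in for an analysis sandbox rather than any real product, and the 50% tolerance is an assumed threshold.

```python
import time
from dataclasses import dataclass
from typing import Callable, Tuple

# Reason strings returned by the check (constants so callers can match on them).
REASON_CONSISTENT = "consistent"
REASON_EARLY_RETURN = "sleep returned early"
REASON_CLOCK_DISAGREEMENT = "clock sources disagree"

ClockSampler = Callable[[], Tuple[float, float, float]]


@dataclass
class TimingVerdict:
    requested_s: float
    elapsed: Tuple[float, float, float]  # per clock source, in seconds
    suspicious: bool
    reason: str


def host_clocks() -> Tuple[float, float, float]:
    """Three independent host time sources.

    Assumption: these stand in for the three Windows APIs the layer names
    (NtQuerySystemTime, GetSystemTimeAsFileTime, GetTickCount); the real
    sample is Windows-only, the idea is identical.
    """
    return (time.time(), time.monotonic(), time.perf_counter())


def sleep_skew_check(
    requested_s: float = 0.2,
    sleep_fn: Callable[[float], None] = time.sleep,
    sample_clocks: ClockSampler = host_clocks,
    tolerance: float = 0.5,
) -> TimingVerdict:
    """Sample all clocks, sleep, sample again, and compare.

    A sandbox that hooks Sleep() to return immediately (to fast-forward the
    sample) shows up as an elapsed interval far below what was requested.
    A sandbox that also patches *one* clock to hide the skip is caught by
    the first test: the three sources no longer agree with each other.
    """
    before = sample_clocks()
    sleep_fn(requested_s)
    after = sample_clocks()
    elapsed = tuple(a - b for a, b in zip(after, before))

    # Test 1: do the three sources agree on how long the sleep took?
    spread = max(elapsed) - min(elapsed)
    if spread > requested_s * tolerance:
        return TimingVerdict(requested_s, elapsed, True, REASON_CLOCK_DISAGREEMENT)

    # Test 2: did the sleep actually take (roughly) as long as requested?
    floor = requested_s * (1.0 - tolerance)
    if any(e < floor for e in elapsed):
        return TimingVerdict(requested_s, elapsed, True, REASON_EARLY_RETURN)

    return TimingVerdict(requested_s, elapsed, False, REASON_CONSISTENT)


class SkippingSandbox:
    """Constructed stand-in for an analysis sandbox (not a real product).

    Its sleep() never waits. With patch_wall=True it also advances the
    wall-clock source by the requested interval, mimicking a sandbox that
    patches only the system-time API and forgets the tick counter.
    """

    def __init__(self, patch_wall: bool = False) -> None:
        self.wall = 1_700_000_000.0  # arbitrary epoch seconds (constructed)
        self.ticks = 12_345.0        # arbitrary uptime seconds (constructed)
        self.patch_wall = patch_wall

    def sleep(self, seconds: float) -> None:
        # No real wait; optionally fake the wall clock to hide the skip.
        if self.patch_wall:
            self.wall += seconds

    def clocks(self) -> Tuple[float, float, float]:
        return (self.wall, self.ticks, self.ticks)


if __name__ == "__main__":
    print("host:", sleep_skew_check(0.1))
    naive = SkippingSandbox()
    print("naive sandbox:", sleep_skew_check(0.2, naive.sleep, naive.clocks))
    clever = SkippingSandbox(patch_wall=True)
    print("wall-patched sandbox:", sleep_skew_check(0.2, clever.sleep, clever.clocks))
```

On a real host the verdict is `consistent`; the naive sandbox is flagged because the sleep returns early on every clock, and the wall-patched sandbox is flagged because the three sources disagree. The defensive lesson is the mirror image: a sandbox that shortens sleeps has to advance every time source the sample can reach, coherently, or the skip itself becomes the fingerprint.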