{
	"id": "126adcf3-aafb-4be3-9170-5dfce35c8f65",
	"created_at": "2026-04-06T00:16:31.084908Z",
	"updated_at": "2026-04-10T03:21:56.276333Z",
	"deleted_at": null,
	"sha1_hash": "3c95178be41d8abb07a6a18656dbf6fd2dfcba8e",
	"title": "EvilBunny: Malware Instrumented By Lua - Cyphort",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 233658,
	"plain_text": "EvilBunny: Malware Instrumented By Lua - Cyphort\r\nPublished: 2014-12-16 · Archived: 2026-04-02 11:20:20 UTC\r\nCyphort Labs has come across a sophisticated malware sample that aims to trick sandboxes and uses rather\r\nuncommon tricks to evade detection. The malware is dubbed ‘EvilBunny’ and is designed to be an execution\r\nplatform for Lua scripts injected by the attacker.\r\nEvilBunny is a technically fascinating piece of malware, among a set of targeted samples seen in the wild around\r\n2011. The name EvilBunny is derived from debug information embedded in the malware’s dropper. The malware\r\nitself is written in C++, is multi-threaded, aims to detect installed anti-virus and firewall solutions and accepts a vast\r\nnumber of different control commands. Furthermore, the sample incorporates a Lua 5.1 interpreter, which\r\nallows the malware to execute Lua scripts and change its behavior at runtime.\r\nBINARY DETAILS\r\nMalware Dropper\r\nMD5  c40e3ee23cf95d992b7cd0b7c01b8599\r\nSHA-1 1e8b4c374db03dcca026c5feba0a5c117f740233\r\nFile Size 943.5 KB (966144 bytes)\r\nCompile Time 2011-10-25 19:28:00\r\nEvilBunny Payload\r\nMD5  3bbb59afdf9bda4ffdc644d9d51c53e7\r\nSHA-1 1798985f4cc2398a482f2232e72e5817562530de\r\nFile Size 773.5 KB (792064 bytes)\r\nCompile Time  2011-10-25 19:28:39\r\nTHE DROPPER\r\nThe EvilBunny malware was originally delivered through a malicious PDF document, exploiting CVE-2011-4369\r\nas reported on http://blog.9bplus.com/analyzing-cve-2011-4369-part-one/. 
After successful exploitation the\r\nmalware dropper would be loaded onto the system and infect the machine with EvilBunny.\r\nhttps://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/\r\nPage 1 of 6\n\nThe functionality of the dropper can be summarized in the following steps:\r\nSandbox check and anti-virus product enumeration\r\nDropping payload ‘netmgr.exe’\r\nCreating a registry key for persistence\r\nCreating a registry key for deletion of the dropper\r\nSearching for a sandbox environment, the malware tests the module file name to see if it is less than 5 characters\r\nlong or if it contains any of the four strings ‘klavme’, ‘myapp’, ‘TESTAPP’ or ‘afyjevmv.exe’. It also verifies whether\r\nfewer than 15 processes are running in the environment, using the API call EnumProcesses. If any of these\r\nconditions is met, execution aborts.\r\nAccessing the system’s WMI (Windows Management Instrumentation) the malware queries the installed anti-virus\r\nsoftware by issuing ‘SELECT * FROM AntiVirusProduct’ (the AntiVirusProduct class lives in the root\\SecurityCenter\r\nnamespace, root\\SecurityCenter2 on Windows Vista and later). 
Names of anti-virus products are not stored in clear text but as hard-coded SHA-256 hashes of the product\r\nname, namely the following:\r\nd4634c9d57c06983e1d2d6dc92e74e6103c132a97f8dc3e7158fa89420647ec3\r\n4db3801a45802041baa44334303e0498c2640cd5dfd6892545487bf7c8c9219f\r\nbfe74ca464620a62f11b8c47a3778bb132d84fecd90ce7c75817970f2eeeca51 Antivirus\r\n443b6fb65fa57d57ee3113e48e9b4ed1db2921d5352e27fa85064cd60553c3ff BitDefender\r\ne1625a7f2f6947ea8e9328e66562a8b255bc4d5721d427f943002bb2b9fc5645\r\n588730213eb6ace35caadcb651217bfbde3f615d94a9cca41a31ee9fa09b186c\r\nf1761a5e3856dceb3e14d4555af92d3d1ac47604841f69fc72328b53ab45ca56 Kaspersky\r\nIf any of the indicated products is installed and active on the machine, execution aborts. Since only the hash of\r\neach product name is embedded, the remaining entries can only be attributed by hashing candidate product names.\r\nThe dropper will place the EvilBunny malware under %APPDATA%\\Perf Manager\\ or %WINDIR%\\msapps\\,\r\ndepending on whether the dropper is running with administrative privileges or not. Persistence for the dropped\r\npayload is achieved by a registry key under [HKLM|HKCU]\\…\\CurrentVersion\\Run which points to the dropped\r\nbinary named netmgr.exe.\r\nEVIL BUNNY\r\nEvilBunny is a multi-threaded bot with an integrated scripting engine. It incorporates a Lua engine and downloads\r\nand executes Lua scripts to reach a certain level of polymorphism. The Lua scripts can call back into the C++ code\r\nto alter the malware behavior at runtime.\r\nThe malware seeks to keep a low profile on the infected machine, while executing the botmaster’s commands and\r\nLua scripts. In total EvilBunny exhibits three different methods for receiving C\u0026C input and executing\r\ncommands: directly via HTTP, through a downloaded database file or as a scheduled task. 
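The dropper’s host checks from THE DROPPER section above (module-name markers, running-process count and the SHA-256 comparison of anti-virus product names), reproduced as an added Python example; this is not code from the Cyphort write-up or from the malware itself. The encoding the dropper hashes the product name with and the case-sensitivity of the substring match are not stated in the write-up and are assumed here; the function names sha256_hex, sandbox_check, av_check and resolve_hashes and all sample inputs are constructed for the example. resolve_hashes goes one step beyond the text: it brute-forces the unlabelled hash entries with candidate product names, which is the only way to attribute them.

```python
import hashlib

# Constants as described in the write-up: module-name markers, the minimum
# module-name length and the minimum number of running processes the dropper
# expects on a real host.
SANDBOX_NAME_MARKERS = ('klavme', 'myapp', 'TESTAPP', 'afyjevmv.exe')
MIN_MODULE_NAME_LEN = 5
MIN_PROCESS_COUNT = 15

# The seven SHA-256 values the dropper carries; labels are the ones given in
# the write-up, None means the write-up leaves the product unnamed.
AV_NAME_HASHES = {
    'd4634c9d57c06983e1d2d6dc92e74e6103c132a97f8dc3e7158fa89420647ec3': None,
    '4db3801a45802041baa44334303e0498c2640cd5dfd6892545487bf7c8c9219f': None,
    'bfe74ca464620a62f11b8c47a3778bb132d84fecd90ce7c75817970f2eeeca51': 'Antivirus',
    '443b6fb65fa57d57ee3113e48e9b4ed1db2921d5352e27fa85064cd60553c3ff': 'BitDefender',
    'e1625a7f2f6947ea8e9328e66562a8b255bc4d5721d427f943002bb2b9fc5645': None,
    '588730213eb6ace35caadcb651217bfbde3f615d94a9cca41a31ee9fa09b186c': None,
    'f1761a5e3856dceb3e14d4555af92d3d1ac47604841f69fc72328b53ab45ca56': 'Kaspersky',
}


def sha256_hex(text):
    # Assumption: the dropper hashes the product name as UTF-8 bytes. The
    # write-up does not state the encoding (WMI hands back wide strings), so
    # a UTF-16LE variant may be needed when attributing the real entries.
    return hashlib.sha256(text.encode('utf-8')).hexdigest()


def sandbox_check(module_file_name, running_process_count):
    # Returns the first dropper check that fires, or None if the host passes.
    # Substring matching is assumed to be case-sensitive (not stated).
    if len(module_file_name) < MIN_MODULE_NAME_LEN:
        return 'short module name'
    for marker in SANDBOX_NAME_MARKERS:
        if marker in module_file_name:
            return 'module name contains ' + marker
    if running_process_count < MIN_PROCESS_COUNT:
        return 'fewer than %d processes' % MIN_PROCESS_COUNT
    return None


def av_check(display_names, hash_table=AV_NAME_HASHES):
    # Hash each AntiVirusProduct displayName and return (name, digest) for the
    # first one present in the dropper's list, or None if nothing matches.
    for name in display_names:
        digest = sha256_hex(name)
        if digest in hash_table:
            return name, digest
    return None


def resolve_hashes(hash_table, candidate_names):
    # Brute-force the hash list with candidate product names; returns a
    # digest -> name mapping for every candidate that hits.
    hits = {}
    for name in candidate_names:
        digest = sha256_hex(name)
        if digest in hash_table:
            hits[digest] = name
    return hits


def dropper_would_run(module_file_name, running_process_count, display_names):
    # Combine the checks the way the write-up describes: any hit aborts.
    if sandbox_check(module_file_name, running_process_count) is not None:
        return False
    return av_check(display_names) is None


if __name__ == '__main__':
    # Constructed inputs, not data from an infected host.
    print(sandbox_check('C:/Users/analyst/myapp.exe', 60))
    print(sandbox_check('C:/Users/analyst/report.exe', 9))
    print(dropper_would_run('C:/Users/analyst/report.exe', 60, []))
```

To validate a sandbox against these checks, feed it the real module path and the count EnumProcesses would return; a clean analysis VM needs a non-descript executable name and at least 15 running processes before the dropper proceeds to the WMI query.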
The malware will also\r\ngenerate numerous files to help its execution and frequently reply back to the C\u0026C with status messages.\r\nThe initial purpose of the malware seems to be sharing execution load among infected host machines. However,\r\ndue to the lack of the original Lua scripts and the extensive functionality of the embedded Lua engine, the original\r\nintentions of the attackers remain unknown.\r\nSimilar to its dropper, the binary seeks to evade sandboxes. In addition to the previously described trick,\r\nEvilBunny performs hook detection against environments that hook the time retrieval APIs\r\nNtQuerySystemTime, GetSystemTimeAsFileTime and GetTickCount. Each API is called twice to calculate a\r\ndelta, with a sleep(1000) operation between the first and the second call. If any of the three deltas is below\r\n998 milliseconds, execution aborts. On an unmonitored host all three deltas come out at roughly 1000 ms; a\r\nshorter delta means that a monitoring solution such as a sandbox skipped or shortened the sleep, or patched one\r\nof the three time sources without keeping it consistent with the others.\r\nAt start-up netmgr.exe decrypts a configuration file stored in its resource section, revealing three URLs along\r\nwith timeout settings and encryption keys:\r\nhttp://le-progres.net/images/php/test.php?rec=11206-01\r\nhttp://ghatreh.com/skins/php/test.php?rec=11206-01\r\nhttp://www.usthb-dz.org/includes/php/test.php?rec=11206-01\r\nAll three of these URLs served as C\u0026C contacts when the attack was still ongoing, sending commands or Lua\r\nscripts to the infected host. Two of them, le-progres.net and usthb-dz.org, are now sinkholed by Kaspersky Labs.\r\nTHE THREADING MODEL\r\nEvilBunny comes with a solid multi-threading model designed for fail-safe, high-performance\r\nexecution. 
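The time-API delta check described above, reproduced as an added Python example before the threading model is described in detail; this is not code from the Cyphort write-up or from the malware. The clocks are injectable so the check can be exercised offline: SimulatedHost is a constructed virtual clock that models a sandbox which skips the sleep or serves a stale value from one hooked API, and real_clocks maps the three Windows APIs to portable Python clocks as a stand-in (an assumption made for portability, not the malware’s own calls).

```python
import time

SLEEP_MS = 1000        # sleep(1000) between the two readings
MIN_DELTA_MS = 998     # any delta below this aborts execution
TIME_APIS = ('NtQuerySystemTime', 'GetSystemTimeAsFileTime', 'GetTickCount')


def time_sources_look_hooked(clocks_ms, sleep_fn, sleep_ms=SLEEP_MS, min_delta_ms=MIN_DELTA_MS):
    # Read every clock, sleep, read again and compare each delta with the
    # threshold. clocks_ms maps an API name to a callable returning
    # milliseconds. Returns (names whose delta fell short, all deltas).
    before = {name: clock() for name, clock in clocks_ms.items()}
    sleep_fn(sleep_ms / 1000.0)
    after = {name: clock() for name, clock in clocks_ms.items()}
    deltas = {name: after[name] - before[name] for name in clocks_ms}
    short = [name for name in TIME_APIS if name in deltas and deltas[name] < min_delta_ms]
    return short, deltas


class SimulatedHost:
    # Constructed virtual clock for exercising the check offline.
    # skip_sleep models a sandbox that returns from Sleep immediately;
    # stale_apis models hooked APIs that keep reporting the pre-sleep time.

    def __init__(self, skip_sleep=False, stale_apis=()):
        self.start_ms = 1000000.0
        self.now_ms = self.start_ms
        self.skip_sleep = skip_sleep
        self.stale_apis = set(stale_apis)

    def sleep(self, seconds):
        if not self.skip_sleep:
            self.now_ms += seconds * 1000.0

    def clock_for(self, api):
        if api in self.stale_apis:
            return lambda: self.start_ms
        return lambda: self.now_ms

    def clocks(self):
        return {api: self.clock_for(api) for api in TIME_APIS}


def real_clocks():
    # Portable stand-ins for the three Windows APIs (assumption): wall clock,
    # wall clock at nanosecond resolution and a monotonic tick counter.
    return {
        'NtQuerySystemTime': lambda: time.time() * 1000.0,
        'GetSystemTimeAsFileTime': lambda: time.time_ns() / 1000000.0,
        'GetTickCount': lambda: time.monotonic() * 1000.0,
    }


if __name__ == '__main__':
    # On an unmonitored host the list of short deltas should be empty and
    # all three deltas should be close to 1000 ms.
    print(time_sources_look_hooked(real_clocks(), time.sleep))
```

A sandbox that wants to pass this check has to keep all three time sources and the sleep consistent with each other: accelerating Sleep alone, or patching a single API, produces a delta of nearly zero for at least one source and the sample exits.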
In more detail, the malware runs a main thread, which manages four worker threads and performs C\u0026C command\r\nparsing and Lua script execution. The worker threads are dedicated to receiving commands and scripts through\r\ndifferent channels. In addition, the main thread runs sub-threads to maintain the log files the malware creates during\r\nexecution and to keep track of the overall system load the malware causes. The worker threads are internally\r\ndubbed ‘hearer’, which is believed to stand for ‘listener’ and suggests that the malware authors\r\nwere not native English speakers.\r\nThe main action of the malware is carried out in the main thread, which parses commands and executes Lua\r\nscripts provided by the worker threads via command files.\r\nThe hearer threads’ purpose is to receive instructions from the remote servers and provide them to the main thread.\r\nSuch instructions are commands and/or one or more Lua scripts. Each hearer has a dedicated method to receive\r\ninstructions: either individually via HTTP from the server, aggregated through a downloaded data file or as\r\ntasks to be configured as scheduled tasks. The hearer threads dump the received instructions to their associated\r\nnet.cap files, from where the main thread’s command parsing routine fetches and executes them.\r\nLUA MAGIC\r\nEvilBunny incorporates an interpreter for Lua 5.1, LuaSocket 2.0.2 and C/Invoke Lua bindings. Lua is a\r\nlightweight programming language designed as a scripting language which can be embedded into applications,\r\nproviding a C API for doing so. C bindings are provided through C/Invoke, a foreign function interface that enables\r\nLua scripts to call into C/C++ code. This combination is found in many video game engines to provide polymorphic\r\nbehavior in games. 
Engine and game play features are injected through Lua scripts, which instrument the game\r\nengine code.\r\nThe Lua interpreter is very small, roughly 180 KB compiled, and can thus easily be integrated into an application. The\r\nC/Invoke bindings let a script call native functions directly, so the binary does not have to export a purpose-built\r\nbinding for every operation and the injected scripts can be pure Lua code.\r\nThe Lua interpreter is a powerful code base which enables EvilBunny to change functionality on the fly, as\r\ndifferent scripts are downloaded and executed. The scripts define the functionality as they perform callbacks to the\r\nC/C++ code in the malware binary. In general this is a rather uncommon technique, but it has been observed\r\nbefore, especially in connection with some adware variants. Lua scripts are text based, which under certain\r\nconditions might be easier to tunnel past the intrusion detection systems and firewalls in place than binary content. Also,\r\nthe scripts are much smaller than an entire binary, which makes them practical for updating the malware. These scripts\r\nare about 5-10 KB when large, while a binary is around 50-200 KB or more.\r\nSource: https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/"
	],
	"report_names": [
		"evilbunny-malware-instrumented-lua"
	],
	"threat_actors": [],
	"ts_created_at": 1775434591,
	"ts_updated_at": 1775791316,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c95178be41d8abb07a6a18656dbf6fd2dfcba8e.pdf",
		"text": "https://archive.orkl.eu/3c95178be41d8abb07a6a18656dbf6fd2dfcba8e.txt",
		"img": "https://archive.orkl.eu/3c95178be41d8abb07a6a18656dbf6fd2dfcba8e.jpg"
	}
}