BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6)

BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. That malicious dll then loads encrypted shellcode from the binary, which is decrypted and runs the final BUGJUICE payload. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
RedLeaves (ad6a1b4a-6d79-40d4-adb7-1d7ca697347e)	RAT	BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6)	Tool	1
BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6)	Tool	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	1
BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6)	Tool	RedLeaves (a70e93a7-3578-47e1-9926-0818979ed866)	Malpedia	1
BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6)	Tool	Private Cluster (3df08e23-1d0b-41ed-b735-c4eca46ce48e)	Unknown	1
RedLeaves (ad6a1b4a-6d79-40d4-adb7-1d7ca697347e)	RAT	Private Cluster (3df08e23-1d0b-41ed-b735-c4eca46ce48e)	Unknown	2
RedLeaves (ad6a1b4a-6d79-40d4-adb7-1d7ca697347e)	RAT	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
RedLeaves (ad6a1b4a-6d79-40d4-adb7-1d7ca697347e)	RAT	RedLeaves (a70e93a7-3578-47e1-9926-0818979ed866)	Malpedia	2
RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	RedLeaves (a70e93a7-3578-47e1-9926-0818979ed866)	Malpedia	2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	2
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3