
BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6)

BUGJUICE is a backdoor that is executed by launching a benign file and hijacking its DLL search order so that a malicious DLL is loaded into it. That malicious DLL then loads encrypted shellcode from the binary, which is decrypted and runs the final BUGJUICE payload. BUGJUICE defaults to TCP with a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPS if directed by the C2. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| RedLeaves (ad6a1b4a-6d79-40d4-adb7-1d7ca697347e) | RAT | BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6) | Tool | 1 |
| RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6) | Tool | 1 |
| RedLeaves (a70e93a7-3578-47e1-9926-0818979ed866) | Malpedia | BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6) | Tool | 1 |
| BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6) | Tool | Private Cluster (3df08e23-1d0b-41ed-b735-c4eca46ce48e) | Unknown | 1 |
| RedLeaves (ad6a1b4a-6d79-40d4-adb7-1d7ca697347e) | RAT | Private Cluster (3df08e23-1d0b-41ed-b735-c4eca46ce48e) | Unknown | 2 |
| RedLeaves (ad6a1b4a-6d79-40d4-adb7-1d7ca697347e) | RAT | RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | 2 |
| RedLeaves (ad6a1b4a-6d79-40d4-adb7-1d7ca697347e) | RAT | RedLeaves (a70e93a7-3578-47e1-9926-0818979ed866) | Malpedia | 2 |
| Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | 2 |
| RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) | Attack Pattern | 2 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | 2 |
| RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | 2 |
| RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 2 |
| System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) | Attack Pattern | RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | 2 |
| Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) | Attack Pattern | RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | 2 |
| RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 2 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | 2 |
| System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) | Attack Pattern | RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | 2 |
| RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 2 |
| RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) | Attack Pattern | 2 |
| File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | 2 |
| RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) | Attack Pattern | 2 |
| System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | 2 |
| RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) | Attack Pattern | 2 |
| Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | 2 |
| RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) | Malware | RedLeaves (a70e93a7-3578-47e1-9926-0818979ed866) | Malpedia | 2 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 3 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 3 |
| Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | 3 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 3 |
| Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 3 |
| Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 3 |
| Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 3 |
| DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) | Attack Pattern | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 3 |
| Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | 3 |