BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6)

BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. That malicious dll then loads encrypted shellcode from the binary, which is decrypted and runs the final BUGJUICE payload. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
RedLeaves (a70e93a7-3578-47e1-9926-0818979ed866)	Malpedia	BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6)	Tool	1
BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6)	Tool	Private Cluster (3df08e23-1d0b-41ed-b735-c4eca46ce48e)	Unknown	1
RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6)	Tool	1
RedLeaves (ad6a1b4a-6d79-40d4-adb7-1d7ca697347e)	RAT	BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6)	Tool	1
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	2
RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	2
RedLeaves (a70e93a7-3578-47e1-9926-0818979ed866)	Malpedia	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	RedLeaves (ad6a1b4a-6d79-40d4-adb7-1d7ca697347e)	RAT	2
RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179)	Attack Pattern	RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5)	Malware	2
RedLeaves (a70e93a7-3578-47e1-9926-0818979ed866)	Malpedia	RedLeaves (ad6a1b4a-6d79-40d4-adb7-1d7ca697347e)	RAT	2
RedLeaves (ad6a1b4a-6d79-40d4-adb7-1d7ca697347e)	RAT	Private Cluster (3df08e23-1d0b-41ed-b735-c4eca46ce48e)	Unknown	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	3
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3