Skip to content

Hide Navigation Hide TOC

BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6)

BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. That malicious dll then loads encrypted shellcode from the binary, which is decrypted and runs the final BUGJUICE payload. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell.

Cluster A Galaxy A Cluster B Galaxy B Level
RedLeaves (a70e93a7-3578-47e1-9926-0818979ed866) Malpedia BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6) Tool 1
RedLeaves (ad6a1b4a-6d79-40d4-adb7-1d7ca697347e) RAT BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6) Tool 1
BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6) Tool Private Cluster (3df08e23-1d0b-41ed-b735-c4eca46ce48e) Unknown 1
BUGJUICE (90124cc8-1205-4e63-83ad-5c45a110b1e6) Tool RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 1
RedLeaves (ad6a1b4a-6d79-40d4-adb7-1d7ca697347e) RAT Private Cluster (3df08e23-1d0b-41ed-b735-c4eca46ce48e) Unknown 2
RedLeaves (ad6a1b4a-6d79-40d4-adb7-1d7ca697347e) RAT RedLeaves (a70e93a7-3578-47e1-9926-0818979ed866) Malpedia 2
RedLeaves (ad6a1b4a-6d79-40d4-adb7-1d7ca697347e) RAT RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
RedLeaves (a70e93a7-3578-47e1-9926-0818979ed866) Malpedia RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern RedLeaves - S0153 (17b40f60-729f-4fe8-8aea-cc9ee44a95d5) Malware 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3