BendyBear
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1573 | .001 | 加密通道: Symmetric Cryptography |
BendyBear communicates to a C2 server over port 443 using modified RC4 and XOR-encrypted chunks.[1] |
| Enterprise | T1140 | 反混淆/解码文件或信息 |
BendyBear has decrypted function blocks using a XOR key during runtime to evade detection.[1] |
|
| Enterprise | T1001 | .001 | 数据混淆: Junk Data |
BendyBear has used byte randomization to obscure its behavior.[1] |
| Enterprise | T1106 | 本机API |
BendyBear can load and execute modules and Windows Application Programming (API) calls using standard shellcode API hashing.[1] |
|
| Enterprise | T1012 | 查询注册表 |
BendyBear can query the host's Registry key at |
|
| Enterprise | T1027 | .013 | 混淆文件或信息: Encrypted/Encoded File | |
| .014 | 混淆文件或信息: Polymorphic Code |
BendyBear changes its runtime footprint during code execution to evade signature-based defenses.[1] |
||
| Enterprise | T1124 | 系统时间发现 |
BendyBear has the ability to determine local time on a compromised host.[1] |
|
| Enterprise | T1497 | .003 | 虚拟化/沙盒规避: Time Based Evasion |
BendyBear can check for analysis environments and signs of debugging using the Windows API |
| Enterprise | T1105 | 输入工具传输 |
BendyBear is designed to download an implant from a C2 server.[1] |
|
| Enterprise | T1571 | 非标准端口 |
BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.[1] |
|