| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1001.001 | Data Obfuscation: Junk Data | BendyBear has used byte randomization to obscure its behavior.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | BendyBear has decrypted function blocks using a XOR key during runtime to evade detection.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | BendyBear communicates with a C2 server over port 443 using modified RC4 and XOR-encrypted chunks.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | BendyBear is designed to download an implant from a C2 server.[1] |
| Enterprise | T1106 | Native API | BendyBear can load and execute modules and Windows Application Programming Interface (API) calls using standard shellcode API hashing.[1] |
| Enterprise | T1571 | Non-Standard Port | BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | |
| Enterprise | T1012 | Query Registry | BendyBear can query the host's Registry key at |
| Enterprise | T1124 | System Time Discovery | BendyBear has the ability to determine local time on a compromised host.[1] |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | BendyBear can check for analysis environments and signs of debugging using the Windows API |