The PikaBot execution chain is the series of steps the malware takes to infiltrate and compromise a system. PikaBot is a new malware family in the early stages of development, and it shares some similarities with the Matanbuchus malware family. The execution chain for PikaBot is as follows:
- Initial execution:
rundll32.exe <PikaBot_payload>.dll,Test
- Connection to the PikaBot Command and Control (C2) server:
WerFault.exe
connects to the C2 server, in this case 45.85.235[.]39
- Information gathering:
whoami.exe /all
and ipconfig.exe /all
are used to collect information about the infected system
- Persistence:
schtasks.exe /Create /F /TN…
is used to create a scheduled task for maintaining persistence on the infected system
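Each stage above maps to a distinct process-creation or network-connection event, so the chain can be scored per host rather than alerting on any single command. The following is an added detection example, not code from the original page; the Sysmon-style events, host names, file paths and the "Updater" task name are constructed, and only the C2 address comes from the page (refanged here).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample telemetry (not from the page): Sysmon-style process-creation
# (event 1) and network-connection (event 3) records. Only the C2 address is the
# one the page reports; it appears defanged there.
SAMPLE_EVENTS = [
    {"host": "ws01", "event": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\a\AppData\Local\Temp\upd.dll,Test"},
    {"host": "ws01", "event": 3, "image": r"C:\Windows\System32\WerFault.exe",
     "dest_ip": "45.85.235.39"},
    {"host": "ws01", "event": 1, "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": "whoami.exe /all"},
    {"host": "ws01", "event": 1, "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig.exe /all"},
    {"host": "ws01", "event": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /Create /F /TN Updater /TR C:\Users\a\upd.vbs"},
    # An admin running ipconfig /all on its own must not trip the chain rule.
    {"host": "ws02", "event": 1, "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig.exe /all"},
]

def classify(ev):
    """Map one event to a PikaBot chain stage name, or None."""
    name = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev.get("cmdline", "").lower()
    if ev["event"] == 1:
        # Stage 1: a DLL loaded through rundll32 via its 'Test' export.
        if name == "rundll32.exe" and re.search(r"\.dll,\s*test\b", cmd):
            return "initial_execution"
        # Stage 3: host/user enumeration with whoami /all or ipconfig /all.
        if name in ("whoami.exe", "ipconfig.exe") and "/all" in cmd:
            return "information_gathering"
        # Stage 4: forced (/F) scheduled-task creation for persistence.
        if name == "schtasks.exe" and "/create" in cmd and "/f" in cmd.split():
            return "persistence"
    elif ev["event"] == 3:
        # Stage 2: WerFault.exe (a crash reporter) talking to a public IP.
        if name == "werfault.exe" and ipaddress.ip_address(ev["dest_ip"]).is_global:
            return "c2_connection"
    return None

def detect_chain(events, min_stages=3):
    """Return {host: sorted stages} for hosts showing >= min_stages stages."""
    seen = defaultdict(set)
    for ev in events:
        if stage := classify(ev):
            seen[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}
```

Lowering min_stages trades fewer missed infections for more noise from legitimate whoami, ipconfig and schtasks use; the WerFault-to-public-IP check is the strongest single signal because the crash reporter has no reason to reach an arbitrary address.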
It is important to note that PikaBot is still in its early stages of development, and its capabilities and execution chain may evolve over time. The malware is distributed in a manner similar to Qakbot, but it is not distributed by Qakbot itself.
The PikaBot malware connects to its Command and Control (C2) server through the WerFault.exe process. This process establishes a connection to the C2 server, which in one specific case was found to be 45.85.235[.]39.
The malware then communicates with the C2 server to receive further instructions and perform malicious activities on the infected system. Because the malware is still in its early stages of development, its capabilities and execution chain may evolve over time.