
More_eggs

More_eggs is a JScript backdoor used by Cobalt Group. It takes its name from the variable "More_eggs" found in its code. At least two different versions of the backdoor are in use, version 2.0 and version 4.4. [1]

ID: S0284
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1107 | File Deletion | More_eggs can remove itself from a system. [1] |
| Enterprise | T1105 | Remote File Copy | More_eggs can download and launch additional payloads. [1] |
| Enterprise | T1063 | Security Software Discovery | More_eggs can obtain information on installed anti-malware programs. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | More_eggs uses HTTPS for C2. [1] |
| Enterprise | T1082 | System Information Discovery | More_eggs has the capability to gather the OS version and computer name. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | More_eggs has the capability to gather the IP address from the victim's machine. [1] |
| Enterprise | T1033 | System Owner/User Discovery | More_eggs has the capability to gather the username from the victim's machine. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0080 | Cobalt Group | [1] |

References