More_eggs

More_eggs is a JScript backdoor used by Cobalt Group. It is named after the variable "More_eggs" found in its code. At least two different versions of the backdoor are in use, version 2.0 and version 4.4. [1]

ID: S0284
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain     | ID    | Name                                   | Use
-----------|-------|----------------------------------------|---------------------------------------------------------------------------------
Enterprise | T1107 | File Deletion                          | More_eggs can remove itself from a system. [1]
Enterprise | T1105 | Remote File Copy                       | More_eggs can download and launch additional payloads. [1]
Enterprise | T1063 | Security Software Discovery            | More_eggs can obtain information on installed anti-malware programs. [1]
Enterprise | T1071 | Standard Application Layer Protocol    | More_eggs uses HTTPS for C2. [1]
Enterprise | T1082 | System Information Discovery           | More_eggs has the capability to gather the OS version and computer name. [1]
Enterprise | T1016 | System Network Configuration Discovery | More_eggs has the capability to gather the IP address from the victim's machine. [1]
Enterprise | T1033 | System Owner/User Discovery            | More_eggs has the capability to gather the username from the victim's machine. [1]

Groups

Groups that use this software:

Cobalt Group

References