
COOKIEBAG (63be3d30-0c8d-4c0a-8eee-6c96880734cb)

This family of malware is a backdoor capable of file upload and download, as well as providing remote interactive shell access to the compromised machine. Communication with the Command & Control (C2) servers uses a combination of single-byte XOR and Base64-encoded data carried in the Cookie and Set-Cookie HTTP header fields, over port 80. Some variants install a registry key as a persistence mechanism. The hardcoded strings cited include a command string that is common to several other APT1 families.
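The encoding described above (single-byte XOR, then Base64, carried in Cookie/Set-Cookie values) is simple enough that an analyst can recover the key from captured traffic. The following is an added, defender-side example, not code from the page or from any analysis of the real samples: it parses cookie pairs out of raw HTTP, Base64-decodes each value, tries all 256 XOR keys, and keeps only keys whose output is entirely printable ASCII. The key 0x5A, the cookie name SESSIONID, the host names and the plaintext commands are all constructed for the demonstration; nothing on the page states the real key or the real cookie name. The optional `known_token` argument is an assumption as well: an analyst who knows one expected substring (here the constructed `cmd=`) can use it to collapse the candidate list to a single key.

```python
import base64
import binascii
import re
import string

PRINTABLE = set(string.printable.encode("ascii"))


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. The operation is its own inverse,
    so the same helper builds the constructed sample and decodes traffic."""
    return bytes(b ^ key for b in data)


def cookie_pairs(raw_http: str) -> list:
    """Return (header, name, value) for every name=value pair found in
    Cookie: and Set-Cookie: headers of a raw HTTP message."""
    pairs = []
    for line in raw_http.split("\r\n"):
        m = re.match(r"(?i)^(Cookie|Set-Cookie):\s*(.*)$", line)
        if not m:
            continue
        for item in m.group(2).split(";"):
            if "=" not in item:
                continue  # bare attributes such as HttpOnly
            name, value = item.strip().split("=", 1)
            pairs.append((m.group(1), name.strip(), value.strip()))
    return pairs


def text_score(data: bytes) -> int:
    """Crude text-likeness: letters, digits and spaces outweigh punctuation."""
    return sum(2 if chr(b).isalnum() or b == 0x20 else 1 for b in data)


def xor_key_candidates(ciphertext: bytes, known_token: bytes = None) -> list:
    """Try all 256 keys and keep those whose output is entirely printable ASCII.
    If a known plaintext token is given, also require it in the output.
    Returns a list of (key, plaintext) tuples, best-scoring first."""
    found = []
    for key in range(256):
        candidate = xor_single_byte(ciphertext, key)
        if not all(b in PRINTABLE for b in candidate):
            continue
        if known_token is not None and known_token not in candidate:
            continue
        found.append((key, candidate))
    found.sort(key=lambda kp: text_score(kp[1]), reverse=True)
    return found


def decode_cookie_payloads(raw_http: str, known_token: bytes = None) -> list:
    """Base64-decode each cookie value and run XOR key recovery on the result.
    Values that are not valid Base64, or that no key turns into printable
    text, are dropped as ordinary cookies."""
    results = []
    for header, name, value in cookie_pairs(raw_http):
        try:
            blob = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            continue
        if not blob:
            continue
        candidates = xor_key_candidates(blob, known_token)
        if candidates:
            results.append({"header": header, "name": name, "candidates": candidates})
    return results


# Constructed sample traffic. The key, cookie name, host and commands are
# invented for this example; the page does not state the real values.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"cmd=whoami; host=WORKSTATION-01"
SAMPLE_RESPONSE_PLAINTEXT = b"ack=cmd=whoami"


def _encode(plaintext: bytes) -> str:
    return base64.b64encode(xor_single_byte(plaintext, SAMPLE_KEY)).decode("ascii")


SAMPLE_REQUEST = (
    "GET /index.asp HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Cookie: lang=en; theme=dark; SESSIONID=" + _encode(SAMPLE_PLAINTEXT) + "\r\n"
    "\r\n"
)

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SESSIONID=" + _encode(SAMPLE_RESPONSE_PLAINTEXT) + "; Path=/; HttpOnly\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for msg in (SAMPLE_REQUEST, SAMPLE_RESPONSE):
        for hit in decode_cookie_payloads(msg, known_token=b"cmd="):
            key, text = hit["candidates"][0]
            print(f"{hit['header']} {hit['name']}: key=0x{key:02x} -> {text!r}")
```

Two things the run makes visible. The ordinary cookies fall out on their own: `lang=en` is not valid Base64, and `theme=dark` decodes to bytes that disagree in their high bit, so no single key can make all of them printable. The XOR-ed cookie, by contrast, yields several fully printable candidates (any key differing from the real one only in its low bits keeps lowercase letters lowercase), which is why the printability filter alone is not a key-recovery method for short payloads; the known-token filter, or a longer capture, is what pins the key down.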

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| COOKIEBAG (63be3d30-0c8d-4c0a-8eee-6c96880734cb) | Tool | CookieBag (9afa9b7e-e2c1-4725-8d8d-cec7933cc63b) | Malpedia | 1 |