FELIXROOT is a backdoor that has been used to target Ukrainian victims. [1]

ID: S0267
Associated Software: GreyEnergy mini

Platforms: Windows

Version: 2.0

Associated Software Descriptions

GreyEnergy mini[2]

Techniques Used

EnterpriseT1059Command-Line InterfaceFELIXROOT opens a remote shell to execute commands on the infected system.[1][2]
EnterpriseT1043Commonly Used PortFELIXROOT uses Port Numbers 443, 8443, and 8080 for C2 communications.[1][2]
EnterpriseT1022Data EncryptedFELIXROOT encrypts collected data with AES and Base64 and then sends it to the C2 server.[1]
EnterpriseT1107File DeletionFELIXROOT deletes the .LNK file from the startup directory as well as the dropper components.[1]
EnterpriseT1112Modify RegistryFELIXROOT deletes the Registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open.[1]
EnterpriseT1027Obfuscated Files or InformationFELIXROOT encrypts strings in the backdoor using a custom XOR algorithm.[1][2]
EnterpriseT1057Process DiscoveryFELIXROOT collects a list of running processes.[2]
EnterpriseT1012Query RegistryFELIXROOT queries the Registry for specific keys for potential privilege escalation and proxy information. FELIXROOT has also used WMI to query the Windows Registry.[1][2]
EnterpriseT1060Registry Run Keys / Startup FolderFELIXROOT adds a shortcut file to the startup folder for persistence.[2]
EnterpriseT1105Remote File CopyFELIXROOT downloads and uploads files to and from the victim’s machine.[1][2]
EnterpriseT1085Rundll32FELIXROOT uses Rundll32 for executing the dropper program.[1][2]
EnterpriseT1064ScriptingFELIXROOT executes batch scripts on the victim’s machine.[1]
EnterpriseT1063Security Software DiscoveryFELIXROOT checks for installed security software like antivirus and firewall.[2]
EnterpriseT1023Shortcut ModificationFELIXROOT creates a .LNK file for persistence.[2]
EnterpriseT1071Standard Application Layer ProtocolFELIXROOT uses HTTP and HTTPS to communicate with the C2 server.[1][2]
EnterpriseT1082System Information DiscoveryFELIXROOT collects the victim’s computer name, processor architecture, OS version, volume serial number, and system type.[1][2]
EnterpriseT1016System Network Configuration DiscoveryFELIXROOT collects information about the network including the IP address and DHCP server.[2]
EnterpriseT1033System Owner/User DiscoveryFELIXROOT collects the username from the victim’s machine.[1][2]
EnterpriseT1124System Time DiscoveryFELIXROOT gathers the time zone information from the victim’s machine.[2]
EnterpriseT1047Windows Management InstrumentationFELIXROOT uses WMI to query the Windows Registry.[2]