FELIXROOT
ID: S0267
Aliases: FELIXROOT
Type: MALWARE
Platforms: Windows
Version: 1.0
Alias Descriptions
Name | Description |
---|---|
FELIXROOT | [1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1059 | Command-Line Interface | FELIXROOT opens a remote shell to execute commands on the infected system.[1] |
Enterprise | T1043 | Commonly Used Port | FELIXROOT uses port 443 for C2 communications.[1] |
Enterprise | T1022 | Data Encrypted | FELIXROOT encrypts collected data with AES and Base64 and then sends it to the C2 server.[1] |
Enterprise | T1107 | File Deletion | FELIXROOT deletes the .LNK file from the startup directory as well as the dropper components.[1] |
Enterprise | T1112 | Modify Registry | FELIXROOT deletes the Registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open .[1] |
Enterprise | T1027 | Obfuscated Files or Information | FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm.[1] |
Enterprise | T1012 | Query Registry | FELIXROOT queries the Registry for specific keys for potential privilege escalation and proxy information.[1] |
Enterprise | T1105 | Remote File Copy | FELIXROOT downloads and uploads files to and from the victim’s machine.[1] |
Enterprise | T1085 | Rundll32 | FELIXROOT uses Rundll32 for executing the dropper program.[1] |
Enterprise | T1064 | Scripting | FELIXROOT executes batch scripts on the victim’s machine.[1] |
Enterprise | T1071 | Standard Application Layer Protocol | FELIXROOT uses HTTP and HTTPS to communicate with the C2 server.[1] |
Enterprise | T1082 | System Information Discovery | FELIXROOT collects the victim’s computer name, processor architecture, OS version, and volume serial number.[1] |
Enterprise | T1033 | System Owner/User Discovery | FELIXROOT collects the username from the victim’s machine.[1] |