SOFTWARE
Overview 3PARA RAT 4H RAT adbupd Adups ADVSTORESHELL Agent Tesla Agent.btz Allwinner Android Overlay Malware Android/Chuli.A ANDROIDOS_ANSERVER.A AndroRAT Arp ASPXSpy Astaroth at AuditCred AutoIt backdoor Azorult Backdoor.Oldrea BACKSPACE BADCALL BADNEWS BadPatch Bandook Bankshot BBSRAT BISCUIT Bisonal BITSAdmin BLACKCOFFEE BlackEnergy BONDUPDATER BOOTRASH BrainTest Brave Prince Briba BS2005 BUBBLEWRAP Cachedump CALENDAR Calisto CallMe Cannon Carbanak Carbon Cardinal RAT Catchamas CCBkdr certutil Chaos Charger ChChes Cherry Picker China Chopper CHOPSTICK CloudDuke cmd Cobalt Strike Cobian RAT CoinTicker Comnie ComRAT CORALDECK CORESHELL CosmicDuke CozyCar Crimson CrossRAT DarkComet Daserf DDKONG DealersChoice Dendroid Denis Derusbi Dipsind DOGCALL Dok Downdelph DownPaper DressCode Dridex DroidJack dsquery DualToy Duqu DustySky Dyre Ebury Elise ELMER Emissary Emotet Empire Epic EvilBunny EvilGrab Exaramel Expand FakeM FALLCHILL Felismus FELIXROOT Fgdump Final1stspy FinFisher Flame FLASHFLOOD FlawedAmmyy FlawedGrace FLIPSIDE Forfiles FruitFly FTP Gazer GeminiDuke gh0st RAT GLOOXMAIL Gold Dragon Gooligan GravityRAT GreyEnergy gsecdump H1N1 Hacking Team UEFI Rootkit HALFBAKED HAMMERTOSS HAPPYWORK HARDRAIN Havij HAWKBALL hcdLoader HDoor Helminth Hi-Zor HiddenWasp HIDEDRV Hikit HOMEFRY HOPLIGHT HTRAN HTTPBrowser httpclient HummingBad HummingWhale Hydraq HyperBro ifconfig iKitten Impacket InnaputRAT InvisiMole Invoke-PSImage ipconfig ISMInjector Ixeshe Janicab JCry JHUHUGIT JPIN jRAT Judy KARAE Kasidet Kazuar KeyBoy Keydnap KEYMARBLE KeyRaider Koadic Komplex KOMPROGO KONNI Kwampirs LaZagne LightNeuron Linfo Linux Rabbit LockerGoga LoJax LOWBALL Lslsass Lurid MacSpy Marcher Matroyshka MazarBOT meek Micropsia Mimikatz MimiPenguin Miner-C MiniDuke MirageFox Mis-Type Misdat Mivast MobileOrder MoonWind More_eggs Mosquito MURKYTOP Naid NanHaiShu NanoCore NavRAT nbtstat NDiskMonitor Nerex Net Net Crawler NETEAGLE netsh netstat NetTraveler NETWIRE Nidiran njRAT Nltest NOKKI NotCompatible NotPetya OBAD OceanSalt Octopus OLDBAIT OldBoot Olympic Destroyer OnionDuke OopsIE Orz OSInfo OSX_OCEANLOTUS.D OwaAuth P2P ZeuS Pallas Pasam Pass-The-Hash Toolkit Pegasus for Android Pegasus for iOS PHOREAL PinchDuke Ping Pisloader PJApps PLAINTEE PlugX pngdowner PoisonIvy POORAIM PoshC2 POSHSPY Power Loader PowerDuke POWERSOURCE PowerSploit PowerStallion POWERSTATS POWERTON POWRUNER Prikormka Proton Proxysvc PsExec Psylo Pteranodon PUNCHBUGGY PUNCHTRACK Pupy pwdump QUADAGENT QuasarRAT RARSTONE RATANKBA RawDisk RawPOS RCSAndroid Reaver RedDrop RedLeaves Reg Regin Remcos Remexi RemoteCMD Remsec Responder Revenge RAT RGDoor RIPTIDE ROCKBOOT RogueRobin ROKRAT route Rover RTM Ruler RuMMS RunningRAT S-Type Sakula SamSam schtasks SDelete SeaDuke Seasalt SEASHARPEE ServHelper Shamoon ShiftyBug SHIPSHAPE SHOTPUT SHUTTERSPEED Skeleton Key Skygofree SLOWDRIFT Smoke Loader SNUGRIDE Socksbot SOUNDBITE SPACESHIP SpeakUp spwebmember SpyDealer SpyNote RAT sqlmap SQLRat SslMM Starloader Stealth Mango StoneDrill StreamEx Sykipot SynAck Sys10 Systeminfo T9000 Taidoor Tangelo Tasklist TDTESS TEXTMATE TINYTYPHON TinyZBot Tor TrickBot Trojan-SMS.AndroidOS.Agent.ao Trojan-SMS.AndroidOS.FakeInst.a Trojan-SMS.AndroidOS.OpFake.a Trojan.Karagany Trojan.Mebromi Truvasys TURNEDUP Twitoor TYPEFRAME UACMe UBoatRAT Umbreon Unknown Logger UPPERCUT Uroburos Ursnif USBStealer Vasport VERMIN Volgmer WannaCry WEBC2 Wiarp Windows Credential Editor WINDSHIELD WINERACK Winexe Wingbird WinMM Winnti Wiper WireLurker X-Agent for Android XAgentOSX Xbash Xbot xCmd XcodeGhost XLoader XTunnel Yahoyah YiSpecter yty Zebrocy ZergHelper Zeroaccess ZeroT Zeus Panda ZLib zwShell
  1. Home
  2. Software
  3. FELIXROOT

FELIXROOT

FELIXROOT is a backdoor that has been used to target Ukrainian victims. [1]

ID: S0267
Associated Software: GreyEnergy mini
Type: MALWARE
Platforms: Windows
Version: 2.0

Associated Software Descriptions

Name Description
GreyEnergy mini [2]

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface FELIXROOT opens a remote shell to execute commands on the infected system.[1][2]
Enterprise T1043 Commonly Used Port FELIXROOT uses Port Numbers 443, 8443, and 8080 for C2 communications.[1][2]
Enterprise T1022 Data Encrypted FELIXROOT encrypts collected data with AES and Base64 and then sends it to the C2 server.[1]
Enterprise T1107 File Deletion FELIXROOT deletes the .LNK file from the startup directory as well as the dropper components.[1]
Enterprise T1112 Modify Registry FELIXROOT deletes the Registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open.[1]
Enterprise T1027 Obfuscated Files or Information FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm.[1][2]
Enterprise T1057 Process Discovery FELIXROOT collects a list of running processes.[2]
Enterprise T1012 Query Registry FELIXROOT queries the Registry for specific keys for potential privilege escalation and proxy information. FELIXROOT has also used WMI to query the Windows Registry.[1][2]
Enterprise T1060 Registry Run Keys / Startup Folder FELIXROOT adds a shortcut file to the startup folder for persistence.[2]
Enterprise T1105 Remote File Copy FELIXROOT downloads and uploads files to and from the victim’s machine.[1][2]
Enterprise T1085 Rundll32 FELIXROOT uses Rundll32 for executing the dropper program.[1][2]
Enterprise T1064 Scripting FELIXROOT executes batch scripts on the victim’s machine.[1]
Enterprise T1063 Security Software Discovery FELIXROOT checks for installed security software like antivirus and firewall.[2]
Enterprise T1023 Shortcut Modification FELIXROOT creates a .LNK file for persistence.[2]
Enterprise T1071 Standard Application Layer Protocol FELIXROOT uses HTTP and HTTPS to communicate with the C2 server.[1][2]
Enterprise T1082 System Information Discovery FELIXROOT collects the victim’s computer name, processor architecture, OS version, volume serial number, and system type.[1][2]
Enterprise T1016 System Network Configuration Discovery FELIXROOT collects information about the network including the IP address and DHCP server.[2]
Enterprise T1033 System Owner/User Discovery FELIXROOT collects the username from the victim’s machine.[1][2]
Enterprise T1124 System Time Discovery FELIXROOT gathers the time zone information from the victim’s machine.[2]
Enterprise T1047 Windows Management Instrumentation FELIXROOT uses WMI to query the Windows Registry.[2]

References

  1. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  1. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.