Register to stream ATT&CKcon 2.0 October 29-30


FELIXROOT is a backdoor that has been used to target Ukrainian victims. [1]

ID: S0267
Associated Software: GreyEnergy mini
Platforms: Windows
Version: 2.0

Associated Software Descriptions

Name Description
GreyEnergy mini [2]

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface FELIXROOT opens a remote shell to execute commands on the infected system. [1] [2]
Enterprise T1043 Commonly Used Port FELIXROOT uses Port Numbers 443, 8443, and 8080 for C2 communications. [1] [2]
Enterprise T1022 Data Encrypted FELIXROOT encrypts collected data with AES and Base64 and then sends it to the C2 server. [1]
Enterprise T1107 File Deletion FELIXROOT deletes the .LNK file from the startup directory as well as the dropper components. [1]
Enterprise T1112 Modify Registry FELIXROOT deletes the Registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open. [1]
Enterprise T1027 Obfuscated Files or Information FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm. [1] [2]
Enterprise T1057 Process Discovery FELIXROOT collects a list of running processes. [2]
Enterprise T1012 Query Registry FELIXROOT queries the Registry for specific keys for potential privilege escalation and proxy information. FELIXROOT has also used WMI to query the Windows Registry. [1] [2]
Enterprise T1060 Registry Run Keys / Startup Folder FELIXROOT adds a shortcut file to the startup folder for persistence. [2]
Enterprise T1105 Remote File Copy FELIXROOT downloads and uploads files to and from the victim’s machine. [1] [2]
Enterprise T1085 Rundll32 FELIXROOT uses Rundll32 for executing the dropper program. [1] [2]
Enterprise T1064 Scripting FELIXROOT executes batch scripts on the victim’s machine. [1]
Enterprise T1063 Security Software Discovery FELIXROOT checks for installed security software like antivirus and firewall. [2]
Enterprise T1023 Shortcut Modification FELIXROOT creates a .LNK file for persistence. [2]
Enterprise T1071 Standard Application Layer Protocol FELIXROOT uses HTTP and HTTPS to communicate with the C2 server. [1] [2]
Enterprise T1082 System Information Discovery FELIXROOT collects the victim’s computer name, processor architecture, OS version, volume serial number, and system type. [1] [2]
Enterprise T1016 System Network Configuration Discovery FELIXROOT collects information about the network including the IP address and DHCP server. [2]
Enterprise T1033 System Owner/User Discovery FELIXROOT collects the username from the victim’s machine. [1] [2]
Enterprise T1124 System Time Discovery FELIXROOT gathers the time zone information from the victim’s machine. [2]
Enterprise T1047 Windows Management Instrumentation FELIXROOT uses WMI to query the Windows Registry. [2]