| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1071 | Application Layer Protocol | - |
| Enterprise | T1071.001 | Web Protocols | FELIXROOT uses HTTP and HTTPS to communicate with the C2 server. |
| Enterprise | T1560 | Archive Collected Data | FELIXROOT encrypts collected data with AES, Base64-encodes the result, and then sends it to the C2 server. |
| Enterprise | T1547 | Boot or Logon Autostart Execution | - |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | FELIXROOT adds a shortcut file to the Startup folder for persistence. |
| Enterprise | T1547.009 | Shortcut Modification | FELIXROOT creates a .LNK file for persistence. |
| Enterprise | T1059 | Command and Scripting Interpreter | - |
| Enterprise | T1059.003 | Windows Command Shell | FELIXROOT executes batch scripts on the victim’s machine and can launch a reverse shell for command execution. |
| Enterprise | T1070 | Indicator Removal | - |
| Enterprise | T1070.004 | File Deletion | FELIXROOT deletes the .LNK file from the Startup directory as well as the dropper components. |
| Enterprise | T1105 | Ingress Tool Transfer | FELIXROOT can download files to, and upload files from, the victim’s machine. |
| Enterprise | T1112 | Modify Registry | FELIXROOT deletes the Registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open. |
| Enterprise | T1027 | Obfuscated Files or Information | FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm. |
| Enterprise | T1057 | Process Discovery | FELIXROOT collects a list of running processes. |
| Enterprise | T1012 | Query Registry | FELIXROOT queries the Registry for specific keys for potential privilege escalation and proxy information. FELIXROOT has also used WMI to query the Windows Registry. |
| Enterprise | T1518 | Software Discovery | - |
| Enterprise | T1518.001 | Security Software Discovery | FELIXROOT checks for installed security software such as antivirus and firewall products. |
| Enterprise | T1218 | System Binary Proxy Execution | - |
| Enterprise | T1218.011 | Rundll32 | FELIXROOT uses Rundll32 to execute the dropper program. |
| Enterprise | T1082 | System Information Discovery | FELIXROOT collects the victim’s computer name, processor architecture, OS version, volume serial number, and system type. |
| Enterprise | T1016 | System Network Configuration Discovery | FELIXROOT collects information about the network, including the IP address and DHCP server. |
| Enterprise | T1033 | System Owner/User Discovery | FELIXROOT collects the username from the victim’s machine. |
| Enterprise | T1124 | System Time Discovery | FELIXROOT gathers the time zone information from the victim’s machine. |
| Enterprise | T1047 | Windows Management Instrumentation | FELIXROOT uses WMI to query the Windows Registry. |
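Detection logic for the execution, persistence and cleanup rows above (T1218.011, T1547.001/T1547.009, T1112, T1070.004), as an added example that is not part of the ATT&CK page or of any FELIXROOT analysis. It runs over constructed Sysmon-style event records (real Sysmon event IDs 1, 11, 12 and 23 with their real field names; the paths, SID and ProcessGuids are made up) and correlates hits per process, so that one rundll32 process that both drops a Startup .LNK and deletes its shell\open key stands out from the same events seen in isolation. The assumed artefact locations (user Startup folder, user-writable DLL paths, the per-user key rendered under HKU\<SID>) are assumptions, not facts from the page.

```python
"""Sysmon-style detection for the FELIXROOT execution / persistence / cleanup
chain. The event records are constructed for this example (real Sysmon event
IDs and field names, made-up paths, SID and ProcessGuids)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed locations: user Startup folder .LNK files, user-writable DLL paths,
# and the per-user rundll32 shell\open key as Sysmon renders it under HKU\<SID>.
STARTUP_LNK_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
RUNDLL32_SHELL_OPEN_RE = re.compile(
    r"\\Software\\Classes\\Applications\\rundll32\.exe\\shell\\open$", re.IGNORECASE)


def classify(event: Dict[str, object]) -> List[str]:
    """Return the technique labels one event matches; an empty list means benign."""
    hits: List[str] = []
    eid = event.get("EventID")
    target = str(event.get("TargetFilename", ""))
    if eid == 11 and STARTUP_LNK_RE.search(target):       # FileCreate
        hits.append("T1547.001/T1547.009 .LNK dropped in Startup folder")
    if eid == 23 and STARTUP_LNK_RE.search(target):       # FileDelete
        hits.append("T1070.004 Startup .LNK removed")
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", ""))
    if eid == 1 and image.endswith("\\rundll32.exe") and USER_WRITABLE_RE.search(cmdline):
        hits.append("T1218.011 rundll32 loading a DLL from a user-writable path")
    if (eid == 12 and event.get("EventType") == "DeleteKey"   # RegistryEvent
            and RUNDLL32_SHELL_OPEN_RE.search(str(event.get("TargetObject", "")))):
        hits.append("T1112 rundll32 shell\\open key deleted")
    return hits


def scan(events: List[Dict[str, object]]) -> Tuple[List[Tuple[int, str]], Dict[str, int]]:
    """All hits in order, plus the number of distinct techniques seen per ProcessGuid."""
    per_event: List[Tuple[int, str]] = []
    per_process: Dict[str, set] = defaultdict(set)
    for ev in events:
        for hit in classify(ev):
            per_event.append((int(ev["EventID"]), hit))
            per_process[str(ev.get("ProcessGuid", "?"))].add(hit.split()[0])
    return per_event, {guid: len(techs) for guid, techs in per_process.items()}


def suspicious_processes(events: List[Dict[str, object]], threshold: int = 2) -> List[str]:
    """ProcessGuids that hit at least `threshold` distinct techniques: several of
    these artefacts from one process is far stronger evidence than any one of them."""
    _, counts = scan(events)
    return sorted(guid for guid, n in counts.items() if n >= threshold)


# Constructed sample telemetry (not real FELIXROOT data).
EVIL = "{7E1A2B3C-0001-4D5E-8F90-000000000001}"
STARTUP = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "ProcessGuid": EVIL, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\victim\AppData\Roaming\dropper.dll,#1"},
    {"EventID": 11, "ProcessGuid": EVIL, "TargetFilename": STARTUP},
    {"EventID": 12, "ProcessGuid": EVIL, "EventType": "DeleteKey",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\Applications\rundll32.exe\shell\open"},
    {"EventID": 23, "ProcessGuid": EVIL, "TargetFilename": STARTUP},
    # benign noise: a Control Panel launch and an ordinary document save
    {"EventID": 1, "ProcessGuid": "{7E1A2B3C-0002-4D5E-8F90-000000000002}",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventID": 11, "ProcessGuid": "{7E1A2B3C-0003-4D5E-8F90-000000000003}",
     "TargetFilename": r"C:\Users\victim\Documents\notes.txt"},
]

if __name__ == "__main__":
    for eid, hit in scan(SAMPLE_EVENTS)[0]:
        print(f"Sysmon {eid}: {hit}")
    print("suspicious:", suspicious_processes(SAMPLE_EVENTS))
```

Sysmon only emits event 23 for deletions when FileDelete is enabled in its configuration (event 26, FileDeleteDetected, is the non-archiving variant); the same rule applies to either ID. The rundll32 rule deliberately ignores DLLs under the Windows directory, which is why the Control Panel launch in the sample is not flagged.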
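A known-plaintext approach to the T1027 row, as an added example rather than FELIXROOT's own routine: the page says only that the backdoor's strings are encrypted with a custom XOR algorithm, so this assumes the common repeating-key form over a table of NUL-terminated C strings, and uses a string the backdoor must contain given the behaviour listed above (rundll32.exe) as the crib. The key, the string table and the crib offset are constructed for the example and are not taken from a FELIXROOT sample.

```python
"""Known-plaintext recovery of a repeating-key XOR string table.
Assumption (not from the page): a repeating-key XOR over NUL-terminated C
strings; the key and the string table below are constructed for the example."""
from itertools import cycle
from typing import List, Optional, Tuple


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_string_table(buf: bytes) -> bool:
    """Sanity check on a candidate decryption: only printable ASCII or NUL,
    and the table ends with a terminator."""
    return bool(buf) and buf.endswith(b"\x00") and all(
        b == 0 or 0x20 <= b < 0x7F for b in buf)


def smallest_period(window: bytes, max_len: int) -> Optional[int]:
    """Shortest p <= max_len such that the window repeats with period p.
    At least two full periods are required so the repetition is observed,
    not assumed."""
    for p in range(1, max_len + 1):
        if len(window) >= 2 * p and all(
                window[i] == window[i + p] for i in range(len(window) - p)):
            return p
    return None


def recover_key(blob: bytes, crib: bytes,
                max_key_len: int = 16) -> Optional[Tuple[bytes, int]]:
    """Slide the crib across the blob. Where blob XOR crib yields a periodic
    key stream, re-phase it to blob offset 0 and accept it only if it decrypts
    the whole blob to a plausible string table. Returns (key, crib_offset)."""
    for off in range(len(blob) - len(crib) + 1):
        window = xor_bytes(blob[off:off + len(crib)], crib)
        period = smallest_period(window, max_key_len)
        if period is None:
            continue
        # blob byte j is XORed with key[j % period]; window[i] sits at blob offset off + i
        key = bytes(window[(m - off) % period] for m in range(period))
        if looks_like_string_table(xor_bytes(blob, key)):
            return key, off
    return None


def split_strings(buf: bytes, min_len: int = 3) -> List[str]:
    """Split a decrypted table on NUL terminators, dropping short fragments."""
    return [s.decode("ascii") for s in buf.split(b"\x00") if len(s) >= min_len]


# Constructed string table and key (not from a FELIXROOT sample). The rundll32
# and shell\open strings mirror behaviours listed on this page.
PLAIN = (b"cmd.exe /c\x00rundll32.exe\x00Software\\Classes\\Applications\x00"
         b"HKCU\\Software\\Classes\\Applications\\rundll32.exe\\shell\\open\x00")
KEY = bytes([0x37, 0x5A, 0x91])
BLOB = xor_bytes(PLAIN, KEY)        # what an analyst would carve out of the binary


def recover_strings(blob: bytes, crib: bytes = b"rundll32.exe") -> List[str]:
    """End-to-end: recover the key from the crib and decode the table."""
    found = recover_key(blob, crib)
    if found is None:
        return []
    key, _ = found
    return split_strings(xor_bytes(blob, key))


if __name__ == "__main__":
    print("key:", recover_key(BLOB, b"rundll32.exe"))
    for s in recover_strings(BLOB):
        print(repr(s))
```

The full-blob sanity check is what keeps this honest: if the real routine is not a plain repeating-key XOR (a rolling or position-dependent key, for instance), the crib either yields no periodic key stream or one that decrypts the rest of the blob to garbage, and the function returns None rather than a wrong key.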