Skip to content


FELIXROOT is a backdoor that has been used to target Ukrainian victims. 1

Item Value
ID S0267
Associated Names GreyEnergy mini
Version 2.1
Created 17 October 2018
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
GreyEnergy mini 2

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols FELIXROOT uses HTTP and HTTPS to communicate with the C2 server.12
enterprise T1560 Archive Collected Data FELIXROOT encrypts collected data with AES and Base64 and then sends it to the C2 server.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder FELIXROOT adds a shortcut file to the startup folder for persistence.2
enterprise T1547.009 Shortcut Modification FELIXROOT creates a .LNK file for persistence.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell FELIXROOT executes batch scripts on the victim’s machine, and can launch a reverse shell for command execution.12
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion FELIXROOT deletes the .LNK file from the startup directory as well as the dropper components.1
enterprise T1105 Ingress Tool Transfer FELIXROOT downloads and uploads files to and from the victim’s machine.12
enterprise T1112 Modify Registry FELIXROOT deletes the Registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open.1
enterprise T1027 Obfuscated Files or Information FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm.12
enterprise T1057 Process Discovery FELIXROOT collects a list of running processes.2
enterprise T1012 Query Registry FELIXROOT queries the Registry for specific keys for potential privilege escalation and proxy information. FELIXROOT has also used WMI to query the Windows Registry.12
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery FELIXROOT checks for installed security software like antivirus and firewall.2
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 FELIXROOT uses Rundll32 for executing the dropper program.12
enterprise T1082 System Information Discovery FELIXROOT collects the victim’s computer name, processor architecture, OS version, volume serial number, and system type.12
enterprise T1016 System Network Configuration Discovery FELIXROOT collects information about the network including the IP address and DHCP server.2
enterprise T1033 System Owner/User Discovery FELIXROOT collects the username from the victim’s machine.12
enterprise T1124 System Time Discovery FELIXROOT gathers the time zone information from the victim’s machine.2
enterprise T1047 Windows Management Instrumentation FELIXROOT uses WMI to query the Windows Registry.2


Back to top