| Forensic Entry | Purpose | Changeable |
|---|---|---|
| File: encrypted container file | Holds boot code | Yes |
| Boot Sector: partition boot sector modification | Holds boot code | No |
| Registry key: HKLM\System\CurrentControlSet\Control\Windows\SystemLookup | Holds BadMFS parameters | No |
| Covert Store: BadMFS will create an encrypted covert file system in the file specified in the zf file. Alternatively, the covert file system can be placed at the end of the active partition. | Holds driver and user-mode implants | No |

LOOK FOR THIS KEY TO KNOW IF CLOWN MALWARE PLANTED
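A read-only check for the registry entry in the table, written for this page as an added example (it is not taken from the guide). The guide does not say whether SystemLookup is a subkey or a value under Control\Windows, so the script assumes either is possible and tests both in every control set.

```powershell
# Added example: read-only check for the registry artefact named in the table.
# Assumption: "SystemLookup" may be a subkey or a value under Control\Windows;
# the page does not say which, so both are tested.
$name = 'SystemLookup'

# CurrentControlSet is a link to one ControlSet00N; checking every numbered
# set also covers copies that are not currently active.
$sets = @('CurrentControlSet') +
        @(Get-ChildItem -Path 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
          Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
          ForEach-Object { $_.PSChildName })

$findings = foreach ($set in $sets) {
    $parent = "HKLM:\SYSTEM\$set\Control\Windows"
    if (-not (Test-Path -LiteralPath $parent)) { continue }

    # Case 1: SystemLookup exists as a subkey.
    $sub = Join-Path $parent $name
    if (Test-Path -LiteralPath $sub) {
        $k = Get-Item -LiteralPath $sub
        [pscustomobject]@{
            ControlSet = $set; Kind = 'Subkey'; Path = $sub
            Detail = "values: $($k.ValueCount), subkeys: $($k.SubKeyCount)"
        }
    }

    # Case 2: SystemLookup exists as a named value of Control\Windows.
    $key = Get-Item -LiteralPath $parent
    if ($key.GetValueNames() -contains $name) {
        [pscustomobject]@{
            ControlSet = $set; Kind = 'Value'; Path = "$parent\$name"
            Detail = "type: $($key.GetValueKind($name))"
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    "No '$name' key or value found under Control\Windows in: $($sets -join ', ')"
}
```

The script reports only the location and type of a match, not its contents, so a hit can be preserved and examined with forensic tooling afterwards.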
https://wikileaks.org/vault7/document/Angelfire-2_0-UserGuide/page-5/#pagination