]HackingTeam[ KnowledgeBase Product
If I have the phone/PC with me, is there a way to know if it is infected (from the device)?
  • The best option is to build an offline CD from the same factory and boot the device from it; it reports with a red cross or a green check whether Elite or Soldier is installed.

  • Check how they installed the agent.

  • For phones the procedure is different; refer to the mobile phone platform section.

After activating the scanning of the file system we realized that some files were missing. For example, in c:\windows\system32\drivers, the etc folder was missing as well as a few dozen files on the target machine. We also tried to Retrieve Subtree directly from the drivers folder with a depth equal to 3. The missing files did not seem to be either hidden or system files.
  • This malfunction occurs when the infected operating system is 64-bit: the 32-bit agent sees a virtualized (redirected) view of the Windows file system rather than the native one, so files that exist only in the native system directories are not listed.

How does the infection "self deleting executable" for Windows PC work?
  • It is an agent created by selecting the file type * and the exploit "Self deleting executable".

The system generates an executable file that installs the Scout. After installation, the executable file is automatically deleted without a trace.

Note: The Scout runs and installs automatically; there is no need to reboot the machine.

During an offline installation from CD, the procedure installed Soldier instead of Elite. Why did it happen considering that it was an offline installation?
  • If the AV installed in the OS is blacklisted, Soldier is installed instead of Elite. The blacklist rule is the same as the one used for the Scout.

In a Windows PC that is joined to a domain, does the agent work?
  • There is no problem with the Windows domain per se.

  • Check whether any strong restrictions (e.g. group policies) apply in that particular scenario and evaluate them case by case.