Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
(S//NF) The base file name should include '{}' in the name. This is the location in the file name where BothanSpy will put the PID of the process it stole credentials from. This allows BothanSpy to create a unique file per execution of the DLL.
(S//NF) A quick and easy example to use:
>BothanSpy /home/dev/Desktop/bothans/BothanSpy.dll Forget c:\temp\creds{}.txt secretpassphrase
(S//NF) The above example will output encrypted files to the path C:\temp on the target (this path must exist already and be writable by Xshell). The files will be named credsXXXX.txt where XXXX is the PID of an Xshell process. The AES key used to encrypt each file will be a hash derived from the password 'secretpassphrase'. Don't forget this password or you'll be out of luck.
(S//NF) After all encrypted files have been exfil'd back to the attack machine, you'll need to use the fnf_unpack.py script to decrypt the files. The usage for fnf_unpack.py will print if you run it with no parameters. Below is a copy of that usage information:
• fnf_unpack.py <input file/folder> <output file> <password>
(S//NF) The input file/folder can be an individual encrypted file, or a folder containing BothanSpy encrypted files. The script will extract all credential information and write it to the output file. Make sure you use the correct password that was used to encrypt the files. NOTE: fnf_unpack.py will overwrite <output file> if it already exists!
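The two host-side artifacts this manual describes (a drop file named creds{PID}.txt in a writable directory such as C:\temp, holding AES-encrypted data, where the PID belongs to a running Xshell process) give a responder something concrete to triage. The following is an added example written for this page, not code from the leaked project: it takes a constructed directory listing and a constructed set of Xshell PIDs (both assumptions) and ranks files that match the naming convention, using byte entropy to tell encrypted output from ordinary text.

```python
import math
import re
from typing import Dict, Iterable, List

# Naming convention from the manual: the '{}' in creds{}.txt becomes the PID.
CREDS_PATTERN = re.compile(r"^creds(\d+)\.txt$", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. AES ciphertext sits close to 8.0; plaintext sits well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_bothanspy_artifacts(files: Dict[str, bytes], xshell_pids: Iterable[int],
                             min_entropy: float = 7.0) -> List[dict]:
    """Return files matching creds<PID>.txt, ranked by how well they fit the manual.

    files: mapping of file name -> content, as collected from the drop directory.
    xshell_pids: PIDs of Xshell processes observed on the host.
    """
    live = set(xshell_pids)
    hits = []
    for name, content in files.items():
        m = CREDS_PATTERN.match(name)
        if not m:
            continue
        pid = int(m.group(1))
        ent = shannon_entropy(content)
        encrypted = ent >= min_entropy
        pid_is_xshell = pid in live
        # Both signals together match the documented behaviour closely.
        severity = "high" if (encrypted and pid_is_xshell) else "low"
        hits.append({"name": name, "pid": pid, "entropy": round(ent, 2),
                     "encrypted": encrypted, "pid_is_xshell": pid_is_xshell,
                     "severity": severity})
    return sorted(hits, key=lambda h: (h["severity"] != "high", h["name"]))


# Constructed sample: one encrypted-looking drop file, one plaintext decoy, one unrelated file.
SAMPLE_FILES = {
    "creds4120.txt": bytes(range(256)) * 2,   # stand-in for AES output (uniform bytes)
    "creds77.txt": b"user=bob\n" * 20,        # plaintext, low entropy
    "notes.txt": b"meeting at 10\n",          # does not match the naming convention
}
SAMPLE_XSHELL_PIDS = {4120, 5008}             # constructed process list
```

Pair the file-system check with the process list from the same collection window, since the PID in the name is only meaningful while that Xshell instance is still identifiable.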