Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Pique Analysis Report
20150904-275-Cisco Rombertik
Raytheon Blackbird Technologies, Inc.
04 September 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
2.0 (U) Description of the Technique
(S//NF) Both techniques recommended for PoC development are anti-analysis techniques. The first is an improved method for waiting out a sandbox: instead of calling sleep(), the sample runs a memory-write routine 960 million times, so a sandbox that hooks or fast-forwards sleep calls gains nothing because the delay is spent on real CPU work. The second is a check that ZwGetWriteWatch() returns a specific expected value; any other result is treated as a sign that the sample is being analyzed.
3.0 (U) Identification of Affected Applications
(U) Windows, and a variety of unnamed sandbox products.
4.0 (U) Related Techniques
(S//NF) Anti-analysis and anti-sandboxing.
5.0 (U) Configurable Parameters
(U) Varied.
6.0 (U) Exploitation Method and Vectors
(S//NF) No exploitation methods are discussed in the source blog post. The attack vector mentioned is spam and spear-phishing email campaigns.
7.0 (U) Caveats
(U) None.
8.0 (U) Risks
(S//NF) The risk associated with developing both recommended PoCs is deemed low, given their limited technical complexity. We estimate one FTE week per PoC, for a total of two FTE weeks.
9.0 (U) Recommendations
(S//NF) We recommend the following anti-analysis techniques be developed as PoCs:
- Rombertik's method for stalling to wait out sandboxes by writing a random byte of data to memory 960 million times.
- Rombertik's method for detecting analysis by checking whether ZwGetWriteWatch() returns the expected value.
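The two techniques recommended above (sections 2.0 and 9.0), written out as an added example. This is illustrative code written for this page, not the Rombertik sample's code and not Raytheon's PoC. The iteration count (960 million) is taken from the report; the buffer size, the LCG constants, and the write-watch check's design are assumptions. Rombertik's exact expected return value from ZwGetWriteWatch() is not stated on the page, so the check here uses the documented Win32 wrapper GetWriteWatch() and expects the kernel to report exactly the one page the code dirtied; a sandbox or emulator that stubs the call typically returns a failure code or a wrong count. The stall loop is portable; the write-watch check returns -1 when compiled outside Windows.

```c
/* Added example: sleep-free stalling and a write-watch sanity check,
 * the two anti-sandbox PoCs the report recommends. Not the sample's code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Count taken from the report: the sample writes one random byte 960M times. */
#define ROMBERTIK_ITERATIONS 960000000ULL

/* Stall by doing real work instead of calling sleep(). A sandbox that
 * patches Sleep()/NtDelayExecution to return immediately cannot shorten
 * this, because the time is spent on memory writes. The buffer is read
 * back afterwards so the compiler cannot drop the loop as dead code.
 * Returns 1 if the buffer was modified, 0 if untouched, -1 on allocation
 * failure. The 4 KiB buffer and the LCG constants are assumptions. */
int stall_and_verify(uint64_t iterations)
{
    enum { LEN = 4096 };
    uint8_t *buf = calloc(LEN, 1);
    if (!buf) return -1;

    uint32_t lcg = 0x1234567u;                    /* cheap PRNG in place of rand() */
    for (uint64_t i = 0; i < iterations; i++) {
        lcg = lcg * 1664525u + 1013904223u;       /* Numerical Recipes LCG step */
        buf[lcg % LEN] = (uint8_t)(lcg >> 24);    /* one "random" byte per pass */
    }

    int touched = 0;
    for (size_t j = 0; j < LEN && !touched; j++)
        touched = (buf[j] != 0);
    free(buf);
    return touched;
}

/* Write-watch check. Allocates a MEM_WRITE_WATCH region, dirties exactly
 * one page, then asks GetWriteWatch() (the Win32 wrapper over
 * ZwGetWriteWatch) which pages changed. On a real Windows kernel the call
 * succeeds, reports one page at the expected address, and returns the
 * system page size as granularity. An environment that stubs or emulates
 * the API usually fails one of those expectations. This check design is an
 * assumption; it is not necessarily the value Rombertik compares against.
 * Returns 1 = looks genuine, 0 = suspicious, -1 = not applicable (not Windows). */
int write_watch_looks_genuine(void)
{
#ifdef _WIN32
    SYSTEM_INFO si;
    GetSystemInfo(&si);
    SIZE_T region = (SIZE_T)si.dwPageSize * 4;
    unsigned char *base = VirtualAlloc(NULL, region,
                                       MEM_RESERVE | MEM_COMMIT | MEM_WRITE_WATCH,
                                       PAGE_READWRITE);
    if (!base) return 0;

    base[si.dwPageSize * 2] = 0x41;               /* dirty only the third page */

    PVOID dirty[4];
    ULONG_PTR count = 4;                          /* capacity in, entries out */
    DWORD granularity = 0;
    UINT rc = GetWriteWatch(0, base, region, dirty, &count, &granularity);

    int ok = (rc == 0) && (count == 1) &&
             (dirty[0] == (PVOID)(base + si.dwPageSize * 2)) &&
             (granularity == si.dwPageSize);
    VirtualFree(base, 0, MEM_RELEASE);
    return ok;
#else
    return -1;
#endif
}

int main(void)
{
    int ww = write_watch_looks_genuine();
    printf("write-watch check: %s\n",
           ww == 1 ? "genuine" : ww == 0 ? "suspicious" : "n/a (not Windows)");

    /* Full 960M-iteration stall: a few seconds of CPU on real hardware. */
    int touched = stall_and_verify(ROMBERTIK_ITERATIONS);
    printf("stall loop finished, buffer modified: %d\n", touched);
    return 0;
}
```

Two practitioner notes. First, the stall loop is only invisible to sandboxes that shorten sleeps; one that instruments every memory write, or that simply runs the sample long enough, sees it as a sustained CPU-bound burst with no I/O, which is itself a usable detection signal. Second, the write-watch check is a behavioural fingerprint of the kernel, not of a hypervisor: it passes inside an ordinary VM and fails mainly in emulators or sandboxes that stub undocumented or rarely-used APIs, so it complements rather than replaces the usual VM-artifact checks.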
