Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

4.2 Configuring Emotional Simian
To configure Emotional Simian the operator must run Emotional_Simian_Config.exe,
which must be run on XP SP3 or later, preferably on Windows 7.
Emotional_Simian_Config.exe will generate an ES_Server.exe and an ES_Server.cfg file,
which will be laid down on the Primary Host, and an XML file of all the configurations
from the configuration tool along with the public and private keys.
NOTE: DO NOT LOSE THE PRIVATE KEY! IF THIS IS LOST YOU WILL NOT BE ABLE TO DECRYPT ANY FILES COLLECTED.
4.3 Left-behind data
The following things are left behind or altered by ES Server:
1. ES_Server.exe -> wherever you placed it
2. ES_Server.cfg -> wherever you placed it
3. Collection Folder -> created after the first thumbdrive is seen, placed wherever you configured it to drop in the field Collection Directory on Primary Host Target.
The following files and Reg keys are created by the ES Dll Payload:
1. Reg Key -> HKCU\Software\Microsoft\Active Setup
   a. Value: Parameters
2. Reg Key, if the persist Completed Reg key option is checked: HKLM\Software\Microsoft\Active Setup
   a. Value: some random GUID
3. Reg Key, if not persistent: HKLM\Software\Microsoft\MNU
   a. Value: some random GUID
4. Hash File: located wherever you configured in the field Hash Collection Directory Location on Secondary Target
5. Payloads: wherever you drop them.
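The registry artifacts listed above are the part of this footprint a defender can audit without knowing the operator-chosen paths. The following is an added example, not part of the leaked document, that checks a host for them; it assumes "some random GUID" may appear as either the value name or the value data, and that HKLM\Software\Microsoft\MNU is not a key a stock Windows install creates, so its presence alone is reported.

```powershell
# Added example (not from the document): audit the three registry locations the
# manual names for the ES Dll Payload. Assumption: the GUID may be the value
# name or its data, so both are matched against a GUID pattern.
$guidPattern = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'
$findings = @()

function Get-GuidLikeValues($path) {
    # Emit the names of values under $path whose name or data looks like a GUID.
    if (-not (Test-Path -Path $path)) { return @() }
    $key = Get-Item -Path $path
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($name -match $guidPattern -or $data -match $guidPattern) { $name }
    }
}

# 1. HKCU Active Setup with a value named 'Parameters'.
$hkcuAS = 'HKCU:\Software\Microsoft\Active Setup'
if ((Test-Path -Path $hkcuAS) -and
    ((Get-Item -Path $hkcuAS).GetValueNames() -contains 'Parameters')) {
    $findings += "Value 'Parameters' present under $hkcuAS"
}

# 2. Persistent variant: a GUID-like value directly under HKLM Active Setup.
#    Legitimate Active Setup entries live in the 'Installed Components' subkey.
$hklmAS = 'HKLM:\Software\Microsoft\Active Setup'
foreach ($name in (Get-GuidLikeValues $hklmAS)) {
    $findings += "GUID-like value '$name' directly under $hklmAS"
}

# 3. Non-persistent variant: report the MNU key if it exists at all, plus any
#    GUID-like value beneath it.
$hklmMNU = 'HKLM:\Software\Microsoft\MNU'
if (Test-Path -Path $hklmMNU) {
    $findings += "Non-standard key present: $hklmMNU"
    foreach ($name in (Get-GuidLikeValues $hklmMNU)) {
        $findings += "GUID-like value '$name' under $hklmMNU"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No ES Dll Payload registry artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it in an elevated session so the HKLM keys are readable; a hit on item 2 or 3 is a lead, not proof, since the manual gives no fixed value name to match on.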
SECRET//X1
CL BY: 2397517
REASON: 1.4(c)
DECL: 20361019
DRV: COL S-06
