Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
5. Encryption File: This is the location of the encryption file on the config system. This file contains the public and private keys necessary for encryption and decryption.
6. Generate Encryption File: This is an easy button to create a new pem file. Warning: Losing this key and the XML config file will cause all data collected to be useless. Old pem files cannot be reproduced. It would be wise to reuse the same pem file for the same ongoing op.
7. Global ES_Dll File Collection Configuration for Stored File Hashes: These global configurations pertain to the DllPayload(64).dll.
8. Generate Unique File Hashes per Whitelisted Drive: This option specifies whether you want every thumbdrive that executes on target to collect and hash files, or for all of them to use the same hash list. If this box is checked, then every thumbdrive will store its own hash list for files it has collected, thus allowing additional ES drives to collect the same files.
For example, let's say you configure 5 ES drives to collect all files named Secret.doc. If you check this configuration box, then all 5 ES drives will collect all the Secret.doc files from the target. However, these files are then hashed, and subsequent returns to the target will not yield collection of these files again (unless they've changed).
If you do not check this box, then only the first ES drive will collect all files named Secret.doc. The four other drives, and subsequent returns of all five drives to the system, will not yield collection of the files again (unless they've changed).
9. Location of File Hashes on Target: This is the location of the hash file on the secondary host. The default file location is %appdata%/Microsoft/Internet Explorer/hret.cfg. The hash file will always be named hret.cfg.
10. Pre Build Batch File: These fields enable a bat script or executable to run before building an ES Payload.
11. Post Build Batch File: These fields enable a bat script or executable to run to clean up the pre build process.
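As an added defender-side example (not part of the Vault 7 document or of the tool it describes), the following Python script turns the hash-file location stated in item 9 into a host check: it walks a profile root and reports every file named hret.cfg whose immediate parent folders are Microsoft/Internet Explorer, with size and modification time for triage. The matching rule on the parent folders and the demo profile tree it builds are assumptions constructed for this example; nothing about the file's contents is taken from the document beyond its name and default path.

```python
"""Host check for the hret.cfg hash-list artifact named in item 9.

Added example, not code from the Vault 7 document. The document states only
that the hash file is always named hret.cfg and defaults to
%appdata%/Microsoft/Internet Explorer/hret.cfg on the secondary host; the
folder-matching rule and the demo tree below are constructed for this example.
"""
import os
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

ARTIFACT_NAME = "hret.cfg"
# Immediate parent folders from the document's default path (compared case-insensitively).
ARTIFACT_PARENTS = ("microsoft", "internet explorer")


def is_hret_artifact(path: Path) -> bool:
    """True if path is a file named hret.cfg directly under .../Microsoft/Internet Explorer/."""
    if not path.is_file() or path.name.lower() != ARTIFACT_NAME:
        return False
    parents = tuple(part.lower() for part in path.parts[-3:-1])
    return parents == ARTIFACT_PARENTS


def find_hret_artifacts(root) -> list:
    """Recursively scan root; return a sorted list of dicts describing each hit."""
    hits = []
    for path in Path(root).rglob("*"):
        if is_hret_artifact(path):
            st = path.stat()
            hits.append({
                "path": str(path),
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    return sorted(hits, key=lambda hit: hit["path"])


def build_demo_tree(base) -> str:
    """Construct a fake profile tree: one planted artifact plus two decoys that must not match."""
    base = Path(base)
    ie_dir = base / "alice" / "AppData" / "Roaming" / "Microsoft" / "Internet Explorer"
    ie_dir.mkdir(parents=True)
    planted = ie_dir / ARTIFACT_NAME
    planted.write_bytes(b"constructed-hash-list")  # 21 bytes of made-up content
    # Decoy 1: right name, wrong folder.
    decoy1 = base / "bob" / "Documents" / ARTIFACT_NAME
    decoy1.parent.mkdir(parents=True)
    decoy1.write_bytes(b"unrelated")
    # Decoy 2: right folder, different name.
    (ie_dir / "decoy.txt").write_bytes(b"benign")
    return str(planted)


def demo() -> dict:
    """Run the scanner over the constructed tree; returns the hits and the planted path."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = build_demo_tree(tmp)
        return {"planted": planted, "hits": find_hret_artifacts(tmp)}


if __name__ == "__main__":
    # Scan the roots given on the command line, else %APPDATA% if set, else run the demo.
    roots = sys.argv[1:] or ([os.environ["APPDATA"]] if "APPDATA" in os.environ else [])
    if roots:
        for root in roots:
            for hit in find_hret_artifacts(root):
                print(hit)
    else:
        result = demo()
        print("planted:", result["planted"])
        for hit in result["hits"]:
            print(hit)
```

Run it with one or more profile roots (for example the parent of every user's AppData folder) to sweep a host; a hit is worth correlating with removable-media events, since the document ties the file to thumbdrive-based collection.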
4.3 Deployment to Primary Host
Select “Build ES” to create the configuration (*.cfg) and executable (*.exe) files. Run the configuration program as Admin, because Emotional Simian needs admin privileges or higher to infect a local thumb drive.
19
SECRET//X1
CL BY: 2397517
REASON: 1.4(c)
DECL: 20361019
DRV: COL S-06