Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
2. If the Recharge Number of Runs check box was selected, then all payloads and
the survey will have their maximum number of runs reset to the original amount.
3. If the Allow Retasking on Previous Targets check box was selected, then a new
GUID will be supplied to DllPayload(64).dll, allowing that DLL to infect
secondary hosts that were previously infected.
Other tools are required to recover collected data from the Primary Host.
4.6 Post Process of Collected Files
4.6.1 Postprocess ES collected files:
Run Post processor.exe as Admin with the following arguments:
PostProcessor -d <IN:PEM File> <IN:Folder to decrypt> <OUT:Name of output Folder>
4.6.2 Postprocess ES .LOG Release Logging Files:
PostProcessor -l <IN:LOG File>
4.7 Additional Software
4.7.1 Keygen.exe:
Keygen.exe produces a public/private key pair. The arguments are below:
Keygen.exe <file_to_store_pem.pem>
4.7.2 Extract WM Files.exe
This tool extracts files from the covert storage space on a thumb drive. The
arguments are below:
ExtractWMFile.exe <Drive Letter> Optional:<Directory to store files>
If the directory to store files is not specified, the files will be stored in a
folder named 1111 next to Extract WM Files.exe.
4.7.3 Get SN.exe
This tool finds the serial number of a thumb drive, either on the target or back at
station. The arguments are below:
GetSN.exe <Drive Letter>
4.7.4 Whack_Thumbdrive.exe
This tool is used by the GUI to infect a local thumb drive plugged into the
computer.
Whack_Thumbdrive.exe <Config.xml> <Drive letter>
SECRET//X1
CL BY: 2397517
REASON: 1.4(c)
DECL: 20361019
DRV: COL S-06