Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
6.3.2 (U) GLYPH
(S) Dumps all data to a file on the drive. Specify filename with "GLYPH Config".
6.3.3 (U) PICTOGRAM
(S) This module transfers or stores data by appending the data to an already existing file
such as a jpg or png. You specify the filename and a 32-byte signature (generated
randomly on the fly).
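For analysts examining media from a suspect drive, data appended this way sits after the image's logical end (the PNG IEND chunk or the JPEG EOI marker), so walking the container structure exposes it. The following is an added detection example, not part of the original document; the function names and sample bytes are constructed for illustration, and the layout of the appended region is not described on this page.

```python
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
NO_LEN = bytes([0x01, *range(0xD0, 0xD8)])      # TEM and RSTn have no length field

def png_end(data):
    """Offset just past IEND, or None if the chunk chain is broken."""
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                      # length + type + body + CRC
        if ctype == b"IEND" and pos <= len(data):
            return pos
    return None

def jpeg_end(data):
    """Offset just past EOI, found by walking segments, or None."""
    pos = 2                                     # skip SOI (FF D8)
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI
            return pos + 2
        if marker == 0xFF or marker in NO_LEN:  # fill byte / marker without length
            pos += 1 if marker == 0xFF else 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                      # SOS: skip entropy-coded scan data
            while pos + 1 < len(data) and (
                    data[pos] != 0xFF or data[pos + 1] in b"\x00" + NO_LEN):
                pos += 1
    return None

def trailing_data(data):
    """(format, end_offset, extra_bytes), or None if nothing follows the image."""
    if data.startswith(PNG_SIG):
        kind, end = "png", png_end(data)
    elif data.startswith(b"\xff\xd8"):
        kind, end = "jpeg", jpeg_end(data)
    else:
        return None
    return (kind, end, len(data) - end) if end is not None and end < len(data) else None

# Constructed structural skeletons (zeroed CRCs, not decodable images).
SAMPLE_PNG = PNG_SIG + b"".join(
    struct.pack(">I4s", len(body), ctype) + body + bytes(4)
    for ctype, body in [(b"IHDR", bytes(13)), (b"IDAT", b"\x00"), (b"IEND", b"")])
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x04JF\xff\xda\x00\x02\x12\xff\x00\x34\xff\xd0\x56\xff\xd9"
APPENDED = bytes(32) + b"constructed trailing bytes"   # stand-in for appended data
```

Some cameras and editing tools legitimately write data after the end-of-image marker, so a hit is a triage signal to inspect the trailing bytes, not a verdict.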
6.3.4 (U) Local Binary
(S) Launches an arbitrary executable.
(S) Execution Method: how to launch the payload.
6.3.5 (U) Survey RR
(S) Performs full system survey including basic computer information, drive information,
running processes, etc.
6.3.6 (U) File Collection ORevFCC
(S) Performs File Collection against all fixed drives in the system.
(S) Sample File pattern matching:
"*.sle;*.xls*;*\big*;*\ndi*;*\ses*;*\mend*;*\xmendf*;*\dre*;*\ipc*;*\pds*;*\radlib*;*\rmc*;*\rmo*;*\y21*;*\drmccs*;*\libmix*;*\libphy*;*\librad*;*\libmdf*;*\libmcn*;*\libgandolf*;*\libclams*;*\libhyd*;*\libheplus*;*\mcnp*;*\origen*;*.f;*.c;*.cpp;*.dwg;"
(S) Sample Folder Exclusion pattern matching:
*\Windows\*;*\system32\*;*\program files*\*;*\$Recycle*;
6.3.7 (U) SPOL USB SURV
(S) Performs a USB survey on the target, listing every USB drive inserted since the OS
was installed. The survey produces two files: one ordered by insertion date and the
other ordered by drive.
6.4 (U) Utilizing “System Volume Information” for links and/or DLL payloads
(S) To hide DriftingDeadline directly on the USB drive, you can use the locked system
directory “System Volume Information” that Windows uses for System Restore on NTFS
thumbdrives.
• The BK Deployment can be configured to hide all its files from the user by
directly residing within the System Volume Information folder. HOWEVER, you
must be *at least* one folder deep into the System Volume Information folder in
order to keep its lock intact.