Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20350629
3. (U) System Description
3.1 (U) Technical References
3.2 (U) System Concepts and Capabilities
• (S) The Giraffe exploit relies on the user inserting a USB flash drive into the
target machine and browsing to a specific folder using Windows Explorer. When
the specially crafted link files are rendered on the screen, a DLL file they specify
will be loaded.
• (S) EzCheese relies on a minimum of three files to be added to the operational
drive:
o the Giraffe link(s) (.lnk files) to load a DLL file
o the DLL file invoked by the link, which launches an executable
o the configured executable payload to perform the survey
Nine files are required to target all 32- and 64-bit OS combinations. The number of
files required on the thumb drive can be determined using this chart:
Link(s)         Dll(s)                              Executable
--------------  ----------------------------------  ----------------------------------
32-bit WinXP
32-bit Vista    32-bit dll (if any 32-bit links)
32-bit Win7
                                                    32-bit executable (for any config)
64-bit WinXP
64-bit Vista    64-bit dll (if any 64-bit links)
64-bit Win7
• (S) Two different utilities are used for configuration: EzConfigUltimate
configures the executable, and Man-n-Cheese creates and configures the links
and DLLs.
• NOTE: To re-run the tool on the same machine you MUST kill the explorer.exe
process and restart it.
3.3 Prerequisites
• (S) The target system must be running a 32-bit or 64-bit version of Windows XP,
Windows Vista, or Windows 7.
4. (U) Operation
4.1 (U) Installation and Setup
1. (S) The EzConfigUltimate v6.3 GUI configures various parameters of the
operational files written to the flash drive. Various environment variables (such