Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
32-bit machines use ES Server.exe; 64-bit machines use ES Server64.exe. Put the appropriate version of ES Server(64).exe on the target Primary Host computer. Both *.cfg files are identical. ES Server(64).cfg has to have the same name as ES Server(64).exe. ES Server(64).exe will load the *.cfg file and rename it to a *.ini file. A new *.cfg is installed by placing it on the Primary Host beside ES Server(64).exe. ES Server(64).exe does not need to be shut down; just drop the new *.cfg file and wait at most 3 seconds. The old *.ini file will be deleted, and the new *.cfg file will be loaded into ES Server(64).exe and renamed to *.ini. The hash list of all infected thumb drives is stored in the *.ini file, so deleting this file will allow ES Server(64).exe to re-infect thumb drives it has already infected.
4.4 Left behind data
4.4.1 Primary Host Data
The following things are left behind or altered by ES Server on the Primary Host:
1. ES_Server.exe -> wherever installed
2. ES_Server.cfg -> wherever installed
3. Collection Folder -> created after seeing the first thumb drive with collected data, placed where configured (Collection Directory on Primary Host Target).
4.4.2 Secondary Host Data
The following files and Reg keys are created by ES Dll Payload on the Secondary Host:
1. Reg Key -> HKCU\Software\Microsoft\Active Setup
   a. Value: Parameters
2. Reg Key if “Persist Completed Reg Key” is checked: HKLM\Software\Microsoft\Active Setup
   a. Value: Some random GUID
3. Reg Key if not persistent: HKLM\Software\Microsoft\MNU
   a. Value: Some random GUID
4. Hash File: located where configured (Hash Collection Directory Location on Secondary Target)
5. Payloads: wherever they were dropped.
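The artifact list in 4.4.1 and 4.4.2 is, from a defender's side, a set of host indicators. The following script is an added example written for this page, not part of the original document or the tool it describes; it sweeps a Windows host for the registry values and file names named above. Assumptions are marked in comments: the search roots, the two spellings of the executable name (the document uses both "ES Server.exe" and "ES_Server.exe"), and the decision to report every value directly under the two HKLM keys, because the document only says the value name is "some random GUID". The Hash File and dropped Payloads are placed at configured or arbitrary locations, so they are not checked here.

```powershell
# Added example (not from the original document): check a Windows host for the
# registry and file artifacts listed in section 4.4. Run from an elevated
# PowerShell session so the HKLM keys are readable.

# Registry artifacts from 4.4.2. Only the HKCU entry has a known value name
# ("Parameters"); for the HKLM keys every value directly under the key is listed
# and GUID-shaped names are flagged, since the document gives only "some random GUID".
# Note: HKLM\Software\Microsoft\Active Setup is a legitimate Windows key, so the key
# existing is not a finding by itself; the values under it are what matter.
$registryChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Active Setup'; ValueName = 'Parameters' },
    @{ Path = 'HKLM:\Software\Microsoft\Active Setup'; ValueName = $null },
    @{ Path = 'HKLM:\Software\Microsoft\MNU';          ValueName = $null }
)

# File names from 4.4.1 plus the *.ini the executable creates from its *.cfg.
# Both spellings seen in the document (space and underscore) are included.
$fileNames = @(
    'ES Server.exe',  'ES Server64.exe',  'ES_Server.exe',  'ES_Server64.exe',
    'ES Server.cfg',  'ES Server64.cfg',  'ES_Server.cfg',  'ES_Server64.cfg',
    'ES Server.ini',  'ES Server64.ini',  'ES_Server.ini',  'ES_Server64.ini'
)

# Assumption: sweep the system drive only; add other fixed drives as needed.
$searchRoots = @("$env:SystemDrive\")

$guidPattern = '^\{?[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?$'
$findings = @()

foreach ($check in $registryChecks) {
    if (-not (Test-Path -Path $check.Path)) { continue }
    $props = Get-ItemProperty -Path $check.Path
    if ($check.ValueName) {
        # Known value name: report it only if it is present.
        if ($props.PSObject.Properties.Name -contains $check.ValueName) {
            $findings += [pscustomobject]@{
                Type = 'Registry'; Location = $check.Path
                Name = $check.ValueName; Data = $props.($check.ValueName); GuidNamed = $false
            }
        }
    } else {
        # Unknown (GUID) value name: list every value, skipping PowerShell's PS* metadata.
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            $findings += [pscustomobject]@{
                Type = 'Registry'; Location = $check.Path
                Name = $p.Name; Data = $p.Value; GuidNamed = ($p.Name -match $guidPattern)
            }
        }
    }
}

# File sweep: any of the listed names anywhere under the search roots.
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -File -Include $fileNames -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Type = 'File'; Location = $_.FullName
                Name = $_.Name; Data = $_.LastWriteTime; GuidNamed = $false
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No section 4.4 artifacts found.'
} else {
    $findings | Sort-Object Type, Location | Format-Table -AutoSize
}
```

A GUID-named value under HKLM\Software\Microsoft\MNU, or a "Parameters" value under the HKCU Active Setup key, is the strongest signal here; GUID-named values directly under HKLM Active Setup need a closer look because that key also has legitimate uses. Preserve the registry hive and any matched files before remediation if the host is going into an incident-response workflow.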
4.5 Retrieval of Collected Files
4.5.1 If a whitelisted drive returns to the Primary Host
1. All data files (Surveys, Directory listings, and/or File collections) will be placed in the folder specified by the Collection Directory on Primary Host Target parameter in the configuration program and deleted off the covert storage on the thumb drive.
20
SECRET//X1
CL BY: 2397517
REASON: 1.4(c)
DECL: 20361019
DRV: COL S-06