Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

1. Configuration: Performed by the operator on a Windows 7 machine using Emotional_Simian_Config.exe. This tool generates the required .cfg file containing all the payloads and configuration information that ES Server(64).exe needs.
2. Transfer: ES Server(64).exe (chosen according to target bitness) is installed on the primary host together with the configuration (.cfg) file via some deployment method. These two files can be placed wherever the operator desires and named whatever the operator desires, but they must share the same base name (e.g. clevername.exe and clevername.cfg). ES Server(64).exe should then be executed, and persistence must be set up by the operator.
3. Infection: When a whitelisted drive is introduced, ES Server(64).exe places DllPayload(64).dll and the appropriate lnk files on the thumb drive (named as the operator configured them). The lnk files cause DllPayload(64).dll to run when the user views the lnk file in Explorer.
4. Execution: If the whitelisted drive is introduced to the OS the lnk files were generated for and is viewed in an Explorer window, DllPayload(64).dll gains execution. DllPayload(64).dll then launches itself under rundll32.exe, attempts to escalate privileges, and checks the configured kill date, the master blacklist, and whether the computer has been seen before. Execution always occurs because of the exploit; if any of those conditions is met, however, the program exits immediately.
5. Deployment: If the initial requirements are met, ES attempts to deploy the configured payloads. Each payload has its own configured decision criteria. The
7
SECRET//X1
CL BY: 2397517
REASON: 1.4(c)
DECL: 20361019
DRV: COL S-06
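The Infection step above leaves a recognisable artifact pair on the thumb drive: lnk files beside a DLL they reference. As an added example (not code from the leaked guide or from the tool it describes), the following Python scans a directory standing in for a whitelisted drive and reports every valid MS-SHLLINK shortcut whose embedded strings name a DLL present on the same drive, noting whether rundll32 is mentioned as well. The shortcut builder, the file names (DllPayload64.dll, Photos.lnk, Report.lnk) and the directory layout are constructed for the demo; the sample shortcut is a plain shortcut carrying a command-line string, not a reproduction of the trigger the guide calls "the exploit".

```python
"""Heuristic scan of a removable drive for .lnk files that reference a DLL
shipped on the same drive.  Added example; not part of the leaked guide or of
the Emotional Simian tool it describes."""
import struct
import tempfile
from pathlib import Path

# MS-SHLLINK ShellLinkHeader: HeaderSize is always 0x4C and LinkCLSID is
# 00021401-0000-0000-C000-000000000046 (little-endian field serialization).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ARGUMENTS = 0x20   # LinkFlags bit: COMMAND_LINE_ARGUMENTS StringData present
IS_UNICODE = 0x80      # LinkFlags bit: StringData is UTF-16LE


def is_shell_link(data: bytes) -> bool:
    """True if the bytes start with a well-formed ShellLinkHeader."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size, = struct.unpack_from("<I", data, 0)
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def embedded_text(data: bytes) -> str:
    """Lower-cased text from every decoding a shortcut may store strings in:
    ANSI, plus UTF-16LE at both alignments (IDList/LinkInfo sizes can be odd),
    so a substring search covers StringData and IDList paths alike."""
    ansi = data.decode("latin-1", errors="ignore")
    wide_even = data[LNK_HEADER_SIZE:].decode("utf-16-le", errors="ignore")
    wide_odd = data[LNK_HEADER_SIZE + 1:].decode("utf-16-le", errors="ignore")
    return "\n".join((ansi, wide_even, wide_odd)).lower()


def scan_drive(root) -> list:
    """One finding per .lnk on the drive whose bytes mention a DLL also on it."""
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file()]
    dll_names = {p.name.lower() for p in files if p.suffix.lower() == ".dll"}
    findings = []
    for lnk in files:
        if lnk.suffix.lower() != ".lnk":
            continue
        data = lnk.read_bytes()
        if not is_shell_link(data):
            continue
        text = embedded_text(data)
        hits = sorted(d for d in dll_names if d in text)
        if hits:
            findings.append({
                "lnk": lnk.relative_to(root).as_posix(),
                "dlls": hits,
                "mentions_rundll32": "rundll32" in text,
            })
    return findings


def build_sample_lnk(arguments: str) -> bytes:
    """Constructed, benign shortcut: a valid header with HasArguments|IsUnicode
    followed by a single COMMAND_LINE_ARGUMENTS StringData entry.  It exists
    only to give the scanner an on-disk artifact to match."""
    header = struct.pack("<I16sIIQQQIIIHHII",
                         LNK_HEADER_SIZE, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE,
                         0,            # FileAttributes
                         0, 0, 0,      # CreationTime, AccessTime, WriteTime
                         0,            # FileSize
                         0,            # IconIndex
                         1,            # ShowCommand = SW_SHOWNORMAL
                         0, 0,         # HotKey, Reserved1
                         0, 0)         # Reserved2, Reserved3
    # StringData: CountCharacters (uint16) then the characters, no terminator.
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


def demo(tmp=None) -> list:
    """Populate a directory standing in for a whitelisted thumb drive
    (constructed names) and scan it."""
    tmp = Path(tmp) if tmp is not None else Path(tempfile.mkdtemp())
    (tmp / "DllPayload64.dll").write_bytes(b"MZ" + b"\0" * 62)   # placeholder, not a real PE
    (tmp / "Photos.lnk").write_bytes(
        build_sample_lnk("rundll32.exe \\DllPayload64.dll,#1"))
    (tmp / "Report.lnk").write_bytes(build_sample_lnk("notepad.exe"))
    return scan_drive(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real drive the string match is deliberately loose: the reference to the DLL may sit in the shortcut's argument string, its relative path, or inside the LinkTargetIDList, and searching the raw bytes in both encodings catches all three without a full shortcut parser. Treat a hit as a lead to pull the lnk and the DLL for analysis, not as proof on its own.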
