Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20350629
(U) Appendix A: System Footprint
(S) The following files are added to the operational flash drive:
File        Size     MD5 Hash
Exe file    varies   varies
Dll file    varies   varies
Link file   varies   varies
Note: Due to configurability, the size and MD5 hash of any configured file will vary.
(U) Appendix B: PSP Findings
(S) For full PSP findings, please consult the IV&V slides that were delivered with
EZCheese 6.1 (Phase 2). Here is a brief summary:
BitDefender: Alerts will pop up! On Windows XP, Vista, and 7 32-bit and 64-bit an
ALERT popped up immediately upon inserting the USB drive on both low and high
settings.
Avast! Internet Security: Alerts will pop up! On Windows XP, Vista, and 7 32-bit and
64-bit the execution of an .exe file from a USB drive triggers a pop-up. If you know your
target is running Avast! you can use EZCheese 6.1b, which mitigates this pop-up.
Kaspersky Internet Security 2012: On Windows XP, Vista, and 7 Kaspersky logged
behavior of EZCheese at both low and high settings.
ESET Smart Security: On Windows XP 32-bit not all survey information was collected,
possibly due to ESET protecting information or blocking the survey process.
Trend Micro Titanium Internet Security: On Windows XP 32-bit at high settings the
payload was not deployed.
Norton Internet Security: On high settings an entry is recorded in the log file.
(U) Appendix B: Artifacts Left Behind
(S) After executing EZCheese there will be information left behind in memory. This
includes the name of executables, paths to those executables, and the name and path of
link files.