Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

1. Configuration: Done by the operator on a Windows 7 machine. During this stage Emotional_Simian_Config.exe is run and the desired settings are filled in. The tool then generates the required .cfg file, which contains all the payloads and configuration information required by ES Server(64).exe.
2. Transfer: ES Server(64).exe (chosen according to the bitness of the target) is transferred downstream together with the configuration (.cfg) file via some deployment method. These two files can be put wherever the operator desires and named whatever the operator desires, but they must share the same base name, e.g. clevername.exe and clevername.cfg. ES Server(64).exe should then be executed, and persistence must be set up by the operator.
3. Infection: Upon introduction of a whitelisted drive, ES Server(64).exe places DllPayload(64).dll and the appropriate .lnk files on the thumb drive. The .lnk files cause DllPayload(64).dll to run when the user views the .lnk file in Explorer.
4. Execution: If the whitelisted drive is introduced to the OS for which the .lnk files were generated and viewed in an Explorer window, DllPayload(64).dll gains execution. Immediately after gaining execution, DllPayload(64).dll launches itself as rundll32.exe, attempts to escalate privileges and begins to check the configured kill date, the master blacklist, and whether the computer has been seen before. Note that execution always happens, but if the blacklist or kill date check fails, or the computer has been whacked before, the program immediately quits.
5. Deployment: If the initial requirements are met, ES attempts to deploy the payloads according to the conditions configured earlier. A separate blacklist for each payload is checked, and a decision is made based on whether the computer connects to the internet and whether the process has administrative privileges. The payload can also conduct a survey or collect files according to the configuration set by Emotional_Simian_Config.exe.
6. Collection: If DllPayload(64).dll collects files and/or a system survey, these files are chunked up and written back to the covert partition that exists on the thumb drive.
7. Unload: Upon return to the primary host, ES Server(64).exe pulls any collected files off the covert partition and stores them as hidden system files in the folder designated during configuration. The default is the folder containing ES Server(64).exe.
8. Retrieval: The operator then pulls the desired files from the Primary Host and places them on the Base End for post-processing.
9. Post Process: To decrypt, decompress, and stitch the files back together, PostProcess.exe is run. The recreated files are dumped into the desired location.
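A defender-side artifact check for the on-disk traces this workflow leaves behind, added here as an example and not code from the original document or from the tool itself: it walks a host folder or a mounted drive for the same-named .exe/.cfg pair from step 2, the .lnk files dropped beside a DLL from step 3, and any DLL whose name matches the payload. The names DllPayload.dll and DllPayload64.dll are assumed from the DllPayload(64).dll notation, and the tree it scans is constructed sample data; a hit is a triage lead, not proof of infection.

```python
import os
import shutil
import tempfile

# Names assumed by expanding the "DllPayload(64).dll" notation used above.
PAYLOAD_DLLS = {"dllpayload.dll", "dllpayload64.dll"}


def scan_for_es_artifacts(root):
    """Return (kind, path) findings: exe_cfg_pair (step 2), lnk_beside_dll (step 3), payload_dll."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        exes, cfgs, dlls, lnks = {}, set(), [], []
        for name in files:
            stem, ext = os.path.splitext(name)
            stem, ext = stem.lower(), ext.lower()
            if ext == ".exe":
                exes[stem] = name
            elif ext == ".cfg":
                cfgs.add(stem)
            elif ext == ".dll":
                dlls.append(name)
                if name.lower() in PAYLOAD_DLLS:
                    findings.append(("payload_dll", os.path.join(dirpath, name)))
            elif ext == ".lnk":
                lnks.append(name)
        # Step 2: the server executable and its .cfg must share a base name.
        for stem in sorted(exes.keys() & cfgs):
            findings.append(("exe_cfg_pair", os.path.join(dirpath, exes[stem])))
        # Step 3: .lnk files dropped beside a DLL in the same directory of a drive.
        if dlls:
            for lnk in sorted(lnks):
                findings.append(("lnk_beside_dll", os.path.join(dirpath, lnk)))
    return findings


def demo():
    """Scan a constructed sample tree (placeholder files, not real artifacts)."""
    root = tempfile.mkdtemp(prefix="es_scan_")
    try:
        for rel in ("host/tools/clevername.exe", "host/tools/clevername.cfg",
                    "host/tools/notes.txt", "drive/DllPayload64.dll",
                    "drive/photos.lnk", "drive/report.docx"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample content")
        hits = scan_for_es_artifacts(root)
        return sorted((k, os.path.relpath(p, root).replace(os.sep, "/")) for k, p in hits)
    finally:
        shutil.rmtree(root)
```

Point scan_for_es_artifacts at a mounted removable drive or the folder an endpoint's suspicious executable lives in; demo() shows the three finding kinds on the constructed tree.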
SECRET//X1
CL BY: 2397517
REASON: 1.4(c)
DECL: 20361019
DRV: COL S-06