Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

3. Collection Directory on Primary Host Target: This is the folder where you want all of your collected data to go. The default location is right beside ES Server(64).exe, in a system hidden folder named 0000. The system hidden folder 0000 will always be created inside a folder that you choose, e.g. if you choose %appdata% your data will be stored in %appdata%/0000/.
4. Percent of Primary Host's Hard Drive to Keep Free: This protects you from filling up your target's hard drive and being detected. The formula for this logic is [(Size_of_File_to_be_added + Amount_of_space_taken_on_harddrive) / Total_amount_of_storage]*100. So, if ES Server(64).exe is trying to collect a very large file but adding that file would put you over the limit, the file will stay on the thumb drive; however, if the next file is a small one and it doesn't put you over, it will be collected. This is the reason the files are collected in 10MB chunks. You might get files back for which not all of the pieces are present. The post-processor will be able to sort this out for you.
5. Encryption File: This is the location of the encryption file on your computer. This file contains the public and private keys necessary for encryption. If this file does not exist, but there is a pem file located in your XML file, Emotional_Simian_Config.exe will ask you where you would like to store the pem file from the XML document.
6. Generate Encryption File: This is an easy button to create a new pem file.
Warning: Losing this key and the XML config file will cause all data
collected to be useless. You will never be able to reproduce your old pem
files. It would be wise to reuse the same pem file for the same ongoing op.
7. Dll Payload Configurations: These configurations pertain to the DllPayload(64).dll. They were placed here so that the same settings apply to all DllPayloads and you don't have to search all of the target boxes to clean up after DllPayload(64).dll. The hash files of all collected files will be saved, but it is up to you where and how they are interpreted.
8. Generate Unique Hash Name for each Thumb drive: If this box is
checked and you are trying to collect a file named Secret.doc, every
infected thumb drive will collect that file. If this box is not checked, then
the first thumb drive to collect the file will hold on to it and future infected
thumb drives with this box not checked will not collect the file. However,
if the file changes in any way the hash will change and any of the infected
thumb drives will be able to collect the file again.
9. Hash Collection Directory Location on Secondary Target: This is the location of the hash file that records the hashes of all the files collected from that machine. The default file location is %appdata%/Microsoft/Internet Explorer/hret.cfg. The hash file will always be named hret.cfg; it is the location that you pick.
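A defender-side hunt over a file listing for the on-disk artifacts this section names: the hidden system folder 0000, the 10MB collection chunks inside it, and the hash file hret.cfg. This is an added example, not part of the leaked manual; the Entry record, the attribute constants and the sample listing are constructed here, and in practice the entries would come from an inventory or EDR file listing.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

HIDDEN = 0x2              # FILE_ATTRIBUTE_HIDDEN
SYSTEM = 0x4              # FILE_ATTRIBUTE_SYSTEM
DIRECTORY = 0x10          # FILE_ATTRIBUTE_DIRECTORY
CHUNK = 10 * 1024 * 1024  # the manual says files are collected in 10MB chunks


@dataclass
class Entry:
    """One row of a file-system inventory (constructed shape, not a real tool's)."""
    path: str    # Windows path
    attrs: int   # attribute bitmask
    size: int    # bytes (0 for directories)


def find_artifacts(entries):
    """Return (kind, path) tuples for entries matching the manual's artifacts."""
    findings = []
    for e in entries:
        p = PureWindowsPath(e.path)
        parents = [s.lower() for s in p.parts[:-1]]
        is_dir = bool(e.attrs & DIRECTORY)
        # 1. collection directory: folder named 0000 with hidden+system attributes
        if is_dir and p.name == "0000" and e.attrs & HIDDEN and e.attrs & SYSTEM:
            findings.append(("collection_dir", e.path))
        # 2. hash file: always named hret.cfg, location is operator-chosen,
        #    so match on the name alone (default is ...\Microsoft\Internet Explorer)
        if not is_dir and p.name.lower() == "hret.cfg":
            findings.append(("hash_file", e.path))
        # 3. chunked collection: an exactly-10MB file stored under a 0000 folder
        if not is_dir and "0000" in parents and e.size == CHUNK:
            findings.append(("chunk", e.path))
    return findings


# Constructed sample listing: three true positives and three benign look-alikes.
SAMPLE = [
    Entry(r"C:\Users\alice\AppData\Roaming\0000", DIRECTORY | HIDDEN | SYSTEM, 0),
    Entry(r"C:\Users\alice\AppData\Roaming\0000\a1.bin", 0, CHUNK),
    Entry(r"C:\Users\alice\AppData\Roaming\Microsoft\Internet Explorer\hret.cfg", 0, 512),
    Entry(r"D:\data\0000", DIRECTORY, 0),                     # not hidden+system
    Entry(r"C:\Users\alice\Documents\big.iso", 0, CHUNK),     # 10MB but not under 0000
    Entry(r"C:\Users\alice\Documents\report.docx", 0, 40960),
]

if __name__ == "__main__":
    for kind, path in find_artifacts(SAMPLE):
        print(f"{kind:15s} {path}")
```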
21
SECRET//X1
CL BY: 2397517
REASON: 1.4(c)
DECL: 20361019
DRV: COL S-06
