Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
x64 EXE None
2.3 Uninstall Procedure
Manual
The manual uninstall procedure consists of the following steps:
1. Stop the service, if it is running.
sc stop <SERVICE_NAME>
2. Delete the service from the Service Control Manager.
sc delete <SERVICE_NAME>
3. Reboot the target.
4. Delete the stub and payload executables from the filesystem.
del /F <SERVICE_PATH> <PAYLOAD_PATH>
Autonomous
The autonomous uninstall procedure consists of the following steps:
1. Delete the payload from the filesystem while the stub is running.
When the stub detects that the payload has been deleted, it will execute the
autonomous uninstall. The stub checks for the payload every 5 seconds. The
autonomous uninstall will perform the following steps:
1. Remove the service from the Windows registry.
2. Delete itself from the filesystem.
3 Footprint
File System
- Service Stub Executable, located at a user specified location <STUB_PATH>
- Service Stub Directory, may have been created
- Payload Executable, located at <STUB_PATH-".dll">.tlb
- Payload Directory, may have been created
- Unhijack Executable, located at a user specified location <UNHIJACK_PATH>
- Unhijack Directory, may have been created
Registry Keys
Created
- HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>
- HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>\ImagePath
- HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>\ObjectName
- HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>\DelayedAutoStart
- HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>\ErrorControl
- HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>\Start
- HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>\Type
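As an added defender's check, not part of the document, the following Python audit compares one service's `reg query` dump against the registry footprint listed above and derives the payload location from ImagePath using the <STUB_PATH-".dll">.tlb rule; the service name, file paths and the reg query text are constructed. The state it reports also encodes the autonomous-uninstall behaviour: a stub found on disk without its payload is about to delete its own key and executable, so it should be preserved before anything else is touched.

```python
import re

# The six values the document lists under HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>.
FOOTPRINT_VALUES = ("ImagePath", "ObjectName", "DelayedAutoStart",
                    "ErrorControl", "Start", "Type")

# Constructed sample of `reg query` output for a hypothetical service key
# (service name and paths are invented, not taken from the document).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc
    Type                REG_DWORD        0x10
    Start               REG_DWORD        0x2
    ErrorControl        REG_DWORD        0x1
    ImagePath           REG_EXPAND_SZ    C:\ProgramData\ExampleSvc\stub.dll
    DelayedAutoStart    REG_DWORD        0x1
    ObjectName          REG_SZ           LocalSystem
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")

def parse_reg_query(text):
    """Return {value_name: data} for the value lines of one `reg query` key dump."""
    return {m.group(1): m.group(3)
            for m in map(VALUE_LINE.match, text.splitlines()) if m}

def payload_path_for(stub_path):
    """Document's rule: the payload sits at <STUB_PATH-".dll">.tlb."""
    base = stub_path[:-4] if stub_path.lower().endswith(".dll") else stub_path
    return base + ".tlb"

def audit_service(reg_text, path_exists):
    """Compare one service key against the documented footprint; path_exists maps
    path -> bool (os.path.exists on a live host, or a lookup into an image's file list)."""
    values = parse_reg_query(reg_text)
    stub = values.get("ImagePath", "")
    payload = payload_path_for(stub) if stub else ""
    stub_exists = bool(stub) and path_exists(stub)
    payload_exists = bool(payload) and path_exists(payload)
    if stub_exists and payload_exists:
        state = "installed"
    elif stub_exists:
        # Payload gone, stub still on disk: the stub polls every 5 seconds, then removes
        # its own registry key and executable, so image the stub now.
        state = "autonomous-uninstall-pending"
    else:
        state = "stub-missing"
    return {"missing_values": [v for v in FOOTPRINT_VALUES if v not in values],
            "stub_path": stub, "stub_exists": stub_exists, "state": state,
            "payload_path": payload, "payload_exists": payload_exists}
```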