Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
(S//NF) Stolen Goods 2 drops at most one file to disk: the stub DLL. The stub DLL
contains open-source memory-load code and code to initialize a GH1 payload (if one is
used). It also contains code to contact the stub driver to retrieve the decrypted DLL
payload and to trigger an uninstall.
(S//NF) Stolen Goods 2 saves the stub driver, the payload driver (if any) and the payload
DLL (if any) in free space on the disk. Usually this space is the sectors between the MBR
and the first partition, or unpartitioned space at the end of the disk. The stub driver is
XOR obfuscated. The payload driver and payload DLL are encrypted with a host key derived
from information in the BIOS Parameter Block (BPB) of the partition's boot sector. If that
host-key information changes (for example, because the volume is reformatted), decryption
fails and SG2 uninstalls immediately.
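The two storage locations named above are the same places a forensic examiner looks for data that no file system accounts for. The following scanner is an added example, not code from the Stolen Goods 2 documentation: it parses the MBR partition table of a raw disk image, then reports every non-zero sector in the MBR gap and in the unpartitioned tail together with its Shannon entropy, so that a structured (XOR-obfuscated) blob and a high-entropy (encrypted) blob both stand out. The disk image, the hidden blobs and their sector numbers are constructed here for the demonstration.

```python
"""Hunt for data stored outside any partition on a raw MBR disk image.

Added example; not code from the Stolen Goods 2 documentation. The image,
the hidden blobs and their locations are constructed for the demonstration.
"""
import hashlib
import math
import struct
from collections import Counter

SECTOR = 512


def parse_mbr(mbr: bytes):
    """Return [(start_lba, sector_count), ...] for the used primary entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature; not an MBR")
    parts = []
    for i in range(4):
        off = 0x1BE + 16 * i                     # 16-byte partition entries
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and count:
            parts.append((start, count))
    return parts


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 would be uniformly random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def slack_ranges(image: bytes):
    """Sector ranges [lo, hi) claimed by no partition: the MBR gap and the tail."""
    parts = parse_mbr(image[:SECTOR])
    total = len(image) // SECTOR
    first_start = min((s for s, _ in parts), default=total)
    last_end = max((s + c for s, c in parts), default=1)
    return [("mbr_gap", 1, min(first_start, total)),
            ("tail", min(last_end, total), total)]


def find_hidden_sectors(image: bytes):
    """List (region, lba, entropy) for every non-zero sector outside a partition."""
    hits = []
    for region, lo, hi in slack_ranges(image):
        for lba in range(lo, hi):
            sec = image[lba * SECTOR:(lba + 1) * SECTOR]
            if any(sec):                          # skip all-zero (never written) sectors
                hits.append((region, lba, round(entropy(sec), 2)))
    return hits


def build_sample_image() -> bytes:
    """Constructed 2 MiB image: one NTFS-type partition at LBA 2048..3071, a
    low-entropy XOR-style blob in the MBR gap, a high-entropy blob in the tail."""
    img = bytearray(4096 * SECTOR)
    img[0x1BE:0x1CE] = struct.pack("<B3sB3sII", 0x80, b"\xff\xff\xff",
                                   0x07, b"\xff\xff\xff", 2048, 1024)
    img[510:512] = b"\x55\xaa"
    # LBA 100: an 'MZ' header XORed with one byte (single-byte XOR is an assumption)
    stub = bytes(b ^ 0x5A for b in b"MZ\x90\x00" + b"\x00" * 508)
    img[100 * SECTOR:101 * SECTOR] = stub
    # LBA 3500: a SHA-256 chain stands in for ciphertext
    blob, seed = b"", b"seed"
    while len(blob) < SECTOR:
        seed = hashlib.sha256(seed).digest()
        blob += seed
    img[3500 * SECTOR:3501 * SECTOR] = blob[:SECTOR]
    return bytes(img)


if __name__ == "__main__":
    for region, lba, h in find_hidden_sectors(build_sample_image()):
        print(f"{region:8s} LBA {lba:6d} entropy {h:.2f}")
```

On a real image, replace `build_sample_image()` with the bytes of a full-disk acquisition and treat the output as leads, not verdicts: the MBR gap is legitimately occupied on many systems (boot loaders such as GRUB keep their second stage there), so compare against a known-good baseline of the same host or hash the flagged sectors before calling anything malicious. GPT disks need a different parser; only the classic MBR table is handled here.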
(S//NF) If SG2 is installed through the shellcode installer, the payloads are only XOR
obfuscated at initial installation. After the first reboot, SG2 detects that the payloads
are only XOR obfuscated and rewrites them to disk encrypted. Therefore, after the first
reboot all payloads are encrypted, regardless of install method.
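The two preceding paragraphs describe a host-bound key and a fallback state in which the payload is merely XOR obfuscated. The block below is an added example, not SG2's own code: the documentation says only that the key is derived from BPB data and that changing that data makes decryption fail. Which BPB fields feed the key, the cipher (a SHA-256 counter keystream with an HMAC tag, so a key mismatch is detected rather than producing garbage), and the single-byte XOR scheme are assumptions made here to illustrate the behaviour. The NTFS boot sector and the payload bytes are constructed inline.

```python
"""Host-bound payload protection keyed from the NTFS BIOS Parameter Block.

Added example, not code from the Stolen Goods 2 documentation. The chosen
BPB fields, the keystream cipher and the XOR scheme are assumptions.
"""
import hashlib
import hmac
import struct


def build_ntfs_boot_sector(serial: int, bytes_per_sector=512, spc=8,
                           total_sectors=2097152) -> bytes:
    """Constructed NTFS boot sector with the BPB fields this example reads."""
    bs = bytearray(512)
    bs[0:3] = b"\xeb\x52\x90"                      # jump instruction
    bs[3:11] = b"NTFS    "                         # OEM ID
    struct.pack_into("<HB", bs, 0x0B, bytes_per_sector, spc)
    bs[0x15] = 0xF8                                # media descriptor
    struct.pack_into("<HHI", bs, 0x18, 63, 255, 2048)  # sectors/track, heads, hidden
    struct.pack_into("<Q", bs, 0x28, total_sectors)
    struct.pack_into("<Q", bs, 0x48, serial)       # volume serial number
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


def bpb_fields(bs: bytes) -> bytes:
    """Concatenate the BPB fields the (assumed) host key is bound to."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    return bs[0x0B:0x0E] + bs[0x18:0x20] + bs[0x28:0x30] + bs[0x48:0x50]


def host_key(bs: bytes) -> bytes:
    """Derive a 32-byte key from the BPB (assumed derivation, for illustration)."""
    return hashlib.sha256(b"example-host-key|" + bpb_fields(bs)).digest()


def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("<Q", ctr)).digest()
        ctr += 1
    return bytes(out[:n])


def seal(payload: bytes, bs: bytes) -> bytes:
    """Encrypt under the host key and prepend an HMAC tag over the ciphertext."""
    key = host_key(bs)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, len(payload))))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct


def open_sealed(blob: bytes, bs: bytes):
    """Return the plaintext, or None when the host key no longer matches
    (the condition under which SG2 is documented to uninstall itself)."""
    key = host_key(bs)
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def xor_obfuscate(payload: bytes, key: int) -> bytes:
    """The weaker pre-reboot state: a single-byte XOR (assumed scheme)."""
    return bytes(b ^ key for b in payload)


def recover_xor_key(blob: bytes) -> int:
    """Known-plaintext attack on the 'MZ' header; returns the key or -1."""
    k0, k1 = blob[0] ^ ord("M"), blob[1] ^ ord("Z")
    return k0 if k0 == k1 else -1


PAYLOAD = b"MZ\x90\x00" + b"constructed payload DLL bytes".ljust(60, b"\x00")


def demo():
    """(roundtrip ok?, result after the volume serial changes)"""
    bs = build_ntfs_boot_sector(serial=0x1A2B3C4D5E6F7081)
    blob = seal(PAYLOAD, bs)
    reformatted = build_ntfs_boot_sector(serial=0x0102030405060708)
    return open_sealed(blob, bs) == PAYLOAD, open_sealed(blob, reformatted)


if __name__ == "__main__":
    print(demo())
    print(hex(recover_xor_key(xor_obfuscate(PAYLOAD, 0x5A))))
```

The contrast is the point: a payload in the pre-reboot XOR state can be recovered from disk with nothing but the known `MZ` header, whereas the host-keyed copy cannot be decrypted from an image alone; an analyst needs the boot sector of the original volume as well. The same check that lets the tool notice a changed host is what an acquisition must preserve, so image the boot sector together with the slack space.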
(S//NF) SG2 creates registry keys for the NULL driver for use with JediMindTricks. If the
payload driver is not JediMindTricks, the keys are still created and cause no side effects
on the system. The keys are not out of the ordinary: they are the standard registry
keys/values needed for a filter driver, created under the NULL service/driver entry. The
values contain no file names or other information that relates to JediMindTricks, SG2, or
any paths used by those tools.
(S//NF) During uninstall, SG2 writes a registry key that schedules the on-disk stub for
deletion at the next reboot. Windows removes this key after the reboot.
5.2 (U) Troubleshooting
(S//NF) Q: The Grasshopper/Cricket installer blew up on me when I tried to
generate/build a binary (after answering all the SG2 questions).
(S//NF) A: Make sure all paths to binaries you want to use on your box are valid and the
files exist. Typically the configuration tool will blow up if a file you gave it doesn't
exist when it goes to find and read the file.
(S//NF) Q: Does this work on Windows 8?
(S//NF) A: No. Do not use this on Windows 8. The box will be unbootable if you install
SG2 on Windows 8/8.1. This likely applies to Windows Server 2012 as well.
(S//NF) Q: This works on Win 7/Win XP; does it work on Windows Server 20XX?
(S//NF) A: I do not know. SG2 will likely work just fine on Server 2003. It is untested
on any OS outside of Win XP/Win 7/Win 8.x (and does not work on 8.x). If it is a Server
version similar to Win XP or Win 7, there is a good chance it will work; if it is a Server
version similar to Win 8, it probably won't work. You should