Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//ORCON//NOFORN
<Jitter>10s</Jitter>
</Beacon>
<HibernateSeconds>1m</HibernateSeconds>
<Uninstall>
<UninstallTimer />
<UninstallDate />
</Uninstall>
<MaxConsecutiveFails>10</MaxConsecutiveFails>
</Implant>
Field Definitions
Beacon
Assassin provides a series of settings to control the beacon timing: the back
off multiple, initial wait, default interval, maximum interval, and jitter. The
back off multiple is the value by which the current beacon interval is
multiplied when a failure occurs. Generally this value is greater than 1,
so the interval will increase with each consecutive failure. The initial wait is the
time to wait upon boot before attempting to beacon. The default interval is the
standard beacon wait time used when no failures have occurred. This time is also
used when a successful communication occurs after a series of failures. The
maximum interval defines the absolute maximum value the beacon interval can
be set to at any point. Jitter defines the amount of variance to use for each
beacon. This value must be less than the default interval.
In the example above, the back off multiple has been set to 1.5, the initial wait is
defined as 1 minute, the default interval is 1 minute, the maximum interval is 5
minutes, and the jitter is 10 seconds.
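Seen from the network side, these timing settings define a small set of expected gaps between beacon attempts, which can be used as a hunting heuristic over connection logs. The following is an added example, not code from the guide. It assumes that jitter is applied symmetrically around the interval and that every attempt, including failed ones, is visible in the logs; the function names and sample timestamps are constructed.

```python
# Added example: hunting heuristic, not code from the guide.
def backoff_ladder(default_s, multiple, maximum_s):
    """Expected beacon intervals: the default, then multiplied by the
    back off multiple per consecutive failure, capped at the maximum."""
    ladder = [float(default_s)]
    while multiple > 1 and ladder[-1] < maximum_s:
        ladder.append(min(ladder[-1] * multiple, float(maximum_s)))
    return ladder


def score_gaps(timestamps, ladder, jitter_s):
    """Fraction of inter-connection gaps within jitter_s of a ladder step."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if not gaps:
        return 0.0
    hits = sum(1 for g in gaps
               if min(abs(g - step) for step in ladder) <= jitter_s)
    return hits / len(gaps)


def looks_like_beacon(timestamps, ladder, jitter_s, min_gaps=5, threshold=0.9):
    """Flag a source only with enough samples and a high match rate."""
    enough = len(timestamps) - 1 >= min_gaps
    return enough and score_gaps(timestamps, ladder, jitter_s) >= threshold


# Parameters from the example configuration described in the text:
# multiple 1.5, default 1 minute, maximum 5 minutes, jitter 10 seconds.
LADDER = backoff_ladder(60, 1.5, 300)
JITTER = 10

# Constructed sample data: connection times in seconds per source host.
SAMPLES = {
    "host-a": [0, 63, 118, 183, 275, 408, 470],  # steady, then backed-off gaps
    "host-b": [0, 4, 9, 340, 342, 1500, 1513],   # bursty interactive traffic
}

if __name__ == "__main__":
    print("expected intervals (s):", LADDER)
    for host, times in SAMPLES.items():
        print(host, round(score_gaps(times, LADDER, JITTER), 2),
              looks_like_beacon(times, LADDER, JITTER))
```

With a 10 second tolerance the five ladder steps cover roughly a third of all possible gaps under five minutes, so the sample-count floor and a per-destination grouping are what keep the false positive rate manageable.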
Blacklist
The Assassin Implant allows an optional blacklist of programs to be set.
During a beacon attempt, if any of the programs listed in the blacklist are
running and appear in the process list, the beacon will be stopped and the
beacon failure count will be incremented. This will not affect the transport
failure count, since the transport was never attempted.
In the example above, the blacklist has the two programs, “avira.exe” and
“avg.exe”, added to the list. If either of these shows up in the process list, the
beacon will not occur.
Chunk Size
The Assassin chunk size is defined as the maximum size of each data file to be
sent back to the LP. Any files that are larger than this size will be broken into
chunks to meet this requirement. If the chunk size is changed, only new data will
be chunked using the new size; existing files will not be re-chunked.
In the example above, the chunk size has been set to 1 mebibyte, using the
Assassin complex numbering system.
Crypto Key