Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//ORCON//NOFORN
If the stub is unable to locate or start the payload, it uninstalls. During
uninstallation, Scrub deletes the payload and the stub self-deletes.
A DLL payload therefore triggers its own uninstallation by deleting itself from
the target: the stub then fails to locate it and uninstalls.
3.3 GH1
If the payload supports the GH1 interface, Scrub deploys a stub as the run key
executable. During installation, Bermuda embeds the payload as a resource in the
stub. When the Windows OS executes the stub, the stub loads the payload DLL in
memory.
The stub uninstalls the payload on demand or when it fails to start the payload.
During uninstallation, Scrub removes the run key and the stub self-deletes, which
also removes the embedded payload.
4 Footprint
Scrub writes unobfuscated binaries to the target filesystem. If the payload is an
EXE, it is written to a user-specified location. If the payload is a DLL, both the
payload and a Scrub stub are written to user-specified locations. If the payload
implements GH1, the payload is embedded as a resource in a Scrub stub, which is
written to a user-specified location. Because nothing is obfuscated, the files on
disk can be examined and signature-matched exactly as written.
The process of the run key executable, whether payload or stub, is visible in
Task Manager while it runs.
A value named <Name> is written under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (the machine-wide Run key,
which requires administrative rights to write); its data is the path of the run
key executable. The value name matches the user-specified name of the run key
executable, whether that is the stub or the payload.
5 Receipt XML Format
Scrub's configuration is recorded in the Grasshopper receipt at build time under
build.xml. An example of the XML format and a description of its fields are
provided below.
5.1 XML Example
<PersistModule>
    <UUID>9d03da02ab3a47d7bd28c9a776ba9806</UUID>
    <RunKey>
        <StartupExePath>C:\Target\stub.exe</StartupExePath>
        <PayloadPath>C:\Target\payload.dll</PayloadPath>
        <StartNow />
    </RunKey>
</PersistModule>
5.2 Field Definitions
UUID
The universally unique identifier for the module variant used in the build.
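The receipt in 5.1 and the footprint in section 4 together give a responder everything needed to check a host for a particular Scrub build. The following Python is an added example, not Grasshopper or Scrub code: it parses the <PersistModule> fragment above into the artifacts section 4 lists (files on disk and a Run value named after the run key executable) and then matches those indicators against a constructed sample of Run values, as one would get from an export of the Run key. Two assumptions are not stated on the page and are marked as such in the code: a receipt without <PayloadPath> is taken to describe an EXE or GH1 build, where only the startup executable is written, and <StartNow /> is treated purely as a presence flag. Because the page does not say whether the value name carries the .exe extension, the matcher accepts both forms.

```python
"""Derive Scrub's on-target footprint from a Grasshopper build receipt.

Added example; not Grasshopper/Scrub code. Field semantics beyond what the
page states are assumptions and are marked inline.
"""
from __future__ import annotations

import ntpath
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: the receipt fragment shown in section 5.1, verbatim.
SAMPLE_RECEIPT = r"""<PersistModule>
<UUID>9d03da02ab3a47d7bd28c9a776ba9806</UUID>
<RunKey>
<StartupExePath>C:\Target\stub.exe</StartupExePath>
<PayloadPath>C:\Target\payload.dll</PayloadPath>
<StartNow />
</RunKey>
</PersistModule>"""

# Constructed sample of Run values (name -> data), as an export would show them.
# "SecurityHealth" is a normal Windows entry; the other two mimic a Scrub install.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "stub": r"C:\Target\stub.exe",
    "Updater": r'"C:\Target\stub.exe" /silent',
}


@dataclass
class ScrubFootprint:
    uuid: str
    startup_exe: str          # the run key executable: payload EXE or stub
    payload: Optional[str]    # separate DLL on disk, or None (EXE / GH1 builds)
    start_now: bool           # assumption: <StartNow /> is a presence flag
    value_names: Tuple[str, ...]  # candidate Run value names (with/without .exe)
    files: List[str] = field(default_factory=list)


def parse_receipt(xml_text: str) -> ScrubFootprint:
    """Turn a <PersistModule> receipt into the artifacts section 4 describes."""
    root = ET.fromstring(xml_text)
    if root.tag != "PersistModule":
        raise ValueError("not a PersistModule receipt")
    run_key = root.find("RunKey")
    if run_key is None:
        raise ValueError("no <RunKey> section: not a Scrub receipt")
    startup = (run_key.findtext("StartupExePath") or "").strip()
    if not startup:
        raise ValueError("<StartupExePath> missing")
    payload = (run_key.findtext("PayloadPath") or "").strip() or None
    # Section 4: the Run value is named after the run key executable. The page
    # does not say whether the extension is kept, so keep both candidates.
    base = ntpath.basename(startup)
    stem = ntpath.splitext(base)[0]
    names = (base,) if base == stem else (base, stem)
    # Assumption: no <PayloadPath> means EXE or GH1 build -> single file on disk.
    files = [startup] + ([payload] if payload and payload != startup else [])
    return ScrubFootprint(
        uuid=(root.findtext("UUID") or "").strip(),
        startup_exe=startup,
        payload=payload,
        start_now=run_key.find("StartNow") is not None,
        value_names=names,
        files=files,
    )


def _image_path(command: str) -> str:
    """Extract the executable path from Run value data (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]  # bare unquoted paths with spaces are lossy


def match_run_values(fp: ScrubFootprint,
                     run_values: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, data, reason) for Run values that match the footprint."""
    wanted_paths = {p.lower() for p in fp.files}
    wanted_names = {n.lower() for n in fp.value_names}
    hits = []
    for name, data in run_values.items():
        if name.lower() in wanted_names:
            hits.append((name, data, "value name matches run key executable"))
        elif _image_path(data).lower() in wanted_paths:
            hits.append((name, data, "command points at a Scrub artifact"))
    return hits


if __name__ == "__main__":
    fp = parse_receipt(SAMPLE_RECEIPT)
    print("files to look for:", fp.files)
    print("Run value candidates under", RUN_KEY, ":", fp.value_names)
    for name, data, reason in match_run_values(fp, SAMPLE_RUN_VALUES):
        print(f"HIT {name!r} = {data!r} ({reason})")
```

On a live host the same matcher can be fed the output of an export of the Run key; the file list is what to pull for hashing, since the binaries are written unobfuscated.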