Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//ORCON//NOFORN
4 Footprint
WUPS writes unobfuscated binaries to the target filesystem. The WUPS Stub DLL and payload EXE are both written to user-specified locations.

The process of the payload executable is visible in the Task Manager during execution. A process running the WUPS Stub within RunDll32 is briefly visible in the Task Manager while it re-submits itself to the list of Windows Update DLLs.

WUPS will create a registry key in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup\<WUPSKeyName>
storing the path to the WUPS Stub DLL.

The WUPS startup will create a log entry in the Windows Update log in the Windows directory. The entry indicates a non-critical error, but such errors are common in the log.

5 Receipt XML Format
WUPS's configuration is recorded in the Grasshopper receipt at build time under
build.xml. An example and a description of the XML format are provided below.
5.1 XML Example
<PersistModule>
    <UUID>9d03da02ab3a47d7bd28c9a776ba9806</UUID>
    <WUPS>
        <WUPSKeyName>Cover Name</WUPSKeyName>
        <WUPSDllPath>C:\Target\stub.dll</WUPSDllPath>
        <PayloadPath>C:\Target\payload.exe</PayloadPath>
        <StartNow />
    </WUPS>
</PersistModule>
5.2 Field Definitions
UUID
The universally unique identifier for the module variant used in the build.
WUPS
The Windows Update configuration information used by the WUPS module.
WUPSKeyName
The overt name of the registry key used to persist the WUPS stub.
WUPSDllPath
The path to the WUPS Stub DLL on the target filesystem.
PayloadPath
The path to the payload EXE on the target filesystem.
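
As an added example (not part of the original document or of the tool it describes), the following Python reads a receipt in the format of section 5.1 and lists the host artifacts that section 4 says such a build leaves behind, for use in hunting or triage. The function name and output keys are assumptions made here; StartNow appears in the example above but is not defined in section 5.2, so only its presence is recorded.

```python
import xml.etree.ElementTree as ET

# Parent registry key named in the Footprint section.
SERVICE_STARTUP = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
                   r"\WindowsUpdate\Setup\ServiceStartup")

# Constructed sample: the XML example from section 5.1, embedded to run offline.
SAMPLE_RECEIPT = r"""<PersistModule>
  <UUID>9d03da02ab3a47d7bd28c9a776ba9806</UUID>
  <WUPS>
    <WUPSKeyName>Cover Name</WUPSKeyName>
    <WUPSDllPath>C:\Target\stub.dll</WUPSDllPath>
    <PayloadPath>C:\Target\payload.exe</PayloadPath>
    <StartNow />
  </WUPS>
</PersistModule>"""

REQUIRED = ("WUPSKeyName", "WUPSDllPath", "PayloadPath")


def footprint_from_receipt(xml_text):
    """Return the host artifacts each WUPS entry in a receipt implies."""
    root = ET.fromstring(xml_text)
    results = []
    # iter() also yields the root, so a bare <PersistModule> and one nested
    # inside a larger build.xml are both handled.
    for module in root.iter("PersistModule"):
        wups = module.find("WUPS")
        if wups is None:
            continue  # a persistence module of some other type
        fields = {n: (wups.findtext(n) or "").strip() for n in REQUIRED}
        missing = [n for n, v in fields.items() if not v]
        if missing:
            raise ValueError("WUPS receipt missing: " + ", ".join(missing))
        payload_image = fields["PayloadPath"].rsplit("\\", 1)[-1]
        results.append({
            "uuid": (module.findtext("UUID") or "").strip(),
            # Key that stores the stub DLL path (section 4).
            "registry_key": SERVICE_STARTUP + "\\" + fields["WUPSKeyName"],
            # Both binaries are written unobfuscated to these locations.
            "files": [fields["WUPSDllPath"], fields["PayloadPath"]],
            # Stub is briefly visible under RunDll32; payload while it runs.
            "expected_processes": ["rundll32.exe", payload_image],
            # Not defined on the page: presence only, no behaviour implied.
            "start_now_present": wups.find("StartNow") is not None,
        })
    return results
```
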