Vault 7: Projects

SECRET//20330530
(S) Once the iPhone has been activated, the trigger application (or trigger folders) should be edited to
trigger NightSkies.
(S) Post Processing
(S) responseprocessor.py
Once packages are received, they need to be processed. This tool can be found in the tarball under the
LP folder. Currently, post processing must be done on an OS X platform.
./responseprocessor.py encryption-key payload-package-file > logfile
This command will generate a folder named pay and extract the downloaded files from the payload. It
will send the output to logfile.
(S) readpay
A convenience script is also available that will parse the downloaded sqlite db files retrieved from the
iPhone. Run the following command:
./readpay.sh ../pay/
This will output a human readable format of the address book, call history and SMS database.
(S) Program Update Protocol (PUP) Reference
The implant has a minimal command set that allows it to perform a variety of actions. Commands are
defined by a type and subtype followed by command specific data. The end user should not have to
worry about these settings as pkgcreator will set them. This section is here for reference only.
PUP Types:
• PTYPE_PUT: used to set, write, or upload a file to the target implant
• PTYPE_GET: used to read, or download a file from the target
• PTYPE_CMD: used to interact with commands on the target
• PTYPE_INFO: used to identify responses from the target (acknowledgments).
PUP SubTypes:
• PSUB_FILENAME: specify a filename
• PSUB_FILE: specify contents of a file
• PSUB_CONFIG: modify or read config values
• PSUB_EXECFILENAME: used for command execution.
The following is a matrix of valid command types and subtypes.

Type        Subtype         Data                                   Purpose
PTYPE_GET   PSUB_FILENAME   <filename>                             Download/Retrieve file from target
PTYPE_GET   PSUB_CONFIG     <config key> (1-6 are valid values)    Reads config value from target