Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
Grasshopper gives you. Therefore, the shellcode installer should only be used by someone
who is comfortable and confident with its use.
2.3 (U) MD5 Hashes
(U) Hashes of the Stolen Goods v2.0 binaries
File                        MD5
aplib32.lib                 6384c4870c896f532b1f3ea206833579
aplib64.lib                 0f7974ae87a23c8432a1aaf15e9c777d
GH_PM32.dll                 eb22416167a53bf5557b09e79f80a756
GH_PM64.dll                 b6c60af4ae0c0367e33e98477f5b6022
MemStub32-GH1.dll           e319577e9e80624b9699b01dcb97bfe0
MemStub32.dll               d625f211d19a0e75120b5c5c06aeb673
MemStub64-GH1.dll           17f0e0e890db1cc27d751fabe4c135ee
MemStub64.dll               dd77dbf610160fa72947d10507ca2d21
RabbitStew32.exe            9b6b3a0efc106fb2ca9673d3a17ae12c
RabbitStew64.exe            37ac0beca1f710e1438bc0a11eef47d7
stubdriver_Win7AMD64.sys    978d022b343eb1ead548b3ba9e26d65f
stubdriver_Win7x86.sys      d0b8b3428b00f30ef2aa1213942a751a
stubdriver_WinXPx86.sys     48e2b598eb61f0f06daa59189b3581ac
Uninstall_DLL32.dll         360ab324522d8622acff9de06cd0582f
Uninstall_DLL64.dll         1b5bfcb13ce45abf52dc50f4179986b6
Vbr.exe                     0d907f1ff6866cb001c4edbf24f8a285
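The hash list above is only useful if something actually checks a kit against it. The following script is an added example written for this page, not a tool from the Stolen Goods or Grasshopper distribution: it parses the manifest exactly as printed in section 2.3, hashes a directory of binaries, and reports each file as ok, mismatch, missing, or unexpected (a file present that the manifest does not list). The demo kit it runs on is constructed in the script; the manifest text is the one from the page.

```python
"""Verify a Stolen Goods 2.0 kit against the section 2.3 MD5 manifest.

Added example for this page, not code from the original guide. MANIFEST is
copied from section 2.3; the demo file contents below are constructed.
"""
import hashlib
from pathlib import Path

MANIFEST = """\
aplib32.lib 6384c4870c896f532b1f3ea206833579
aplib64.lib 0f7974ae87a23c8432a1aaf15e9c777d
GH_PM32.dll eb22416167a53bf5557b09e79f80a756
GH_PM64.dll b6c60af4ae0c0367e33e98477f5b6022
MemStub32-GH1.dll e319577e9e80624b9699b01dcb97bfe0
MemStub32.dll d625f211d19a0e75120b5c5c06aeb673
MemStub64-GH1.dll 17f0e0e890db1cc27d751fabe4c135ee
MemStub64.dll dd77dbf610160fa72947d10507ca2d21
RabbitStew32.exe 9b6b3a0efc106fb2ca9673d3a17ae12c
RabbitStew64.exe 37ac0beca1f710e1438bc0a11eef47d7
stubdriver_Win7AMD64.sys 978d022b343eb1ead548b3ba9e26d65f
stubdriver_Win7x86.sys d0b8b3428b00f30ef2aa1213942a751a
stubdriver_WinXPx86.sys 48e2b598eb61f0f06daa59189b3581ac
Uninstall_DLL32.dll 360ab324522d8622acff9de06cd0582f
Uninstall_DLL64.dll 1b5bfcb13ce45abf52dc50f4179986b6
Vbr.exe 0d907f1ff6866cb001c4edbf24f8a285
"""

HEX = set("0123456789abcdef")


def parse_manifest(text):
    """Return {filename: md5hex}. Rejects malformed lines and duplicate names."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<file> <md5>': {line!r}")
        name, digest = parts[0], parts[1].lower()
        if len(digest) != 32 or not set(digest) <= HEX:
            raise ValueError(f"manifest line {lineno}: {digest!r} is not an MD5 hex digest")
        if name in entries:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name}")
        entries[name] = digest
    return entries


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def verify_kit(expected, contents):
    """expected: {name: md5hex}; contents: {name: bytes}.

    Returns {name: 'ok' | 'mismatch' | 'missing' | 'unexpected'}. Files in the
    kit that the manifest does not mention are flagged, not silently ignored.
    """
    result = {}
    for name, digest in expected.items():
        if name not in contents:
            result[name] = "missing"
        elif md5_hex(contents[name]) == digest:
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    for name in contents:
        if name not in expected:
            result[name] = "unexpected"
    return result


def verify_directory(expected, directory):
    """Hash every regular file directly inside `directory` and verify it."""
    contents = {p.name: p.read_bytes() for p in Path(directory).iterdir() if p.is_file()}
    return verify_kit(expected, contents)


if __name__ == "__main__":
    expected = parse_manifest(MANIFEST)
    # Constructed demo kit: one file with wrong content, one file the manifest
    # does not list, and everything else missing.
    demo = {"aplib32.lib": b"abc", "notes.txt": b""}
    for name, status in sorted(verify_kit(expected, demo).items()):
        print(f"{status:10} {name}")
```

MD5 is fine for confirming that a kit matches this inventory, but it is not collision resistant, so treat a match as "these are the files the guide lists", not as a proof of integrity against a capable adversary.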
3. (U) Operation
3.1 (S//NF) Payload Types
(S//NF) SG2 can persist up to 2 payloads: A driver payload (.sys) and a DLL payload
(.dll). The latter can come in 2 forms:
− Standard Persistence Specification compliant DLLs
− Grasshopper-1 interface compliant DLLs
(S//NF) The driver payload MUST match the bitness of the target and should be
compatible with the target OS. No driver signing is required.
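The bitness requirement can be checked before a build rather than discovered on the target. The script below is an added example for this page, not part of the Stolen Goods tooling: it reads the COFF Machine field and the optional-header magic of a PE image and refuses anything that is not a consistent x86 or x64 image, then compares the result with the intended target. The sample images are constructed headers built in the script, not real drivers, and the function and constant names are the author's own.

```python
"""Reject a driver payload whose bitness does not match the target (section 3.1).

Added example for this page, not code from the original guide. The PE images
used below are constructed headers, not real drivers.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B       # optional header magic for 32-bit images
PE32PLUS_MAGIC = 0x20B   # optional header magic for 64-bit images


def pe_bitness(image):
    """Return 32 or 64 for an x86/x64 PE image.

    Machine (COFF header) and Magic (optional header) must agree; anything
    else, including other architectures, raises ValueError.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    # PE signature (4) + COFF header (20) + optional header Magic (2)
    if e_lfanew + 26 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    (machine,) = struct.unpack_from("<H", image, e_lfanew + 4)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    if opt_size < 2:
        raise ValueError("no optional header (object file, not an image)")
    (magic,) = struct.unpack_from("<H", image, e_lfanew + 24)
    if machine == IMAGE_FILE_MACHINE_I386 and magic == PE32_MAGIC:
        return 32
    if machine == IMAGE_FILE_MACHINE_AMD64 and magic == PE32PLUS_MAGIC:
        return 64
    raise ValueError(f"unsupported or inconsistent image: machine={machine:#06x} magic={magic:#05x}")


def check_driver_for_target(image, target_bits):
    """Return True if the driver's bitness equals target_bits, else raise."""
    bits = pe_bitness(image)
    if bits != target_bits:
        raise ValueError(f"driver is {bits}-bit but the target is {target_bits}-bit")
    return True


def build_header(machine, magic, e_lfanew=0x80):
    """Constructed minimal MZ/PE header for demonstration (no code, no sections)."""
    hdr = bytearray(e_lfanew + 26)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, e_lfanew + 4, machine)
    struct.pack_into("<H", hdr, e_lfanew + 20, 240 if magic == PE32PLUS_MAGIC else 224)
    struct.pack_into("<H", hdr, e_lfanew + 24, magic)
    return bytes(hdr)


if __name__ == "__main__":
    x64_driver = build_header(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC)
    print("x64 driver on x64 target:", check_driver_for_target(x64_driver, 64))
    try:
        check_driver_for_target(x64_driver, 32)
    except ValueError as e:
        print("x64 driver on x86 target:", e)
```

This only covers bitness; whether the driver is compatible with the target OS version (the Win7 versus WinXP builds in the section 2.3 list) is not something the PE header settles, and remains the operator's judgement.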
3.2 (S//NF) Grasshopper installation
(S//NF) The following steps describe how to install the Stolen Goods persistence module
into an existing Grasshopper build:
1. Navigate to the main folder of an existing Grasshopper build. This is the folder
containing the Grasshopper builder scripts and other Grasshopper components.
2. There should be a “Modules” folder here. Copy the “StolenGoods2” directory to
the “Modules” folder.
3. In the Grasshopper build folder (where “Modules” was located) there should also
be a folder named “Payloads”. Copy the following provided folders into
“Payloads”: Generic_DLL, Generic_GH1
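The three steps above amount to a fixed set of directory copies with two preconditions (the target must already contain "Modules" and "Payloads") and one thing worth refusing (overwriting a module or payload folder that is already there). The script below is an added example for this page, not one of the Grasshopper builder scripts: it checks every source and destination before copying anything, so a failure leaves the build untouched, and demonstrates itself on a build tree it constructs in a temporary directory. The kit and build paths are the caller's; the folder names come from the steps above.

```python
"""Install the Stolen Goods 2.0 module into an existing Grasshopper build (section 3.2).

Added example for this page, not a Grasshopper builder script. The folder
names are the ones the guide lists; the demo build tree is constructed in a
temporary directory.
"""
import shutil
import tempfile
from pathlib import Path

MODULE_DIR = "StolenGoods2"                     # goes under Modules/
PAYLOAD_DIRS = ("Generic_DLL", "Generic_GH1")   # go under Payloads/


def install_stolen_goods(kit_dir, build_dir):
    """Copy the module and payload folders from kit_dir into build_dir.

    Returns the list of installed paths relative to build_dir. Raises
    FileNotFoundError if build_dir is not a Grasshopper build folder or the
    kit is incomplete, and FileExistsError rather than overwriting an
    existing installation.
    """
    kit, build = Path(kit_dir), Path(build_dir)
    modules, payloads = build / "Modules", build / "Payloads"
    for required in (modules, payloads):
        if not required.is_dir():
            raise FileNotFoundError(f"{required} not found: is {build} a Grasshopper build folder?")
    plan = [(kit / MODULE_DIR, modules / MODULE_DIR)]
    plan += [(kit / name, payloads / name) for name in PAYLOAD_DIRS]
    # Validate the whole plan first so nothing is copied if any step would fail.
    for src, dst in plan:
        if not src.is_dir():
            raise FileNotFoundError(f"kit is missing {src}")
        if dst.exists():
            raise FileExistsError(f"{dst} already exists; remove it before reinstalling")
    for src, dst in plan:
        shutil.copytree(src, dst)
    return [dst.relative_to(build) for _, dst in plan]


def demo_install():
    """Build a constructed kit and build tree, install, then try again.

    Returns (installed paths as POSIX strings, outcome of the second attempt).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        kit, build = root / "kit", root / "build"
        for name in (MODULE_DIR, *PAYLOAD_DIRS):
            (kit / name).mkdir(parents=True)
            (kit / name / "placeholder.txt").write_text("constructed demo content\n")
        (build / "Modules").mkdir(parents=True)
        (build / "Payloads").mkdir()
        installed = [p.as_posix() for p in install_stolen_goods(kit, build)]
        try:
            install_stolen_goods(kit, build)
            second = "reinstalled"
        except FileExistsError:
            second = "refused"
        return installed, second


if __name__ == "__main__":
    paths, second = demo_install()
    print("installed:", paths)
    print("second attempt:", second)
```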
3.3 (U) Configuration