Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
3.3 (U) File/Registry Access
(S//NF) Pandemic registers a minifilter driver using Windows' Flt* functions. FltMgr
requires that every driver registering as a minifilter carry certain registry keys, so
Pandemic uses the 'Null' service key (present on all Windows systems) as its own driver
service key. Pandemic creates 2 sub keys and 3 values under the 'Null' service key in
the registry. These values and sub keys are deleted when Pandemic is uninstalled at the
end of its configured run timer, or when it is uninstalled via a special F&F (v2) DLL.
These keys will NOT//NOT be deleted if the system is rebooted before either of those
scenarios occurs.
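An added example, not taken from the manual, of how a defender can audit the 'Null' service key for the kind of leftover registration described above. The manual does not name the sub keys or values Pandemic creates, so the check relies on two assumptions: that a stock Null service has no sub keys and only the baseline values listed (confirm against a golden image), and that any of the value names FltMgr requires for minifilter registration (DefaultInstance, Altitude, Flags) are out of place under a key that belongs to Null.sys.

```python
"""Audit the Windows 'Null' service key for minifilter registration artifacts."""
NULL_SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\Null"  # present on all Windows systems
# ASSUMPTION: a stock Null service carries only these values and no sub keys;
# confirm against your own golden image before relying on this baseline.
BASELINE_VALUES = {"Type", "Start", "ErrorControl", "ImagePath", "DisplayName", "Group"}
# Value names FltMgr requires for minifilter registration (documented by Microsoft).
# Null.sys is not a minifilter, so these never belong under its service key.
MINIFILTER_VALUES = {"DefaultInstance", "Altitude", "Flags"}

def audit_null_key(snapshot):
    """snapshot: {"values": {name: data}, "subkeys": {name: <snapshot>}}.
    Returns human-readable findings; an empty list means the key looks stock."""
    findings = [f"unexpected value '{n}' under Null"
                for n in sorted(snapshot.get("values", {})) if n not in BASELINE_VALUES]

    def walk(node, prefix):
        for sub, body in sorted(node.get("subkeys", {}).items()):
            path = f"{prefix}\\{sub}"
            findings.append(f"unexpected subkey '{path}' (stock Null key has none)")
            for name in sorted(body.get("values", {})):
                if name in MINIFILTER_VALUES:
                    findings.append(f"minifilter registration value '{path}\\{name}'")
            walk(body, path)

    walk(snapshot, "Null")
    return findings

def collect_snapshot(path=NULL_SERVICE_KEY):
    import winreg  # Windows only: reads the live key recursively into snapshot form

    def read(key):
        n_sub, n_val, _ = winreg.QueryInfoKey(key)
        values = dict(winreg.EnumValue(key, i)[:2] for i in range(n_val))
        subkeys = {}
        for i in range(n_sub):
            sub = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, sub) as k:
                subkeys[sub] = read(k)
        return {"values": values, "subkeys": subkeys}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
        return read(k)

# Constructed sample (not captured from a real host): stock Null values plus the
# Instances/<instance> structure FltMgr mandates for a minifilter grafted underneath.
SAMPLE_SNAPSHOT = {
    "values": {"Type": 1, "Start": 1, "ErrorControl": 1, "Group": "Base", "DisplayName": "Null",
               "ImagePath": r"\SystemRoot\System32\drivers\Null.sys"},
    "subkeys": {"Instances": {"values": {"DefaultInstance": "Inst"}, "subkeys": {"Inst": {
        "values": {"Altitude": "000000", "Flags": 0}, "subkeys": {}}}}},
}
```

On a live host, `audit_null_key(collect_snapshot())` runs the same check against the real key; because the manual says the keys survive a reboot that happens before uninstall, this is worth running on any Windows file server after an unexpected restart.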
3.4 (U) Configuration
(S//NF) Pandemic comes with a configuration utility (unclassified in 1.1) which builds a
binary file for execution via ShellTerm. Pandemic_Builder has the following arguments:
• -t <string name> [<string name 2> … <string name 20>]: This is a search string
to use when watching for the target file to 'replace' on the file server. Pandemic
only matches if the string given here is the last part of the file path. For example:
◦ -t Winhex\WinHex.exe will match in the following case
▪ C:\users\administrator\desktop\winhex\winhex.exe
◦ It will not match if the file being opened is:
▪ C:\users\administrator\desktop\winhex\winhex.exe.dll
◦ Be sure to choose this string carefully, so only the targeted PE is replaced.
• -r <string path> [<string name 2> … <string name 20>]: Path to the local file that
will be used to replace the targeted PE. This should be a file on the configuration
machine. This file will be opened, and its contents read and stored in the payload
binary. The current limit for a single replacement PE file is 800 MB.
• --timer <32-bit number>: This is the effective time to live (in MINUTES) for
Pandemic on target. Once Pandemic has been running for the given amount of
minutes, Pandemic will uninstall itself. It can be uninstalled before this time by
either a system shutdown, or the Pandemic_Uninstall DLL.
• --delay <32-bit number>: This is the time, in minutes, that Pandemic will wait
before it begins replacing the targeted PE with the payload PE. Pandemic can be
manually uninstalled in this time period. This time period does not//not count
against any --timer value.
• -n <device name string> <link name string>: Two arguments that tell Pandemic
how to name the device object and link name for the uninstall device. Pandemic
creates a device and device symbolic link for on-demand uninstalling.
◦ Ex. --name NTPNP_PCI0046 Scsi3:
• -s <list of SIDs, space separated>: List of SIDs to target when performing file
replacement. Should be in the standard Windows string SID format.
◦ Ex. -s S-1-5-21-708247480-2834978148-2381576337-1001 S-1-5-21-708247480-2834978148-2381576337-1003
◦ Current limit is 64 SIDs
• --bs <list of SIDs, space separated>: List of SIDs to NOT target when performing
file replacement. Users with these SIDs will NOT//NOT get the replacement PE