Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
When the stub detects the presence of the kill file, it will execute the kill file
uninstall procedure. The stub checks for the kill file every minute. The uninstall
proceeds through the following steps:
1. Wait half a minute before starting uninstall.
2. Attempt to signal and/or stop the payload for uninstall.
3. Secure delete the payload. If this fails, arrange to delete on reboot.
4. Remove the service from the SCM.
5. Remove the kill file.
6. Delete itself from the filesystem.
NOTE: If the payload is a DLL, the stub will attempt to free the library. If the payload
has not performed a "safety load" on itself and does not shut down, it may crash the
host process.
NOTE: If the payload is a NOD-persisted DLL, it will have been memory loaded. On
uninstall, the stub will call DLLMain with DLL_DETACH_PROCESS to notify the
payload of the uninstall event. However, the memory is leaked and the payload left
running to avoid potentially crashing the host process.
NOTE: If the payload is an EXE, the payload will be terminated using
TerminateProcess and securely deleted.
NOTE: If the uninstall fails, the kill file remains and the uninstall will be attempted
again on the next boot.
3 Footprint
File System
- Service Stub Executable, located at a user specified location <STUB_PATH>
- Service Stub Directory, may have been created
- Nodpersist interface payloads are not on disk but are an obfuscated resource in the stub
- Standard Payload Executables are located at (for default Stub A) <STUB_PATH.tlb> or (for default Stub B) <STUB_PATH>hlp.<exe|dll> depending on payload type
- Payload Directory, may have been created
- Unhijack Executable, located at a user specified location <UNHIJACK_PATH>
- Unhijack Directory, may have been created
Registry Keys
Created
- HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>
- HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>\ImagePath
- HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>\ObjectName
- HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>\DelayedAutoStart
- HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>\ErrorControl
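The footprint above can be turned into a host check. The following is an added example, not code from the document or the tool it describes: it takes a constructed export of service ImagePath values and a constructed file listing, derives the payload locations the document names for Stub A (<STUB_PATH.tlb>) and Stub B (<STUB_PATH>hlp.<exe|dll>), and reports services with a co-located payload. It assumes <STUB_PATH> may be used with or without its extension, and the trusted-directory list is a heuristic of mine, not from the document.

```python
"""Flag services whose binary has a co-located Stub A / Stub B style payload."""
import ntpath

# Heuristic (assumption, not from the document): service binaries normally
# live under these roots; anything elsewhere is reported with extra context.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")


def candidate_payload_paths(stub_path: str) -> list[str]:
    """Payload paths the document describes, relative to the stub path.
    Both the bare path and the path without extension are tried (assumption)."""
    base_no_ext, _ = ntpath.splitext(stub_path)
    out = []
    for base in (base_no_ext, stub_path):
        out += [base + ".tlb", base + "hlp.exe", base + "hlp.dll"]
    return out


def executable_from_image_path(image_path: str) -> str:
    """Strip quoting and arguments from a service ImagePath value."""
    value = image_path.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    return value.split(" ")[0]


def find_stub_footprints(services, files_on_disk):
    """Return one record per service that has a payload next to its binary."""
    present = {f.lower() for f in files_on_disk}
    hits = []
    for svc in services:
        exe = executable_from_image_path(svc["ImagePath"])
        payloads = [p for p in candidate_payload_paths(exe) if p.lower() in present]
        if payloads:
            hits.append({"service": svc["name"], "stub": exe, "payloads": payloads,
                         "outside_trusted_dirs": not exe.lower().startswith(TRUSTED_DIRS)})
    return hits


# Constructed sample inventory (not real hosts or indicators).
SERVICES = [
    {"name": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    {"name": "UpdSvc", "ImagePath": "\"C:\\ProgramData\\Upd\\updsvc.exe\" -k"},
    {"name": "HelpSvc", "ImagePath": "C:\\ProgramData\\Help\\helpsvc.exe"},
]
FILES = [
    "C:\\Windows\\System32\\spoolsv.exe",
    "C:\\ProgramData\\Upd\\updsvc.exe", "C:\\ProgramData\\Upd\\updsvc.tlb",      # Stub A pattern
    "C:\\ProgramData\\Help\\helpsvc.exe", "C:\\ProgramData\\Help\\helpsvchlp.dll",  # Stub B pattern
]

if __name__ == "__main__":
    for hit in find_stub_footprints(SERVICES, FILES):
        print(hit)
```

Registry values such as DelayedAutoStart and ObjectName are not used as signals here, since they are common to legitimate services; the co-located payload name is the distinguishing element.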