Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
date AND time as shown above; partial values are not accepted. This value is also
used as the file's last Changed time.
• --createtime <MM/DD/YYYY HH:MM:SS>: Optional. Value used to set the log's
create time value after updating the log.
• --accesstime <MM/DD/YYYY HH:MM:SS>: Optional. Value used to set the
log's access time value after updating the log.
(S//NF) Pandemic_Builder writes out the file pandemic_AMD64.bin (or
pandemic_x86.bin for the 32-bit version). This is the file Shellterm uses for installation.
(S//NF) *NOTE* Pandemic_Builder does no checks on the replacement file beyond
confirming that it exists. If the --replace file does not exist, an error is printed to the
screen (even though a .bin file is still generated). If the file does exist, it is used as-is: if
you accidentally give it a .txt file to replace an EXE, that .txt is what gets used, and that
will cause problems on target. Double-check which file you are using for replacement.
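As a pre-flight check for the note above, here is an added example (not part of Pandemic_Builder and not code from the original guide) that refuses a --replace file unless it carries an MZ/PE header whose COFF Machine field matches the build target. The function names, the 'AMD64'/'x86' target strings and the stub header bytes used as sample input are assumptions of this example; the stub is not a loadable executable, only enough of a header to exercise the checks.

```python
"""Pre-flight sanity check for a --replace file.

Added example, not part of Pandemic_Builder: the builder only checks that the
replacement file exists, so this refuses anything that is not a PE executable
of the expected machine type before the .bin is generated.
"""
import struct
import sys

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
MACHINE_I386 = 0x014C
MACHINE_AMD64 = 0x8664
# Target names assumed here to mirror pandemic_AMD64.bin / pandemic_x86.bin
MACHINE_NAMES = {MACHINE_I386: "x86", MACHINE_AMD64: "AMD64"}


def pe_machine(data: bytes) -> int:
    """Return the Machine field of a PE image, raising ValueError otherwise."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a DOS/PE executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE\\0\\0 signature at e_lfanew")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def check_replacement(data: bytes, target_arch: str) -> str:
    """Validate a replacement payload against the builder's target arch.

    target_arch is 'AMD64' or 'x86'. Returns the detected architecture on
    success and raises ValueError if the file is not a PE or does not match.
    """
    machine = pe_machine(data)
    arch = MACHINE_NAMES.get(machine)
    if arch is None:
        raise ValueError(f"unsupported PE machine type 0x{machine:04x}")
    if arch != target_arch:
        raise ValueError(f"replacement is {arch} but builder target is {target_arch}")
    return arch


def make_stub_pe(machine: int) -> bytes:
    """Constructed sample input: MZ header, e_lfanew, PE signature, COFF header.

    This is NOT a runnable executable; it exists only to exercise the checks.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # usage: python check_replace.py <replacement file> <AMD64|x86>
    path, target = sys.argv[1], sys.argv[2]
    with open(path, "rb") as f:
        print(check_replacement(f.read(), target))
```

Run it against the replacement file before invoking Pandemic_Builder; a stray .txt fails the MZ check, and a 32-bit binary handed to an AMD64 build fails the architecture match.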
3.5 (U) Installation and Operation
(S//NF) Pandemic will install via Shellterm's shellcode installer. Included with Pandemic
is a sample python script that enables the shellcode installer functionality within
Shellterm. This script is not//not required to use Pandemic, but *some* script is required
to use Shellterm's shellcode loader functionality.
(S//NF) To use the sample Python script, first drop it into Shellterm's script folder. This
folder is set in Shellterm's configuration file. Once the script is in place, attach to an active
session on the target, and make sure the .bin file generated earlier is on the Shellterm
machine. Run the following command to install Pandemic on target:
> kshellcode '<path to .bin file>/pandemic_AMD64.bin'
(S//NF) Pandemic can take ~10-15 seconds to install and return. An error code in
the 500-550 range indicates that a required API function could not be loaded. This is
not an issue that retrying the install is likely to fix; talk to the developer (and note the
exact code). Pandemic returns 0 if it was able to kick off the installation thread. *This
does not mean that Pandemic was successfully installed.* Shellterm's shellcode launcher
specification prevents Pandemic from doing the full install in the initial thread Shellterm
provides (doing so could cause Shellterm instability or a crash). Therefore several
installation steps happen in a new thread and cannot report error codes back to
Shellterm. The following methods are good ways to verify successful installation:
• Through Shellterm, use the reg command to check for the existence of the
Pandemic keys/values.
◦ Command: reg -q HKLM\SYSTEM\CurrentControlSet\Services\Null
◦ You should see a sub-key called 'Instances'. Querying that, you should see
another sub-key called 'Null'.
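The registry check above as an added example, not code from Pandemic or Shellterm: it parses the text printed by Windows' built-in reg.exe ("reg query <key> /s", assumed here as the stand-in for Shellterm's reg -q) and reports whether both sub-keys the guide names are present. The sample output is constructed: the Type, Start and ImagePath values are the stock null.sys service entries, and the two sub-keys carry no values because the guide names only the keys. The same function serves a defender looking for this artifact, since the guide presents these sub-keys as Pandemic's own.

```python
"""Post-install check: do Instances and Instances\\Null exist under the Null service?

Added example, not part of Pandemic or Shellterm. It parses the output of
    reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Null /s
(Windows' built-in reg.exe) and checks for the sub-keys the guide names.
"""
import subprocess
import sys

SERVICE_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\Null"
FULL_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Null"


def parse_reg_query(text: str) -> dict:
    """Map each key path in reg.exe /s output to its {name: (type, data)} values."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):          # key paths are unindented
            current = line
            keys[current] = {}
            continue
        if current is None:                   # stray indented line before any key
            continue
        parts = line.strip().split(None, 2)   # name  TYPE  data (data may be empty)
        name = parts[0]
        vtype = parts[1] if len(parts) > 1 else ""
        data = parts[2] if len(parts) > 2 else ""
        keys[current][name] = (vtype, data)
    return keys


def pandemic_keys_present(text: str) -> bool:
    """True if both Instances and Instances\\Null exist below the Null service key."""
    keys = parse_reg_query(text)
    wanted = {FULL_KEY + r"\Instances", FULL_KEY + r"\Instances\Null"}
    present = {k.rstrip("\\") for k in keys}
    return wanted <= present


# Constructed sample: shape of reg.exe output after a successful install.
# Service values are the stock null.sys entries; the sub-keys are shown bare.
SAMPLE_INSTALLED = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Null
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    \\SystemRoot\\System32\\drivers\\Null.SYS

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Null\\Instances

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Null\\Instances\\Null
"""

# Constructed sample: the same query on a host where only the service key exists.
SAMPLE_CLEAN = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Null
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    \\SystemRoot\\System32\\drivers\\Null.SYS
"""


def query_host() -> str:
    """Run reg.exe on this Windows host: recursive query of the service key."""
    proc = subprocess.run(["reg", "query", SERVICE_KEY, "/s"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    # On Windows query the live registry; elsewhere fall back to the sample text.
    out = query_host() if sys.platform == "win32" else SAMPLE_INSTALLED
    print("installed" if pandemic_keys_present(out) else "not installed")
```

Because the installer's return value of 0 only means the install thread started, run this (or the Shellterm reg -q query) after the ~10-15 second window rather than trusting the return code.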