Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//ORCON//NOFORN
In the example above, the blacklist has the two programs, “avira.exe” and
“avg.exe”, added to the list. If either of these shows up in the process list, the
beacon will not occur.
Chunk Size
The Assassin chunk size is defined as the maximum size of each data file to be
sent back to the LP. Any files that are larger than this size will be broken into
chunks to meet this requirement. If the chunk size is changed, only new data will
be chunked using the new size; existing files will not be re-chunked.
In the example above, the chunk size has been set to 1 mebibyte, using the
Assassin complex numbering system.
Crypto Key
The Assassin Implant uses RC4 128-bit encryption utilizing a 4-bit nonce to
further obfuscate the key. In the example above, the crypto key will be set to all
null values. The value stored in XML is a 16-byte hex representation of the key.
In the example above, the crypto key is set to
“00000000000000000000000000000000”.
Hibernate
Assassin allows for an initial hibernation time to be set at build time. This time
defines how long the Implant will remain inactive. Once the time has
expired, the Implant will begin processing tasks and attempting to communicate
with the defined LP.
In the example above, the hibernate time has been set to 1 minute using the
Assassin complex numbering system.
ID
The ID tag contains information describing what the target ID for the configured
Implant will be. The ID consists of a parent and child ID, each of which consists of
4 alpha-numeric characters. The parent ID is required and the child ID can be set
to be generated automatically at build time if it is left blank.
In the example above, the parent ID will be set to ‘assn’ and the child ID will be
generated on target. The example below shows the XML for a defined child ID:
<ID>
    <Parent>assn</Parent>
    <Child>0001</Child>
</ID>
In the example above, the child ID is defined as ‘0001’ so the complete ID that
will be displayed in the LP is ‘assn0001’.
Paths
The Assassin Implant uses a series of directories to receive, store, and send data
to the assigned LP. The directories required for every Assassin installation are:
input, output, startup, staging, and push. The input directory is where all files