Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
end of its configured run timer, or when it is uninstalled via a special F&F DLL. These keys will NOT//NOT be deleted if the system is rebooted before the aforementioned scenarios occur.
3.4 (U) Configuration
(S//NF) Pandemic comes with a configuration utility which builds a binary file for execution via ShellTerm. Pandemic_Builder has the following arguments:
• --target <string name>: This is a search string to use when watching for the target file to 'replace' on the file server. Pandemic only matches if the string given here is the last part of the file path. For example:
  ◦ --target Winhex\WinHex.exe will match in the following case:
    ▪ C:\users\administrator\desktop\winhex\winhex.exe
  ◦ It will not match if the file being opened is:
    ▪ C:\users\administrator\desktop\winhex\winhex.exe.dll
  ◦ Be sure to choose this string carefully, so only the targeted PE is replaced.
• --replace <string path>: Path to the local file that will be used to replace the targeted PE. This should be a file on the configuration machine. This file will be opened, and its contents read and stored in the payload binary. The current limit for the replacement PE is 30 MB.
• --timer <32-bit number>: This is the effective time to live (in MINUTES) for Pandemic on target. Once Pandemic has been running for the given amount of minutes, Pandemic will uninstall itself. It can be uninstalled before this time by either a system shutdown or the Pandemic_Uninstall DLL.
• --delay <32-bit number>: This is the time, in minutes, that Pandemic will wait before it begins replacing the targeted PE with the payload PE. Pandemic can be manually uninstalled in this time period. This time period does not//not count against any --timer value.
• --name <device name string> <link name string>: Two arguments that tell Pandemic how to name the device object and link name for the uninstall device. Pandemic creates a device and device symbolic link for on-demand uninstalling.
  ◦ Ex. --name NTPNP_PCI0046 Scsi3:
• --sids <list of SIDs, space separated>: List of SIDs to target when performing file replacement. Should be in the standard Windows string SID format.
  ◦ Ex. --sids S-1-5-21-708247480-2834978148-2381576337-1001 S-1-5-21-708247480-2834978148-2381576337-1003
  ◦ Current limit is 64 SIDs.
• --badsids <list of SIDs, space separated>: List of SIDs to NOT target when performing file replacement. Users with these SIDs will NOT//NOT get the replacement PE (even if no --sids list is given). Blacklist will TRUMP the whitelist. Ex. A SID on --sids will be ignored if it also appears in --badsids.
• --logfile <log file path on target>: Path on target to save the log file to. The log will contain a timestamp-SID entry for each read operation performed on the target PE file by a targeted SID.
• --writetime <MM/DD/YYYY HH:MM:SS>: Optional. Value used to set the log's write time value after updating the log. If using --writetime, you must include a