Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
3.1 (U) Summary of Capabilities
(S//NF) The following is a summary of the system capabilities:
- Executes on the Windows XP (SP3)/7/8.1/2008/2012/10 (x86/x64) operating systems.
- Provides a beaconing capability that provides configuration and task handling.
- Provides memory loading/unloading of NOD Persistence Specification DLLs on the target system.
- Provides delivery and retrieval of files to/from a specified directory on the target system.
- Allows the operator to configure settings during runtime (while the implant is on target).
4. (S//NF) System Versions
(S//NF) The system was designed to allow a base installation (Athena) and an extended
installation (Hera). Both versions contain the full command set defined in this document. This
section will describe the differences between the implementations and configurations.
4.1 (S//NF) Athena
(S//NF) Athena is the primary implementation for use on WinXP through Win10 operating
systems. This implementation uses the RemoteAccess service for persistence, ZLIB for
compression and XTEA for encryption on disk.
4.1.1 (S//NF) On-Target Footprint
(S//NF) The Athena implant is compliant with the NOD Persistence Specification for persistent
DLLs and provides its own persistence mechanism. Athena will be hosted by the RemoteAccess
service. There is an external DLL that this service will load that is not a service DLL.
Table 3 - (U) Installed File and Registry Resources

Location: %SystemRoot%\System32\Microsoft\Crypto\RAS\iprcache.dll
Configuration item: TARGET_FILENAME
Description: The overt target file location on disk that is referenced by the RemoteAccess service.

Location: %SystemRoot%\System32\CodeIntegrity\ras.cache
Configuration item: DATA_FILENAME
Description: The overt data file location on disk that contains the package file (config, engine, etc.).

Location: SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\IP (Start = 2, Type = 20)
Configuration item: DLLPath
Description: This overt registry entry forces the RemoteAccess service to load the target DLL before loading the true support DLL.

Location: SYSTEM\CurrentControlSet\Services\RasMan (Start = 2, Type = 20)
Configuration item: None
Description: This overt registry entry is updated to allow this dependent service to start when the RemoteAccess service starts.

Location: SYSTEM\CurrentControlSet\Services\SStpSvc (Start = 2, Type = 20)
Configuration item: None
Description: This overt registry entry is updated to allow this dependent service to start when the RemoteAccess service starts.

Location: SYSTEM\CurrentControlSet\services\RemoteAccess\RouterManagers\Ip, DLLPath = %SystemRoot%\System32\iprtrmgr.dll (Windows 10 only)
Configuration item: None
Description: Used by the RemoteAccess service.
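The footprint in Table 3 is all a defender needs to hunt for this persistence on a host. The following PowerShell script is an added example, not part of the Athena documentation or tooling: it checks for the two artefact files, verifies that the RouterManagers\Ip DLLPath still resolves to the legitimate iprtrmgr.dll, and reports the three services if they have been switched to automatic start. The expected DLLPath value and the hex reading of "Type = 20" (0x20, SERVICE_WIN32_SHARE_PROCESS) are assumptions drawn from the table; run it elevated.

```powershell
# Added hunt script (not from the Athena document). Paths and keys come from Table 3;
# the expected DLLPath is assumed to be the stock %SystemRoot%\System32\iprtrmgr.dll.
$expectedDllPath = "$env:SystemRoot\System32\iprtrmgr.dll"
$findings = @()

# 1. Artefact files the implant drops (TARGET_FILENAME and DATA_FILENAME in Table 3).
$artefacts = @(
    "$env:SystemRoot\System32\Microsoft\Crypto\RAS\iprcache.dll",
    "$env:SystemRoot\System32\CodeIntegrity\ras.cache"
)
foreach ($p in $artefacts) {
    if (Test-Path -LiteralPath $p) { $findings += "Artefact file present: $p" }
}

# 2. RouterManagers\Ip DLLPath must still point at the legitimate router manager DLL.
$ipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip'
if (Test-Path -LiteralPath $ipKey) {
    $dll = (Get-ItemProperty -LiteralPath $ipKey -ErrorAction SilentlyContinue).DLLPath
    $resolved = [Environment]::ExpandEnvironmentVariables([string]$dll)
    # -ne is case-insensitive in PowerShell, so path casing differences do not fire.
    if ($dll -and $resolved -ne $expectedDllPath) {
        $findings += "RouterManagers\Ip DLLPath redirected to: $dll"
    }
}

# 3. Services the document says are flipped to Start=2 (automatic). This is a lead, not
#    proof: a real RRAS server legitimately runs these services, so correlate with 1 and 2.
foreach ($svc in 'RemoteAccess', 'RasMan', 'SstpSvc') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $v = Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue
    if ($v.Start -eq 2) {
        $findings += ("{0} set to automatic start (Start=2, Type=0x{1:X})" -f $svc, [int]$v.Type)
    }
}

if ($findings.Count -eq 0) { Write-Output 'No Athena footprint indicators found.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

A hit on item 2, or on either file in item 1, is the strong signal; item 3 alone is expected on any host that legitimately runs Routing and Remote Access.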