Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Example
(gh) add component scheduledtask
-n ExampleTask
-t "c:\windows\task.exe"
-p "c:\windows\payload.exe"
-d "An example of how to create a scheduled task component."
-r logon
2.2 Supported Payload Types
ScheduledTask accepts input payloads in EXE or DLL formats for the x86 or x64
architectures. ScheduledTask is a terminating component and does not output a
payload.
Input Type    Output Type(s)
x86 EXE       None
x64 EXE       None
x86 DLL       None
x64 DLL       None
2.3 Supported Variant Stub Names
As part of version 1.1 of the ScheduledTask component, variant stubs were added.
Three stubs are available: the default stub (Stub A), Stub B, and Stub ESET.
1. The default stub (A) uses the Grasshopper common code base and stores its
configuration information in resource data.
2. Stub B stores its configuration data in a data-segment variable and calls
schtasks.exe to manipulate scheduled tasks.
3. The ESET stub uses the signed ESETCRACKME executable as the task binary
together with a stub DLL of the same name, which the executable loads
automatically; it also uses a code base separate from the default one.
2.4 Uninstall Procedure
Manual
The manual uninstall procedure consists of the following steps:
1. Stop the scheduled task, if it is running.
schtasks /End /TN <TASK_NAME>
2. Kill the process executing the payload (if the payload was an EXE).
taskkill /F /IM <PAYLOAD_NAME>
3. Remove the scheduled task from the Windows Task Scheduler.
schtasks /Delete /TN <TASK_NAME>
4. Delete the stub and payload executables from the filesystem.
del /F <TASK_PATH> <PAYLOAD_PATH>
Autonomous
The autonomous uninstall procedure consists of the following steps:
1. Delete the payload from the filesystem.
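The task that the example command above creates, and that the manual uninstall removes, is listed by `schtasks /Query /V /FO CSV`. The following Python is an added defender-side example, not part of the original document: it parses such output (a constructed sample is embedded, trimmed to the columns used) and flags logon- or boot-triggered tasks and tasks whose binary sits outside an assumed allowlist of directories. The column names follow the real verbose CSV output of `schtasks`; the environment-variable expansion and the directory allowlist are assumptions to tune per environment.

```python
import csv
import io

# Constructed sample of `schtasks /Query /V /FO CSV` output, trimmed to the
# columns this triage uses (the real output carries many more columns).
SAMPLE_CSV = '''"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM","On an event"
"WS01","\\ExampleTask","Ready","WS01\\user","c:\\windows\\task.exe","SYSTEM","At logon time"
"WS01","\\Adobe Acrobat Update Task","Ready","Adobe Systems","""C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe""","INTERACTIVE","Daily"
"WS01","\\Updater","Ready","WS01\\user","C:\\Users\\user\\AppData\\Roaming\\upd.exe","WS01\\user","Daily"
'''

# Trigger types that fire without anyone scheduling a run (typical persistence).
LOGON_TRIGGERS = {"at logon time", "at system start up"}
# Assumed allowlist of directories where task binaries are expected to live;
# tune per environment.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")

def executable_path(task_to_run):
    """Executable part of a 'Task To Run' command line, lowercased, with
    %windir%/%SystemRoot% expanded (assumed to be C:\\Windows)."""
    cmd = task_to_run.strip()
    if cmd.startswith('"'):
        exe = cmd[1:cmd.index('"', 1)]   # quoted path, may contain spaces
    else:
        exe = cmd.split()[0]             # first token is the binary
    exe = exe.lower()
    for var in ("%windir%", "%systemroot%"):
        exe = exe.replace(var, "c:\\windows")
    return exe

def triage(csv_text):
    """Flag tasks that run at logon/boot or whose binary is outside EXPECTED_DIRS."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exe = executable_path(row["Task To Run"])
        reasons = []
        if row["Schedule Type"].strip().lower() in LOGON_TRIGGERS:
            reasons.append("logon-triggered")
        if not exe.startswith(EXPECTED_DIRS):
            reasons.append("binary outside expected directories")
        if reasons:
            findings.append({"task": row["TaskName"], "exe": exe,
                             "user": row["Run As User"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f"{f['task']}: {f['exe']} as {f['user']} ({', '.join(f['reasons'])})")
```

On a live host, feed the real output of `schtasks /Query /V /FO CSV` to `triage` and review each finding against the task's Author and Run As User columns.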