Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Checking the global objects on the system. Look for a device with the name configured in Pandemic, or a symbolic link with the name configured in Pandemic.
3.6 (U) Verification/Uninstall
(S//NF) The DLL Control.dll is included in the delivery. This DLL is simply a Fire and Forget (v2) DLL which can perform two different functions: checking that Pandemic is installed, and uninstalling Pandemic. The usage information through Shellterm is simply 'loaddll -a "<uninstall string configured above> [-c | -u]" <DLL path>'
-c: Returns successful status (0) if the Pandemic device exists on the target. If the device was not found, the value 0x2 will be returned. The latter indicates that Pandemic either isn't finished setting up (unlikely) or Pandemic is not running.

-u: Instructs Pandemic to exit as soon as possible. Pandemic will check every 15 seconds to see if it should exit or not (up to any --timer value configured). The time to complete uninstall (when a -c command would return 0x2) could take roughly 15 seconds after issuing a -u command.
(S//NF) The uninstall string needed is the device link name that was used when configuring Pandemic (--name <device name> <device link name>). This value should be in your receipt file for the binary. Without this value, you cannot uninstall Pandemic short of guessing the value, figuring out the value (listing the system's objects and guessing), or rebooting the machine. If Pandemic has a --timer value configured, it will exit upon that timer expiring.
3.7 (U) Known issues

(S//NF) The following are known/potential issues that may arise while using Pandemic:

(S//NF) If the remote user goes to copy the targeted PE on the file server to their local machine, and the remote user has a file with the same name as the targeted PE in the destination folder, Windows will ask the user if they wish to replace the file or cancel the copy operation. The issue is that the Windows alert box will report the new file's size as the size of the targeted PE, not the replacement PE.

For example: The targeted file is Pexplorer.exe, size 4.5 MB. The replacement file is NOTEPAD.exe, size 67 KB. If the remote user copies down pexplorer.exe to a local folder with that same file name, Windows will ask the user if they wish to overwrite/cancel the copy. When it does this, it will say that the size of the remote copy is 4.5 MB. However, after the operation is complete, the user will have only downloaded the replacement PE file of size 500 KB.
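The size discrepancy described in this known issue is also a detection opportunity for defenders: the directory listing advertises the size of the file on the server's disk, while the bytes that arrive over the share are the replacement. The following added example (not part of the original document; file sizes and blobs are constructed test data) audits a received copy against the advertised size and, where available, the hash of the file as read locally on the server.

```python
"""Defender-side consistency check for a PE copied from a file share.
Added example, not part of the original document. The blobs and sizes
below are constructed test data, not real files from any server."""
import hashlib
import struct
from typing import List, Optional


def build_fake_pe(total_len: int) -> bytes:
    """Construct a minimal MZ/PE-shaped blob of total_len bytes (test data only)."""
    assert total_len >= 0x44, "need room for MZ stub, e_lfanew and PE signature"
    e_lfanew = 0x40
    header = bytearray(b"MZ" + b"\x00" * (0x3C - 2))   # MZ stub up to offset 0x3C
    header += struct.pack("<I", e_lfanew)             # e_lfanew at offset 0x3C
    header += b"PE\x00\x00"                           # PE signature at e_lfanew
    return bytes(header) + bytes(total_len - len(header))


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_transfer(listed_size: int, received: bytes,
                   server_local_sha256: Optional[str] = None) -> List[str]:
    """Compare what the share advertised with what actually arrived.
    Returns a list of findings; an empty list means the copy is consistent.
    server_local_sha256 is the hash of the same file read on the server itself."""
    findings = []
    if len(received) != listed_size:
        findings.append(f"size mismatch: listing says {listed_size} bytes, "
                        f"received {len(received)}")
    if not looks_like_pe(received):
        findings.append("received data is not a well-formed PE image")
    if server_local_sha256 is not None and sha256_hex(received) != server_local_sha256:
        findings.append("hash mismatch: copy over the share differs from the file on disk")
    return findings


if __name__ == "__main__":
    original = build_fake_pe(4096)      # stands in for the file on the server's disk
    replacement = build_fake_pe(512)    # stands in for a smaller file received instead
    print(audit_transfer(len(original), original, sha256_hex(original)))      # []
    print(audit_transfer(len(original), replacement, sha256_hex(original)))   # 2 findings
```

In practice the server-side hash comes from reading the file directly on the server (or from a known-good baseline), never through the share whose integrity is in question.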