Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//ORCON//NOFORN
The Assassin Implant uses RC4 128-bit encryption utilizing a 4-bit nonce to
further obfuscate the key. In the example above, the crypto key will be set to all
null values. The value stored in XML is a 16-byte hex representation of the key.
In the example above, the crypto key is set to
“00000000000000000000000000000000”.
Hibernate
Assassin allows for an initial hibernation time to be set at build time. This time
defines how long the Implant will remain inactive. Once the time has
expired, the Implant will begin processing tasks and attempting to communicate
with the defined LP.
In the example above, hibernate time has been set to 1 minute using the
Assassin complex numbering system.
ID
The ID tag contains information describing what the target ID for the configured
Implant will be. The ID consists of a parent and child ID, each of which consists of
4 alpha-numeric characters. The parent ID is required and the child ID can be set
to be generated automatically at build time if it is left blank.
In the example above, the parent ID will be set to ‘assn’ and the child ID will be
generated on target. The example below shows the XML for a defined child ID:
<ID>
<Parent>assn</Parent>
<Child>0001</Child>
</ID>
In the example above, the child ID is defined as ‘0001’ so the complete ID that
will be displayed in the LP is ‘assn0001’.
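The ID rules described above, as an added example that is not part of the original document: a Python check an analyst could run over an `<ID>` fragment recovered during triage. The function name `triage_id` and the sample strings are assumptions; the element names come from the XML shown above.

```python
import re
import xml.etree.ElementTree as ET

# Rule from the text: each half of the ID is 4 alphanumeric characters.
ID_PART = re.compile(r"[A-Za-z0-9]{4}")


def triage_id(fragment):
    """Return (parent, child, display_id) for a recovered <ID> fragment.

    child and display_id are None when the child is blank: the text says
    a blank child is generated automatically, so the complete ID cannot
    be known from the configuration alone.
    """
    # Recovered artifacts are untrusted input: refuse DTDs and entity
    # declarations instead of handing them to the XML parser.
    if "<!" in fragment:
        raise ValueError("DTD or entity declaration in fragment")
    root = ET.fromstring(fragment)
    if root.tag != "ID":
        raise ValueError("expected an <ID> element")
    parent = (root.findtext("Parent") or "").strip()
    child = (root.findtext("Child") or "").strip()
    if not ID_PART.fullmatch(parent):
        raise ValueError("parent ID is required: 4 alphanumeric characters")
    if not child:
        return parent, None, None
    if not ID_PART.fullmatch(child):
        raise ValueError("child ID must be 4 alphanumeric characters")
    return parent, child, parent + child


# Constructed samples: the first mirrors the fragment shown above, the
# second leaves the child blank.
DEFINED = "<ID><Parent>assn</Parent><Child>0001</Child></ID>"
BLANK = "<ID><Parent>assn</Parent><Child></Child></ID>"

if __name__ == "__main__":
    for sample in (DEFINED, BLANK):
        print(triage_id(sample))
```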
Paths
The Assassin Implant uses a series of directories to receive, store, and send data
to the assigned LP. The directories required for every Assassin installation are:
input, output, startup, staging, and push. The input directory is where all files
received from the LP are stored. The output directory is where the task results
are stored. The startup directory is where all startup tasks are stored. The
staging directory is where all chunked result files are stored, awaiting transport
to the LP. The push directory is a special directory provided as a way to push
data files from any other source to the LP using the Assassin transport setup.
In the example above, the input directory is set to “c:\temp\input”, the output
directory is set to “c:\temp\output”, the startup directory is set to
“c:\temp\startup”, the staging directory is set to “c:\temp\staging” and the push
directory is set to “c:\temp\push”.
Max Consecutive Fails
In Assassin, the maximum consecutive failures value is the number of consecutive
beacon attempts that have not resulted in a successful beacon. These failures