Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN

0xA0000102  Size too big
0xA0000103  Out of memory
0xA0000104  Disk Error – invalid disk name or ram only
10. (U) Notes and Observations
10.1 (U) Installations of Hera Require a Reboot for Elevated Access Privileges

(S//NF) Hera hijacks the Dnscache service on installation. On Windows 7 and 8, this service runs in a netsvcs instance by default, but on Windows 8.1 and Windows 10 it runs as NetworkService. The NetworkService user context has reduced security capability on the system. Due to the svchost implementation, the service will only run in the netsvcs context after the next reboot. To account for this deficiency and still provide immediate execution after installation, the existing service runs as NetworkService (not SYSTEM) until the next reboot, at which time the System user netsvcs instance is engaged. As a result, until a reboot occurs, some attempts to access files may fail, causing the command to be reported as an error.
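The note above describes an implant that hijacks the Dnscache (DNS Client) service and changes the svchost group it runs in. The following is an added defensive check, not part of the leaked document: it reads how Dnscache is wired up on a Windows host and flags deviations. It assumes the legitimate service DLL is Microsoft's dnsrslvr.dll and that the host is inspected from an elevated PowerShell session; the expected svchost group differs by Windows version, so it is reported rather than judged.

```powershell
# Added defensive check (not from the leaked document): inspect the Dnscache
# service configuration and flag signs that it has been repointed.
# Assumption: a healthy DNS Client service loads dnsrslvr.dll inside svchost.exe.

$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'
$svc    = Get-ItemProperty -Path $svcKey
$params = Get-ItemProperty -Path "$svcKey\Parameters"

$imagePath  = $svc.ImagePath
$account    = $svc.ObjectName
$serviceDll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)

# The "-k <group>" argument names the svchost instance the service shares.
$group = if ($imagePath -match '-k\s+(\S+)') { $Matches[1] } else { '(none)' }

$findings = @()
if ($serviceDll -notmatch '\\dnsrslvr\.dll$') {
    $findings += "ServiceDll is not dnsrslvr.dll: $serviceDll"
}
if (-not (Test-Path $serviceDll)) {
    $findings += "ServiceDll path does not exist: $serviceDll"
} else {
    $sig = Get-AuthenticodeSignature -FilePath $serviceDll
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "ServiceDll signature check failed ($($sig.Status)): $serviceDll"
    }
}
if ($imagePath -notmatch '\\svchost\.exe') {
    $findings += "ImagePath is not svchost.exe: $imagePath"
}
# A service running in a svchost group that does not list it as a member is suspicious.
$groups = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
if ($group -ne '(none)' -and ($groups.$group -notcontains 'Dnscache')) {
    $findings += "Dnscache is not a registered member of svchost group '$group'"
}

# Report the live service so the configured account can be compared with reality.
$live = Get-CimInstance Win32_Service -Filter "Name='Dnscache'"
[pscustomobject]@{
    ImagePath    = $imagePath
    SvchostGroup = $group
    Account      = $account
    ServiceDll   = $serviceDll
    State        = $live.State
    ProcessId    = $live.ProcessId
    Findings     = if ($findings) { $findings -join '; ' } else { 'none' }
}
```

Compare the reported SvchostGroup and Account with a known-good host of the same Windows version; a Dnscache instance that has moved from NetworkService into netsvcs on Windows 8.1 or 10 matches the behaviour described above.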
10.2 (U) Installer and RAM_ONLY Versions Should Never Be Run From Disk

(S//NF) Copying the Installer or the RAM_ONLY version of the implant to the target computer and then executing either application from disk will generate an alert when Avira is the PSP. Avira flags the size of the data section as being too large and thus possibly malware. Avira does not flag the size of the implant data section when these applications are run from memory as intended.
10.3 (U) Builder Does Not Produce a “Bit Copy” of an Existing Configured Implant

(S//NF) The Builder can ingest a configuration file from an existing implant and copy the configuration settings to a new implant. However, the new implant will not be a bit-by-bit exact copy of the original implant. Making an exact copy of an existing implant is not possible due to the design of the implant and the desire to ensure entropy between instances of the tool. The only way to reproduce a bit copy of an existing implant would be to have a large section of zero-byte data in the configured implant, which would be an easy way to correlate instances of the tool.
10.4 (U) Offline Installer May Report a False Failure on Windows 10 Installations

(S//NF) The Offline Installer may display an error message stating the following key is not found:

    Reg: SYSTEM\CurrentControlSet\Services\SstpSvc
    Start -> 0x02
    Type -> 0x20

(U) If the result of the installation process is a SUCCESS, the Key Not Found error should be ignored.
10.5 (S//NF) Timeouts May Occur While Processing Large Files

(S//NF) If the Operator selects a very small chunk size (e.g., 2048 bytes) and a short duration for either the command execution or batch execution timeout, the implant may not have enough time