Vault 7: Projects

SECRET//NOFORN
1. Create a file on the file system at the path specified for the kill file parameter at build time.

When the stub detects the presence of the kill file, it executes the kill file uninstall procedure. The stub checks for the kill file every minute. The uninstall proceeds through the following steps:
1. Wait half a minute before starting uninstall.
2. Attempt to signal and/or stop the payload for uninstall.
3. Securely delete the payload. If this fails, arrange to delete it on reboot.
4. Remove the service from the SCM.
5. Remove the kill file.
6. Delete itself from the filesystem.
NOTE: If the payload is a DLL, the stub will attempt to free the library. If the payload has not performed a “safety load” on itself and does not shut down, it may crash the host process.
NOTE: If the payload is a NOD-persisted DLL, it will have been memory-loaded. On uninstall, the stub will call DLLMain with DLL_DETACH_PROCESS to notify the payload of the uninstall event. However, the memory is leaked and the payload is left running to avoid potentially crashing the host process.
NOTE: If the payload is an EXE, it will be terminated using TerminateProcess and securely deleted.
NOTE: If the uninstall fails, the kill file remains and the uninstall function will be attempted again on the next boot.
NOTE: The hijack technique may fail to find a usable service and fail to hijack. If this happens, the service will start normally on the next reboot of the system.
NOTE: All Stubs perform secure self-deletion during uninstallation.
3 Footprint
File System
- Service Stub Executable, located at a user specified location <STUB_PATH>
- Service Stub Directory, may have been created
- Nodpersist interface payloads are not on disk but are an obfuscated resource in the stub
- Standard Payload Executables are located, depending on payload type, at:
  - default Stub A: <STUB_PATH>.tlb
  - default Stub B: <STUB_PATH>hlp.<exe|dll>
  - default Stub C: <STUB_PATH>ext.<exe|dll>
  - default Stub D: <STUB_PATH>api.<exe|dll>
  - default Stub E: <STUB_PATH>lib.<exe|dll>
  - default Stub F: <STUB_PATH>res.<exe|dll>
- Payload Directory, may have been created
- Unhijack Executable, located at a user specified location <UNHIJACK_PATH>
- Unhijack Directory, may have been created
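To make the footprint above usable during triage, here is an added Python helper (not part of the original document) that derives the candidate payload paths for each default stub variant from a known <STUB_PATH> and reports which listed artifacts are present. It assumes the variant suffix replaces the stub's own file extension (the document does not spell this out), and it does not cover the kill file, whose path is a build-time parameter.

```python
"""Enumerate the on-disk footprint listed in the Footprint section above.

Added example for triage, not code from the original document. It assumes
that <STUB_PATH>hlp.<exe|dll> means the stub path with its own extension
replaced by "hlp.exe" / "hlp.dll" (e.g. C:\\x\\svc.exe -> C:\\x\\svchlp.exe),
and likewise <STUB_PATH>.tlb for Stub A.
"""
import os
from pathlib import PureWindowsPath
from typing import Callable, Optional

# Name suffix per default stub variant, as listed in the Footprint section.
PAYLOAD_SUFFIXES = {"B": "hlp", "C": "ext", "D": "api", "E": "lib", "F": "res"}


def candidate_payload_paths(stub_path: str) -> dict[str, list[str]]:
    """Candidate payload file paths for each default stub variant (A..F)."""
    base = str(PureWindowsPath(stub_path).with_suffix(""))  # assumption: extension replaced
    candidates = {"A": [base + ".tlb"]}
    for variant, suffix in PAYLOAD_SUFFIXES.items():
        candidates[variant] = [f"{base}{suffix}.exe", f"{base}{suffix}.dll"]
    return candidates


def find_present(stub_path: str, unhijack_path: Optional[str] = None,
                 exists: Callable[[str], bool] = os.path.exists) -> list[tuple[str, str]]:
    """Return (label, path) pairs for footprint artifacts that exist.

    `exists` is injectable so the check can run against a mounted image,
    an evidence file listing, or (as below) a constructed set of paths.
    """
    found: list[tuple[str, str]] = []
    if exists(stub_path):
        found.append(("stub", stub_path))
    for variant, paths in candidate_payload_paths(stub_path).items():
        for path in paths:
            if exists(path):
                found.append((f"payload {variant}", path))
    if unhijack_path and exists(unhijack_path):
        found.append(("unhijack", unhijack_path))
    return found


if __name__ == "__main__":
    # Constructed evidence listing standing in for a disk image (not real data).
    listing = {r"C:\ProgramData\svc.exe", r"C:\ProgramData\svcapi.dll"}
    for label, path in find_present(r"C:\ProgramData\svc.exe", exists=lambda p: p in listing):
        print(f"{label:10} {path}")
```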