Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED//LES Page 18
7.1.8 RUNNING FULCRUM AS AN EXE WITH COMPILED PARAMETERS
1. Copy the FULCRUM executable binary (f32.exe or f64.exe) to the desired location.
2. Double-click the FULCRUM binary
7.1.9 RUNNING FULCRUM AS A DLL USING RUNDLL32.EXE WITH A CONFIGURATION FILE
1. Prepare a configuration file as described in Section 7.1.1
2. Encrypt a configuration file as described in Section 7.1.3
3. Copy the FULCRUM DLL binary (f32.dll) into the same directory as the configuration file.
4. Open a command prompt
5. Change directories to the location of the FULCRUM binary.
6. Execute the binary by typing the following command into the command prompt:
rundll32.exe f32.dll,rundll_entry
7.1.10 RUNNING FULCRUM AS A DLL USING RUNDLL32.EXE WITH COMMAND-LINE PARAMETERS
1. Copy the FULCRUM DLL binary (f32.dll) to the desired location.
2. Open a command prompt
3. Change directories to the location of the FULCRUM binary.
4. Execute the binary by typing the following command into the command prompt:
rundll32.exe f32.dll,rundll_entry [Victim MAC Address] [Hijack MAC Address] [Milliseconds between Spoofs] [Injected URL]
For example:
rundll32.exe f32.dll,rundll_entry AA:AA:AA:AA:AA:AA BB:BB:BB:BB:BB:BB 1000 http://test.com/cool.jpg
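Added example (not part of the original guide): a defender-side check over process-creation command lines, such as those recorded by Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing, that flags the rundll32.exe invocation forms documented in 7.1.9 and 7.1.10. The function names, verdict labels and sample lines are assumptions constructed for illustration; the check keys on the argument shape rather than the f32.dll file name, so it goes beyond the single command shown above.

```python
import re

# Argument shapes taken from the documented command line:
#   rundll32.exe <dll>,<export> <MAC> <MAC> <milliseconds> <URL>
MAC = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")
URL = re.compile(r"https?://\S+", re.I)
RUNDLL32 = re.compile(r'(?:^|[\\/"])rundll32(?:\.exe)?"?\s+(?P<rest>.+)$', re.I)

def classify(cmdline):
    """Return 'high', 'medium' or 'none' for one process command line."""
    m = RUNDLL32.search(cmdline.strip())
    if not m:
        return "none"                      # not a rundll32 invocation
    _dll, _, after = m.group("rest").partition(",")
    tokens = after.split()
    if not tokens:
        return "none"                      # no export named after the comma
    export, args = tokens[0], tokens[1:]
    # Strong signal: two MAC addresses, an interval and a URL passed to a DLL
    # export. Survives renaming of both the DLL and the export.
    if (len(args) == 4 and MAC.fullmatch(args[0]) and MAC.fullmatch(args[1])
            and args[2].isdigit() and URL.fullmatch(args[3])):
        return "high"
    # Weak signal: the export name used in the guide, with no arguments
    # (the configuration-file variant in 7.1.9). Names are trivially changed.
    if export.lower() == "rundll_entry":
        return "medium"
    return "none"

def scan(lines):
    """Return (verdict, line) pairs for every line that is not 'none'."""
    return [(v, l) for l in lines if (v := classify(l)) != "none"]

# Constructed sample command lines (the first is the guide's own example).
SAMPLE = [
    "rundll32.exe f32.dll,rundll_entry AA:AA:AA:AA:AA:AA BB:BB:BB:BB:BB:BB 1000 http://test.com/cool.jpg",
    r"C:\Windows\System32\rundll32.exe upd.dll,Start 00-11-22-33-44-55 66-77-88-99-AA-BB 250 http://example.test/a.png",
    "rundll32.exe f32.dll,rundll_entry",
    "rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    "notepad.exe AA:AA:AA:AA:AA:AA",
]

if __name__ == "__main__":
    for verdict, line in scan(SAMPLE):
        print(f"{verdict:6} {line}")
```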
7.1.11 RUNNING FULCRUM AS A DLL USING LOADLIBRARY WITH A CONFIGURATION FILE
1. Prepare a configuration file as described in Section 7.1.1
2. Encrypt a configuration file as described in Section 7.1.3
3. Copy the FULCRUM DLL binary (f32.dll or f64.dll) to the same directory as the configuration file.
4. From the parent process, load the binary using LoadLibrary
5. From the parent process, get the parameterless export using GetProcAddress(func). This function's signature is: void func(void)
6. From the parent process, call func
7.1.12 RUNNING FULCRUM AS A DLL USING LOADLIBRARY WITH COMPILED PARAMETERS
1. Copy the FULCRUM DLL binary (f32.dll or f64.dll) to desired location.