Vault 7: Projects
SECRET//NOFORN
developer (remember the exact code). Pandemic will return 0 if it was able to kick off
the installation thread. This does not mean that Pandemic was successfully installed.
Shellterm's shellcode launcher specification prevents Pandemic from doing the full install
in the initial thread Shellterm provides (doing so could cause Shellterm instability or a crash).
Therefore, several installation steps happen in a new thread and cannot report error
codes back to Shellterm. The following methods are good ways to verify successful
installation:
• Through Shellterm, use the reg command to check for the existence of the
Pandemic keys/values.
◦ Command: reg -q HKLM\SYSTEM\CurrentControlSet\Services\Null
◦ You should see a sub-key called 'Instances'. Querying that, you should see
another sub-key called 'Null'.
• Check the global objects on the system. Look for a device with the name
configured in Pandemic, or a symbolic link with the link name configured in
Pandemic.
• Launch the Control DLL with the -c command (See section 3.6)
3.6 (U) Verification/Uninstall
(S//NF) The DLL Control.dll is included in the delivery. This DLL is a simple Fire and
Forget (v2) DLL which can perform two different functions: checking that Pandemic is
installed, and uninstalling Pandemic. The usage through Shellterm is simply
loaddll -a "<uninstall string configured above> [-c | -u]" <DLL path>
• -c: Returns successful status (0) if the Pandemic device exists on the target. If the
device was not found, the value 0x2 is returned. The latter indicates that
Pandemic either has not finished setting up (unlikely) or is not running.
• -u: Instructs Pandemic to exit as soon as possible. Pandemic checks every 15
seconds whether it should exit (in addition to any --timer value configured), so
the uninstall can take roughly 15 seconds after the -u command is issued before
a -c command returns 0x2.
(S//NF) The uninstall string needed is the device link name that was used when
configuring Pandemic (-n <device name> <device link name>). This value should be in
your receipt file for the binary. Without this value, you cannot uninstall Pandemic short
of guessing the link name (for example by listing the system's objects and picking the
likely candidate) or rebooting the machine. If Pandemic has a --timer value configured,
it will exit upon the expiration of that timer.
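The two checks in section 3.5 (the Services\Null\Instances\Null registry key and the device/symbolic link objects) and the post-uninstall wait described above can also be run from a PowerShell session on the target, which is useful when Shellterm is not the access path or when confirming an uninstall from the defender's side. The script below is an added example and is not part of the Pandemic delivery or the Control DLL. It assumes the device object is created under \Device and the link under \GLOBAL?? (the DosDevices namespace), that the names in the receipt file are bare object names, and the function and parameter names are the author's own.

```powershell
# Added example (not from the Pandemic guide): verify Pandemic's footprint from a PowerShell
# session on the target. Assumed inputs: the device name and device link name from the receipt file.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NtObj {
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_DIRECTORY_INFORMATION { public UNICODE_STRING Name; public UNICODE_STRING TypeName; }
    [DllImport("ntdll.dll")] public static extern int NtOpenDirectoryObject(out IntPtr handle, uint access, ref OBJECT_ATTRIBUTES oa);
    [DllImport("ntdll.dll")] public static extern int NtQueryDirectoryObject(IntPtr handle, IntPtr buffer, int length,
        [MarshalAs(UnmanagedType.U1)] bool single, [MarshalAs(UnmanagedType.U1)] bool restart, ref uint context, out uint returned);
    [DllImport("ntdll.dll")] public static extern int NtClose(IntPtr handle);
}
'@

# Enumerate an object-manager directory (e.g. \Device or \GLOBAL??), the same data WinObj shows.
function Get-ObjectDirectoryEntries([string]$Path) {
    $m = [Runtime.InteropServices.Marshal]
    $us = New-Object NtObj+UNICODE_STRING
    $us.Length = [uint16]($Path.Length * 2); $us.MaximumLength = [uint16]($us.Length + 2)
    $us.Buffer = $m::StringToHGlobalUni($Path)
    $usPtr = $m::AllocHGlobal($m::SizeOf($us)); $m::StructureToPtr($us, $usPtr, $false)
    $oa = New-Object NtObj+OBJECT_ATTRIBUTES
    $oa.Length = $m::SizeOf($oa); $oa.ObjectName = $usPtr; $oa.Attributes = 0x40   # OBJ_CASE_INSENSITIVE
    $h = [IntPtr]::Zero
    $status = [NtObj]::NtOpenDirectoryObject([ref]$h, 0x1, [ref]$oa)               # DIRECTORY_QUERY
    if ($status -ne 0) { throw ('NtOpenDirectoryObject({0}) failed: 0x{1:X8}' -f $Path, $status) }
    $bufLen = 65536; $buf = $m::AllocHGlobal($bufLen)
    $ctx = [uint32]0; $ret = [uint32]0; $restart = $true; $entries = @()
    try {
        do {
            $status = [NtObj]::NtQueryDirectoryObject($h, $buf, $bufLen, $false, $restart, [ref]$ctx, [ref]$ret)
            $restart = $false
            if ($status -ne 0 -and $status -ne 0x105) { break }                      # 0x105 = STATUS_MORE_ENTRIES
            $p = $buf
            while ($true) {                                                          # the array ends with an empty entry
                $e = $m::PtrToStructure($p, [type][NtObj+OBJECT_DIRECTORY_INFORMATION])
                if ($e.Name.Buffer -eq [IntPtr]::Zero) { break }
                $entries += [pscustomobject]@{
                    Name = $m::PtrToStringUni($e.Name.Buffer, $e.Name.Length / 2)
                    Type = $m::PtrToStringUni($e.TypeName.Buffer, $e.TypeName.Length / 2)
                }
                $p = [IntPtr]($p.ToInt64() + $m::SizeOf($e))
            }
        } while ($status -eq 0x105)
    } finally {
        [void][NtObj]::NtClose($h); $m::FreeHGlobal($buf); $m::FreeHGlobal($usPtr); $m::FreeHGlobal($us.Buffer)
    }
    $entries
}

# Section 3.5 registry check: Services\Null gains an Instances\Null sub-key once Pandemic is installed.
function Test-PandemicRegistry {
    Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Null\Instances\Null'
}

# Section 3.5 object check. Assumption: device under \Device, link under \GLOBAL?? (DosDevices).
function Test-PandemicObjects([string]$DeviceName, [string]$LinkName,
                              [string]$DeviceDir = '\Device', [string]$LinkDir = '\GLOBAL??') {
    $dev  = Get-ObjectDirectoryEntries $DeviceDir | Where-Object { $_.Name -eq $DeviceName -and $_.Type -eq 'Device' }
    $link = Get-ObjectDirectoryEntries $LinkDir   | Where-Object { $_.Name -eq $LinkName   -and $_.Type -eq 'SymbolicLink' }
    [pscustomobject]@{ Device = [bool]$dev; Link = [bool]$link }
}

# After 'loaddll -a "<link name> -u" Control.dll' through Shellterm, Pandemic polls its exit flag every
# 15 s, so allow more than one interval before concluding the uninstall did not take.
function Wait-PandemicRemoval([string]$DeviceName, [string]$LinkName, [int]$TimeoutSeconds = 45) {
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $o = Test-PandemicObjects $DeviceName $LinkName
        if (-not $o.Device -and -not $o.Link) { return $true }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Usage with hypothetical names standing in for the values from a receipt file:
# Test-PandemicRegistry
# Test-PandemicObjects -DeviceName 'ExampleDev' -LinkName 'ExampleLink'
# Wait-PandemicRemoval -DeviceName 'ExampleDev' -LinkName 'ExampleLink'
```

Run it from an elevated, native-bitness PowerShell. A true result from Test-PandemicRegistry with a false Device from Test-PandemicObjects is the "install thread kicked off but did not finish" case the return value of 0 cannot distinguish; a false result from Wait-PandemicRemoval after issuing -u means either the wrong link name was supplied (the Control DLL will not find the device) or Pandemic has not reached its 15-second check yet, so re-check before falling back to a reboot.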
3.7 (U) Known issues
(S//NF) The following are known/potential issues that may arise while using Pandemic:
• (S//NF) Target paths with folder names will not match correctly (replacement will
not occur). This is a known issue that has been difficult to fix because certain
systems/network configurations will not have issues with folder names, but other