Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//ORCON//NOFORN
Assassin provides two methods for defining when to uninstall the target. The
uninstall time can be defined with a specific time and date, or with a set number
of seconds. The shorter of the two will be used. Both of these values are
optional, and can be changed later using a task.
In the example above, the number of seconds before uninstall has been defined
as 5 days using the Assassin complex numbering system, and the uninstall date
has been set to the 12th of December 2012.
Whitelist
The Assassin Implant allows for an optional whitelist of programs to be set.
During a beacon attempt, at least one program in the whitelist must be running
and listed in the process list for a beacon to occur. If a required program isn’t
running, the beacon will not occur, and the beacon failure count will be
incremented. This will not affect the transport failure count, since the transport
was never attempted. An example of the XML for the whitelist is shown below:
In the example above, there are no values defined for the list, disabling the
whitelist. The example below shows the XML for a populated whitelist:
<Whitelist>
    <Prog>iexplore.exe</Prog>
    <Prog>firefox.exe</Prog>
    <Prog>chrome.exe</Prog>
</Whitelist>
In the example above, the whitelist has the three programs, “iexplore.exe”,
“firefox.exe”, and “chrome.exe”, added to the list. If none of these shows up in
the process list, the beacon will not occur.