Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED//FOUO
Builder (Python)
The installer build tool will be run from the high side. All strings will be stored in
UTF-8. All names will be the same in the code as in the XML file. The build code will
provide three functions:
• Config – configuration of the target
• Manager – generate installer dll/bin/etc. files for target
• Wizard – {optional} step-by-step interface to walk through configuration
The following list shows additional requirements.
• Configuration will be stored in XML format
• Command line inputs managed via argparse
• Crypto – must use openssl.py
• Try not to use python/pefile.py as part of the build (using it for testing is OK)
NOTE: The following commands create a server-side cert.
openssl genpkey -algorithm RSA -out a.key
openssl req -new -key a.key -out a.req -subj /CN=10.3.2.111
openssl x509 -req -in a.req -signkey a.key -out a.cert
Naming Python
(match names in Athena header to names in python dictionary)
# Default configuration values; key names match the names in the Athena header.
{
    "TARGET" :    { "ID" : None,
                    "KEY" : None,
                    "IV" : None,
                    "DYN_CONFIG_TYPE" : str(0),
                    "DYN_CONFIG_PATH" : None },
    "BEACON" :    { "INTERVAL" : str(60*60*24),
                    "JITTER" : str(5),
                    "BOOT_DELAY" : str(60),
                    "HIBERNATION_TIME" : str(60),
                    "TASK_DELAY" : str(60),
                    "SERVERS" : None,
                    "PORT" : str(80),
                    "PROXY_PORT" : str(0),
                    "PROXY_ADDRESS" : str(0),
                    "USER_AGENT_STRING" : "Mozilla/0.4" },
    "TASKING" :   { "FILE_PROCESSING_PATH" : None,
                    "BATCH_EXECUTION_TIMEOUT" : None,
                    "COMMAND_EXECUTE_TIMEOUT" : None,
                    "MAX_KBPS_THROUGHPUT" : None,
                    "MAX_CPU_UTILIZATION" : None,
                    "MAX_PROCESSING_DATA_SIZE" : None },
    "UNINSTALL" : { "DATE_AND_TIME" : str(0),
                    "DEAD_MAN_DELAY" : str(0),
                    "BEACON_FAILURES" : str(0),
                    "KILL_FILE_PATH" : None },
    # Backslashes are doubled so each path is a valid Python string literal.
    "INSTALL" :   { "ORIGINAL_FILE_NAME" : "%SystemRoot%\\System32\\dnsrslvr.dll",
                    "TARGET_FILE_NAME" : "%SystemRoot%\\System32\\dnsclnt.dll",
                    "DATA_FILE_NAME" : "%SystemRoot%\\system32\\codeintegrity\\dns.cache" },
}
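The default values above can be turned into a hunting check. The following is an added example, not part of the original document: it looks for the default USER_AGENT_STRING in proxy log lines and for the default TARGET_FILE_NAME and DATA_FILE_NAME paths in a file inventory. The function names, the log line format, the `C:\Windows` system root and all sample data are assumptions made for the example; ORIGINAL_FILE_NAME is left out on the assumption that it names an existing system file.

```python
import re

# Defaults copied from the configuration dictionary above.
DEFAULT_USER_AGENT = "Mozilla/0.4"
DEFAULT_PATHS = [
    r"%SystemRoot%\System32\dnsclnt.dll",              # TARGET_FILE_NAME
    r"%SystemRoot%\system32\codeintegrity\dns.cache",  # DATA_FILE_NAME
]

# Assumed log format: the User-Agent is the last double-quoted field on the line.
UA_FIELD = re.compile(r'"([^"]*)"\s*$')


def normalize(path, system_root=r"C:\Windows"):
    """Expand %SystemRoot%, unify separators and fold case for comparison."""
    p = re.sub(r"%systemroot%", lambda _: system_root, path.strip(), flags=re.I)
    p = re.sub(r"[\\/]+", lambda _: "\\", p)
    return p.lower()


def hunt_proxy(lines):
    """Return 1-based line numbers whose User-Agent equals the default exactly."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = UA_FIELD.search(line)
        # Exact comparison, so ordinary "Mozilla/5.0 (...)" strings do not match.
        if match and match.group(1).strip() == DEFAULT_USER_AGENT:
            hits.append(number)
    return hits


def hunt_paths(inventory, system_root=r"C:\Windows"):
    """Return inventory entries that resolve to one of the default paths."""
    wanted = {normalize(p, system_root) for p in DEFAULT_PATHS}
    return [p for p in inventory if normalize(p, system_root) in wanted]


# Constructed sample data, not taken from any real host or network.
SAMPLE_PROXY = [
    '2024-01-01T00:00:01Z 192.0.2.10 GET http://example.test/ "Mozilla/5.0 (Windows NT 10.0)"',
    '2024-01-01T00:05:00Z 192.0.2.23 GET http://example.test/a "Mozilla/0.4"',
    '2024-01-01T00:06:00Z 192.0.2.23 GET http://example.test/b "Mozilla/0.45"',
]
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\dnsrslvr.dll",
    r"c:\windows\SYSTEM32\DNSCLNT.DLL",
    r"C:/Windows/System32/CodeIntegrity/dns.cache",
]

if __name__ == "__main__":
    print("proxy hits:", hunt_proxy(SAMPLE_PROXY))
    print("path hits:", hunt_paths(SAMPLE_INVENTORY))
```

Because these are builder defaults that can be overridden per build, a match is a strong lead but the absence of a match shows nothing.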