SECRET//20341105
3.3 (S) Using the ZF
(S) Angelfire uses the BadMFS covert file system to store many of the implants and data required to run. BadMFS uses a file called "zf" to determine where to create the file system. There are two options when creating the file system. The first is to create it in a file on disk; the full file path is specified in the zf file. Care should be taken to ensure that both the name and location of the file are inconspicuous. The other option is to have BadMFS create the file system in slack space at the end of the disk. To use this option, simply specify "PhysicalDrive" (no quotes) in the zf. The caveat with this option is that some machines do not have any space at the end of the drive. This is often the case with VMware VMs and OSs installed by the user. Many machines with a factory-installed OS have enough space at the end of the drive to install BadMFS. If there is not enough space to install, space can be created by a third-party application by shrinking the volume a small amount. BadMFS requires a minimum of 2 MB to install. If it is unable to install, BadMFS will return an error.

Ensure that the zf is in the same directory as the installer application.
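The statement above that BadMFS can live in unpartitioned space at the end of the disk, and that it needs at least 2 MB there, gives a responder a concrete region to examine. The following is an added example, not part of the Angelfire user guide, that parses a classic MBR partition table and reports how much space lies beyond the last partition and at what byte offset it starts, so that region can be imaged and hashed during triage. It assumes 512-byte sectors and an MBR-only layout (GPT disks, which carry a protective 0xEE entry, are not handled), and the partition tables it runs on are constructed sample data.

```python
import struct

SECTOR_BYTES = 512                     # assumption: 512-byte logical sectors
MIN_BADMFS_BYTES = 2 * 1024 * 1024     # the 2 MB minimum the guide states


def parse_mbr_partitions(mbr: bytes) -> list:
    """Return (type, start_lba, sector_count) for each used primary MBR entry."""
    if len(mbr) < SECTOR_BYTES or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 0x55AA boot signature missing")
    parts = []
    for i in range(4):
        off = 446 + 16 * i                      # four 16-byte entries at offset 446
        ptype = mbr[off + 4]
        start_lba, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and count != 0:
            parts.append((ptype, start_lba, count))
    return parts


def trailing_slack_report(mbr: bytes, disk_sectors: int) -> dict:
    """Measure the unpartitioned space after the last partition.

    Returns where that region starts (byte offset), its size, and whether it is
    large enough to hold a BadMFS instance under the guide's stated 2 MB minimum.
    """
    parts = parse_mbr_partitions(mbr)
    # LBA 0 holds the MBR itself, so an empty table still "uses" one sector.
    last_end_lba = max((s + c for _, s, c in parts), default=1)
    slack_sectors = max(0, disk_sectors - last_end_lba)
    slack_bytes = slack_sectors * SECTOR_BYTES
    return {
        "last_partition_end_lba": last_end_lba,
        "slack_offset_bytes": last_end_lba * SECTOR_BYTES,
        "slack_bytes": slack_bytes,
        "fits_badmfs_minimum": slack_bytes >= MIN_BADMFS_BYTES,
    }


def build_sample_mbr(entries) -> bytes:
    """Constructed test data: an MBR holding the given (type, start_lba, count) entries."""
    mbr = bytearray(SECTOR_BYTES)
    for i, (ptype, start, count) in enumerate(entries):
        off = 446 + 16 * i
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed 1 GiB disk (2,097,152 sectors) in the two layouts the guide contrasts.
DISK_SECTORS = 2_097_152
FACTORY_LIKE = build_sample_mbr([(0x07, 2048, 2_080_000)])    # room left at the end
USER_INSTALLED = build_sample_mbr([(0x07, 2048, 2_095_104)])  # partition runs to the end

if __name__ == "__main__":
    for label, mbr in (("factory-like", FACTORY_LIKE), ("user-installed", USER_INSTALLED)):
        r = trailing_slack_report(mbr, DISK_SECTORS)
        print(f"{label}: {r['slack_bytes']} bytes after LBA {r['last_partition_end_lba']} "
              f"(offset {r['slack_offset_bytes']}) -> fits BadMFS minimum: {r['fits_badmfs_minimum']}")
```

On a real acquisition, feed the first 512 bytes of the raw image to `trailing_slack_report` and derive `disk_sectors` from the image size; a trailing region at or above the stated minimum is worth carving from `slack_offset_bytes` to the end of the image and hashing, since the guide says a user-installed OS or a VM typically has none and a factory image typically does.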
3.4 (S) Angelfire Installation (-ipr or -ipl)
(S) Angelfire is installed onto a host machine by running the Installer with either the -ipr or -ipl option. All files associated with the install must be in the same directory as the installer during installation. The container path specified on the command line can point anywhere on the disk; however, the drive letter must not be included in the path. Installation on the active partition is assumed. Note: the installer is a 32-bit executable. If installation is being done on a 64-bit machine and the user specifies the Windows\System32 directory for container placement, WOW redirection will cause the file to be placed in the SysWOW64 directory. This will not affect Angelfire's execution.
3.4.1 (S) -ipr
(S) The -ipr option does a user-mode-only install, meaning no driver is required to perform the installation. This option REQUIRES A REBOOT for Angelfire to begin executing.
Parameters for an -ipr based installation:
    stp.exe -ipr <package file> <SLD> <zf> <container path>
Example of an -ipr install with default binary names:
    stp.exe -ipr xqlmi.dat tdbsip.sys zf \Windows\twill.log
Notes:
af+mainrepo+wolfcreek+Docs+Angelfire_UserGuide, page 8 of 21
Wolfcreek-Docs-Angelfire_UserGuide.pdf