Vault 7: Projects
This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20341105
3. (S) Implant Operation
3.1 (U) Angelfire Installer
(S) Angelfire now comes with two installer versions, both an executable and a
fire-and-collect .dll installer. In order to install Angelfire on a target system, an operator must first
create an “inst” transitory file via the wtpack executable. This transitory file must be
finalized to the installation application of the operator’s choice.
(S) Once an “inst” transitory has been finalized, the installation method then depends on
which installer the operator has chosen to use. For the .exe installer, the installer should
merely be run on the target machine with administrative privileges. The fire-and-collect
installer should be loaded into an appropriate target process (i.e. one with administrative
privileges).
(S) Angelfire requires administrative privileges to use either install mechanism.
3.1.1 (U) Wtpack usage
(S) Both Angelfire install mechanisms lack command line options. Instead, all options
are built through the creation of transitory files via the wtpack executable. Below is a
list of wtpack.exe commands and the options associated with those commands:
(U) Wtpack commands
Table : (S) wtpack commands
Commands  Options                           Flags                 Purpose

new       (inst | list | del | add | get |  none                  Creates a new transitory file. This
          uninst) transitory_file_name                            transitory file can be for
                                                                  installation, listing files in the
                                                                  covert store, deleting files in the
                                                                  covert store, adding files to the
                                                                  covert store, getting the log file
                                                                  from the covert store, or
                                                                  uninstallation.

update    transitory_file_name {flags}                            Updates a transitory file with
                                                                  additional information required to
                                                                  finalize it.

                                            -bp (Path on Target)  Specify the location of the BadMFS
                                                                  covert store partition on target. If
                                                                  this option is “PhysicalDrive”,
                                                                  BadMFS will be used in the slack
                                                                  space at the end of the drive. N.B.
                                                                  certain drives do not have such
                                                                  slack space at the end.

                                            -wd (file name)       Specify the location of the
                                                                  wolfcreek driver to add to the
                                                                  transitory file.

                                            -cp (Path on Target)  Specify the location of the solartime
                                                                  container path that will be created
                                                                  on target. N.B. this path cannot
Angelfire-2_0-UserGuide.pdf