Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20341105
1. (U) Introduction
(TS) Angelfire is an implant comprised of 5 components: Solartime, Wolfcreek,
Keystone, BadMFS, and the Windows Transitory File system.
Solartime modifies the partition boot sector to load some kernel code. That kernel code
then modifies the Windows boot process so that when Windows loads boot time device
drivers, an implant device driver can be loaded. The implant driver and Solartime boot
code (aside from the partition boot sector modifications) are kept in a small user-specified
file on disk. This file is encrypted.
Wolfcreek is the kernel code that Solartime executes. Wolfcreek is a self-loading driver,
that once executed, can load other drivers and user-mode applications.
Keystone is responsible for starting user applications. Any application started by MW is
done without the implant ever being dropped to the file system. In other words, a process
is created and the implant is loaded directly into memory. Currently all processes will be
created as svchost. When viewed in task manager (or another process viewing tool) all
properties of the process will be consistent with a real instance of svchost.exe including
image path and parent process. Furthermore, since the implant code never touches the
file system (aside from the possibility of paging) there is very little forensic evidence that
the process was ever ran.
BadMFS is a covert file system that is created at the end of the active partition. It is used
to store all drivers and implants that Wolfcreek will start. All files are both encrypted and
obfuscated to avoid string or PE header scanning.
The Windows Transitory File system is the new method of installing AngelFire. Rather
than lay independent components on disk, the system allows an operator to create
transitory files for specific actions including installation, adding files to AngelFire,
removing files from AngelFire, etc. Transitory files are added to the UserInstallApp
(both the .exe or .dll versions).
2. (S) Implant Forensics
(S) Angelfire has a small forensic footprint.
Table : (S) Angelfire Installer MD5 Signature
Angelfire Installer MD5 Sum
UserInstallApp.exe (default
name
1
)
UserInstallApp.dll (default name)
tdbsip.sys (default name)
xqlmi.dat (default name, pack
1 (S) The user may rename the Angelfire Installer as necessary without impact to Angelfire's operation.
af+mainrepo+Angelfire 2.0 UserGuide 4 of 15
SECRET//20341105

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh