Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20341105
| Issue | Cause | Remediation |
| --- | --- | --- |
| If an existing file (not badmfs) is specified in the –bp option, it will be used and modified by badmfs. | BadMFS does not check to see if the file specified is a valid badmfs archive. | In the future, BadMFS can check to see if the file is actually a valid BadMFS archive. Until then, care must be taken when specifying the file name. |
| If an application that is started by Angelfire crashes, it is possible that a dialog box will pop up on the target machine stating that svchost.exe has crashed. | All user implants look like svchost.exe. | Fix the bug in the crashing implant. |
| An application that uses networking is failing when started on reboot. | Angelfire starts executables very early and sometimes the network stack might not be fully up and available. | Use the –execd switch to delay the application executing for x number of seconds. This should allow the network stack time to become available. |
| When executing GUI programs with Angelfire, the process might start, but the GUI will not be visible. | This is because the host process used by Keystone is svchost.exe which is not capable of displaying GUI applications. | This might be fixed in a future version by allowing the user more control over what host process is used. |
| Angelfire does not allow execution of 32 bit implants on a 64 bit machine. | This is a limitation of Keystone as it doesn’t handle WOW 64 execution. | Ensure you are running a 64 bit version of the implant on 64 bit machines. |
af+mainrepo+Angelfire 2.0 UserGuide 13 of 15