1.5 Tales from the Crypt: Battlefield Triage

folder at least two levels down from the folder that has DENY access permissions. This is, no doubt, a move to hide their presence on the server.

touch -g "c:\RECYCLER" "c:\System Volume Information"
touch -g "c:\RECYCLER" "c:\System Volume Information\catalog"
touch -g "c:\RECYCLER" "c:\System Volume Information\catalog\{GUID}"
touch -g "c:\RECYCLER" "c:\System Volume Information\catalog\{GUID}\backup"
xcacls "c:\System Volume Information\catalog\{GUID}\backup" /G EVERYONE:E /Y
xcacls "c:\System Volume Information\catalog\{GUID}" /G SYSTEM:F /Y
xcacls "c:\System Volume Information\catalog" /D EVERYONE /Y
xcacls "c:\System Volume Information" /G SYSTEM:F /Y

The touch lines stamp each new directory with the timestamps of the existing RECYCLER folder, so the working folder does not stand out in a listing sorted by date. The xcacls lines then grant SYSTEM full control on the parents, deny Everyone on the intermediate catalog folder, and leave only a narrow grant for Everyone on the backup folder beneath it; note that without /E, xcacls replaces the existing ACL rather than editing it, so nothing else survives on those folders.
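As an added triage check (this script is not part of the case notes above), the following PowerShell hunts for both tricks the intruders used: directories whose timestamps are identical to C:\RECYCLER, and directories carrying an explicit Deny ACE for Everyone. The search roots and the RECYCLER reference path are assumptions for a Windows 2000/XP/2003-era host; adjust them for the system you are examining.

```powershell
# Added triage check, not from the case write-up: hunt for timestomped
# directories and for the Deny-ACE hiding pattern shown in the xcacls lines.
# Run elevated, and preferably as SYSTEM (e.g. psexec -s), because the Deny ACE
# for Everyone stops Administrators too; an "Access is denied" result on a
# folder you should be able to enter is itself a lead worth recording.

$Reference = 'C:\RECYCLER'                                   # assumed: timestamp source the intruders copied from
$Roots     = @('C:\System Volume Information', "$env:SystemRoot\System32")   # assumed search roots

$ref = Get-Item -LiteralPath $Reference -Force -ErrorAction SilentlyContinue
if ($null -eq $ref) { Write-Warning "Reference folder $Reference not found; timestamp check skipped" }

$findings = New-Object System.Collections.Generic.List[object]

foreach ($root in $Roots) {
    $dirs = Get-ChildItem -LiteralPath $root -Directory -Recurse -Force `
                -ErrorAction SilentlyContinue -ErrorVariable walkErrors

    # Directories the walker could not enter: exactly what "xcacls ... /D EVERYONE" produces.
    foreach ($e in $walkErrors) {
        $findings.Add([pscustomobject]@{
            Path   = "$($e.TargetObject)"
            Reason = "Access denied while enumerating (possible Deny ACE): $($e.Exception.Message)"
        })
    }

    foreach ($d in $dirs) {
        # 1. Timestomp check: creation and last-write times equal to the reference, to the tick.
        if ($null -ne $ref -and
            $d.CreationTimeUtc  -eq $ref.CreationTimeUtc -and
            $d.LastWriteTimeUtc -eq $ref.LastWriteTimeUtc) {
            $findings.Add([pscustomobject]@{
                Path   = $d.FullName
                Reason = "Timestamps identical to $Reference"
            })
        }

        # 2. ACL check: an explicit (non-inherited) Deny entry for Everyone on this folder.
        $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction SilentlyContinue
        if ($null -ne $acl) {
            $deny = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                -not $_.IsInherited -and
                $_.IdentityReference.Value -eq 'Everyone'
            }
            if ($deny) {
                $findings.Add([pscustomobject]@{
                    Path   = $d.FullName
                    Reason = 'Explicit Deny ACE for Everyone'
                })
            }
        }
    }
}

$findings | Sort-Object Path | Format-Table -AutoSize
```

Record the findings before touching anything: resetting the ACLs to look inside the folder changes the evidence, so image the volume or export the descriptors (Get-Acl piped to Export-Clixml) first.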

After they were done setting up a working folder, they changed their focus to the System32 folder, where they installed several files (see Table 1.1). One of these files was a remote access program named qttask.exe.

cd\
c:
cd %systemroot%
cd system32
qttask.exe /i
net start LdmSvc

The program is run with /i (presumably its install switch), and the service it registers is then started under the name LdmSvc.

Table 1.1 Evidence from the Scene

File                          Description
qttask.exe                    FTP-based C2 component
pwdump5.exe                   Dumps password hashes from the local SAM [52]
lyae.cmm                      ASCII banner file
pci.acx, wci.acx              ASCII text configuration files
icp.nls, icv�.nls             Language support files
libeay32.dll, ssleay32.dll    DLLs used by OpenSSL [53]
svcon.crt                     PKI certificates used by DLLs
svcon.key                     ASCII text registry key entry

SAM = Security accounts manager; DB = Database; PKI = Public key infrastructure
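The service installation above is the kind of thing a triage script should surface on its own: a known-good file name reused for a service that Windows never shipped. The following PowerShell is an added example, not a tool from the case, that lists every service with its resolved binary and Authenticode status and then looks for the Table 1.1 file names in System32. The service name LdmSvc and the file list come from this page; the signature and location logic is this example's own, and the tooling (Get-CimInstance, Get-AuthenticodeSignature) assumes a modern PowerShell rather than the 2003-era host in the story.

```powershell
# Added triage check, not part of the case write-up: enumerate services, resolve
# each service binary, verify its Authenticode signature, and flag the LdmSvc
# service name and the Table 1.1 file names sitting in System32.

# File names from Table 1.1 (lower case for comparison).
$Suspect = @('qttask.exe', 'pwdump5.exe', 'lyae.cmm', 'pci.acx', 'wci.acx',
             'icp.nls', 'libeay32.dll', 'ssleay32.dll', 'svcon.crt', 'svcon.key')

function Get-ServiceBinaryPath([string]$PathName) {
    # Win32_Service.PathName may be quoted, may carry arguments, may use %SystemRoot%:
    #   "C:\Program Files\Foo\foo.exe" -svc      C:\Windows\system32\svchost.exe -k netsvcs
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($p -match '^"([^"]+)"') { return $Matches[1] }
    return ($p -split '\s+')[0]
}

$services = Get-CimInstance Win32_Service | ForEach-Object {
    $bin = Get-ServiceBinaryPath $_.PathName
    $sig = if ($bin -and (Test-Path -LiteralPath $bin -PathType Leaf)) {
        (Get-AuthenticodeSignature -FilePath $bin).Status   # Valid, NotSigned, HashMismatch, ...
    } else {
        'Missing'   # binary not on disk: deleted after install, or a path we could not parse
    }
    [pscustomobject]@{
        Name      = $_.Name
        StartMode = $_.StartMode
        State     = $_.State
        Binary    = $bin
        Signature = $sig
    }
}

# Anything unsigned or missing, plus the service name from the intruder's "net start" line.
$services |
    Where-Object { $_.Signature -ne 'Valid' -or $_.Name -eq 'LdmSvc' } |
    Sort-Object Name |
    Format-Table -AutoSize

# The Table 1.1 file names, wherever they landed in System32, with timestamps for the timeline.
Get-ChildItem -LiteralPath "$env:SystemRoot\System32" -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $Suspect -contains $_.Name.ToLowerInvariant() } |
    Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc |
    Format-Table -AutoSize
```

A signature status of Valid only means the file is what its publisher signed; a legitimately signed qttask.exe registered as a service it never provides is still a finding, which is why the service name and the binary's location are listed alongside the status.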

Under normal circumstances, the qttask.exe executable would be part of Apple's QuickTime player installation (its system-tray helper), a standard program on many desktop installations. A

52. http://passwords.openwall.net/microsoft-windows-nt-2000-xp-2003-vista
53. http://www.openssl.org/

Part I | 29