C2/Generic-A

Yes you should run multiple tools on that host. Your DNS is probably clean if your clients use your dns server for dns lookups. You did everything correct to identify the source, good job. Tell us if you find something. Maybe it's too early and too much but maybe you have to wipe the client if no tool detects something.

Best regards

Alex

Hi Alex,

Thanks for your reply,

I plan to run the Sophos Virus Removal Tool on the host tonight. Any other tool that you can advice us to run on the host?

Does clonyjohn.com says anthing to you? I ask this becase the ATP logs and DNS debug log show the same domain.

I cannot ping the clonyjohn.com or run a whois against it, but the DNS debug logs shows this IP 46.165.194.230

I did check the IP in IP abuse report database and IP came up clean. Also almost all of the packages send is udp.

Thanks

Hi Alex,

Thanks for your reply,

I plan to run the Sophos Virus Removal Tool on the host tonight. Any other tool that you can advice us to run on the host?

Does clonyjohn.com says anthing to you? I ask this becase the ATP logs and DNS debug log show the same domain.

I cannot ping the clonyjohn.com or run a whois against it, but the DNS debug logs shows this IP 46.165.194.230

I did check the IP in IP abuse report database and IP came up clean. Also almost all of the packages send is udp.

Thanks

Hi Aresh,

this website is rated "Malicious" also by other engines https://www.virustotal.com/gui/domain/clonyjohn.com/detection

If you wish to identify the source of the callout you could run Process Monitor on the machine and wait for another detection.  Filter the logs for the malicious domain or IP to identify the process or file attempting to access it.  It may also be possible that the domain was accessed from an advertisement on a web page.

Hi Al,

Thanks for your reply,

I did run the sophos Virus Removal Tool and host is clean. I also ran the malwarebytes  and Mcafee AV also 0 detections

To clarify, is the machine a server or client system? Normally on a server nobody uses a web browser for web surfing. So that information can help. And cases of false alarms are rare, but of course possible.

Of course you could wait a little and see if any more connection attempts will take place.

This is server is an RDS server 2012 R2 that some of our customers using it to run our applications on it. some of these users have access to browser (they need it)

I would like to know which user or what process triggers this. I think I will play a bit with the process monitor and see what we can get out it.

Should I run the Procmon only for the Internet Explorer or for all of the process? running it for all of the process until we get a hit again will use lots of space.

Any suggestion on using procmon?

Hi Aresh,

have a look here https://docs.microsoft.com/de-de/archive/blogs/motiba/process-monitor-for-dynamic-malware-analysis

I think that part is a Good start:

Included Filters:

·        TCP/UDP Send and Receive - any connections that malware may try to use while it’s running

·        Load Image – DLL/Executable loading

·        Create File – new files being created

·        Write/ Delete/Rename File – any changes to files

·        Registry activities – Run entries used for malware persistence

Then, I've excluded noisy events that are usually not relevant for malware analyses:

Excluded Filters:

·        Procmon/Procmon64/Autoruns/Sysmon : These will exclude any events related to the Sysinternals tools

·        Disposition: Open – used to filter any call for create file used to open a file rather than actually creating a file (See here: msdn.microsoft.com/.../aa363858(v=vs.85).aspx)

·        Page File – In my opinion, the page file is less/not relevant when doing malware analysis

Best regards 

Alex 

Hi Alexander,

Thank you for very nice info, we will use this.