This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

C2/Generic-A

Hi,

Today I our UTM Advenced Threat Protection shows C2/Generic-A drop. the logs has the IP of our DNS server. I did download the Sophos Virus Removal Tool on the DNS server and run it and it came up clean.

I did enable the DNS debug and find out a host in our network try to access the clonyjohn.com.

Should we also run the Virus Removal Tool on this host as well? Our own Mcafee AV did not come up with any virus.

Thanks

This thread was automatically locked due to age.

Parents

0 Alexander Busch over 5 years ago

Yes you should run multiple tools on that host. Your DNS is probably clean if your clients use your dns server for dns lookups. You did everything correct to identify the source, good job. Tell us if you find something. Maybe it's too early and too much but maybe you have to wipe the client if no tool detects something.

Best regards

Alex

-
Cancel
Vote Up 0 Vote Down

Cancel
0 AreshAreshi over 5 years ago in reply to Alexander Busch

Hi Alex,

Thanks for your reply,

I plan to run the Sophos Virus Removal Tool on the host tonight. Any other tool that you can advice us to run on the host?

Does clonyjohn.com says anthing to you? I ask this becase the ATP logs and DNS debug log show the same domain.

I cannot ping the clonyjohn.com or run a whois against it, but the DNS debug logs shows this IP 46.165.194.230

I did check the IP in IP abuse report database and IP came up clean. Also almost all of the packages send is udp.

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 JosefBergmann over 5 years ago in reply to AreshAreshi

Hi Aresh,

this website is rated "Malicious" also by other engines https://www.virustotal.com/gui/domain/clonyjohn.com/detection

bye Josef

BERGMANN engineering & consulting GmbH, Wien/Austria
Cancel
Vote Up 0 Vote Down

Cancel
0 MEric over 5 years ago in reply to AreshAreshi

If you wish to identify the source of the callout you could run Process Monitor on the machine and wait for another detection. Filter the logs for the malicious domain or IP to identify the process or file attempting to access it. It may also be possible that the domain was accessed from an advertisement on a web page.
Cancel
Vote Up 0 Vote Down

Cancel
0 AreshAreshi over 5 years ago in reply to MEric

Hi Al,

Thanks for your reply,

I did run the sophos Virus Removal Tool and host is clean. I also ran the malwarebytes and Mcafee AV also 0 detections
Cancel
Vote Up 0 Vote Down

Cancel
0 Alexander Busch over 5 years ago in reply to AreshAreshi

To clarify, is the machine a server or client system? Normally on a server nobody uses a web browser for web surfing. So that information can help. And cases of false alarms are rare, but of course possible.

Of course you could wait a little and see if any more connection attempts will take place.

-
Cancel
Vote Up 0 Vote Down

Cancel
0 AreshAreshi over 5 years ago in reply to Alexander Busch

This is server is an RDS server 2012 R2 that some of our customers using it to run our applications on it. some of these users have access to browser (they need it)

I would like to know which user or what process triggers this. I think I will play a bit with the process monitor and see what we can get out it.
Cancel
Vote Up 0 Vote Down

Cancel
0 AreshAreshi over 5 years ago in reply to MEric

Should I run the Procmon only for the Internet Explorer or for all of the process? running it for all of the process until we get a hit again will use lots of space.

Any suggestion on using procmon?
Cancel
Vote Up 0 Vote Down

Cancel
0 Alexander Busch over 5 years ago in reply to AreshAreshi

Hi Aresh,

have a look here https://docs.microsoft.com/de-de/archive/blogs/motiba/process-monitor-for-dynamic-malware-analysis

I think that part is a Good start:

Included Filters:

·        TCP/UDP Send and Receive - any connections that malware may try to use while it’s running

·        Load Image – DLL/Executable loading

·        Create File – new files being created

·        Write/ Delete/Rename File – any changes to files

·        Registry activities – Run entries used for malware persistence

Then, I've excluded noisy events that are usually not relevant for malware analyses:

Excluded Filters:

·        Procmon/Procmon64/Autoruns/Sysmon : These will exclude any events related to the Sysinternals tools

·        Disposition: Open – used to filter any call for create file used to open a file rather than actually creating a file (See here: msdn.microsoft.com/.../aa363858(v=vs.85).aspx)

·        Page File – In my opinion, the page file is less/not relevant when doing malware analysis

Best regards

Alex

-
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Alexander Busch over 5 years ago in reply to AreshAreshi

Hi Aresh,

have a look here https://docs.microsoft.com/de-de/archive/blogs/motiba/process-monitor-for-dynamic-malware-analysis

I think that part is a Good start:

Included Filters:

·        TCP/UDP Send and Receive - any connections that malware may try to use while it’s running

·        Load Image – DLL/Executable loading

·        Create File – new files being created

·        Write/ Delete/Rename File – any changes to files

·        Registry activities – Run entries used for malware persistence

Then, I've excluded noisy events that are usually not relevant for malware analyses:

Excluded Filters:

·        Procmon/Procmon64/Autoruns/Sysmon : These will exclude any events related to the Sysinternals tools

·        Disposition: Open – used to filter any call for create file used to open a file rather than actually creating a file (See here: msdn.microsoft.com/.../aa363858(v=vs.85).aspx)

·        Page File – In my opinion, the page file is less/not relevant when doing malware analysis

Best regards

Alex

-
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 AreshAreshi over 5 years ago in reply to Alexander Busch

Hi Alexander,

Thank you for very nice info, we will use this.
Cancel
Vote Up 0 Vote Down

Cancel