Published June 19, 2023, 8:20 a.m. by Monica Louis
How do you know if your PC is hacked or compromised or infected by malware? In this video we will introduce you to the field of digital forensics looking at suspicious network activity and guide you through autoruns, sysinternals and more, with the example of a live cryptominer.
There will be a live discord workshop after this event which you can join at http://discord.tpsc.tech/
Get TCPView: https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview
Buy the best antivirus: https://thepcsecuritychannel.com/best-antivirus
Join the discussion on Discord: http://discord.tpsc.tech/
Get your business endpoints tested by us: http://tpsc.tech/
Contact us for business: https://thepcsecuritychannel.com/contact
So how can you tell if your PC is hacked? It's one of the most common questions everybody has. In this video we're going to look at your network activity and figure out if there's anything suspicious going on in your computer, if you're connected to any threat actors, and so on. In the previous video in the series, which is our beginner's guide to cyber security, we looked at different ways malware can persist on your system with scheduled tasks, autoruns and Windows services. As usual we're going to have a live Discord workshop where we're going to look at your system right after this video premieres, so make sure you go to discord.tpsc.tech or follow the link in the description for that.

Now to kick things off and make this a really interesting video, we have a wonderful volunteer on the desktop. It's called intel.xmrig; the second part of the extension might give you an idea about what it does, but we're going to go ahead and run this file. Now some of you may think that any time there is a malicious actor active on your computer, if you're hacked, you're going to have a malware process, or you're going to have some sort of malware running that you can scan, that you can see in your process list, or that you can upload to VirusTotal and check the detections of, or something an antivirus scanner is going to pick up. But as we'll see here, that is not necessarily the case. So after running this sample I'm just going to open up Process Explorer, and as you can see we do not have anything malicious running on the system. It looks nice and clean and good to go, but as we dive deep you will see that we have a crypto miner embedded within the system that is going to be taking up CPU resources and profiting the attacker.

Another thing to note before we get started is all the tools I'll be using in this video are basically part of the Sysinternals suite, so there's no paid tools; these are all free that you can download directly from Microsoft. You can of course dive deeper with Wireshark, but we don't really need to do that, because what we're trying to establish is a connection to a certain malicious IP, and what we want to capture is the malware actor's IP address, because that is going to allow us to not only shut down the malware activity on our system but also report them to authorities to get them shut down in general. You don't necessarily need to actually look at the communications or the packets that are being sent back and forth; what you really need to know is if there is a suspicious connection being made. And as we're talking you can notice svchost.exe all of a sudden starts to take up 50% of the CPU. Look at the RAM it's taking up as well, and it says it's a Host Process for Windows System, and it's correct. So what's happening here? Hard to tell unless we look at the network activity. I'm also going to open Task Manager just to show you what a typical user would see. So there's no malicious process here; we just have the system taking up 50% of CPU. If you're an average user you might think that this is just an update, especially now that updates do actually persistently cause annoyances such as this, but as we'll discover when we check the IP address, this is not an update. This is a crypto miner, mining Ethereum likely, on our system.

So how are we going to do that? Well, first step, we're just going to right click on this and click on Properties, and within these sections it's typically going to start at Image; you need to go to TCP/IP, and this is going to show us the different network connections established by this particular process. As you can see we have a remote server here; we have two of them in fact, and these are likely nodes that the threat actor is using to run their malware operation. Sometimes these can be self-hosted by the threat actor; sometimes they may be a third party, like they may be a Google server, an AWS server even. But if that's the case, what you can do is you can collect this IP and write down a complaint saying that this particular IP address is being used for malicious purposes, and the vendor who's providing services to the threat actors should be able to shut them down, because that would be against their terms of service. Make sure you have Resolve Addresses checked over here, because that's going to show you more details. If we go back to the original window, just exit out of this, you can also see the command that was used when starting svchost.exe, and you can see this huge string of random characters here that is likely some kind of a key, and you can also see opencl, cpu max threads; that's likely instructions for the miner.

Now we can of course go ahead and kill the process tree, but in order to make sure that the miner goes away, what we would have to do is look for any persistence mechanisms that it may have on the system, which is something we discussed in the last video, so if you haven't seen that make sure you go and watch that one. To get a better view of this though, and also to get a summary of all the connections your computer is currently making, you can go to TCPView, which is also part of Sysinternals, and this is going to show us all of our different processes and the remote addresses they are connecting to. Now you can see some of these are legitimate Windows services. Once again, make sure you have Resolve Addresses checked over here. But this one is definitely suspicious, as is this one, because they are not standard IP addresses that I would normally see on a system. But of course if you're a new user you may not know that, so how can you determine which of these are legitimate connections being made and which of these are suspicious? Well, for starters, you can check if any network activity is supposed to be happening on your computer. So if you have, for example, Steam, Discord and all of that running, you can try shutting down those applications. That's gonna reduce some of the noise here, and that way you're gonna be able to isolate if there's anything happening beyond what you expect. Once you've done that, what you can do is you can obviously copy the particular IP address and then look it up and see if it is associated with a legitimate service, or you can just right click over here and click on Whois, and this is going to get the details for the domain name and who it's registered to. You can also get a complaint form here and report the threat actors.

Of course, once you have isolated the original sample you can analyze it on a web platform like Intezer or VirusTotal. A big thank you to our sponsor Intezer for setting up an enterprise account so we can do our threat investigations. So as you can see, this particular threat is an XMRig miner; it's got a 44% correlation with that. We check the VirusTotal report, we've got 53 detections, but once again a reminder that this is not the first thing you might see when you look at a compromised system, so you may have a system with only legitimate-looking processes that is totally malicious. And by the way, these crypto miners are very clever, so what they might do is when you open up something like Task Manager they just drop all of their resource usage so you don't see anything strange, but when you go away, in the background the miner is going to start ramping up and taking up all of those CPU resources. Now if we look at the dynamic execution in the sandbox here, you can see that in memory it has the same behavior that we noticed in the virtual machine, so it launches svchost.exe, which looks legitimate but is what carries out its mining operations. We take a look at TTPs: we've got process injection here, use of process hollowing. This is a technique where attackers basically replace a legitimate system process and use it for their malicious activities. We've also got a crypto mining command, which is what we also saw on the system when we were looking at Process Explorer; it's basically the same string and instruction set. And we've also got this IP; this one leads to the Netherlands, by the way. If you would like to conduct a similar threat investigation you can set up a community account on analyze.intezer.com and start using it for free using the link in the description.

Now back on our system we can go ahead and terminate the process tree that is associated with the crypto miners; I don't want to keep making them more money. But hopefully that demonstrates how malicious network activity can be spotted on your system. So once again, going through the steps: you want to open up something like TCPView, look at the remote addresses your system is connecting to, and then try to resolve them and see if any of them don't add up or are not associated with any services that you use. And once you do that, you can isolate the process and take action against them, and make sure to report the IPs as well. In the future we're going to focus on more in-depth analysis of different aspects of malware, so don't forget to subscribe to The PC Security Channel if you'd like to learn more about cyber security. Now we're going to be doing a live analysis of whatever is happening on your system in our Discord workshop, so click the link in the description, go to discord.tpsc.tech to join our event, and I'll be there to help you practice some of the concepts discussed in this video and walk you through the process of conducting a threat investigation. So if you have any questions that'll be a great place for you to ask, 'cause I will be there live with our awesome community, so don't miss out on the event; it's a great chance to meet some amazing people. So I will see you there at discord.tpsc.tech. I hope you found this video helpful; please like and share it if you'd like to see more such content in the future. This is Leo, thank you so much for watching, and as always, stay informed, stay secure.
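The triage the video walks through in TCPView and Process Explorer (list connections, drop local and expected-app noise, then look at each external endpoint's owning process and its command line), as an added Python example that is not code from the video or from The PC Security Channel. It parses constructed `netstat -ano` output and a constructed process table instead of querying a live system; the miner flags, the wallet placeholder and the rule that a genuine svchost.exe is launched with `-k <group>` are assumptions modelled on what the video shows.

```python
import ipaddress
# Constructed `netstat -ano` output (PIDs/addresses made up, not from the video).
NETSTAT_SAMPLE = """\
  Proto  Local Address        Foreign Address      State        PID
  TCP    192.168.1.20:50990   192.0.2.10:443       ESTABLISHED  4120
  TCP    192.168.1.20:51010   203.0.113.45:443     ESTABLISHED  2280
  TCP    192.168.1.20:51044   198.51.100.7:3333    ESTABLISHED  5512
  UDP    0.0.0.0:5353         *:*                               1900
"""
# Constructed pid -> (image, command line); 5512 mimics the video's miner svchost.
PROCESSES = {
    4120: ("Discord.exe", r"C:\Users\u\AppData\Local\Discord\Discord.exe"),
    2280: ("svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    5512: ("svchost.exe", r"C:\Windows\System32\svchost.exe --opencl "
                          r"--cpu-max-threads-hint=50 -u <WALLET_PLACEHOLDER>"),
}
EXPECTED_APPS = {"discord.exe", "steam.exe"}  # noise: apps you would close first
MINER_ARGS = ("opencl", "cpu-max-threads")     # flags seen on the miner's command line
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8",
              "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fe80::/10")]

def parse_netstat(text):
    # Yields (remote_host, remote_port, pid) for each TCP/UDP row, skipping headers.
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("TCP", "UDP"):
            host, port = parts[2].rsplit(":", 1)
            yield host.strip("[]"), port, int(parts[-1])

def is_local(host):
    try:  # "*" and other non-IP tokens are treated as local, i.e. not interesting
        return any(ipaddress.ip_address(host) in n for n in LOCAL_NETS)
    except ValueError:
        return True

def triage(netstat_text=NETSTAT_SAMPLE, processes=PROCESSES):
    # One finding per external connection not owned by an expected application.
    findings = []
    for host, port, pid in parse_netstat(netstat_text):
        image, cmdline = processes.get(pid, ("<unknown>", ""))
        if is_local(host) or image.lower() in EXPECTED_APPS:
            continue
        low, reasons = cmdline.lower(), []
        if image.lower() == "svchost.exe" and " -k " not in low:
            reasons.append("svchost.exe launched without the usual -k <group>")
        if any(flag in low for flag in MINER_ARGS):
            reasons.append("miner-style flags in command line")
        findings.append({"pid": pid, "image": image, "remote": f"{host}:{port}",
                         "severity": "high" if reasons else "review",
                         "reasons": reasons or ["unexpected external connection"]})
    return findings
```

Every "review" finding is a remote address to resolve and whois-check exactly as the video does in TCPView; the script stays offline on purpose and makes no lookups itself.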