May 20, 2024

How to know if your PC is hacked? Suspicious Network Activity 101



Published June 19, 2023, 8:20 a.m. by Monica Louis


How do you know if your PC is hacked or compromised or infected by malware? In this video we will introduce you to the field of digital forensics looking at suspicious network activity and guide you through autoruns, sysinternals and more, with the example of a live cryptominer.

There will be a live discord workshop after this event which you can join at http://discord.tpsc.tech/

Sponsored by: https://analyze.intezer.com/

Get TCPView: https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview

Buy the best antivirus: https://thepcsecuritychannel.com/best-antivirus

Join the discussion on Discord: http://discord.tpsc.tech/

Get your business endpoints tested by us: http://tpsc.tech/

Contact us for business: https://thepcsecuritychannel.com/contact


So how can you tell if your PC is hacked? It's one of the most common questions everybody has. In this video we're going to look at your network activity and figure out if there's anything suspicious going on in your computer, if you're connected to any threat actors, and so on. In the previous video in the series, which is our beginner's guide to cyber security, we looked at different ways malware can persist on your system, with scheduled tasks, autoruns and Windows services. As usual, we're going to have a live Discord workshop where we're going to look at your system right after this video premieres, so make sure you go to discord.tpsc.tech or follow the link in the description for that.

Now, to kick things off and make this a really interesting video, we have a wonderful volunteer on the desktop. It's called intel.xmrig; the second part of the extension might give you an idea about what it does, but we're going to go ahead and run this file. Now, some of you may think that any time there is a malicious actor active on your computer, if you're hacked, you're going to have a malware process, or you're going to have some sort of malware running that you can scan, that you can see in your process list, or you can upload to VirusTotal and check the detections of, or something an antivirus scanner is going to pick up. But as we'll see here, that is not necessarily the case. So after running this sample I'm just going to open up Process Explorer, and as you can see we do not have anything malicious running on the system. It looks nice and clean and good to go, but as we dive deep you will see that we have a crypto miner embedded within the system that is going to be taking up CPU resources and profiting the attacker.

Another thing to note before we get started is that all the tools I'll be using in this video are basically part of the Sysinternals suite, so there's no paid tools; these are all free and you can download them directly from Microsoft. You can of course dive deeper with Wireshark, but we don't really need to do that, because what we're trying to establish is a connection to a certain malicious IP, and what we want to capture is the malware actor's IP address, because that is going to allow us to not only shut down the malware activity on our system but also report them to authorities to get them shut down in general. You don't necessarily need to actually look at the communications or the packets that are being sent back and forth; what you really need to know is if there is a suspicious connection being made.

And as we're talking, you can notice svchost.exe all of a sudden starts to take up 50% of the CPU. Look at the RAM it's taking up as well, and it says it's a Host Process for Windows System, and it's correct. So what's happening here? Hard to tell unless we look at the network activity. I'm also going to open Task Manager just to show you what a typical user would see. So there's no malicious process here; we just have the system taking up 50% of CPU. If you're an average user you might think that this is just an update, especially now that updates do actually persistently cause annoyances such as this, but as we'll discover when we check the IP address, this is not an update; this is a crypto miner, mining Ethereum likely, on our system.

So how are we going to do that? Well, first step, we're just going to right-click on this and click on Properties, and within these sections it's typically going to start at Image. You need to go to TCP/IP, and this is going to show us the different network connections established by this particular process. As you can see we have a remote server here; we have two of them in fact, and these are likely nodes that the threat actor is using to run their malware operation. Sometimes these can be self-hosted by the threat actor; sometimes they may be a third party, like they may be a Google server, an AWS server even. But if that's the case, what you can do is you can collect this IP and write down a complaint saying that this particular IP address is being used for malicious purposes, and the vendor who's providing services to the threat actors should be able to shut them down, because that would be against their terms of service. Make sure you have Resolve Addresses checked over here, because that's going to show you more details.

If we go back to the original window, just exit out of this, you can also see the command that was used when starting svchost.exe, and you can see this huge string of random characters here that is likely some kind of a key, and you can also see opencl, cpu max threads; that's likely instructions for the miner. Now we can of course go ahead and kill the process tree, but in order to make sure that the miner goes away, what we would have to do is look for any persistence mechanisms that it may have on the system, which is something we discussed in the last video, so if you haven't seen that, make sure you go and watch that one.

To get a better view of this, though, and also to get a summary of all the connections your computer is currently making, you can go to TCPView, which is also part of Sysinternals, and this is going to show us all of our different processes and the remote addresses they are connecting to. Now, you can see some of these are legitimate Windows services. Once again, make sure you have Resolve Addresses checked over here. But this one is definitely suspicious, as is this one, because they are not standard IP addresses that I would normally see on a system. But of course if you're a new user you may not know that, so how can you determine which of these are legitimate connections being made and which of these are suspicious? Well, for starters you can check if any network activity is supposed to be happening on your computer. So if you have, for example, Steam, Discord and all of that running, you can try shutting down those applications. That's going to reduce some of the noise here, and that way you're going to be able to isolate if there's anything happening beyond what you expect. Once you've done that, what you can do is you can obviously copy the particular IP address and then look it up and see if it is associated with a legitimate service, or you can just right-click over here and click on Whois, and this is going to get the details for the domain name and who it's registered to. You can also get a complaint form here and report the threat actors.

Of course, once you have isolated the original sample, you can analyze it on a web platform like Intezer or VirusTotal. A big thank you to our sponsor Intezer for setting up an enterprise account so we can do our threat investigations. So as you can see, this particular threat is an XMRig miner; it's got a 44% correlation with that. We check the VirusTotal report: we've got 53 detections. But once again, a reminder that this is not the first thing you might see when you look at a compromised system, so you may have a system with only legitimate-looking processes that is totally malicious. And by the way, these crypto miners are very clever, so what they might do is, when you open up something like Task Manager, they just drop all of their resource usage so you don't see anything strange, but when you go away, in the background the miner is going to start ramping up and taking up all of those CPU resources.

Now, if we look at the dynamic execution in the sandbox here, you can see that in memory it has the same behavior that we noticed in the virtual machine, so it launches svchost.exe, which looks legitimate but is what carries out its mining operations. We take a look at TTPs: we've got process injection here, use of process hollowing. This is a technique where attackers basically replace a legitimate system process and use it for their malicious activities. We've also got a crypto mining command, which is what we also saw on the system when we were looking at Process Explorer; it's basically the same string and instruction set. And we've also got this IP; this one leads to the Netherlands, by the way. If you would like to conduct a similar threat investigation, you can set up a community account on analyze.intezer.com and start using it for free using the link in the description.

Now, back on our system, we can go ahead and terminate the process tree that is associated with the crypto miners. I don't want to keep making them more money, but hopefully that demonstrates how malicious network activity can be spotted on your system. So once again, going through the steps: you want to open up something like TCPView, look at the remote addresses your system is connecting to, and then try to resolve them and see if any of them don't add up or are not associated with any services that you use. And once you do that, you can isolate the process and take action against them, and make sure to report the IPs as well.

In the future we're going to focus on more in-depth analysis of different aspects of malware, so don't forget to subscribe to The PC Security Channel if you'd like to learn more about cyber security. Now we're going to be doing a live analysis of whatever is happening on your system in our Discord workshop, so click the link in the description, go to discord.tpsc.tech to join our event, and I'll be there to help you practice some of the concepts discussed in this video and walk you through the process of conducting a threat investigation. So if you have any questions, that'll be a great place for you to ask, 'cause I will be there live with our awesome community. So don't miss out on the event; it's a great chance to meet some amazing people. So I will see you there at discord.tpsc.tech. I hope you found this video helpful. Please like and share it if you'd like to see more such content in the future. This is Leo, thank you so much for watching, and as always, stay informed, stay secure.
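As an added example that is not from the video or the channel, here is a small Python triage script that does what the TCPView walk-through above does by hand: it takes netstat-style connection rows and a Process Explorer-style process table (both constructed samples), drops loopback and LAN traffic, skips the applications the user already expects (the "close Steam and Discord first" step), and reports the rest, calling out command lines that carry the miner hints mentioned in the video. The row format, the process table and the `--opencl`/`--cpu-max-threads` strings are assumptions made for the sample, not values taken from the real miner.

```python
import ipaddress
import re

# Constructed `netstat -ano`-style sample (Proto, Local, Remote, State, PID); remotes are RFC 5737 test addresses.
NETSTAT_SAMPLE = """\
TCP    192.168.1.20:49712   203.0.113.10:443       ESTABLISHED   1204
TCP    192.168.1.20:49801   203.0.113.45:14444     ESTABLISHED   3320
TCP    192.168.1.20:49802   198.51.100.9:3333      ESTABLISHED   3320
TCP    127.0.0.1:27060      127.0.0.1:49715        ESTABLISHED   5100
TCP    192.168.1.20:49820   198.51.100.77:443      ESTABLISHED   5100
"""
# Constructed process table: pid -> (image name, command line), as on Process Explorer's Image tab.
PROCESSES = {
    1204: ("svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    3320: ("svchost.exe", r"C:\Windows\System32\svchost.exe --opencl --cpu-max-threads=50 "
                          "-u 4AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMnOpQrStUvWxYz"),
    5100: ("Discord.exe", r"C:\Users\user\AppData\Local\Discord\Discord.exe"),
}
# Apps the user knows are running (the "close Steam and Discord first" step); anything else
# with an external connection is reviewed.
EXPECTED_APPS = {"discord.exe", "steam.exe"}
# Miner hints from the video's command line: OpenCL/CPU thread options and a long random key.
MINER_HINTS = ("opencl", "cpu-max-threads")
LONG_KEY = re.compile(r"\b[A-Za-z0-9]{40,}\b")
# RFC 1918 listed explicitly: ipaddress.is_private would also hide the documentation ranges above.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_netstat(text):
    """Yield (pid, remote_ip, remote_port) for each ESTABLISHED TCP row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "ESTABLISHED":
            host, port = parts[2].rsplit(":", 1)
            yield int(parts[4]), ipaddress.ip_address(host), int(port)


def triage(netstat_text, processes):
    """Return (pid, name, 'ip:port', reason) for connections that deserve a closer look."""
    findings = []
    for pid, ip, port in parse_netstat(netstat_text):
        if ip.is_loopback or any(ip in net for net in LOCAL_NETS):
            continue  # loopback and LAN traffic is not what we are hunting for here
        name, cmdline = processes.get(pid, ("<unknown>", ""))
        if name.lower() in EXPECTED_APPS:
            continue
        if any(h in cmdline.lower() for h in MINER_HINTS) or LONG_KEY.search(cmdline):
            reason = "miner-style command line"
        else:
            reason = "unexpected external connection: resolve and whois the address"
        findings.append((pid, name, f"{ip}:{port}", reason))
    return findings
```

Run `triage(NETSTAT_SAMPLE, PROCESSES)` and the two svchost.exe connections of PID 3320 come back flagged by their command line, while the other svchost.exe connection is listed for a manual resolve and whois, exactly the order of checks the video walks through.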

