
I found suspicious traffic on a client a few days ago. A process on the client queries a malicious domain every 2 minutes. The domain is hostingcloud.science, which hosts a JavaScript file for coin mining.

[image: captured traffic in Wireshark]

I checked the client with Procmon and found the traffic was sent by svchost.exe.

[image: monitored process in Procmon]

And it was the same with netstat:

[image: netstat log]

  1. What's the meaning of "Dnscache" in the netstat result? Why doesn't it stop after ipconfig /flushdns?
  2. Why does the client query that domain continuously, but I don't have any traffic with the domain?
  3. How do I find the root cause?

I checked the client with two different AVs and it was clean. I know the client visited a website that contained JavaScript from that domain a few days ago.

    Find the service by looking for the PID in Task Manager. Also try to use Autoruns to check which DLL is executed. – Razvan Socol Dec 08 '18 at 15:29
  • The service is shown in the 2nd image in the Procmon result; it's svchost.exe. Also, Autoruns was a great tool; I had checked msconfig before. But everything was normal :( – Giac Dec 09 '18 at 05:39

2 Answers


What's the meaning of "Dnscache" in the netstat result?

It's a legitimate client process used as a local store (cache) for DNS responses. All responses are kept for the duration of their TTL.

Why doesn't it stop after ipconfig /flushdns?

Not sure it's supposed to stop/restart/etc. You can run the following command to see if flushdns worked.

ipconfig /flushdns && ipconfig /displaydns

Why does the client query that domain continuously, but I don't have any traffic with the domain?

Dig into the DNS request/response. Perhaps the necessary information is included in that exchange (i.e. DNS data exfiltration).

How do I find the root cause?

Take a closer look at the svchost instance. Once you have the PID, replace 0000 in the following commands. Compare these results to a known good system.

The following command will list the services using the target svchost. This will greatly narrow things down.

tasklist /svc /FI "pid eq 0000"

The following command will show the loaded modules.

tasklist /m /FI "pid eq 0000"

You're on the right track using procmon. If you're certain that svchost is hosting malware, configure the procmon filter to only capture events for that PID. The resulting information should give you everything you need.

As @razvan-socol mentioned in the comments, use Autoruns to identify how it starts up.

PS: I checked the client with two different AVs and it was clean. I just know the client visited a website that contained a JS file from that domain a few days ago.

It's calling out every two minutes, though, right? And that's not normal for your environment, right? With a two-minute beacon, the malware doesn't appear to be taking steps to hide its activity. However, you should consider taking the system offline for analysis.

user2320464
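The gap in the netstat/tasklist approach above is that "Dnscache" is the resolver, not the requester: the DNS Client service performs lookups on behalf of other processes, so the svchost PID alone never names who asked. The following PowerShell triage script is an added example, not code from the question or the answers. It maps the Dnscache svchost to the services it hosts, then uses Sysmon DNS query events (event ID 22, which records the originating image) to attribute the lookups for the domain and to measure the gap between them; it assumes Sysmon is installed with DNS logging enabled, and the domain name is taken from the question.

```powershell
# Added triage example (not from the original post). Assumes Sysmon with
# DNS query logging (event ID 22) is installed on the host being examined.
param(
    [string]$Domain = 'hostingcloud.science'   # domain from the question
)

# 1. Which services share the svchost.exe that netstat labels "Dnscache"?
#    Dnscache resolves names for other processes, so this PID alone does
#    not identify the process that requested the lookup.
$dnsSvc = Get-CimInstance Win32_Service -Filter "Name='Dnscache'"
Write-Host "Dnscache runs in PID $($dnsSvc.ProcessId); services sharing that PID:"
Get-CimInstance Win32_Service -Filter "ProcessId=$($dnsSvc.ProcessId)" |
    Select-Object Name, DisplayName, PathName | Format-Table -AutoSize

# 2. Who actually requested the lookup? Sysmon event 22 records the
#    originating image for each DNS query; netstat only sees the resolver.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Image     = $d['Image']
            ProcessId = [int]$d['ProcessId']
            QueryName = $d['QueryName']
        }
    } | Where-Object { $_.QueryName -like "*$Domain" }

if (-not $events) { Write-Host "No Sysmon DNS events for $Domain"; return }

# 3. Summarise per requesting image with the median gap between queries.
#    A steady gap (about 120 s here) is the beacon-like pattern the
#    question describes; a benign product polling its exclusion list
#    produces the same regularity, so the Image column is what matters.
$events | Group-Object Image | ForEach-Object {
    $times = $_.Group | Sort-Object Time | Select-Object -ExpandProperty Time
    $gaps = for ($i = 1; $i -lt $times.Count; $i++) {
        ($times[$i] - $times[$i - 1]).TotalSeconds
    }
    $median = if ($gaps) { ($gaps | Sort-Object)[[math]::Floor($gaps.Count / 2)] } else { $null }
    [pscustomobject]@{
        Image        = $_.Name
        ProcessId    = ($_.Group | Select-Object -First 1).ProcessId
        Queries      = $_.Count
        MedianGapSec = $median
        FirstSeen    = $times[0]
        LastSeen     = $times[-1]
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; reading the Sysmon operational log requires administrator rights.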

I found it!

The client excludes that domain in Malwarebytes. [image: Malwarebytes Exclusions]

It queries the domain continuously to allow the domain's IP.

https://support.malwarebytes.com/docs/DOC-2432

When you set up a website exclusion in Malwarebytes for Windows, you have the option to Exclude a domain or Exclude an IP Address. When Exclude a domain is selected, Malwarebytes for Windows will query for the IP address of the excluded domain so it can also whitelist the IP address.

I found almost the same issue here.

Giac