Identify the Callback Address, C&C List Source, and Process.
- Go to the System Tray and double-click the OfficeScan Agent icon.
- Click the Logs icon.
- For the Type, select C&C Callback.
Where:
Callback Address – The C&C server detected
C&C List Source – The name of the list that contains the Callback Address
Process – The process which attempted to communicate with the Callback Address
After identifying the C&C callback details, consider the following scenarios:
- Scenario 1: C&C List Source is Global C&C List
Global C&C IP List is a pattern containing known C&C servers. The host is most likely infected.
- Ensure that the connection is being blocked. Refer to KB 1106069 on how to block/log C&C IP connection in OfficeScan.
- End the associated process using Task Manager. If the process spawns again, it most likely has a persistence mechanism (scheduled task, registry, WMI, etc.). When this happens, suspend the process.
Suspending a process is like pausing it: it remains in memory and can be resumed later. This stops the process from running while also preventing its persistence mechanism from spawning the same process again.
If the associated process is a non-malicious Windows executable such as cmd.exe, powershell.exe, rundll32.exe, or regsvr32.exe, DO NOT suspend it, as this may cause the system to crash. Proceed directly to Step 3.
Suspending a process using Resource Monitor:
- Press the Windows Key + R.
- Type "resmon" and press Enter.
- Go to the CPU tab and find the associated process.
- Right-click it and select Suspend.
Suspending a process using Process Explorer:
- Download Process Explorer.
- Run procexp.exe / procexp64.exe and find the associated process.
- Right-click the process and select Suspend.
- Collect suspicious files and system information using ATTK. Submit the result to Trend Micro Technical Support for analysis.
- Scenario 2: C&C List Source is Relevance Rule
Relevance Rule is a pattern containing the “network fingerprints” of highly prevalent malware. The host is possibly infected.
Export the following logs and submit them to Trend Micro Technical Support for analysis:
- C&C Callback Logs
- Suspicious Connection Logs
Refer to KB 1057359 for generating and exporting logs in OfficeScan.
- Scenario 3: C&C List Source is Virtual Analyzer C&C List
A process attempted to communicate with a URL/Domain/IP in Virtual Analyzer C&C List. The Virtual Analyzer C&C List contains callback addresses in Control Manager’s Virtual Analyzer Suspicious Object List. For this scenario, it is critical to identify why the URL/Domain/IP became a Suspicious Object.
- Log in to the Control Manager web console.
- Go to Administration > Suspicious Object > Virtual Analyzer Objects.
- Locate the Callback Address using the Search field.
- Click the drop-down button to view the details regarding the Suspicious Object. Take note of the SHA-1 hash value and file name.
- Click View on the Handling Process column.
- Click the Analysis section. Take note of the Analyzed timestamp and the Deep Discovery product which is the source of the Suspicious Object.
- Log on to the web console of the source Deep Discovery product.
- Go to Virtual Analyzer > Submissions > Completed tab.
- Narrow the Date Range using the Analyzed timestamp noted earlier.
- Click Advanced, and filter the entries using the SHA-1 hash value noted earlier.
- Click on the entry to view the details. Download the PDF analysis report and the Investigation Package.
- Submit them to Trend Micro Technical Support for analysis together with the following logs:
- C&C Callback Logs
- Suspicious Connection Logs
Refer to KB 1057359 for generating and exporting logs in OfficeScan.
- Scenario 4: C&C List Source is User-defined C&C List
A process attempted to communicate with a URL/Domain/IP in the User-defined C&C List. The User-defined C&C List contains callback addresses that the administrator added for the purpose of blocking or logging any associated connections.
If you suspect that the host which communicated with the User-defined C&C List is infected, run ATTK and submit the result to Trend Micro Technical Support for analysis.
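For Scenario 1, Step 2 above (a process that respawns after being ended, pointing to a persistence mechanism, and the rule not to suspend Windows executables), the following PowerShell triage script is an added example and not part of this KB. It assumes an elevated session on the affected host, Windows 8 / Server 2012 or later (for Get-ScheduledTask), and the parameter name $TargetPid is hypothetical. Given the PID of the process named in the C&C Callback log, it warns when the image is one of the listed Windows executables and searches scheduled tasks, Run/RunOnce keys and WMI event subscriptions for references to that image.

```powershell
# Added triage helper (not part of the Trend Micro KB). Input: the PID of the
# process named in the C&C Callback log. Assumes Windows 8 / Server 2012 or
# later and an elevated PowerShell session on the affected host.
param([Parameter(Mandatory)][int]$TargetPid)   # hypothetical parameter name

# Windows executables the KB says must NOT be suspended.
$doNotSuspend = @('cmd.exe', 'powershell.exe', 'rundll32.exe', 'regsvr32.exe')

$proc = Get-Process -Id $TargetPid -ErrorAction Stop
if (-not $proc.Path) { throw "No image path for PID $TargetPid; re-run elevated." }
$exeName = [System.IO.Path]::GetFileName($proc.Path)
Write-Host "PID $TargetPid -> $($proc.Path)"

if ($doNotSuspend -contains $exeName) {
    Write-Warning "$exeName is a Windows executable: do not suspend it; go straight to ATTK collection."
    # The command line usually shows what the host process was told to run.
    Write-Host (Get-CimInstance Win32_Process -Filter "ProcessId = $TargetPid").CommandLine
}

$hits = @()

# 1. Scheduled tasks whose action launches the executable.
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -like "*$exeName*") {
            $hits += [pscustomobject]@{ Type = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Value = $cmd }
        }
    }
}

# 2. Run / RunOnce keys for the machine and the current user.
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Skip the PS* metadata properties the provider adds to every item.
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like "*$exeName*") {
                $hits += [pscustomobject]@{ Type = 'RunKey'; Name = "$key\$($p.Name)"; Value = $p.Value }
            }
        }
    }
}

# 3. WMI permanent event subscriptions that run a command line.
$consumers = Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
foreach ($c in $consumers) {
    if ($c.CommandLineTemplate -like "*$exeName*") {
        $hits += [pscustomobject]@{ Type = 'WMI'; Name = $c.Name; Value = $c.CommandLineTemplate }
    }
}

if ($hits) { $hits | Format-Table -AutoSize } else { Write-Host "No persistence referencing $exeName found." }
```

Matches on bare Windows executable names such as cmd.exe will be noisy; in that case compare the reported command lines with the one shown for the detected PID.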