AnyDesk Remote Access

AnyDesk is a popular remote access program that is often used by threat actors (and scammers), either as an entry point into an environment or to move tools between environments.

AnyDesk was downloaded and run without being installed, on a Windows 10 instance and on an Ubuntu 20.04 instance, and a number of files were transferred from one party to the other.

Windows File/Log Locations

ad.trace. This is where most of the information is kept: a verbose application runtime/connectivity log. For the portable, non-installed run used here it lives under %AppData%\AnyDesk\; an installed client keeps the service-side trace as C:\ProgramData\AnyDesk\ad_svc.trace and the user-side ad.trace under %AppData%\AnyDesk\. Each line carries the level, a timestamp, the AnyDesk component that wrote it (front, lsvc, lctrl), the PID and thread ID, on some lines a further counter, then the logging component and the message. From the short test conducted, I was able to identify the following snippets:

   info 2022-03-18 01:56:24.672      front   2428   7036 main - Process started at 2022-03-18. PID 2428. OS is Windows 10 (64 bit)
  error 2022-03-18 01:56:28.622      front   2428   5044                    os_win.fs_sentinel - Failed to monitor 'C:\Users\Public\AccountPictures\S-1-5-21-4283608420-3620247853-3965221735-1001' (2).

I'm not sure why AnyDesk is querying this particular folder in the Public folder. That path is where Windows stores the account picture for the SID in question, so the likeliest (unconfirmed) explanation is that AnyDesk tries to read the local user's account picture for its UI. The number in parentheses at the end of these fs_sentinel/dir_sentinel lines is the Win32 error code; 2 is ERROR_FILE_NOT_FOUND, so the folder simply did not exist on this instance.

   info 2022-03-18 01:56:28.915       lsvc   6956   5212   12                base.proxy_finder - Skipping search. Next search in 59406 ms.
   info 2022-03-18 01:56:28.915       lsvc   6956   5212   12           anynet.relay_connector - Connecting to relay boot.net.anydesk.com (1/1)
   info 2022-03-18 01:56:28.915       lsvc   6956   5212   12           anynet.relay_connector - Skipping connect method connect_proxy_443 (1/6) (no proxy found)
   info 2022-03-18 01:56:28.915       lsvc   6956   5212   12           anynet.relay_connector - Skipping connect method connect_proxy_80 (2/6) (no proxy found)
   info 2022-03-18 01:56:28.915       lsvc   6956   5212   12           anynet.relay_connector - Skipping connect method socks_proxy_443 (3/6) (no proxy found)
   info 2022-03-18 01:56:28.915       lsvc   6956   5212   12           anynet.relay_connector - Using IPv4: 213.239.219.11

Connectivity to the AnyDesk bootstrap relay (boot.net.anydesk.com). The 'Using IPv4' address is the relay's external IP, not the IP of the instance.

   info 2022-03-18 02:00:19.971       lsvc   6180   4204    8           anynet.relay_connector - Connecting to relay relay-f292f5b5.net.anydesk.com (1/4)
   info 2022-03-18 02:00:19.971       lsvc   6180   4204    8           anynet.relay_connector - Skipping connect method connect_proxy_443 (1/6) (no proxy found)
   info 2022-03-18 02:00:19.971       lsvc   6180   4204    8           anynet.relay_connector - Skipping connect method connect_proxy_80 (2/6) (no proxy found)
   info 2022-03-18 02:00:19.971       lsvc   6180   4204    8           anynet.relay_connector - Skipping connect method socks_proxy_443 (3/6) (no proxy found)
   info 2022-03-18 02:00:20.036       lsvc   6180   4204    8           anynet.relay_connector - Using IPv4: 143.244.62.119

Connectivity to the assigned relay. The hostname logged by anynet.relay_connector (relay-f292f5b5) matches the value of ad.anynet.last_relay in system.conf (shown below).

Again, the IPv4 value is that of the relay, not my instance.

   info 2022-03-18 02:00:20.560       lsvc   6180   4204    3           anynet.main_relay_conn - Network ID: main
   info 2022-03-18 02:00:20.560       lsvc   6180   4204    3                anynet.relay_conn - External address: your-public-ipv4:51361.
   info 2022-03-18 02:00:20.560       lsvc   6180   4204    3           anynet.main_relay_conn - Main relay ID: f292f5b5
   info 2022-03-18 02:00:20.560       lsvc   6180   4204    2            anynet.connection_mgr - Main relay connection established.
   info 2022-03-18 02:00:20.560       lsvc   6180   4204    2            anynet.connection_mgr - New user data. Client-ID: 668843853.
   info 2022-03-18 02:00:21.218       lsvc   6180   4204    9                            gcpsa - Downloading gcapi.dll.
   info 2022-03-18 02:00:21.249       lsvc   6180   4204    9               app.fib_downloader - Canceled download of 'gcapi.dll'. A file with matching hash already exists in C:\Users\username\AppData\Local\Temp.

anynet.relay_conn: 'External address' is the instance's own public IPv4 address and source port as seen by the relay.
anynet.main_relay_conn: 'Main relay ID' is the relay part of the connected relay hostname (see above).
anynet.connection_mgr: 'Client-ID' is the AnyDesk ID presented to the user through the application interface, and the value a remote party needs in order to connect.

The following is written to ad.trace after a successful connection and file transfer (the remote party's public IP has been replaced with remote.malicious.ip):

   info 2022-03-18 02:50:52.146       lsvc   5608   3532   41                anynet.any_socket - Logged in from remote.malicious.ip:1354 on relay b34ce89a.
   info 2022-03-18 02:50:52.146       lsvc   5608   3532   41            anynet.connection_mgr - Re-using connection to client d4b5e4892f1d9cc6dbe9ea336b446c769b8afd26.
   info 2022-03-18 02:50:52.146       lsvc   5608   3532   41                anynet.any_socket - Accepting the connect request.
   info 2022-03-18 02:50:52.153       lsvc   5608   3532   41                anynet.relay_conn - accept_connect: sending login token ()

'Logged in from' gives the IP address and source port of the remote party, and 'on relay b34ce89a' the relay the session arrived through. The 40-hex-character value in 'Re-using connection to client' has the same form as the local ad.anynet.fpr in system.conf, so it is worth recording as an identifier for the remote client that does not change when its IP address does.

  error 2022-03-18 02:51:25.772      lctrl   5204   3924                           app.readdir - Could not list directory C:\Windows\System32\config\* (5).
  error 2022-03-18 02:51:25.777      lctrl   5204   3924                      app.dir_sentinel - Could not monitor 'C:\Windows\System32\config' (5).
  error 2022-03-18 02:51:25.777      lctrl   5204   3924                           app.readdir - Could not list directory C:\Windows\System32\config\* (5).
warning 2022-03-18 02:51:54.155      lctrl   5204   6380                 app.tunnel_ft_session - Invalid progress code (0).
   info 2022-03-18 02:51:54.156      lctrl   5204   3924                      app.prepare_task - Preparing files in 'C:\Users\username\AppData\Local\Google\Chrome\User Data\Default'.
   info 2022-03-18 02:51:54.156      lctrl   5204   3924               app.local_file_transfer - Preparation of 1 files completed (io_ok).
warning 2022-03-18 02:51:54.161      lctrl   5204   6380                 app.tunnel_ft_session - Invalid progress code (0).
warning 2022-03-18 02:51:54.181      lctrl   5204   6380                 app.tunnel_ft_session - Invalid progress code (0).
warning 2022-03-18 02:51:57.579      lctrl   5204   6380                 app.tunnel_ft_session - Invalid progress code (0).
   info 2022-03-18 02:51:57.586      lctrl   5204   3924                      app.prepare_task - Preparing files in 'C:\Users\username\AppData\Local\Google\Chrome\User Data\Default'.
   info 2022-03-18 02:51:57.590      lctrl   5204   3924               app.local_file_transfer - Preparation of 1 files completed (io_ok).
warning 2022-03-18 02:51:57.597      lctrl   5204   6380                 app.tunnel_ft_session - Invalid progress code (0).
warning 2022-03-18 02:51:57.605      lctrl   5204   6380                 app.tunnel_ft_session - Invalid progress code (0).
warning 2022-03-18 02:52:00.854      lctrl   5204   6380                 app.tunnel_ft_session - Invalid progress code (0).
   info 2022-03-18 02:52:00.854      lctrl   5204   3924                      app.prepare_task - Preparing files in 'C:\Users\username\AppData\Local\Google\Chrome\User Data\Default'.
   info 2022-03-18 02:52:01.030      lctrl   5204   3924               app.local_file_transfer - Preparation of 1 files completed (io_ok).
warning 2022-03-18 02:52:01.038      lctrl   5204   6380                 app.tunnel_ft_session - Invalid progress code (0).
warning 2022-03-18 02:52:01.109      lctrl   5204   6380                 app.tunnel_ft_session - Invalid progress code (0).
  error 2022-03-18 02:52:02.620       lsvc   5608   3532   21         base.prot.packet_factory - Invalid packet received (type=13, 3 bytes).

From the remote terminal, I browsed the victim's files (file transfer is enabled by default). System directories could not be listed: the (5) on the app.readdir and app.dir_sentinel errors above is Win32 ERROR_ACCESS_DENIED, as the portable client runs with the victim's privileges rather than as SYSTEM. Several files from the victim's Google Chrome profile directory could, however, be downloaded.

However, the trace does not record which files were transferred (successfully or not) or their sizes, so the size cannot be used to infer which files were taken. app.prepare_task logs only the source directory and app.local_file_transfer only the number of files prepared, so the most that can be recovered is a timeline of which directories were read and how many files came from each. For the session above that is three single-file transfers from the Chrome User Data\Default directory between 02:51:54 and 02:52:01.
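As an added example (my own code, not AnyDesk's), the following Python pulls the indicators discussed above out of ad.trace: relay hostname and IP, external address, Client-ID, the 'Logged in from' remote address, the remote client identifier, file-transfer preparation and access-denied errors, and orders them into a timeline. The sample lines are copied from the trace excerpts on this page; the regular expressions, the field names and the column layout they assume are my own.

```python
"""Triage parser for AnyDesk ad.trace (added example, not AnyDesk's own code).

Sample lines are copied from the trace excerpts on this page; the regular
expressions, field names and assumed column layout are my own.
"""
import re

# Assumed column layout: level, timestamp, writing component (front/lsvc/lctrl),
# PID, thread ID, optional extra counter, logging component, " - ", message.
LINE_RE = re.compile(
    r"^\s*(?P<level>\w+)\s+"
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<proc>\w+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?:(?P<idx>\d+)\s+)?"
    r"(?P<comp>[\w.]+) - (?P<msg>.*)$"
)

# Messages with forensic value, keyed by names of my choosing.
PATTERNS = {
    "relay_host": re.compile(r"Connecting to relay (\S+) \("),
    "relay_ip": re.compile(r"Using IPv4: (\S+)$"),
    "external": re.compile(r"External address: (\S+)\.$"),
    "client_id": re.compile(r"Client-ID: (\d+)\."),
    "login": re.compile(r"Logged in from (\S+):(\d+) on relay (\w+)\."),
    "remote_fpr": re.compile(r"Re-using connection to client ([0-9a-f]{40})\."),
    "prepare": re.compile(r"Preparing files in '(.+)'\.$"),
    "prepared": re.compile(r"Preparation of (\d+) files completed"),
    # Trailing (n) is a Win32 error code; 5 is ERROR_ACCESS_DENIED.
    "failed_dir": re.compile(
        r"(?:Could not list directory|Could not monitor|Failed to monitor) '?(.+?)'? \((\d+)\)\.$"),
}

# Constructed sample: a subset of the lines shown on this page.
SAMPLE_TRACE = r"""
   info 2022-03-18 02:00:19.971       lsvc   6180   4204    8           anynet.relay_connector - Connecting to relay relay-f292f5b5.net.anydesk.com (1/4)
   info 2022-03-18 02:00:20.036       lsvc   6180   4204    8           anynet.relay_connector - Using IPv4: 143.244.62.119
   info 2022-03-18 02:00:20.560       lsvc   6180   4204    3                anynet.relay_conn - External address: your-public-ipv4:51361.
   info 2022-03-18 02:00:20.560       lsvc   6180   4204    2            anynet.connection_mgr - New user data. Client-ID: 668843853.
   info 2022-03-18 02:50:52.146       lsvc   5608   3532   41                anynet.any_socket - Logged in from remote.malicious.ip:1354 on relay b34ce89a.
   info 2022-03-18 02:50:52.146       lsvc   5608   3532   41            anynet.connection_mgr - Re-using connection to client d4b5e4892f1d9cc6dbe9ea336b446c769b8afd26.
  error 2022-03-18 02:51:25.772      lctrl   5204   3924                           app.readdir - Could not list directory C:\Windows\System32\config\* (5).
   info 2022-03-18 02:51:54.156      lctrl   5204   3924                      app.prepare_task - Preparing files in 'C:\Users\username\AppData\Local\Google\Chrome\User Data\Default'.
   info 2022-03-18 02:51:54.156      lctrl   5204   3924               app.local_file_transfer - Preparation of 1 files completed (io_ok).
"""


def parse_line(line):
    """Split one ad.trace line into its columns; None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Walk ad.trace lines and collect connection and file-transfer indicators."""
    out = {
        "relays": [],             # (timestamp, relay hostname, relay IP)
        "external_address": None,
        "client_id": None,
        "incoming": [],           # (timestamp, remote ip, remote port, relay id)
        "remote_fingerprints": set(),
        "file_prep": [],          # (timestamp, source directory, file count)
        "access_denied": [],      # (timestamp, path) for Win32 error 5
    }
    pending_relay = {}  # (proc, pid, tid) -> hostname awaiting its "Using IPv4"
    pending_prep = {}   # (proc, pid, tid) -> (timestamp, directory) awaiting its count
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["proc"], rec["pid"], rec["tid"])
        ts, msg = rec["ts"], rec["msg"]
        if m := PATTERNS["relay_host"].search(msg):
            pending_relay[key] = m.group(1)
        elif m := PATTERNS["relay_ip"].search(msg):
            out["relays"].append((ts, pending_relay.pop(key, None), m.group(1)))
        elif m := PATTERNS["external"].search(msg):
            out["external_address"] = m.group(1)
        elif m := PATTERNS["client_id"].search(msg):
            out["client_id"] = m.group(1)
        elif m := PATTERNS["login"].search(msg):
            out["incoming"].append((ts, m.group(1), int(m.group(2)), m.group(3)))
        elif m := PATTERNS["remote_fpr"].search(msg):
            out["remote_fingerprints"].add(m.group(1))
        elif m := PATTERNS["prepare"].search(msg):
            pending_prep[key] = (ts, m.group(1))
        elif m := PATTERNS["prepared"].search(msg):
            start_ts, directory = pending_prep.pop(key, (ts, None))
            out["file_prep"].append((start_ts, directory, int(m.group(1))))
        elif (m := PATTERNS["failed_dir"].search(msg)) and m.group(2) == "5":
            out["access_denied"].append((ts, m.group(1)))
    return out


def timeline(summary):
    """Flatten a summary into a chronologically sorted list of (timestamp, event, detail)."""
    events = [(ts, "relay", f"{host} -> {ip}") for ts, host, ip in summary["relays"]]
    events += [(ts, "incoming", f"{ip}:{port} via relay {relay}")
               for ts, ip, port, relay in summary["incoming"]]
    events += [(ts, "file_prep", f"{n} file(s) from {d}") for ts, d, n in summary["file_prep"]]
    events += [(ts, "access_denied", path) for ts, path in summary["access_denied"]]
    return sorted(events)


if __name__ == "__main__":
    for ts, kind, detail in timeline(summarize(SAMPLE_TRACE.splitlines())):
        print(ts, kind, detail)
```

Run it against a real ad.trace with `summarize(open(path, errors="replace"))`; the relay/IP and prepare/count pairing keys on the writing process and thread, which is what keeps the two lines of each pair together when several sessions interleave.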

Incoming    2022-03-18, 02:50    User                              732092099    732092099
Incoming    2022-03-18, 02:50    User                              732092099    732092099

This file is connection_trace.txt. It is only written once a connection request has been handled (accepted or rejected), one line per request.

Incoming connection requests. The columns are the direction (Incoming), the time (in UTC), how the request was authorised (User: the local user accepted it interactively in the AnyDesk prompt; connections authorised by an unattended-access password, or rejected, show a different value here), then the remote client's AnyDesk ID and its alias, which defaults to the ID when no alias is set. The value 732092099 is therefore the ID of the remote connector, the party that initiated the remote connection.

system.conf. Contains the certificate and private key used for AnyDesk's encrypted transport:

ad.anynet.cert=-----BEGIN CERTIFICATE
ad.anynet.pkey=-----BEGIN PRIVATE KEY

ad.ancl.cached_config=AAQAAAABAAAAAAAAAAAAAAAA
ad.anynet.alias=
ad.anynet.client_stats_hash=dcfc53ad9b83500a7c5dcf7429a0568177e2a7c2
ad.anynet.cur_version=30064771078
ad.anynet.fpr=6499e464a4040391b3ff4e122c1461f6b923daca
ad.anynet.id=668843853
ad.anynet.last_relay=relay-f292f5b5.net.anydesk.com:80:443:6568
ad.anynet.network_hash=869d03874a54c384dd345e9636d51a2bbd3a9e63
ad.anynet.network_id=main
ad.anynet.relay.fatal_result=1.0
ad.anynet.relay.state=2
ad.license.name=free-1
ad.security.frontend_clipboard=1
ad.security.frontend_clipboard_files=1
ad.security.frontend_clipboard_version=1
ad.security.permission_profiles._default.permissions.sas=1
ad.security.permission_profiles._unattended_access.permissions.sas=1
ad.security.permission_profiles.version=1
ad.wol.mac_hash=8c87d8d52529ae1ab337b47209a84b535b24655e

Of interest here are ad.anynet.id (the same ID shown in the user interface when the program is run, and the value a remote party needs to connect), ad.anynet.fpr (this client's fingerprint) and ad.anynet.last_relay, which records the relay hostname and the ports tried (80, 443 and AnyDesk's own 6568). Outbound connections to *.net.anydesk.com on those ports are the network-side indicator to pair with these host artefacts.

ad.roster.contacts.view_type=2
ad.roster.discovered.view_type=2
ad.roster.favorites.view_type=2
ad.roster.recent_out.view_type=2
ad.roster.sent_invitation.view_type=2
ad.ui.inst_info_count=1
ad.ui.lang=en
ad.ui.main_win.height=936
ad.ui.main_win.max=false
ad.ui.main_win.width=1768
ad.ui.main_win.x=295
ad.ui.main_win.y=156
invitation.view_typ=2

These user.conf entries are mostly values for the user interface itself.

ad.security.permission_profiles.address_to_profile=732092099:000000115f70726576696f75735f73657373696f6e000000400100000001000000010000000000000000000000010000000100000001000000010000000000000000000000000000000100000001000000010000000100000000000010000000000000000000000000000000000000004001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000000000010000000100000001000000010000000000000000

This key is written to user.conf after a successful connection. The part before the colon, 732092099, is the ID of the remote party. The hex blob after it begins with a four-byte big-endian length (0x11 = 17) followed by that many ASCII bytes, 5f70726576696f75735f73657373696f6e, which decode to the profile name _previous_session; the entry therefore maps the remote ID to the permission profile used for that session. The remaining bytes are presumably the individual permission flags, but their layout is not decoded here.
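As an added example (my own code, not AnyDesk's), the following Python parses connection_trace.txt, system.conf and user.conf, decodes the profile name embedded in address_to_profile, and joins the remote ID from connection_trace.txt to that user.conf entry and to the local identity in system.conf. The sample data are copied from this page; the layout of the hex blob beyond its length-prefixed profile name is an assumption and is left undecoded, and the code assumes one remote ID per address_to_profile key, as seen here.

```python
"""Correlate AnyDesk connection_trace.txt, system.conf and user.conf.

Added example, not AnyDesk's own code. Sample data are copied from this page;
the address_to_profile blob beyond its length-prefixed name is assumed to be
permission flags and is not decoded.
"""
import re
from datetime import datetime

# Constructed samples: subsets of the files shown on this page.
SAMPLE_SYSTEM_CONF = """\
ad.anynet.fpr=6499e464a4040391b3ff4e122c1461f6b923daca
ad.anynet.id=668843853
ad.anynet.last_relay=relay-f292f5b5.net.anydesk.com:80:443:6568
ad.license.name=free-1
"""
SAMPLE_USER_CONF = """\
ad.ui.lang=en
ad.security.permission_profiles.address_to_profile=732092099:000000115f70726576696f75735f73657373696f6e000000400100000001000000010000000000000000000000010000000100000001000000010000000000000000000000000000000100000001000000010000000100000000000010000000000000000000000000000000000000004001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000000000010000000100000001000000010000000000000000
"""
SAMPLE_CONNECTION_TRACE = """\
Incoming    2022-03-18, 02:50    User                              732092099    732092099
Incoming    2022-03-18, 02:50    User                              732092099    732092099
"""


def parse_conf(text):
    """Parse the key=value format shared by system.conf and user.conf."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            conf[key] = value
    return conf


def parse_last_relay(value):
    """ad.anynet.last_relay is host:port:port:port (relay hostname, then the ports tried)."""
    host, *ports = value.split(":")
    return host, [int(p) for p in ports]


def parse_connection_trace(text):
    """One record per request: direction, timestamp, authorisation, remote ID, alias.
    Columns are separated by runs of spaces; the timestamp itself contains one space."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 5:
            raise ValueError(f"unexpected connection_trace line: {line!r}")
        direction, ts, auth, remote_id, alias = fields
        records.append({
            "direction": direction,
            "time": datetime.strptime(ts, "%Y-%m-%d, %H:%M").strftime("%Y-%m-%d %H:%M"),
            "auth": auth,
            "remote_id": remote_id,
            "alias": alias,
        })
    return records


def decode_address_to_profile(value):
    """Decode '<remote id>:<hex>'. The hex starts with a 4-byte big-endian length and
    that many ASCII bytes of profile name (0x11 = 17 -> '_previous_session'); the rest
    is assumed to hold permission flags and is only counted here, not decoded."""
    remote_id, _, blob = value.partition(":")
    name_len = int(blob[:8], 16)
    name = bytes.fromhex(blob[8:8 + 2 * name_len]).decode("ascii")
    return {"remote_id": remote_id, "profile": name,
            "undecoded_hex_chars": len(blob) - 8 - 2 * name_len}


def build_report(system_conf_text, user_conf_text, connection_trace_text):
    """Join the three artefacts: local identity from system.conf, per-remote-ID
    profile from user.conf, and the session list from connection_trace.txt."""
    system_conf = parse_conf(system_conf_text)
    user_conf = parse_conf(user_conf_text)
    profiles = {}
    for key, value in user_conf.items():
        if key.endswith(".address_to_profile"):  # assumes one remote ID per key
            decoded = decode_address_to_profile(value)
            profiles[decoded["remote_id"]] = decoded["profile"]
    sessions = [{**rec, "profile": profiles.get(rec["remote_id"])}
                for rec in parse_connection_trace(connection_trace_text)]
    return {
        "local_id": system_conf.get("ad.anynet.id"),
        "local_fingerprint": system_conf.get("ad.anynet.fpr"),
        "last_relay": parse_last_relay(system_conf["ad.anynet.last_relay"]),
        "sessions": sessions,
    }


if __name__ == "__main__":
    report = build_report(SAMPLE_SYSTEM_CONF, SAMPLE_USER_CONF, SAMPLE_CONNECTION_TRACE)
    print("local ID", report["local_id"], "via", report["last_relay"])
    for s in report["sessions"]:
        print(s["time"], s["direction"], s["remote_id"], s["auth"], s["profile"])
```

A remote ID that appears in connection_trace.txt but has no address_to_profile entry (profile None) is still a handled request; the user.conf entry only shows up for sessions that were actually accepted, which is why the two artefacts are worth reading together.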

Linux File/Log Locations

TBA

References

https://support.anydesk.com/knowledge/trace-files
