AnyDesk is a popular remote access program which is often used by threat actors (and scammers) either as an entry point into an environment or to transfer tools between environments.
AnyDesk was downloaded and executed without installation on a Windows 10 instance as well as on an Ubuntu 20.04 instance. A number of files were transferred from one party to the other.
This (ad.trace) is where most of the information is kept. It is a verbose application runtime/connectivity log. From the short test conducted, I was able to identify the following snippets:
```
info 2022-03-18 01:56:24.672 front 2428 7036 main - Process started at 2022-03-18. PID 2428. OS is Windows 10 (64 bit)
```
🔴 Start time for the process (with corresponding PID). The time listed, 18th March 2022 01:56:24.672, is in UTC, not the local time of the system.
```
error 2022-03-18 01:56:28.622 front 2428 5044 os_win.fs_sentinel - Failed to monitor 'C:\Users\Public\AccountPictures\S-1-5-21-4283608420-3620247853-3965221735-1001' (2).
```
I'm not sure why AnyDesk is querying this particular folder under the Public profile.
```
info 2022-03-18 01:56:28.915 lsvc 6956 5212 12 base.proxy_finder - Skipping search. Next search in 59406 ms.
info 2022-03-18 01:56:28.915 lsvc 6956 5212 12 anynet.relay_connector - Connecting to relay boot.net.anydesk.com (1/1)
info 2022-03-18 01:56:28.915 lsvc 6956 5212 12 anynet.relay_connector - Skipping connect method connect_proxy_443 (1/6) (no proxy found)
info 2022-03-18 01:56:28.915 lsvc 6956 5212 12 anynet.relay_connector - Skipping connect method connect_proxy_80 (2/6) (no proxy found)
info 2022-03-18 01:56:28.915 lsvc 6956 5212 12 anynet.relay_connector - Skipping connect method socks_proxy_443 (3/6) (no proxy found)
info 2022-03-18 01:56:28.915 lsvc 6956 5212 12 anynet.relay_connector - Using IPv4: 213.239.219.11
```
Connectivity to an AnyDesk bootstrap relay (the external IP shown is the relay's, not the IP of the instance).
```
info 2022-03-18 02:00:19.971 lsvc 6180 4204 8 anynet.relay_connector - Connecting to relay relay-f292f5b5.net.anydesk.com (1/4)
info 2022-03-18 02:00:19.971 lsvc 6180 4204 8 anynet.relay_connector - Skipping connect method connect_proxy_443 (1/6) (no proxy found)
info 2022-03-18 02:00:19.971 lsvc 6180 4204 8 anynet.relay_connector - Skipping connect method connect_proxy_80 (2/6) (no proxy found)
info 2022-03-18 02:00:19.971 lsvc 6180 4204 8 anynet.relay_connector - Skipping connect method socks_proxy_443 (3/6) (no proxy found)
info 2022-03-18 02:00:20.036 lsvc 6180 4204 8 anynet.relay_connector - Using IPv4: 143.244.62.119
```
Connectivity to a relay. The relay name in the anynet.relay_connector line (relay-f292f5b5) matches the value for ad.anynet.networkrelay in system.conf.
Again, the IPv4 value is that of the relay, not my instance.
```
info 2022-03-18 02:00:20.560 lsvc 6180 4204 3 anynet.main_relay_conn - Network ID: main
info 2022-03-18 02:00:20.560 lsvc 6180 4204 3 anynet.relay_conn - External address: your-public-ipv4:51361.
info 2022-03-18 02:00:20.560 lsvc 6180 4204 3 anynet.main_relay_conn - Main relay ID: f292f5b5
info 2022-03-18 02:00:20.560 lsvc 6180 4204 2 anynet.connection_mgr - Main relay connection established.
info 2022-03-18 02:00:20.560 lsvc 6180 4204 2 anynet.connection_mgr - New user data. Client-ID: 668843853.
info 2022-03-18 02:00:21.218 lsvc 6180 4204 9 gcpsa - Downloading gcapi.dll.
info 2022-03-18 02:00:21.249 lsvc 6180 4204 9 app.fib_downloader - Canceled download of 'gcapi.dll'. A file with matching hash already exists in C:\Users\username\AppData\Local\Temp.
```
anynet.relay_conn: "External address" is your public IPv4 address (and the source port used).
anynet.main_relay_conn: "Main relay ID" is part of the connected relay hostname (see above).
anynet.connection_mgr: contains the Client-ID (this is the value presented to the user through the application interface and is also required by those connecting remotely).
The following is generated in ad.trace after a successful connection and file transfer (the public IP has been replaced with remote.malicious.ip):
```
info 2022-03-18 02:50:52.146 lsvc 5608 3532 41 anynet.any_socket - Logged in from remote.malicious.ip:1354 on relay b34ce89a.
info 2022-03-18 02:50:52.146 lsvc 5608 3532 41 anynet.connection_mgr - Re-using connection to client d4b5e4892f1d9cc6dbe9ea336b446c769b8afd26.
info 2022-03-18 02:50:52.146 lsvc 5608 3532 41 anynet.any_socket - Accepting the connect request.
info 2022-03-18 02:50:52.153 lsvc 5608 3532 41 anynet.relay_conn - accept_connect: sending login token ()
```
"Logged in from" is the IP address (and source port) of the remote party.
From the remote terminal, I browsed the victim's files (file transfer is enabled by default). I could not access any system directories due to insufficient permissions; however, I was able to download several files from the victim's Google Chrome profile directory.
However, I could not find any logs indicating which files were actually transferred (whether successfully or not). There is also no indication of the file transfer size (which you could otherwise use to infer which file/s were transferred).
```
Incoming 2022-03-18, 02:50 User 732092099 732092099
Incoming 2022-03-18, 02:50 User 732092099 732092099
```
This file is only generated after a connection is made (either accepted or rejected).
Incoming connection requests. Time is in UTC. The value (732092099) is the ID of the remote connector, i.e. the ID of the person who initiated the remote connection.
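As an added example (not code from the original post or from AnyDesk), the following Python script parses the two log formats shown above, ad.trace and the connection trace file, pulls out the fields called out in the notes (process start and PID, relay hostnames and IPs, external address, main relay ID, Client-ID, "Logged in from" remote address), and then correlates each "Incoming" connection-trace entry with the nearest "Logged in from" line so the remote AnyDesk ID can be tied to a remote IP. The sample lines are constructed from the snippets above, with the redacted addresses replaced by RFC 5737 documentation addresses; the column labels for the connection trace (auth type, remote ID, alias) and the two-minute correlation window (the connection trace only has minute granularity) are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines modelled on the ad.trace snippets above.
# 203.0.113.5 and 198.51.100.7 are documentation addresses standing in for the redacted ones.
AD_TRACE = """\
info 2022-03-18 01:56:24.672 front 2428 7036 main - Process started at 2022-03-18. PID 2428. OS is Windows 10 (64 bit)
info 2022-03-18 01:56:28.915 lsvc 6956 5212 12 anynet.relay_connector - Connecting to relay boot.net.anydesk.com (1/1)
info 2022-03-18 01:56:28.915 lsvc 6956 5212 12 anynet.relay_connector - Skipping connect method connect_proxy_443 (1/6) (no proxy found)
info 2022-03-18 01:56:28.915 lsvc 6956 5212 12 anynet.relay_connector - Using IPv4: 213.239.219.11
info 2022-03-18 02:00:20.560 lsvc 6180 4204 3 anynet.relay_conn - External address: 203.0.113.5:51361.
info 2022-03-18 02:00:20.560 lsvc 6180 4204 3 anynet.main_relay_conn - Main relay ID: f292f5b5
info 2022-03-18 02:00:20.560 lsvc 6180 4204 2 anynet.connection_mgr - New user data. Client-ID: 668843853.
info 2022-03-18 02:50:52.146 lsvc 5608 3532 41 anynet.any_socket - Logged in from 198.51.100.7:1354 on relay b34ce89a.
info 2022-03-18 02:50:52.146 lsvc 5608 3532 41 anynet.any_socket - Accepting the connect request.
"""

# Constructed sample modelled on the connection trace line above.
CONNECTION_TRACE = """\
Incoming 2022-03-18, 02:50 User 732092099 732092099
"""

# level, UTC timestamp, process (front/lsvc), pid, tid, optional extra number, component, message.
# The "front" lines have one fewer numeric column than the "lsvc" lines, hence the optional group.
AD_TRACE_RE = re.compile(
    r"^(?P<level>\w+)\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<proc>\w+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?:\d+\s+)?"
    r"(?P<component>[\w.]+) - (?P<msg>.*)$"
)
# direction, UTC timestamp (minute granularity), auth type, remote ID, alias (labels assumed).
CONN_TRACE_RE = re.compile(
    r"^(?P<direction>\w+)\s+(?P<ts>\d{4}-\d{2}-\d{2}, \d{2}:\d{2})\s+"
    r"(?P<auth>\w+)\s+(?P<remote_id>\d+)\s+(?P<alias>\S+)$"
)


def parse_ad_trace_line(line):
    """Split one ad.trace line into its columns; timestamps are UTC per the notes above."""
    m = AD_TRACE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return rec


def extract_ad_trace_indicators(text):
    """Collect the forensically useful fields from ad.trace into one dict."""
    ind = {"process_starts": [], "relay_hosts": [], "relay_ips": [], "external_address": None,
           "main_relay_id": None, "client_id": None, "incoming_logins": []}
    for line in text.splitlines():
        rec = parse_ad_trace_line(line)
        if rec is None:
            continue
        comp, msg, ts = rec["component"], rec["msg"], rec["ts"]
        if comp == "main" and msg.startswith("Process started"):
            ind["process_starts"].append((ts, rec["pid"]))
        elif comp == "anynet.relay_connector":
            if (m := re.match(r"Connecting to relay (\S+)", msg)):
                ind["relay_hosts"].append(m.group(1))
            elif (m := re.match(r"Using IPv4: (\S+)", msg)):
                ind["relay_ips"].append(m.group(1))          # relay IP, not the host's own IP
        elif comp == "anynet.relay_conn":
            if (m := re.match(r"External address: (\S+):(\d+)\.", msg)):
                ind["external_address"] = (m.group(1), int(m.group(2)))   # the host's public IPv4
        elif comp == "anynet.main_relay_conn":
            if (m := re.match(r"Main relay ID: (\S+)", msg)):
                ind["main_relay_id"] = m.group(1)
        elif comp == "anynet.connection_mgr":
            if (m := re.match(r"New user data\. Client-ID: (\d+)\.", msg)):
                ind["client_id"] = m.group(1)                  # ID shown in the AnyDesk UI
        elif comp == "anynet.any_socket":
            if (m := re.match(r"Logged in from (\S+):(\d+) on relay (\w+)\.", msg)):
                ind["incoming_logins"].append(
                    {"ts": ts, "ip": m.group(1), "port": int(m.group(2)), "relay": m.group(3)})
    return ind


def parse_connection_trace(text):
    """Parse the connection trace file; one entry per (accepted or rejected) connection."""
    entries = []
    for line in text.splitlines():
        m = CONN_TRACE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d, %H:%M").replace(tzinfo=timezone.utc)
            entries.append(rec)
    return entries


def correlate(ad_ind, conn_entries, window_s=120):
    """Pair each Incoming remote ID with any 'Logged in from' address within window_s seconds."""
    pairs = []
    for c in conn_entries:
        if c["direction"] != "Incoming":
            continue
        for login in ad_ind["incoming_logins"]:
            if abs((login["ts"] - c["ts"]).total_seconds()) <= window_s:
                pairs.append((c["remote_id"], login["ip"], login["relay"]))
    return pairs


if __name__ == "__main__":
    ind = extract_ad_trace_indicators(AD_TRACE)
    for k, v in ind.items():
        print(f"{k}: {v}")
    print("correlated:", correlate(ind, parse_connection_trace(CONNECTION_TRACE)))
```

Run against real files, replace the two constants with the contents of ad.trace and the connection trace file; the correlation step is only a timestamp heuristic, so when several incoming connections fall within the same minute you should confirm the pairing against the order of the "Logged in from" lines.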
Of interest here would be the ad.anynet.id value (which is the same as what is displayed in the user interface when AnyDesk is executed), as well as the anynet.last_relay value (and the ports used).