Comment on page
AnyDesk Remote Access
AnyDesk is a popular remote access program which is often used by threat actors (and scammers) as either an entry point into an environment or to transfer tools between environments
AnyDesk was downloaded and executed, without installation on a Windows 10 instance as well as an Ubuntu 20.04 instance. A number of files were transferred from one party to another.
Windows File/Log Locations
C:\Users\username\AppData\Roaming\AnyDesk\ad.trace
➡
This is where most of the information is kept. This is a verbose application runtime/connectivity log. From the short test conducted, I was able to identify the following snippets;
info 2022-03-18 01:56:24.672 front 2428 7036 main - Process started at 2022-03-18. PID 2428. OS is Windows 10 (64 bit)```
Start time for the process (with corresponding PID). The time listed 18th March 2022 01:56:24.672 is in UTC, not the time of the local system.
🔴
error 2022-03-18 01:56:28.622 front 2428 5044 os_win.fs_sentinel - Failed to monitor 'C:\Users\Public\AccountPictures\S-1-5-21-4283608420-3620247853-3965221735-1001' (2).
I'm not sure why AnyDesk is querying this particular folder in the Public folder..
info 2022-03-18 01:56:28.915 lsvc 6956 5212 12 base.proxy_finder - Skipping search. Next search in 59406 ms.
info 2022-03-18 01:56:28.915 lsvc 6956 5212 12 anynet.relay_connector - Connecting to relay boot.net.anydesk.com (1/1)
info 2022-03-18 01:56:28.915 lsvc 6956 5212 12 anynet.relay_connector - Skipping connect method connect_proxy_443 (1/6) (no proxy found)
info 2022-03-18 01:56:28.915 lsvc 6956 5212 12 anynet.relay_connector - Skipping connect method connect_proxy_80 (2/6) (no proxy found)
info 2022-03-18 01:56:28.915 lsvc 6956 5212 12 anynet.relay_connector - Skipping connect method socks_proxy_443 (3/6) (no proxy found)
info 2022-03-18 01:56:28.915 lsvc 6956 5212 12 anynet.relay_connector - Using IPv4: 213.239.219.11
Connectivity to an AnyDesk relay (that external IP is not the IP of the instance)
info 2022-03-18 02:00:19.971 lsvc 6180 4204 8 anynet.relay_connector - Connecting to relay relay-f292f5b5.net.anydesk.com (1/4)
info 2022-03-18 02:00:19.971 lsvc 6180 4204 8 anynet.relay_connector - Skipping connect method connect_proxy_443 (1/6) (no proxy found)
info 2022-03-18 02:00:19.971 lsvc 6180 4204 8 anynet.relay_connector - Skipping connect method connect_proxy_80 (2/6) (no proxy found)
info 2022-03-18 02:00:19.971 lsvc 6180 4204 8 anynet.relay_connector - Skipping connect method socks_proxy_443 (3/6) (no proxy found)
info 2022-03-18 02:00:20.036 lsvc 6180 4204 8 anynet.relay_connector - Using IPv4: 143.244.62.119
Connectivity to a relay
(anynet.relayconnector relay-f292f5b5 matches the value for ad.anynet.networkrelay in system.conf)
Again, IPv4 value is for that of the relay, not my instance.
info 2022-03-18 02:00:20.560 lsvc 6180 4204 3 anynet.main_relay_conn - Network ID: main
info 2022-03-18 02:00:20.560 lsvc 6180 4204 3 anynet.relay_conn - External address: your-public-ipv4:51361.
info 2022-03-18 02:00:20.560 lsvc 6180 4204 3 anynet.main_relay_conn - Main relay ID: f292f5b5
info 2022-03-18 02:00:20.560 lsvc 6180 4204 2 anynet.connection_mgr - Main relay connection established.
info 2022-03-18 02:00:20.560 lsvc 6180 4204 2 anynet.connection_mgr - New user data. Client-ID: 668843853.
info 2022-03-18 02:00:21.218 lsvc 6180 4204 9 gcpsa - Downloading gcapi.dll.
info 2022-03-18 02:00:21.249 lsvc 6180 4204 9 app.fib_downloader - Canceled download of 'gcapi.dll'. A file with matching hash already exists in C:\Users\username\AppData\Local\Temp.
anynet.relay_conn = external address (is your public IPv4 address)
anynet.main_relayconn = part of connected relay hostname (see above)
anynet.connection_mgr = contains Client ID (this is the value presented to the user through the application interface and also required by those connecting remotely)
The following is generated in ad.trace after a successful connection & file transfer (The public IP has been replaced with remote.malicious.ip)
info 2022-03-18 02:50:52.146 lsvc 5608 3532 41 anynet.any_socket - Logged in from remote.malicious.ip:1354 on relay b34ce89a.
info 2022-03-18 02:50:52.146 lsvc 5608 3532 41 anynet.connection_mgr - Re-using connection to client d4b5e4892f1d9cc6dbe9ea336b446c769b8afd26.
info 2022-03-18 02:50:52.146 lsvc 5608 3532 41 anynet.any_socket - Accepting the connect request.
info 2022-03-18 02:50:52.153 lsvc 5608 3532 41 anynet.relay_conn - accept_connect: sending login token ()
'Logged in from' is the IP address of the remote party.
error 2022-03-18 02:51:25.772 lctrl 5204 3924 app.readdir - Could not list directory C:\Windows\System32\config\* (5).
error 2022-03-18 02:51:25.777 lctrl 5204 3924 app.dir_sentinel - Could not monitor 'C:\Windows\System32\config' (5).
error 2022-03-18 02:51:25.777 lctrl 5204 3924 app.readdir - Could not list directory C:\Windows\System32\config\* (5).
warning 2022-03-18 02:51:54.155 lctrl 5204 6380 app.tunnel_ft_session - Invalid progress code (0).
info 2022-03-18 02:51:54.156 lctrl 5204 3924 app.prepare_task - Preparing files in 'C:\Users\username\AppData\Local\Google\Chrome\User Data\Default'.
info 2022-03-18 02:51:54.156 lctrl 5204 3924 app.local_file_transfer - Preparation of 1 files completed (io_ok).
warning 2022-03-18 02:51:54.161 lctrl 5204 6380 app.tunnel_ft_session - Invalid progress code (0).
warning 2022-03-18 02:51:54.181 lctrl 5204 6380 app.tunnel_ft_session - Invalid progress code (0).
warning 2022-03-18 02:51:57.579 lctrl 5204 6380 app.tunnel_ft_session - Invalid progress code (0).
info 2022-03-18 02:51:57.586 lctrl 5204 3924 app.prepare_task - Preparing files in 'C:\Users\username\AppData\Local\Google\Chrome\User Data\Default'.
info 2022-03-18 02:51:57.590 lctrl 5204 3924 app.local_file_transfer - Preparation of 1 files completed (io_ok).
warning 2022-03-18 02:51:57.597 lctrl 5204 6380 app.tunnel_ft_session - Invalid progress code (0).
warning 2022-03-18 02:51:57.605 lctrl 5204 6380 app.tunnel_ft_session - Invalid progress code (0).
warning 2022-03-18 02:52:00.854 lctrl 5204 6380 app.tunnel_ft_session - Invalid progress code (0).
info 2022-03-18 02:52:00.854 lctrl 5204 3924 app.prepare_task - Preparing files in 'C:\Users\username\AppData\Local\Google\Chrome\User Data\Default'.
info 2022-03-18 02:52:01.030 lctrl 5204 3924 app.local_file_transfer - Preparation of 1 files completed (io_ok).
warning 2022-03-18 02:52:01.038 lctrl 5204 6380 app.tunnel_ft_session - Invalid progress code (0).
warning 2022-03-18 02:52:01.109 lctrl 5204 6380 app.tunnel_ft_session - Invalid progress code (0).
error 2022-03-18 02:52:02.620 lsvc 5608 3532 21 base.prot.packet_factory - Invalid packet received (type=13, 3 bytes).
From the remote terminal, I browsed the victim's files (file transfer is enabled by default). I could not access any system directories due to inappropriate permissions, however I was able to download several files the victim's Google Chrome profile directory.
However, I could not find any logs indicating which files were actually transferred (whether successfully or not). There is also no indication as to the file transfer size (which you could use to infer which file/s where transferred).
C:\Users\username\AppData\Roaming\AnyDesk\connection_trace.txt
➡
Incoming 2022-03-18, 02:50 User 732092099 732092099
Incoming 2022-03-18, 02:50 User 732092099 732092099
This file is only generated after a connection is made (either accepted or rejected).
Incoming connection requests. Time is in UTC. Value (732092099) is the ID of the remote connector and the ID of the person who initiated the remote connection.
C:\Users\username\AppData\Roaming\AnyDesk\service.conf
➡
Contains cert and private key for encrypted traffic
ad.anynet.cert=-----BEGIN CERTIFICATE
ad.anynet.pkey=-----BEGIN PRIVATE KEY
C:\Users\username\AppData\Roaming\AnyDesk\system.conf
➡
ad.ancl.cached_config=AAQAAAABAAAAAAAAAAAAAAAA
ad.anynet.alias=
ad.anynet.client_stats_hash=dcfc53ad9b83500a7c5dcf7429a0568177e2a7c2
ad.anynet.cur_version=30064771078
ad.anynet.fpr=6499e464a4040391b3ff4e122c1461f6b923daca
ad.anynet.id=668843853
ad.anynet.last_relay=relay-f292f5b5.net.anydesk.com:80:443:6568
ad.anynet.network_hash=869d03874a54c384dd345e9636d51a2bbd3a9e63
ad.anynet.network_id=main
ad.anynet.relay.fatal_result=1.0
ad.anynet.relay.state=2
ad.license.name=free-1
ad.security.frontend_clipboard=1
ad.security.frontend_clipboard_files=1
ad.security.frontend_clipboard_version=1
ad.security.permission_profiles._default.permissions.sas=1
ad.security.permission_profiles._unattended_access.permissions.sas=1
ad.security.permission_profiles.version=1
ad.wol.mac_hash=8c87d8d52529ae1ab337b47209a84b535b24655e
Of interest here would be the ad.anynet.id value (which is the same as what is displayed in the user interface when it's executed), as well as the anynet.last_relay value (and ports used).
C:\Users\username\AppData\Roaming\AnyDesk\user.conf
➡
ad.roster.contacts.view_type=2
ad.roster.discovered.view_type=2
ad.roster.favorites.view_type=2
ad.roster.recent_out.view_type=2
ad.roster.sent_invitation.view_type=2
ad.ui.inst_info_count=1
ad.ui.lang=en
ad.ui.main_win.height=936
ad.ui.main_win.max=false
ad.ui.main_win.width=1768
ad.ui.main_win.x=295
ad.ui.main_win.y=156
invitation.view_typ=2
Mostly values set for the user interface itself.
ad.security.permission_profiles.address_to_profile=732092099:000000115f70726576696f75735f73657373696f6e000000400100000001000000010000000000000000000000010000000100000001000000010000000000000000000000000000000100000001000000010000000100000000000010000000000000000000000000000000000000004001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000000000010000000100000001000000010000000000000000
This value is set in user.conf after a successful connection. 732092099 is the ID of the remote party.
Linux File/Log Locations
TBA
References